TDL3 Rootkit infection



#1 blackartz

Posted 22 November 2010 - 01:07 PM

Firstly I must apologise for my earlier post on this subject. I posted in haste without reading the guidelines, could someone delete my earlier post whilst receiving my humblest apologies?

Here is the problem:

I've been trying to remove a persistent browser hijack/redirect infection for a friend on a machine running Win XP home. I've disabled system restore and installed and run Adaware, Malwarebytes and SuperAntispyware and although they've caught and removed numerous items the infection quickly recurs. Shortly after launching a browser (either IE7 or Chrome) and trying to use the Google search function, I'm redirected to bogus sites instead of the ones I'm trying to reach like Amazon. Also whilst trying to post this message from the infected machine IE would tell me that my internet connection was lost, even though it wasn't!

DDS (Ver_10-11-10.01) - NTFSx86
Run by John at 13:41:06.98 on 22/11/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.959.294 [GMT 0:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Barclays\Business Manager\bin\BarclaysBusinessManager.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_UD.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Barclays\Business Manager\bin\ticketservice.exe
C:\Program Files\Barclays\Business Manager\bin\updateservice.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hotmail.com/
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus DX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticde.exe /fu "c:\windows\temp\E_SDF.tmp" /EF "HKCU"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [{743F2CD2-74E3-771C-5688-F6BA921F2155}] "c:\documents and settings\john\application data\agih\usyd.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Barclays Business Manager] c:\program files\barclays\business manager\bin\BarclaysBusinessManager.exe /server
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [B2C_AGENT] c:\documents and settings\all users\application data\lgmobileax\b2c_client\B2CNotiAgent.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
StartupFolder: c:\docume~1\john\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\docume~1\john\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paloal~1.lnk - c:\program files\common files\palo alto software\8.0\PAS8_UD.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paloal~2.lnk - c:\windows\installer\{1797ce09-d183-4911-8ffc-53d9b9cebbac}\NewShortcut1.BDD3527A_D6D6_4DD6_AEAD_6B5236DA8F67.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\trendnet\trendnet tew-421pc_tew-423pi\WlanCU.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: hmrc.gov.uk\online
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.tescophoto.com/wpp/tesco/app/ImageUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197505852375
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxps://secure.shared.live.com/Pa6vGqB728AxD-ckvrPc0A/etc/Microsoft.Live.Folders.RichUpload.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-11-19 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 BBMTicketService;BBM Ticket Service;c:\program files\barclays\business manager\bin\ticketservice.exe [2010-2-11 40960]
R2 BBMUpdateService;BBM Update Service;c:\program files\barclays\business manager\bin\updateservice.exe [2010-2-11 49152]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1375992]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-23 15264]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [2007-4-23 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [2007-4-23 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [2007-4-23 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [2007-4-23 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [2007-4-23 98568]

=============== Created Last 30 ================

2010-11-22 13:03:35 388096 ----a-r- c:\docume~1\john\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-11-22 13:03:35 -------- d-----w- c:\program files\Trend Micro
2010-11-22 12:55:10 -------- d-----w- c:\windows\pss
2010-11-19 18:27:57 -------- d-----w- c:\docume~1\john\applic~1\Windows Search
2010-11-19 17:36:00 -------- d-----w- c:\docume~1\john\applic~1\SUPERAntiSpyware.com
2010-11-19 17:36:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-11-19 17:35:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-19 14:53:40 -------- d-----w- c:\docume~1\john\applic~1\Malwarebytes
2010-11-19 14:53:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-19 14:53:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-19 14:53:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-19 14:53:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-19 14:10:52 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-19 13:20:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-19 10:55:40 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-19 10:54:54 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-11-19 10:54:15 -------- d-----w- c:\program files\Lavasoft
2010-11-19 10:10:18 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-11-19 10:10:18 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-11-17 08:02:17 -------- d-----w- c:\docume~1\john\locals~1\applic~1\{4F1C85C2-566F-4D12-8DED-02F8B92E6E61}
2010-11-16 23:28:08 0 ----a-w- c:\windows\Ctefunirumecah.bin

==================== Find3M ====================

2010-11-14 22:54:41 60 ----a-w- c:\windows\wpd99.drv

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-00MSA1 rev.10.01E01 -> Harddisk0\DR0 -> \Device\00000032

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85D7A446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85d80504]; MOV EAX, [0x85d80580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\Harddisk0\DR0[0x85D95AB8]
3 CLASSPNP[0xF754805B] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\0000008f[0x85DF7140]
5 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> [0x85D94650]
\Driver\nvata[0x85DF6030] -> IRP_MJ_CREATE -> 0x85D7A446
error: Read The system cannot find the file specified.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV SI, 0x7be; MOV CL, 0x4; CMP [SI], CH; JL 0x2d; JNZ 0x3b; }
detected disk devices:
\Device\0000008e -> \??\IDE#DiskWDC_WD800JD-00MSA1______________________10.01E01#2020202057202D444D574D415539364D36323233#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 13:43:11.20 ===============

#2 Noviciate (Malware Response Team)

Posted 22 November 2010 - 03:20 PM

Good evening. :)

I've locked your first thread as it's the only thing I can do - it's a permissions thing.

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*

  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.


#3 blackartz (Topic Starter)


Posted 23 November 2010 - 05:21 AM

Many thanks for your help!

I'll get on and follow these instructions tomorrow, but just wanted to check whether you think it's safe to back up data from the infected machine before I begin?

#4 Noviciate (Malware Response Team)


Posted 23 November 2010 - 02:53 PM

Good evening. :)

It depends on the data that you want to back up. Some nasties can infect various types of files and that obviously poses a risk to your PC in the future.
With the nasty that you seem to have I wouldn't have thought that it was a major threat if you just want to back up pictures/video/music/text files, but I would avoid files with .exe or .htm/.html extensions as they are more likely to be a potential risk - but not necessarily actually a threat.

So long, and thanks for all the fish.


#5 blackartz (Topic Starter)


Posted 26 November 2010 - 08:51 AM

Hi there and thanks again for your help and advice.

After backing up some essential data files I finally ran combofix. The results are below. The browsers still seem a little odd. Google Chrome seems to still have a residual redirect interfering with it and although IE seems better, when I login to this forum and try to view 'my content' I'm told that this is temporarily disabled. I'll keep trying with IE to see if I can work out if there are other problems.

ComboFix 10-11-25.05 - John 26/11/2010 12:35:08.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.959.658 [GMT 0:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\John\Application Data\Agih\usyd.exe
c:\documents and settings\Yvonne\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\Yvonne\Application Data\Adobe\plugs
c:\documents and settings\Yvonne\Application Data\Adobe\plugs\KB24959859.exe
C:\LOG2C.tmp
C:\LOGB.tmp
c:\windows\2417.EXE

.
((((((((((((((((((((((((( Files Created from 2010-10-26 to 2010-11-26 )))))))))))))))))))))))))))))))
.

2010-11-22 13:03 . 2010-11-22 13:03 388096 ----a-r- c:\documents and settings\John\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-22 13:03 . 2010-11-22 13:03 -------- d-----w- c:\program files\Trend Micro
2010-11-22 12:56 . 2010-11-22 12:56 -------- d-----w- c:\documents and settings\Administrator
2010-11-19 18:27 . 2010-11-19 18:27 -------- d-----w- c:\documents and settings\John\Application Data\Windows Search
2010-11-19 17:36 . 2010-11-19 17:36 -------- d-----w- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com
2010-11-19 17:36 . 2010-11-19 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-19 17:35 . 2010-11-19 17:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-19 17:31 . 2010-11-19 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2010-11-19 14:53 . 2010-11-19 14:53 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes
2010-11-19 14:53 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-19 14:53 . 2010-11-19 14:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-19 14:53 . 2010-11-19 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-19 14:53 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-19 14:10 . 2010-11-19 14:10 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-19 13:20 . 2010-09-23 07:46 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-19 10:55 . 2010-09-23 07:46 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-19 10:54 . 2010-11-19 10:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-11-19 10:54 . 2010-11-19 10:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-11-19 10:54 . 2010-11-19 10:54 -------- d-----w- c:\program files\Lavasoft
2010-11-19 10:10 . 2001-08-17 13:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-11-19 10:10 . 2001-08-17 13:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-11-17 12:30 . 2010-11-17 12:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-11-17 12:30 . 2010-11-17 12:30 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-11-17 08:02 . 2010-11-17 08:02 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\{4F1C85C2-566F-4D12-8DED-02F8B92E6E61}
2010-11-16 23:28 . 2010-11-19 10:26 0 ----a-w- c:\windows\Ctefunirumecah.bin
2010-11-16 23:28 . 2010-11-16 23:28 -------- d-----w- c:\documents and settings\Yvonne\Local Settings\Application Data\{ECEF95CE-7A91-4D7A-A4C8-CB89D888C488}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-25 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-16 7630848]
"nwiz"="nwiz.exe" [2006-08-16 1617920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-16 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-03 16841216]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-15 185896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Barclays Business Manager"="c:\program files\Barclays\Business Manager\bin\BarclaysBusinessManager.exe" [2010-02-11 181568]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"B2C_AGENT"="c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe" [2010-03-16 300992]

c:\documents and settings\Yvonne\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\John\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-8-15 142336]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Palo Alto Software Update Manager 8.0.lnk - c:\program files\Common Files\Palo Alto Software\8.0\PAS8_UD.exe [2007-2-13 128544]
Palo Alto Software Update Manager 9.0.lnk - c:\windows\Installer\{1797CE09-D183-4911-8FFC-53D9B9CEBBAC}\NewShortcut1.BDD3527A_D6D6_4DD6_AEAD_6B5236DA8F67.exe [2008-9-11 45056]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
Wireless Configuration Utility HW.15.lnk - c:\program files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe [2007-1-30 577536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [19/11/2010 10:55 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
R2 BBMTicketService;BBM Ticket Service;c:\program files\Barclays\Business Manager\bin\ticketservice.exe [11/02/2010 16:40 40960]
R2 BBMUpdateService;BBM Update Service;c:\program files\Barclays\Business Manager\bin\updateservice.exe [11/02/2010 16:40 49152]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/02/2010 19:27 135664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [23/09/2010 07:46 1375992]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [23/09/2010 07:46 15264]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [23/04/2007 12:54 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [23/04/2007 13:54 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [23/04/2007 13:54 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [23/04/2007 12:54 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [23/04/2007 12:54 98568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-11-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 14:10]

2010-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-11-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-13 07:51]

2010-11-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 19:27]

2010-11-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 19:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hotmail.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
Trusted Zone: hmrc.gov.uk\online
DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxps://secure.shared.live.com/Pa6vGqB728AxD-ckvrPc0A/etc/Microsoft.Live.Folders.RichUpload.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Scooby-Doo™, Showdown in Ghost Town™ - c:\program files\The Learning Company\Scooby-Doo™



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-26 12:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-00MSA1 rev.10.01E01 -> Harddisk0\DR0 -> \Device\00000032

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85D95446]<<
c:\docume~1\John\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85d9b504]; MOV EAX, [0x85d9b580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\Harddisk0\DR0[0x85E1BAB8]
3 CLASSPNP[0xF754805B] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\0000008f[0x85E07A98]
5 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> [0x85E1A650]
\Driver\nvata[0x85E302B0] -> IRP_MJ_CREATE -> 0x85D95446
error: Read The system cannot find the file specified.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV SI, 0x7be; MOV CL, 0x4; CMP [SI], CH; JL 0x2d; JNZ 0x3b; }
detected disk devices:
\Device\0000008e -> \??\IDE#DiskWDC_WD800JD-00MSA1______________________10.01E01#2020202057202D444D574D415539364D36323233#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\WININET.dll
.
Completion time: 2010-11-26 12:57:37
ComboFix-quarantined-files.txt 2010-11-26 12:57

Pre-Run: 45,182,787,584 bytes free
Post-Run: 47,272,280,064 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - C9DF9E8FB9E3506294DCAC081071791C

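As an added illustration (not part of the original thread, and not GMER's or any other tool's own code), here is a Python checker for the "Disk trace" section that both the DDS log in post #1 and the ComboFix log in post #5 contain: it parses that trace format and raises the same concern GMER does, namely a `>>UNKNOWN<<` entry in the disk I/O call chain and the `\Driver\nvata` IRP_MJ_CREATE dispatch pointing at that same unattributed address while the MBR itself reads clean. The infected sample is copied from the first log; the clean comparison trace is constructed.

```python
import re
from dataclasses import dataclass

# Sample input: the "Disk trace" section of the GMER MBR-detector output
# exactly as it appears in the first DDS log of this thread.
INFECTED_TRACE = r"""
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85D7A446]<<
1 ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\Harddisk0\DR0[0x85D95AB8]
3 CLASSPNP[0xF754805B] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\0000008f[0x85DF7140]
5 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> [0x85D94650]
\Driver\nvata[0x85DF6030] -> IRP_MJ_CREATE -> 0x85D7A446
error: Read The system cannot find the file specified.
kernel: MBR read successfully
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Constructed (hypothetical) clean trace for comparison: every module in the
# call chain is named and no driver dispatch routine points outside them.
CLEAN_TRACE = r"""
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys
1 ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\Harddisk0\DR0[0x85D95AB8]
kernel: MBR read successfully
user & kernel MBR OK
"""

# ">>UNKNOWN [0x...]<<" marks code in the disk I/O path that GMER could not
# attribute to any loaded module.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# "\Driver\nvata[0x...] -> IRP_MJ_CREATE -> 0x...": a driver's dispatch
# routine for one IRP major function and the address it currently points to.
DISPATCH_RE = re.compile(
    r"^\\Driver\\([^\[\s]+)\[(0x[0-9A-Fa-f]+)\] -> (IRP_MJ_\w+) -> (0x[0-9A-Fa-f]+)$"
)


@dataclass
class TraceFindings:
    modules: list[str]                  # named modules in the call chain
    unknown: list[str]                  # addresses GMER flagged as UNKNOWN
    hooked: list[tuple[str, str, str]]  # (driver, IRP major, target) into UNKNOWN code
    mbr_ok: bool                        # "user & kernel MBR OK" seen

    def is_suspicious(self) -> bool:
        return bool(self.hooked)


def parse_disk_trace(text: str) -> TraceFindings:
    modules: list[str] = []
    unknown: list[str] = []
    dispatch: list[tuple[str, str, str]] = []
    mbr_ok = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            body = line[len("called modules:"):]
            unknown = [a.lower() for a in UNKNOWN_RE.findall(body)]
            modules = UNKNOWN_RE.sub("", body).split()
        elif (m := DISPATCH_RE.match(line)):
            driver, _driver_obj, major, target = m.groups()
            dispatch.append((driver, major, target.lower()))
        elif line == "user & kernel MBR OK":
            mbr_ok = True
    # A dispatch routine whose target is one of the UNKNOWN addresses is the
    # hook GMER warns about: disk I/O is being diverted into unattributed code.
    hooked = [d for d in dispatch if d[2] in unknown]
    return TraceFindings(modules, unknown, hooked, mbr_ok)


def verdict(f: TraceFindings) -> str:
    if f.hooked:
        hooks = ", ".join(f"{drv} {major} -> {tgt}" for drv, major, tgt in f.hooked)
        # A clean MBR next to a hooked storage driver is the pattern in this
        # thread's logs; the MBR-resident families the same detector names
        # (Mebroot, Sinowal, TDL4) would instead fail the MBR check.
        mbr = ("MBR reads clean, so the hook lives in the driver, not the MBR"
               if f.mbr_ok else "MBR also modified")
        return f"SUSPICIOUS: disk driver dispatch hooked into unattributed code ({hooks}); {mbr}"
    if f.unknown:
        return "REVIEW: unattributed code in disk call chain: " + ", ".join(f.unknown)
    return "CLEAN: disk call chain fully attributed to named modules"


if __name__ == "__main__":
    for name, trace in (("infected", INFECTED_TRACE), ("clean", CLEAN_TRACE)):
        print(f"{name}: {verdict(parse_disk_trace(trace))}")
```
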
#6 Noviciate (Malware Response Team)


Posted 26 November 2010 - 02:50 PM

Good evening. :)

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.

  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish


  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • Once the scan has completed, if the tool has identified anything allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which i'd like to see, will be located at the root of you hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.
#7 blackartz

  • Topic Starter
  • Members
  • 23 posts

Posted 28 November 2010 - 02:27 PM

Here's the TDSSKiller log (below). After reboot I ran it again and it found nothing.

2010/11/28 19:20:40.0281 TDSS rootkit removing tool 2.4.9.0 Nov 26 2010 15:38:31
2010/11/28 19:20:40.0281 ================================================================================
2010/11/28 19:20:40.0281 SystemInfo:
2010/11/28 19:20:40.0281
2010/11/28 19:20:40.0281 OS Version: 5.1.2600 ServicePack: 2.0
2010/11/28 19:20:40.0281 Product type: Workstation
2010/11/28 19:20:40.0281 ComputerName: FEATHERSTONE-1
2010/11/28 19:20:40.0281 UserName: John
2010/11/28 19:20:40.0281 Windows directory: C:\WINDOWS
2010/11/28 19:20:40.0281 System windows directory: C:\WINDOWS
2010/11/28 19:20:40.0281 Processor architecture: Intel x86
2010/11/28 19:20:40.0281 Number of processors: 1
2010/11/28 19:20:40.0281 Page size: 0x1000
2010/11/28 19:20:40.0281 Boot type: Normal boot
2010/11/28 19:20:40.0281 ================================================================================
2010/11/28 19:20:40.0500 Initialize success
2010/11/28 19:20:43.0156 ================================================================================
2010/11/28 19:20:43.0156 Scan started
2010/11/28 19:20:43.0156 Mode: Manual;
2010/11/28 19:20:43.0156 ================================================================================
2010/11/28 19:20:44.0250 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/11/28 19:20:44.0421 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/28 19:20:44.0578 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/11/28 19:20:44.0703 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/11/28 19:20:44.0843 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2010/11/28 19:20:44.0984 AegisP (58a8273918eef2bf9204b12ed171513a) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2010/11/28 19:20:45.0093 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys
2010/11/28 19:20:45.0234 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2010/11/28 19:20:45.0343 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/11/28 19:20:45.0500 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/11/28 19:20:45.0656 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/11/28 19:20:45.0750 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/11/28 19:20:45.0828 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/11/28 19:20:45.0937 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/11/28 19:20:45.0968 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/11/28 19:20:46.0000 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/11/28 19:20:46.0015 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2010/11/28 19:20:46.0046 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/11/28 19:20:46.0078 AN983 (f5b9fadbd5d996051c5b2798a56258d7) C:\WINDOWS\system32\DRIVERS\AN983.sys
2010/11/28 19:20:46.0125 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/11/28 19:20:46.0140 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/11/28 19:20:46.0171 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/11/28 19:20:46.0218 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/28 19:20:46.0265 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/28 19:20:46.0343 ati2mtag (8759322ffc1a50569c1e5528ee8026b7) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/11/28 19:20:46.0468 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/28 19:20:46.0578 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/28 19:20:46.0656 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/28 19:20:46.0906 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/11/28 19:20:46.0953 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/28 19:20:47.0015 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/11/28 19:20:47.0203 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/28 19:20:47.0375 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/28 19:20:47.0437 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/28 19:20:47.0703 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/11/28 19:20:48.0015 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/11/28 19:20:48.0187 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/11/28 19:20:48.0203 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/11/28 19:20:48.0234 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/28 19:20:48.0359 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/28 19:20:48.0406 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/28 19:20:48.0453 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/28 19:20:48.0515 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/28 19:20:48.0546 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/11/28 19:20:48.0562 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/28 19:20:48.0593 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
2010/11/28 19:20:48.0671 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/28 19:20:48.0812 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/11/28 19:20:49.0000 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/28 19:20:49.0031 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/11/28 19:20:49.0078 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/11/28 19:20:49.0140 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/28 19:20:49.0218 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/28 19:20:49.0328 GEARAspiWDM (5dc17164f66380cbfefd895c18467773) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/11/28 19:20:49.0375 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/28 19:20:49.0421 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/11/28 19:20:49.0453 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/11/28 19:20:49.0484 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/11/28 19:20:49.0531 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/28 19:20:49.0578 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/11/28 19:20:49.0593 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/11/28 19:20:49.0625 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/11/28 19:20:49.0656 iaStor (580bfec487c55264bfe3d60c3c24eee1) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2010/11/28 19:20:49.0687 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/28 19:20:49.0750 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/11/28 19:20:49.0937 IntcAzAudAddService (8c65fcf7ab3389e7c224ea2ec4456f2d) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/11/28 19:20:50.0015 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/11/28 19:20:50.0078 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/11/28 19:20:50.0140 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/28 19:20:50.0187 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/28 19:20:50.0234 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/28 19:20:50.0296 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/28 19:20:50.0343 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/28 19:20:50.0375 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/28 19:20:50.0390 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/28 19:20:50.0406 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/11/28 19:20:50.0453 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
2010/11/28 19:20:50.0515 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/11/28 19:20:50.0625 Lavasoft Kernexplorer (0bd6d3f477df86420de942a741dabe37) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2010/11/28 19:20:50.0656 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2010/11/28 19:20:50.0750 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/11/28 19:20:50.0796 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/11/28 19:20:50.0828 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/28 19:20:50.0859 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/11/28 19:20:50.0875 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/11/28 19:20:50.0906 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/11/28 19:20:50.0937 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/11/28 19:20:51.0000 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/11/28 19:20:51.0093 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/11/28 19:20:51.0125 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/11/28 19:20:51.0156 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/11/28 19:20:51.0187 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/11/28 19:20:51.0250 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/11/28 19:20:51.0265 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/11/28 19:20:51.0296 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/11/28 19:20:51.0359 ndiscm (b797ee2ef919c95561dee78b72b33e5b) C:\WINDOWS\system32\DRIVERS\NetMotCM.sys
2010/11/28 19:20:51.0390 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/11/28 19:20:51.0437 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/11/28 19:20:51.0468 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/11/28 19:20:51.0500 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/11/28 19:20:51.0515 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/28 19:20:51.0546 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/28 19:20:51.0593 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/28 19:20:51.0640 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/11/28 19:20:51.0671 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/11/28 19:20:51.0812 nv (15a6306a0b958bf60f09688d0ee70479) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/11/28 19:20:51.0953 nvata (947c4a0e7b25bcecc3b40f0f1070378b) C:\WINDOWS\system32\DRIVERS\nvata.sys
2010/11/28 19:20:51.0984 NVENETFD (4d6f0d3fb17c1ba64942f415c73adcdb) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2010/11/28 19:20:52.0000 nvnetbus (921e63aa1e1a20302223d016acafb52b) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2010/11/28 19:20:52.0046 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/11/28 19:20:52.0062 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/11/28 19:20:52.0109 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/11/28 19:20:52.0125 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/11/28 19:20:52.0156 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/11/28 19:20:52.0187 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/28 19:20:52.0234 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/11/28 19:20:52.0265 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/11/28 19:20:52.0406 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/11/28 19:20:52.0421 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/11/28 19:20:52.0484 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/11/28 19:20:52.0500 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/11/28 19:20:52.0531 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/11/28 19:20:52.0546 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/11/28 19:20:52.0578 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/11/28 19:20:52.0609 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/11/28 19:20:52.0640 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/11/28 19:20:52.0656 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/11/28 19:20:52.0687 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/11/28 19:20:52.0765 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/11/28 19:20:52.0781 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/11/28 19:20:52.0796 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/11/28 19:20:52.0843 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/11/28 19:20:52.0875 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/11/28 19:20:52.0921 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/11/28 19:20:52.0953 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/11/28 19:20:53.0015 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/11/28 19:20:53.0093 rtl8185 (88b63f291ae10c1b66d2b9ed6921a7df) C:\WINDOWS\system32\DRIVERS\rtl8185.sys
2010/11/28 19:20:53.0156 s115bus (e1ab463b36a7ef31d8a73a97a9b57afa) C:\WINDOWS\system32\DRIVERS\s115bus.sys
2010/11/28 19:20:53.0203 s115mdfl (e24113fc13b8737c94cf4e3415488c76) C:\WINDOWS\system32\DRIVERS\s115mdfl.sys
2010/11/28 19:20:53.0250 s115mdm (4029e49e7c673aa0670bd206b0af1b5b) C:\WINDOWS\system32\DRIVERS\s115mdm.sys
2010/11/28 19:20:53.0281 s115mgmt (eb02ab4ca8bccecfde236cad8fc6e135) C:\WINDOWS\system32\DRIVERS\s115mgmt.sys
2010/11/28 19:20:53.0328 s115obex (089869db9ffd2ac807fa87fe82ac7761) C:\WINDOWS\system32\DRIVERS\s115obex.sys
2010/11/28 19:20:53.0421 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/11/28 19:20:53.0453 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/11/28 19:20:53.0546 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/11/28 19:20:53.0593 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/11/28 19:20:53.0609 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/11/28 19:20:53.0671 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/11/28 19:20:53.0765 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/11/28 19:20:53.0828 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2010/11/28 19:20:53.0859 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/11/28 19:20:53.0890 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/28 19:20:53.0921 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/28 19:20:54.0000 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/11/28 19:20:54.0046 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2010/11/28 19:20:54.0062 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/11/28 19:20:54.0093 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/11/28 19:20:54.0125 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/11/28 19:20:54.0140 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/11/28 19:20:54.0171 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/11/28 19:20:54.0187 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/11/28 19:20:54.0203 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/11/28 19:20:54.0250 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/28 19:20:54.0296 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/11/28 19:20:54.0328 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/11/28 19:20:54.0343 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/28 19:20:54.0375 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/11/28 19:20:54.0421 uagp35 (49c805d42d75eddc9b6a7130999c9054) C:\WINDOWS\system32\DRIVERS\uagp35.sys
2010/11/28 19:20:54.0468 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/11/28 19:20:54.0546 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/11/28 19:20:54.0593 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/28 19:20:54.0671 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/11/28 19:20:54.0734 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/11/28 19:20:54.0781 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/11/28 19:20:54.0812 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/11/28 19:20:54.0828 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/11/28 19:20:54.0859 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/11/28 19:20:54.0875 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/11/28 19:20:54.0906 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/11/28 19:20:54.0937 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/11/28 19:20:54.0953 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/11/28 19:20:54.0984 viamraid (fbf18f9f5fb852c2976723587b44f346) C:\WINDOWS\system32\DRIVERS\viamraid.sys
2010/11/28 19:20:55.0015 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/11/28 19:20:55.0078 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/11/28 19:20:55.0140 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/11/28 19:20:55.0234 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2010/11/28 19:20:55.0296 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/11/28 19:20:55.0328 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/11/28 19:20:55.0390 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/28 19:20:55.0406 ================================================================================
2010/11/28 19:20:55.0406 Scan finished
2010/11/28 19:20:55.0406 ================================================================================
2010/11/28 19:20:55.0421 Detected object count: 1
2010/11/28 19:21:02.0640 \HardDisk0 - will be cured after reboot
2010/11/28 19:21:02.0640 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/11/28 19:21:04.0640 Deinitialize success
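As an added example (not part of the thread, and not Kaspersky's code), a small Python parser for TDSSKiller logs in the format posted above: it pulls out the enumerated drivers, the detection, the action chosen, whether the cure is pending a reboot, and checks that a follow-up scan came back clean, as blackartz reports. SAMPLE_LOG is a constructed subset of the posted log (hashes copied from it); CLEAN_LOG is a constructed "nothing found" rescan.

```python
"""Parse TDSSKiller logs in the format posted above: drivers, detections,
the chosen action, pending reboot, and whether a rescan came back clean."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the log posted in the thread (hashes copied from it).
SAMPLE_LOG = r"""
2010/11/28 19:20:40.0281 TDSS rootkit removing tool 2.4.9.0 Nov 26 2010 15:38:31
2010/11/28 19:20:40.0281
2010/11/28 19:20:43.0156 Scan started
2010/11/28 19:20:43.0156 Mode: Manual;
2010/11/28 19:20:44.0421 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/28 19:20:50.0625 Lavasoft Kernexplorer (0bd6d3f477df86420de942a741dabe37) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2010/11/28 19:20:54.0250 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/28 19:20:55.0390 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/28 19:20:55.0406 Scan finished
2010/11/28 19:20:55.0421 Detected object count: 1
2010/11/28 19:21:02.0640 \HardDisk0 - will be cured after reboot
2010/11/28 19:21:02.0640 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/11/28 19:21:04.0640 Deinitialize success
"""

# Constructed "nothing found" rescan, as blackartz describes after the reboot.
CLEAN_LOG = r"""
2010/11/28 19:40:10.0000 TDSS rootkit removing tool 2.4.9.0 Nov 26 2010 15:38:31
2010/11/28 19:40:12.0000 Scan started
2010/11/28 19:40:13.0000 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/28 19:40:20.0000 Scan finished
2010/11/28 19:40:20.0000 Detected object count: 0
"""

# Timestamp prefix on every line; the message after it may be empty.
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})(?: (.*))?$")
# Driver names may contain spaces ("Lavasoft Kernexplorer"): match lazily up to the MD5.
DRIVER_RE = re.compile(r"^(.+?) \(([0-9a-fA-F]{32})\) (.+)$")
DETECT_RE = re.compile(r"^(.+?) - detected (\S+) \(\d+\)$")
REBOOT_RE = re.compile(r"^(.+?) - will be cured after reboot$")
ACTION_RE = re.compile(r"^(\S+?)\((.+)\) - User select action: (\S+)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")

@dataclass
class Driver:
    name: str
    md5: str
    path: str

@dataclass
class Report:
    tool: str = ""
    drivers: list = field(default_factory=list)
    detections: dict = field(default_factory=dict)  # object -> threat name
    actions: dict = field(default_factory=dict)     # object -> chosen action
    cure_on_reboot: set = field(default_factory=set)
    detected_count: int = 0

def parse_log(text: str) -> Report:
    """Walk the log line by line and fill a Report; unknown lines are ignored."""
    rep = Report()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m.group(2):
            continue
        msg = m.group(2)
        if "rootkit removing tool" in msg and not rep.tool:
            rep.tool = msg
        elif (d := DETECT_RE.match(msg)):
            rep.detections[d.group(1)] = d.group(2)
        elif (r := REBOOT_RE.match(msg)):
            rep.cure_on_reboot.add(r.group(1))
        elif (a := ACTION_RE.match(msg)):
            rep.actions[a.group(2)] = a.group(3)
        elif (c := COUNT_RE.match(msg)):
            rep.detected_count = int(c.group(1))
        elif (drv := DRIVER_RE.match(msg)):
            rep.drivers.append(Driver(*drv.groups()))
    return rep

def is_clean(rep: Report) -> bool:
    return rep.detected_count == 0 and not rep.detections

def drivers_outside_windows(rep: Report, system_root: str = "C:\\WINDOWS\\") -> list:
    """Drivers whose image lives outside %SystemRoot%: worth a look, not a
    verdict (AV products such as Ad-Aware legitimately load from Program Files)."""
    root = system_root.lower()
    return [d for d in rep.drivers if not d.path.lower().startswith(root)]

def rescan_confirms_cure(first: Report, second: Report) -> bool:
    """True when every object detected in `first` was set to Cure and the
    follow-up scan `second` reported nothing, as in the thread above."""
    if not first.detections:
        return False
    all_cured = all(first.actions.get(obj) == "Cure" for obj in first.detections)
    return all_cured and is_clean(second)

if __name__ == "__main__":
    before, after = parse_log(SAMPLE_LOG), parse_log(CLEAN_LOG)
    print(before.detections, before.actions, "rescan clean:", rescan_confirms_cure(before, after))
```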

#8 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 28 November 2010 - 03:43 PM

Good evening. :)

This may be a new version of an old nasty, which could make it more difficult to get rid of. Will you run ComboFix again, as before, and post accordingly?

So long, and thanks for all the fish.
#9 blackartz

  • Topic Starter
  • Members
  • 23 posts

Posted 29 November 2010 - 07:14 AM

You were dead right - ComboFix found something again!

ComboFix 10-11-28.05 - John 29/11/2010 11:14:44.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.959.663 [GMT 0:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\John\Application Data\Inygvo\ivzee.exe
c:\windows\system32\0.04682541753958336.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 )))))))))))))))))))))))))))))))
.

2010-11-28 19:04 . 2010-11-29 11:03 -------- d-----w- c:\documents and settings\John\Application Data\Inygvo
2010-11-28 19:04 . 2010-11-28 19:18 -------- d-----w- c:\documents and settings\John\Application Data\Yfvo
2010-11-22 13:03 . 2010-11-22 13:03 388096 ----a-r- c:\documents and settings\John\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-22 13:03 . 2010-11-22 13:03 -------- d-----w- c:\program files\Trend Micro
2010-11-22 12:56 . 2010-11-22 12:56 -------- d-----w- c:\documents and settings\Administrator
2010-11-19 18:27 . 2010-11-19 18:27 -------- d-----w- c:\documents and settings\John\Application Data\Windows Search
2010-11-19 17:36 . 2010-11-19 17:36 -------- d-----w- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com
2010-11-19 17:36 . 2010-11-19 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-19 17:35 . 2010-11-19 17:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-19 17:31 . 2010-11-19 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2010-11-19 14:53 . 2010-11-19 14:53 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes
2010-11-19 14:53 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-19 14:53 . 2010-11-19 14:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-19 14:53 . 2010-11-19 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-19 14:53 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-19 14:10 . 2010-11-19 14:10 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-19 13:20 . 2010-09-23 07:46 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-19 10:55 . 2010-09-23 07:46 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-19 10:54 . 2010-11-19 10:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-11-19 10:54 . 2010-11-19 10:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-11-19 10:54 . 2010-11-19 10:54 -------- d-----w- c:\program files\Lavasoft
2010-11-19 10:10 . 2001-08-17 13:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-11-19 10:10 . 2001-08-17 13:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-11-17 12:30 . 2010-11-17 12:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-11-17 12:30 . 2010-11-17 12:30 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-11-17 08:02 . 2010-11-17 08:02 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\{4F1C85C2-566F-4D12-8DED-02F8B92E6E61}
2010-11-16 23:28 . 2010-11-19 10:26 0 ----a-w- c:\windows\Ctefunirumecah.bin
2010-11-16 23:28 . 2010-11-16 23:28 -------- d-----w- c:\documents and settings\Yvonne\Local Settings\Application Data\{ECEF95CE-7A91-4D7A-A4C8-CB89D888C488}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2010-11-26_12.53.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-29 11:03 . 2010-11-29 11:03 16384 c:\windows\Temp\Perflib_Perfdata_6f4.dat
+ 2010-11-28 18:06 . 2010-11-22 12:34 142754 c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-25 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-16 7630848]
"nwiz"="nwiz.exe" [2006-08-16 1617920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-16 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-03 16841216]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-15 185896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Barclays Business Manager"="c:\program files\Barclays\Business Manager\bin\BarclaysBusinessManager.exe" [2010-02-11 181568]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"B2C_AGENT"="c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe" [2010-03-16 300992]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
awes.exe [2010-11-28 155136]
meod.exe [2010-11-28 155136]

c:\documents and settings\Kids\Start Menu\Programs\Startup\
meym.exe [2010-11-28 155136]
tuly.exe [2010-11-28 155136]

c:\documents and settings\Yvonne\Start Menu\Programs\Startup\
myow.exe [2010-11-28 155136]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
suho.exe [2010-11-28 155136]

c:\documents and settings\John\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-8-15 142336]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Palo Alto Software Update Manager 8.0.lnk - c:\program files\Common Files\Palo Alto Software\8.0\PAS8_UD.exe [2007-2-13 128544]
Palo Alto Software Update Manager 9.0.lnk - c:\windows\Installer\{1797CE09-D183-4911-8FFC-53D9B9CEBBAC}\NewShortcut1.BDD3527A_D6D6_4DD6_AEAD_6B5236DA8F67.exe [2008-9-11 45056]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
Wireless Configuration Utility HW.15.lnk - c:\program files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe [2007-1-30 577536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [19/11/2010 10:55 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
R2 BBMTicketService;BBM Ticket Service;c:\program files\Barclays\Business Manager\bin\ticketservice.exe [11/02/2010 16:40 40960]
R2 BBMUpdateService;BBM Update Service;c:\program files\Barclays\Business Manager\bin\updateservice.exe [11/02/2010 16:40 49152]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/02/2010 19:27 135664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [23/09/2010 07:46 1375992]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [23/09/2010 07:46 15264]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [23/04/2007 12:54 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [23/04/2007 13:54 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [23/04/2007 13:54 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [23/04/2007 12:54 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [23/04/2007 12:54 98568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-11-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 14:10]

2010-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-11-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-13 07:51]

2010-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 19:27]

2010-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 19:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hotmail.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
Trusted Zone: hmrc.gov.uk\online
DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxps://secure.shared.live.com/Pa6vGqB728AxD-ckvrPc0A/etc/Microsoft.Live.Folders.RichUpload.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-{DB4C5915-D449-0358-F42B-1A2470EB1BA5} - c:\documents and settings\John\Application Data\Inygvo\ivzee.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-29 11:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2010-11-29 11:26:02
ComboFix-quarantined-files.txt 2010-11-29 11:25
ComboFix2.txt 2010-11-26 12:57

Pre-Run: 46,563,491,840 bytes free
Post-Run: 46,716,420,096 bytes free

- - End Of File - - A3362D0624832B25680CC3824B0DA26E

#10 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Location:Numpty HQ

Posted 29 November 2010 - 02:18 PM

Good evening. :)

Things are looking better. I think one last scan and if you aren't having any further problems, a quick tidy-up and you'll be on your way.

Pay a visit to the ESET Online Scanner.
  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

Throw in one last DDS log and let me know how the PC is behaving.

So long, and thanks for all the fish.

#11 blackartz

  • Topic Starter
  • Members
  • 23 posts

Posted 29 November 2010 - 05:41 PM

A whole load of new stuff discovered by ESET (pasted below - as instructed, I've not removed them). Persistent little blighter isn't it?


C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\awes.exe a variant of Win32/Kryptik.IMX trojan
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\meod.exe a variant of Win32/Kryptik.IMX trojan
C:\Documents and Settings\Best people ever\Start Menu\Programs\Startup\didey.exe a variant of Win32/Kryptik.IMX trojan
C:\Documents and Settings\Best people ever\Start Menu\Programs\Startup\evedul.exe a variant of Win32/Kryptik.IMX trojan
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\quaka.exe a variant of Win32/Kryptik.IMX trojan
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\ybypuz.exe a variant of Win32/Kryptik.IMX trojan
C:\Documents and Settings\Kids\Start Menu\Programs\Startup\meym.exe a variant of Win32/Kryptik.IMX trojan
C:\Documents and Settings\Kids\Start Menu\Programs\Startup\tuly.exe a variant of Win32/Kryptik.IMX trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\18\bbe6ed2-2d68bf0d multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\62\30d4243e-3b03f48e a variant of Java/TrojanDownloader.OpenStream.NAU trojan
C:\Documents and Settings\Yvonne\Start Menu\Programs\Startup\myow.exe a variant of Win32/Kryptik.IMX trojan
C:\Documents and Settings\Yvonne\Start Menu\Programs\Startup\suho.exe a variant of Win32/Kryptik.IMX trojan
C:\Qoobox\Quarantine\C\Documents and Settings\John\Application Data\Agih\usyd.exe.vir a variant of Win32/Kryptik.ILK trojan
C:\Qoobox\Quarantine\C\Documents and Settings\John\Application Data\Inygvo\ivzee.exe.vir a variant of Win32/Kryptik.IMX trojan
C:\System Volume Information\_restore{56C962A6-4C54-4057-822C-D86CD7D0B01B}\RP1\A0000140.exe a variant of Win32/Kryptik.ILK trojan
C:\System Volume Information\_restore{56C962A6-4C54-4057-822C-D86CD7D0B01B}\RP2\A0002817.exe a variant of Win32/Kryptik.IMX trojan

#12 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Location:Numpty HQ

Posted 30 November 2010 - 03:54 PM

Good evening. :)

Some of the above detections are from nasties that were backed up when Windows created System Restore points. Unless you use System Restore, and pick an infected point to use, they pose no threat to your PC and will be deleted as Windows recycles the space that it has reserved for Restore Points.

In short, we'll ignore them and in time they will go away on their own!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Will you work through the two sets of instructions below, in order, and post accordingly.

You may need to set Windows to show All Hidden Files and Folders.
Instructions can be found here.
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

Remove any/all of the following files/folders that you can find:

Files

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\awes.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\meod.exe
C:\Documents and Settings\Best people ever\Start Menu\Programs\Startup\didey.exe
C:\Documents and Settings\Best people ever\Start Menu\Programs\Startup\evedul.exe
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\quaka.exe
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\ybypuz.exe
C:\Documents and Settings\Kids\Start Menu\Programs\Startup\meym.exe
C:\Documents and Settings\Kids\Start Menu\Programs\Startup\tuly.exe
C:\Documents and Settings\Yvonne\Start Menu\Programs\Startup\myow.exe
C:\Documents and Settings\Yvonne\Start Menu\Programs\Startup\suho.exe


As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.
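The sorting Noviciate applies to the ESET list (live Startup-folder droppers to remove now, ComboFix quarantine copies already neutralised, Restore Point copies to leave until Windows recycles them), written out as a triage script. This is an added example, not part of the thread or of any ESET or Malwarebytes tool; the bucket names, the ACTIONS wording and the regexes are its own, and the sample lines are copied from the ESET export posted above.

```python
import re
from collections import defaultdict

# Constructed sample: five lines copied from the ESET export posted earlier in
# the thread (format "<full path> <detection name>"; paths contain spaces).
SAMPLE_ESET_LOG = r"""
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\awes.exe a variant of Win32/Kryptik.IMX trojan
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\quaka.exe a variant of Win32/Kryptik.IMX trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\18\bbe6ed2-2d68bf0d multiple threats
C:\Qoobox\Quarantine\C\Documents and Settings\John\Application Data\Inygvo\ivzee.exe.vir a variant of Win32/Kryptik.IMX trojan
C:\System Volume Information\_restore{56C962A6-4C54-4057-822C-D86CD7D0B01B}\RP2\A0002817.exe a variant of Win32/Kryptik.IMX trojan
"""

# The detection text ends the line; everything before it is the path. Matching
# ESET's phrasing avoids splitting on spaces inside "Documents and Settings".
DETECTION_RE = re.compile(
    r" (?P<det>(?:probably )?a variant of \S+ \w+"
    r"|multiple threats"
    r"|\S+ (?:trojan|worm|virus|adware|backdoor|application))$"
)
STARTUP_RE = re.compile(
    r"^[A-Za-z]:\\Documents and Settings\\(?P<profile>[^\\]+)"
    r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)
QUARANTINE_RE = re.compile(r"^[A-Za-z]:\\Qoobox\\Quarantine\\", re.IGNORECASE)
JAVA_CACHE_RE = re.compile(r"\\Sun\\Java\\Deployment\\cache\\", re.IGNORECASE)

# What each bucket means for the clean-up, in the terms the reply uses.
ACTIONS = {
    "startup_persistence": "remove now: runs at every logon to that profile",
    "java_cache": "remove: cached Java download, not an autostart entry",
    "quarantined": "already neutralised by ComboFix (Qoobox); goes with the quarantine",
    "restore_point": "leave for now: inert unless that Restore Point is rolled back",
    "other": "review by hand",
}

def parse_eset_log(text):
    """Return [(path, detection), ...], one tuple per non-blank line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DETECTION_RE.search(line)
        if m is None:  # unknown phrasing: keep the whole line as the path
            entries.append((line, ""))
        else:
            entries.append((line[:m.start()], m.group("det")))
    return entries

def classify(path):
    """Map a detected path to one of the ACTIONS buckets."""
    if QUARANTINE_RE.search(path):  # first: quarantine mirrors the original path
        return "quarantined"
    if RESTORE_RE.search(path):
        return "restore_point"
    if STARTUP_RE.search(path):
        return "startup_persistence"
    if JAVA_CACHE_RE.search(path):
        return "java_cache"
    return "other"

def triage(text):
    """Group detections: {bucket: [(path, detection), ...]}."""
    buckets = defaultdict(list)
    for path, detection in parse_eset_log(text):
        buckets[classify(path)].append((path, detection))
    return dict(buckets)

def infected_profiles(text):
    """Profiles whose Startup folder got a dropper. "Default User" matters:
    XP copies it to build each new profile, so the entry would come back."""
    hits = (STARTUP_RE.search(path) for path, _ in parse_eset_log(text))
    return sorted({m.group("profile") for m in hits if m})

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_ESET_LOG).items():
        print(f"[{bucket}] {ACTIONS[bucket]}")
        for path, detection in items:
            print(f"    {path}  <- {detection}")
    print("Startup folders hit:", ", ".join(infected_profiles(SAMPLE_ESET_LOG)))
```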

#13 blackartz

  • Topic Starter
  • Members
  • 23 posts

Posted 01 December 2010 - 10:03 AM

Hi there,
and thanks again! The PC 'seems' to be behaving itself well at the moment. Both IE and Chrome appear to be listening exclusively to my instructions and only conducting the searches I specify and visiting the sites I request.

I've deleted all the files listed above and run Malwarebytes and DDS. Here are the logs:


DDS (Ver_10-11-10.01) - NTFSx86
Run by John at 14:23:52.17 on 01/12/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.959.514 [GMT 0:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Barclays\Business Manager\bin\ticketservice.exe
C:\Program Files\Barclays\Business Manager\bin\updateservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Barclays\Business Manager\bin\BarclaysBusinessManager.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_UD.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\John\Desktop\dds.scr
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hotmail.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Barclays Business Manager] c:\program files\barclays\business manager\bin\BarclaysBusinessManager.exe /server
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [B2C_AGENT] c:\documents and settings\all users\application data\lgmobileax\b2c_client\B2CNotiAgent.exe"
StartupFolder: c:\docume~1\john\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\docume~1\john\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paloal~1.lnk - c:\program files\common files\palo alto software\8.0\PAS8_UD.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paloal~2.lnk - c:\windows\installer\{1797ce09-d183-4911-8ffc-53d9b9cebbac}\NewShortcut1.BDD3527A_D6D6_4DD6_AEAD_6B5236DA8F67.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\trendnet\trendnet tew-421pc_tew-423pi\WlanCU.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: hmrc.gov.uk\online
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.tescophoto.com/wpp/tesco/app/ImageUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197505852375
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxps://secure.shared.live.com/Pa6vGqB728AxD-ckvrPc0A/etc/Microsoft.Live.Folders.RichUpload.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-11-19 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 BBMTicketService;BBM Ticket Service;c:\program files\barclays\business manager\bin\ticketservice.exe [2010-2-11 40960]
R2 BBMUpdateService;BBM Update Service;c:\program files\barclays\business manager\bin\updateservice.exe [2010-2-11 49152]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1375992]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-23 15264]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [2007-4-23 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [2007-4-23 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [2007-4-23 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [2007-4-23 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [2007-4-23 98568]

=============== Created Last 30 ================

2010-11-29 20:08:35 -------- d-----w- c:\program files\ESET
2010-11-28 19:04:13 -------- d-----w- c:\docume~1\john\applic~1\Yfvo
2010-11-28 19:04:13 -------- d-----w- c:\docume~1\john\applic~1\Inygvo
2010-11-26 12:23:25 -------- d-sha-r- C:\cmdcons
2010-11-26 12:00:56 98816 ----a-w- c:\windows\sed.exe
2010-11-26 12:00:56 89088 ----a-w- c:\windows\MBR.exe
2010-11-26 12:00:56 256512 ----a-w- c:\windows\PEV.exe
2010-11-26 12:00:56 161792 ----a-w- c:\windows\SWREG.exe
2010-11-22 13:03:35 388096 ----a-r- c:\docume~1\john\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-11-22 13:03:35 -------- d-----w- c:\program files\Trend Micro
2010-11-22 12:55:10 -------- d-----w- c:\windows\pss
2010-11-19 18:27:57 -------- d-----w- c:\docume~1\john\applic~1\Windows Search
2010-11-19 17:36:00 -------- d-----w- c:\docume~1\john\applic~1\SUPERAntiSpyware.com
2010-11-19 17:36:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-11-19 17:35:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-19 14:53:40 -------- d-----w- c:\docume~1\john\applic~1\Malwarebytes
2010-11-19 14:53:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-19 14:53:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-19 14:53:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-19 14:53:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-19 14:10:52 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-19 13:20:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-19 10:55:40 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-19 10:54:54 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-11-19 10:54:15 -------- d-----w- c:\program files\Lavasoft
2010-11-19 10:10:18 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-11-19 10:10:18 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-11-17 08:02:17 -------- d-----w- c:\docume~1\john\locals~1\applic~1\{4F1C85C2-566F-4D12-8DED-02F8B92E6E61}
2010-11-16 23:28:08 0 ----a-w- c:\windows\Ctefunirumecah.bin

==================== Find3M ====================

2010-11-14 22:54:41 60 ----a-w- c:\windows\wpd99.drv

============= FINISH: 14:25:19.20 ===============


Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5214

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

01/12/2010 13:54:59
mbam-log-2010-12-01 (13-54-59).txt

Scan type: Full scan (C:\|)
Objects scanned: 280371
Time elapsed: 1 hour(s), 14 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\documents and settings\John\application data\Inygvo\ivzee.exe.vir (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{56c962a6-4c54-4057-822c-d86cd7d0b01b}\RP2\A0002817.exe (Spyware.Passwords.XGen) -> Not selected for removal.
c:\system volume information\_restore{56c962a6-4c54-4057-822c-d86cd7d0b01b}\RP4\A0002937.exe (Spyware.Passwords.XGen) -> Not selected for removal.
c:\system volume information\_restore{56c962a6-4c54-4057-822c-d86cd7d0b01b}\RP4\A0002935.exe (Spyware.Passwords.XGen) -> Not selected for removal.
c:\system volume information\_restore{56c962a6-4c54-4057-822c-d86cd7d0b01b}\RP4\A0002936.exe (Spyware.Passwords.XGen) -> Not selected for removal.
c:\system volume information\_restore{56c962a6-4c54-4057-822c-d86cd7d0b01b}\RP4\A0002938.exe (Spyware.Passwords.XGen) -> Not selected for removal.
c:\system volume information\_restore{56c962a6-4c54-4057-822c-d86cd7d0b01b}\RP4\A0002939.exe (Spyware.Passwords.XGen) -> Not selected for removal.
c:\system volume information\_restore{56c962a6-4c54-4057-822c-d86cd7d0b01b}\RP4\A0002940.exe (Spyware.Passwords.XGen) -> Not selected for removal.
c:\system volume information\_restore{56c962a6-4c54-4057-822c-d86cd7d0b01b}\RP4\A0002941.exe (Spyware.Passwords.XGen) -> Not selected for removal.
c:\system volume information\_restore{56c962a6-4c54-4057-822c-d86cd7d0b01b}\RP4\A0002942.exe (Spyware.Passwords.XGen) -> Not selected for removal.
c:\system volume information\_restore{56c962a6-4c54-4057-822c-d86cd7d0b01b}\RP4\A0002943.exe (Spyware.Passwords.XGen) -> Not selected for removal.
c:\system volume information\_restore{56c962a6-4c54-4057-822c-d86cd7d0b01b}\RP4\A0002944.exe (Spyware.Passwords.XGen) -> Not selected for removal.


#14 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Location:Numpty HQ

Posted 01 December 2010 - 03:01 PM

Good evening. :)

There are a couple of entries that point to folders that I'm interested in. Please download SystemLook by jpshortstuff from one of the links below and save it to your Desktop:

  • Linky #1
  • Linky #2

  • Double-click SystemLook.exe to run it.
  • Copy the contents of the following codebox into the main textfield:


    :dir
    c:\documents and settings\John\Application Data\Inygvo /s
    c:\documents and settings\John\Application Data\Yfvo /s
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan - the log can also be found on your Desktop entitled SystemLook.txt
  • Please post the contents of this log in your next reply.

So long, and thanks for all the fish.

#15 blackartz

  • Topic Starter
  • Members
  • 23 posts

Posted 01 December 2010 - 03:11 PM

Hi there. The following log looks encouraging?


SystemLook 04.09.10 by jpshortstuff
Log created at 20:08 on 01/12/2010 by John
Administrator - Elevation successful

========== dir ==========

c:\documents and settings\John\Application Data\Inygvo - Parameters: "/s"

---Files---
None found.

No folders found.

c:\documents and settings\John\Application Data\Yfvo - Parameters: "/s"

---Files---
None found.

No folders found.

-= EOF =-
