Infected with Antivirus 2010 + Ransomware


80 replies to this topic

#1 PostPerInfection

PostPerInfection

  • Members
  • 46 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 24 November 2010 - 10:43 PM

My dad installed Antivirus 2010 by entering a website somehow, and apparently, it installed automatically and came with ransomware. Currently, even by following this guide: http://www.bleepingcomputer.com/virus-removal/remove-antivirus-2010, it still will not work. The ransomware is smart; it allows a program to execute, until it starts scanning the registry or whatever, then it locks it up unless I use this in the cmd: cacls <full path to the program> /G Everyone:F. Even that, however, only unblocks it temporarily, and it re-blocks after the registry is scanned. It has successfully blocked: Superantispyware, Malwarebytes, Hitman Pro (even in force mode), Panda cloud antivirus, Spyware Terminator, Freefixer, Spybot S&D, Process Explorer (even renamed), System Restore, and blocks connection with WLMessenger. I have full access to CMD, Regedit, Task Manager, Firefox, and pretty much everything else that does not interfere with the registry. I also can download any sort of files.
I forcefully removed Antivirus 2010 through CCleaner, used Eset Smart Security and SuperAntiSpyware (partial scan) to remove a few files, and most likely all that is left is the ransomware and registry entries stuck inside my PC. Avira, when booting up normally, detects msiscsi.sys (from system32) as a threat, and even after clicking the "Remove" button, it keeps on alerting me that it is infected.
Please help!
NOTE: I have a GMER log, however, it crashed on me after it told me to either continue or stop my scan, so the GMER log stopped at the rootkit itself.
NOTE: Antivirus 2010 is no longer in my PC (not visible at least)
NOTE: I can try to post a video if you wish (if I can)

DDS (Ver_10-11-10.01) - NTFSx86 NETWORK
Run by MatthewTo at 22:17:19.71 on 24/11/2010
Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3069.2029 [GMT -5:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Spyware Terminator *enabled* (Outdated) {55EE49A8-16BE-4601-BBE6-607B7F7317DE}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 5\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Users\MatthewTo\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uSearch Bar =
mSearch Page =
mStart Page = hxxp://www.google.ca/
mDefault_Page_URL =
uInternet Settings,ProxyOverride = <local>;*.local
uCustomizeSearch =
uSearchAssistant =
mCustomizeSearch =
mSearchAssistant =
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableStartupSound = 1 (0x1)
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - {44E212AB-13EA-4CA4-BE65-197FBA170412}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {BC3F6B6D-2E49-4603-B028-7411655713F3} - {0CC2F28D-D415-4FC6-A2E4-54B4D983609A}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210203009674
DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} - hxxp://support.f-secure.com/ols3beta/fscax.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228168326985
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://gameadvisor.futuremark.com/global/msc3121.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} - hxxp://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: igfxcui - igfxdev.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
STS: RcabuensDpv: {a5e5e0ba-a7c9-4f44-b4db-4bc3ec959222} - RcabuensDpv.Rcabuens
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\matthe~1\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT622910&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Swagbucks.com
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://ca.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.type - 1
FF - component: c:\users\matthewto\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\users\matthewto\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\optout@dubfire.net\lib\winnt\ff3\AbineComponent.dll
FF - component: c:\users\matthewto\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\twitternotifier@naan.net\platform\winnt\components\nsTwitterFoxSign.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\npmmaud.dll
FF - plugin: c:\program files\opera\program\plugins\npmmprog.dll
FF - plugin: c:\program files\opera\program\plugins\npmmvid.dll
FF - plugin: c:\program files\opera\program\plugins\npmmzip.dll
FF - plugin: c:\program files\opera\program\plugins\npmusicn.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-5-29 5504]
R3 jumi;%Jumi%;c:\windows\system32\drivers\jumi.sys [2009-7-23 6528]
R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2008-10-4 12032]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2009-6-29 28672]
R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2009-10-3 16896]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2009-9-27 206608]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-9-1 28544]
S1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-6-17 126024]
S1 SASDIFSV;SASDIFSV;c:\users\matthe~1\appdata\local\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\users\matthe~1\appdata\local\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-6-16 142592]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\cyberlink\powerdvd8\000.fcl [2008-2-1 41456]
S2 0037101223741590mcinstcleanup;McAfee Application Installer Cleanup (0037101223741590); [x]
S2 0321561227141915mcinstcleanup;McAfee Application Installer Cleanup (0321561227141915); [x]
S2 a2free;a-squared Free Service; [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-8-25 176128]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-9-26 135336]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-9-26 267944]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-26 61960]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
S2 edsvc;Edison Power Management Service;c:\program files\verdiem\edison\edsvc.exe [2008-10-24 75008]
S2 gupdate1c908457b79df40;Google Update Service (gupdate1c908457b79df40);c:\program files\google\update\GoogleUpdate.exe [2008-8-27 133104]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; [x]
S2 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-11-18 174552]
S2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-8-9 140608]
S2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
S2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
S2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-5-27 141384]
S2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-7-21 99400]
S2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-4-30 111112]
S2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-7-21 112712]
S2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2009-9-27 582992]
S3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-8-25 6096384]
S3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-8-25 214016]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-10 21504]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2009-8-6 16968]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-3-17 16472]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-11-18 12648]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-2-3 115432]
S3 tap0801;Smarthide TAP driver;c:\windows\system32\drivers\tap0801.sys [2007-10-12 55808]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2009-9-27 206608]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2010-5-18 100368]
S3 vvftav302;vvftav302;c:\windows\system32\drivers\vvftav302.sys [2007-3-18 475136]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 IconixService;Iconix Update Service;c:\program files\common files\email id\IconixService.exe [2008-10-5 254224]
S4 JQDMPNE;JQDMPNE; [x]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 T;T; [x]

=============== Created Last 30 ================

2010-11-25 05:50:57 -------- d-sh--w- C:\found.001
2010-11-22 22:03:57 -------- d-----w- c:\program files\ESET
2010-11-22 21:28:27 -------- d-----w- c:\users\matthe~1\appdata\roaming\FreeFixer
2010-11-22 21:28:27 -------- d-----w- c:\users\matthe~1\appdata\local\FreeFixer
2010-11-22 21:28:24 -------- d-----w- c:\program files\FreeFixer
2010-11-22 20:56:52 -------- d-----w- c:\users\matthe~1\appdata\roaming\SUPERAntiSpyware.com
2010-11-17 20:32:38 -------- d-----w- c:\program files\iPod
2010-11-17 05:01:56 -------- d-----w- c:\program files\TuneUpMedia
2010-11-17 05:01:38 -------- d-----w- c:\users\matthe~1\appdata\roaming\TuneUpMedia
2010-11-17 05:01:31 -------- d-----w- c:\progra~2\TuneUpMedia
2010-11-16 00:39:45 -------- d-----w- c:\users\matthe~1\appdata\roaming\FrostWire
2010-11-16 00:30:25 -------- d-----w- c:\program files\FrostWire
2010-10-31 18:20:53 -------- d-----w- c:\program files\ipsXP
2010-10-30 00:40:28 -------- d-----w- c:\progra~2\Panda Security

==================== Find3M ====================

2010-09-28 20:44:52 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 22:19:32.84 ===============
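The log above contains the two entries a malware responder would pick out first: a `svchost.exe` whose image is reached through a `\\.\globalroot\Device\...` path rather than `C:\Windows\system32`, and a Firefox profile whose `network.proxy.type` is 1 with `network.proxy.http` set to `localhost`, which routes browser traffic through something running on the machine itself. The script below is an added example, not part of the thread or of the DDS tool; it parses a few DDS-style lines (a constructed sample modelled on the log above) and flags those patterns. The section names and line formats are assumed from the DDS output shown on this page, and the `CORE_BINARIES` list is the example's own choice.

```python
"""Triage helper for DDS-style logs (added example, not the thread's own code).

Reads the "Running Processes" and "FIREFOX" sections of a DDS log and flags
entries worth a responder's attention: images loaded through a
\\.\globalroot\Device path (a file hidden behind a device object), core
Windows binaries running outside the Windows directory, and a Firefox
profile whose manual HTTP proxy points at the local machine.
"""
import re

# Constructed sample modelled on the DDS output in this thread. The
# globalroot svchost line and the two proxy prefs are the expected findings.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Explorer.EXE
C:\Users\MatthewTo\Desktop\dds.scr

================= FIREFOX ===================

FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
"""

# Binaries that should only ever run from under the Windows directory
# (assumed list for this example, not a DDS convention).
CORE_BINARIES = {"svchost.exe", "wininit.exe", "lsm.exe", "explorer.exe",
                 "winlogon.exe", "csrss.exe", "services.exe", "lsass.exe"}

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# Image path, optionally quoted, followed by arguments or end of line.
PATH_RE = re.compile(r'^"?(.+?\.(?:exe|scr|com))"?(?:\s|$)', re.IGNORECASE)
PREF_RE = re.compile(r"FF - prefs\.js: (\S+) - (.*)")


def split_sections(text):
    """Map each '=== NAME ===' heading (upper-cased) to the non-empty lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1).upper()
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line.strip())
    return sections


def image_path(line):
    """Strip surrounding quotes and command-line arguments from a process line."""
    m = PATH_RE.match(line)
    return m.group(1) if m else line


def flag_process(line):
    """Return a reason string if the process line looks suspicious, else None."""
    path = image_path(line).lower()
    name = path.rsplit("\\", 1)[-1]
    if path.startswith(r"\\.\globalroot\device"):
        return "image loaded via \\\\.\\globalroot\\Device path (hidden file, rootkit pattern)"
    if name in CORE_BINARIES and not path.startswith("c:\\windows\\"):
        return "core Windows binary running outside the Windows directory"
    return None


def flag_firefox_prefs(lines):
    """Flag a manual proxy (type 1) that sends browser traffic to the local host."""
    prefs = {}
    for line in lines:
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    findings = []
    proxy_host = prefs.get("network.proxy.http", "").lower()
    if prefs.get("network.proxy.type") == "1" and proxy_host in ("localhost", "127.0.0.1"):
        findings.append("manual HTTP proxy pointed at the local machine (browser traffic interception pattern)")
    return findings


def triage(text):
    """Return a list of (entry, reason) pairs for everything worth a closer look."""
    sections = split_sections(text)
    findings = []
    for line in sections.get("RUNNING PROCESSES", []):
        reason = flag_process(line)
        if reason:
            findings.append((line, reason))
    for reason in flag_firefox_prefs(sections.get("FIREFOX", [])):
        findings.append(("prefs.js", reason))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{entry}\n    -> {reason}")
```

Run against the sample it reports exactly the two findings discussed above; pointing `triage()` at a full DDS log pasted into a file is a quick first pass before reading the rest by hand, and a clean result only means these particular patterns are absent, not that the machine is clean.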


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:49 PM

Posted 02 December 2010 - 02:45 AM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Regards,
Georgi :hello:



#3 PostPerInfection

PostPerInfection
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 02 December 2010 - 04:44 PM

Does this require the Attach file as well? I'll include it.

I apologize for not being able to disable IAT/EAT with Gmer since it automatically starts up a scan. Along with that, if I go beyond the point where it says "rootkit has been detected," the program crashes.


DDS (Ver_10-11-27.01) - NTFSx86
Run by MatthewTo at 16:30:30.97 on 02/12/2010
Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3069.1122 [GMT -5:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Spyware Terminator *enabled* (Outdated) {55EE49A8-16BE-4601-BBE6-607B7F7317DE}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_98f8d2d0\STacSV.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Verdiem\Edison\edsvc.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Steam\Steam.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 5\firefox.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 5\plugin-container.exe
C:\Windows\system32\conime.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Users\MatthewTo\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uSearch Bar =
mSearch Page =
mStart Page = hxxp://www.google.ca/
mDefault_Page_URL =
uInternet Settings,ProxyOverride = <local>;*.local
uCustomizeSearch =
uSearchAssistant =
mCustomizeSearch =
mSearchAssistant =
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableStartupSound = 1 (0x1)
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - {44E212AB-13EA-4CA4-BE65-197FBA170412}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {BC3F6B6D-2E49-4603-B028-7411655713F3} - {0CC2F28D-D415-4FC6-A2E4-54B4D983609A}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210203009674
DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} - hxxp://support.f-secure.com/ols3beta/fscax.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228168326985
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://gameadvisor.futuremark.com/global/msc3121.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} - hxxp://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: igfxcui - igfxdev.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
STS: RcabuensDpv: {a5e5e0ba-a7c9-4f44-b4db-4bc3ec959222} - RcabuensDpv.Rcabuens
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\matthe~1\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT622910&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Swagbucks.com
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://ca.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.type - 1
FF - component: c:\users\matthewto\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\users\matthewto\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\optout@dubfire.net\lib\winnt\ff3\AbineComponent.dll
FF - component: c:\users\matthewto\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\twitternotifier@naan.net\platform\winnt\components\nsTwitterFoxSign.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\npmmaud.dll
FF - plugin: c:\program files\opera\program\plugins\npmmprog.dll
FF - plugin: c:\program files\opera\program\plugins\npmmvid.dll
FF - plugin: c:\program files\opera\program\plugins\npmmzip.dll
FF - plugin: c:\program files\opera\program\plugins\npmusicn.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - Extension: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - c:\users\matthe~1\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Extension: Element Hiding Helper for Adblock Plus: elemhidehelper@adblockplus.org - c:\users\matthe~1\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\elemhidehelper@adblockplus.org
FF - Extension: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - c:\users\matthe~1\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\users\matthe~1\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Extension: URL Fixer: {0fa2149e-bb2c-4ac2-a8d3-479599819475} - c:\users\matthe~1\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\{0fa2149e-bb2c-4ac2-a8d3-479599819475}
FF - Extension: Stop-or-Reload Button: {61D0D7AF-4FF6-476a-B68F-6531F613A6D8} - c:\users\matthe~1\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\{61D0D7AF-4FF6-476a-B68F-6531F613A6D8}
FF - Extension: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - c:\users\matthe~1\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Extension: All-in-One Sidebar: {097d3191-e6fa-4728-9826-b533d755359d} - c:\users\matthe~1\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}
FF - Extension: Extended Statusbar: {daf44bf7-a45e-4450-979c-91cf07434c3d} - c:\users\matthe~1\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\{daf44bf7-a45e-4450-979c-91cf07434c3d}
FF - Extension: Echofon: twitternotifier@naan.net - c:\users\matthe~1\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\twitternotifier@naan.net
FF - Extension: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - c:\users\matthe~1\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Extension: Locationbar²: locationbar2@design-noir.de - c:\users\matthe~1\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\locationbar2@design-noir.de
FF - Extension: Chromifox Basic: chromifox@altmusictv.com - c:\users\matthe~1\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\chromifox@altmusictv.com
FF - Extension: Tab Counter: tabcounter@morac - c:\users\matthe~1\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\tabcounter@morac
FF - Extension: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - c:\users\matthe~1\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Extension: XP on Vista: {07b2a769-ed19-4483-87ce-c643914caed1} - c:\users\matthe~1\appdata\roaming\mozilla\firefox\profiles\8iq6bra5.default\extensions\{07b2a769-ed19-4483-87ce-c643914caed1}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox 4.0 beta 5\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-9-1 28544]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-6-17 126024]
R1 SASDIFSV;SASDIFSV;c:\users\matthe~1\appdata\local\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\users\matthe~1\appdata\local\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-6-16 142592]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\cyberlink\powerdvd8\000.fcl [2008-2-1 41456]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-8-25 176128]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-9-26 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-9-26 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-26 61960]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
R2 edsvc;Edison Power Management Service;c:\program files\verdiem\edison\edsvc.exe [2008-10-24 75008]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
R2 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-11-18 174552]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-5-27 141384]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-7-21 99400]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-4-30 111112]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-7-21 112712]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2009-9-27 582992]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-8-25 6096384]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-8-25 214016]
R3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-10 21504]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-5-29 5504]
R3 jumi;%Jumi%;c:\windows\system32\drivers\jumi.sys [2009-7-23 6528]
R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2008-10-4 12032]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2009-6-29 28672]
R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2009-10-3 16896]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-2-3 115432]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2009-9-27 206608]
S2 0037101223741590mcinstcleanup;McAfee Application Installer Cleanup (0037101223741590); [x]
S2 0321561227141915mcinstcleanup;McAfee Application Installer Cleanup (0321561227141915); [x]
S2 a2free;a-squared Free Service; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c908457b79df40;Google Update Service (gupdate1c908457b79df40);c:\program files\google\update\GoogleUpdate.exe [2008-8-27 133104]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; [x]
S2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-8-9 140608]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2009-8-6 16968]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-3-17 16472]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-11-18 12648]
S3 tap0801;Smarthide TAP driver;c:\windows\system32\drivers\tap0801.sys [2007-10-12 55808]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2009-9-27 206608]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2010-5-18 100368]
S3 vvftav302;vvftav302;c:\windows\system32\drivers\vvftav302.sys [2007-3-18 475136]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 IconixService;Iconix Update Service;c:\program files\common files\email id\IconixService.exe [2008-10-5 254224]
S4 JQDMPNE;JQDMPNE; [x]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 T;T; [x]

=============== Created Last 30 ================

2010-11-25 05:50:57 -------- d-sh--w- C:\found.001
2010-11-22 22:03:57 -------- d-----w- c:\program files\ESET
2010-11-22 21:28:27 -------- d-----w- c:\users\matthe~1\appdata\roaming\FreeFixer
2010-11-22 21:28:27 -------- d-----w- c:\users\matthe~1\appdata\local\FreeFixer
2010-11-22 21:28:24 -------- d-----w- c:\program files\FreeFixer
2010-11-22 20:56:52 -------- d-----w- c:\users\matthe~1\appdata\roaming\SUPERAntiSpyware.com
2010-11-17 20:32:38 -------- d-----w- c:\program files\iPod
2010-11-17 05:01:56 -------- d-----w- c:\program files\TuneUpMedia
2010-11-17 05:01:38 -------- d-----w- c:\users\matthe~1\appdata\roaming\TuneUpMedia
2010-11-17 05:01:31 -------- d-----w- c:\progra~2\TuneUpMedia
2010-11-16 00:39:45 -------- d-----w- c:\users\matthe~1\appdata\roaming\FrostWire
2010-11-16 00:30:25 -------- d-----w- c:\program files\FrostWire

==================== Find3M ====================

2010-09-28 20:44:52 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 16:32:46.48 ===============

Attached Files
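As an added example that is not part of this thread and not code from DDS or any tool named in it, the Python script below automates the checks a log reader performs on the SERVICES / DRIVERS and FIREFOX sections above: kernel drivers running from a user temp directory (the two SUPERAntiSpyware drivers under sas_selfextract), services still registered although their file is gone (the "[x]" entries), random-looking driver names that carry no descriptive display name, and the Firefox manual proxy pointed at localhost (which a product such as Hotspot Shield, listed in the log, may legitimately own). The sample log inside the script is constructed: most lines are copied from the log above, but the vbma92a1 line is invented for the demonstration, since the real log never showed that driver. The name-randomness heuristic is my own; it is meant to prioritise what a human reviews, not to decide on its own.

```python
"""Triage the DDS 'SERVICES / DRIVERS' and 'FIREFOX' sections of a log.

What a malware-response reader looks for in those sections, automated:
  * kernel drivers (R0..R3) whose image lives in a user temp directory
  * services still registered although the image file is gone ("[x]")
  * random-looking driver names that carry no descriptive display name
  * a Firefox manual proxy (network.proxy.type 1) pointed at localhost
"""
import re
from dataclasses import dataclass

# Service line:         R1 name;display name;c:\path\file.sys [2010-2-17 12872]
# Missing-file variant: S4 JQDMPNE;JQDMPNE; [x]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*?)\s*\[(?P<meta>[^\]]*)\]$"
)
# Firefox pref line:    FF - prefs.js: network.proxy.type - 1
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<value>.*)$")

TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
LOCAL_HOSTS = {"localhost", "127.0.0.1"}

# Constructed sample in DDS format. All lines but one are modelled on the log
# posted in this thread; the vbma92a1 line is invented for the demonstration,
# because the real log never listed that driver (the rootkit hid it from DDS).
SAMPLE_LOG = r"""
R1 SASDIFSV;SASDIFSV;c:\users\matthe~1\appdata\local\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-26 61960]
S2 a2free;a-squared Free Service; [x]
S4 JQDMPNE;JQDMPNE; [x]
S3 NETw2v32;Intel PRO/Wireless 2200BG Network Connection Driver;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 vbma92a1;vbma92a1;c:\windows\system32\drivers\vbma92a1.sys [2010-11-20 61440]
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.type - 1
"""


@dataclass(frozen=True)
class Finding:
    name: str    # service name or pref key
    reason: str  # why a human should look at it


def letter_digit_runs(name: str) -> int:
    """Count letter<->digit transitions: 'vbma92a1' -> 3, 'tap0801' -> 1, 'avgntflt' -> 0."""
    kinds = ["d" if c.isdigit() else "a" for c in name if c.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)


def looks_random(name: str, display: str) -> bool:
    """Heuristic for generated driver names (assumption, not a rule from the thread).

    Requires a short name with several letter/digit runs AND a display name that
    merely repeats the service name. Legitimate drivers with digits in their name
    (NETw2v32, tap0801) normally carry a descriptive display name, so they pass.
    """
    return (6 <= len(name) <= 12
            and letter_digit_runs(name) >= 3
            and display.strip().lower() == name.lower())


def triage_dds(text: str) -> list[Finding]:
    """Return review items for one DDS log (services/drivers + Firefox prefs)."""
    findings: list[Finding] = []
    prefs: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            start, name, display = m["start"], m["name"], m["display"]
            path, meta = m["path"], m["meta"]
            low = path.lower()
            if meta == "x":
                findings.append(Finding(name, "registered service whose image file is missing ([x]); "
                                              "stale or already-removed component, remove the registration"))
            if any(t in low for t in TEMP_MARKERS):
                findings.append(Finding(name, f"{start} driver loaded from a temp directory: {path}"))
            if low.endswith(".sys") and looks_random(name, display):
                findings.append(Finding(name, "random-looking driver name with no display name; "
                                              "check the file's signature and hash before trusting it"))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            prefs[m["key"]] = m["value"].strip()
    # type 1 = manual proxy. Pointing it at localhost sends every browser request
    # through a local process; fine if a known product (a VPN client, a sandbox)
    # owns that port, otherwise it is how browser traffic gets intercepted.
    host = prefs.get("network.proxy.http", "").lower()
    if prefs.get("network.proxy.type") == "1" and host in LOCAL_HOSTS:
        findings.append(Finding("network.proxy.http",
                                f"Firefox manual proxy set to {host}; identify the listening process"))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_LOG):
        print(f"{f.name:<20} {f.reason}")
```

Run it against a saved DDS log by passing the file's text to triage_dds(). The temp-directory rule will flag on-demand scanners that unpack their drivers to %TEMP% (as SUPERAntiSpyware did here), so every finding is a prompt to verify the file, not a verdict.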



#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:49 PM

Posted 03 December 2010 - 02:56 AM

Hi PostPerInfection,
I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.


Regards,
Georgi



#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:49 PM

Posted 03 December 2010 - 05:51 PM

Hello PostPerInfection! Welcome to BleepingComputer Forums!

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.



IMPORTANT NOTE: One or more of the identified infections is related to the rootkit Agent component. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:



Please download ComboFix from one of these locations:

Link 1
Link 2

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.



Regards,
Georgi



#6 PostPerInfection

PostPerInfection
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 03 December 2010 - 08:59 PM

I thought it may come to reformatting. Is it possible for a rootkit/virus to still be inside my PC once I reformat? And do I need to go into Safe Mode with Networking to use ComboFix, because it's not working after I execute it and the bar pops up? Fortunately for it though, the rootkit did not crash it.

Just in case I do reformat, will OEMs like http://www.tigerdirect.ca/applications/SearchTools/item-details.asp?EdpNo=5213934&CatId=4622 be able to be used more than once? And if I were to reformat from that Windows 7, will I have to buy another Windows copy?

P.S. Also, I feel as if C:\WINDOWS\System32\drivers\vbma92a1.sys is the rootkit service file. Is there a safe way to remove it?

Edited by PostPerInfection, 03 December 2010 - 10:18 PM.


#7 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:49 PM

Posted 04 December 2010 - 11:12 AM

Hi PostPerInfection,

ComboFix didn't run successfully because the rootkit is still active and it is preventing ComboFix from running.

Let's see if this will work out:



Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.



  • If an infected file is detected, the default action will be Cure, click on Continue.



  • If a service named vbma92a1.sys is detected, change the default action to Delete at the top, then click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • Select Skip for sptd.sys.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



After reboot please do this:

Please delete your copy of Combofix on your desktop and download a fresh version from the link in the post earlier in this thread.

Then run Combofix and post the log from it in your next reply.



Regards,
Georgi



#8 PostPerInfection

PostPerInfection
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 04 December 2010 - 03:56 PM

Ah... I selected delete for vbma92a1.sys and left sptd alone. It didn't say it was malicious, but it was suspicious, which is good as it was detected. I'm doing it as I post this comment. I'll reply after I reboot and I get the logs in.

#9 PostPerInfection

PostPerInfection
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 04 December 2010 - 04:12 PM

I was able to get a log, but after a restart and an attempted login to my PC account, my PC crashed, so currently I am in Safe Mode with Networking. I have only attempted to log in once, so I'm not sure if I can log in again or not. Here is the log BTW:

2010/12/04 15:52:29.0253 TDSS rootkit removing tool 2.4.10.1 Dec 2 2010 12:28:01
2010/12/04 15:52:29.0253 ================================================================================
2010/12/04 15:52:29.0253 SystemInfo:
2010/12/04 15:52:29.0253
2010/12/04 15:52:29.0253 OS Version: 6.0.6002 ServicePack: 2.0
2010/12/04 15:52:29.0253 Product type: Workstation
2010/12/04 15:52:29.0253 ComputerName: LARCASTLE-16-PC
2010/12/04 15:52:29.0253 UserName: MatthewTo
2010/12/04 15:52:29.0253 Windows directory: C:\Windows
2010/12/04 15:52:29.0253 System windows directory: C:\Windows
2010/12/04 15:52:29.0253 Processor architecture: Intel x86
2010/12/04 15:52:29.0253 Number of processors: 2
2010/12/04 15:52:29.0253 Page size: 0x1000
2010/12/04 15:52:29.0253 Boot type: Normal boot
2010/12/04 15:52:29.0253 ================================================================================
2010/12/04 15:52:38.0142 Initialize success
2010/12/04 15:52:46.0598 ================================================================================
2010/12/04 15:52:46.0598 Scan started
2010/12/04 15:52:46.0598 Mode: Manual;
2010/12/04 15:52:46.0598 ================================================================================
2010/12/04 15:52:48.0583 ac97intc (4b56caafed0b0b996341d74ce0e76565) C:\Windows\system32\drivers\ac97intc.sys
2010/12/04 15:52:48.0651 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2010/12/04 15:52:48.0762 adfs (73685e15ef8b0bd9c30f1af413f13d49) C:\Windows\system32\drivers\adfs.sys
2010/12/04 15:52:48.0812 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
2010/12/04 15:52:48.0862 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
2010/12/04 15:52:48.0905 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
2010/12/04 15:52:48.0971 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
2010/12/04 15:52:49.0073 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2010/12/04 15:52:49.0178 AgereSoftModem (7560f465f1ce69c53bf17559ee195548) C:\Windows\system32\DRIVERS\AGRSM.sys
2010/12/04 15:52:49.0266 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
2010/12/04 15:52:49.0304 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2010/12/04 15:52:49.0356 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
2010/12/04 15:52:49.0428 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
2010/12/04 15:52:49.0487 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
2010/12/04 15:52:49.0542 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
2010/12/04 15:52:49.0612 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
2010/12/04 15:52:49.0795 amdkmdag (8e6bf8e8b78ba958b30b0c0e83c86c87) C:\Windows\system32\DRIVERS\atikmdag.sys
2010/12/04 15:52:49.0962 amdkmdap (31de9b1ceaa9e25b141232f7f1443239) C:\Windows\system32\DRIVERS\atikmpag.sys
2010/12/04 15:52:50.0039 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
2010/12/04 15:52:50.0094 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
2010/12/04 15:52:50.0178 Aspi32 (b979979ab8027f7f53fb16ec4229b7db) C:\Windows\system32\drivers\Aspi32.sys
2010/12/04 15:52:50.0216 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/12/04 15:52:50.0267 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2010/12/04 15:52:50.0330 AtiHdmiService (4995e9945ac009112b0a87dae0cb51d4) C:\Windows\system32\drivers\AtiHdmi.sys
2010/12/04 15:52:50.0415 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\Windows\system32\DRIVERS\avgntflt.sys
2010/12/04 15:52:50.0450 avipbb (f8c56231ed5ecf7d1b46b0330880ccef) C:\Windows\system32\DRIVERS\avipbb.sys
2010/12/04 15:52:50.0506 bcm4sbxp (08015d34f6fdd0b355805bad978497c3) C:\Windows\system32\DRIVERS\bcm4sbxp.sys
2010/12/04 15:52:50.0558 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2010/12/04 15:52:50.0665 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2010/12/04 15:52:50.0717 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2010/12/04 15:52:50.0743 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2010/12/04 15:52:50.0779 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2010/12/04 15:52:50.0812 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2010/12/04 15:52:50.0864 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2010/12/04 15:52:50.0902 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2010/12/04 15:52:50.0927 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2010/12/04 15:52:50.0991 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2010/12/04 15:52:51.0067 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2010/12/04 15:52:51.0122 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
2010/12/04 15:52:51.0175 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2010/12/04 15:52:51.0237 CmBatt (0fed59edb4a83ff17f1778827b88ab1a) C:\Windows\system32\DRIVERS\CmBatt.sys
2010/12/04 15:52:51.0280 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
2010/12/04 15:52:51.0335 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2010/12/04 15:52:51.0502 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
2010/12/04 15:52:51.0573 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
2010/12/04 15:52:51.0665 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2010/12/04 15:52:51.0712 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2010/12/04 15:52:51.0760 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2010/12/04 15:52:51.0835 DXGKrnl (5c7e2097b91d689ded7a6ff90f0f3a25) C:\Windows\System32\drivers\dxgkrnl.sys
2010/12/04 15:52:51.0926 E100B (ac9cf17ee2ae003c98eb4f5336c38058) C:\Windows\system32\DRIVERS\e100b325.sys
2010/12/04 15:52:52.0010 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2010/12/04 15:52:52.0115 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2010/12/04 15:52:52.0179 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2010/12/04 15:52:52.0235 ENTECH (16ebd8bf1d5090923694cc972c7ce1b4) C:\Windows\system32\DRIVERS\ENTECH.sys
2010/12/04 15:52:52.0313 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2010/12/04 15:52:52.0492 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2010/12/04 15:52:52.0565 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
2010/12/04 15:52:52.0642 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2010/12/04 15:52:52.0684 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2010/12/04 15:52:52.0735 FlexBios (83d52312ff3608917bdee924753a0ca1) C:\Windows\System32\Drivers\FlexBios.sys
2010/12/04 15:52:52.0780 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/12/04 15:52:52.0834 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2010/12/04 15:52:52.0905 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2010/12/04 15:52:52.0966 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2010/12/04 15:52:53.0040 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\Drivers\GEARAspiWDM.sys
2010/12/04 15:52:53.0101 hamachi (833051c6c6c42117191935f734cfbd97) C:\Windows\system32\DRIVERS\hamachi.sys
2010/12/04 15:52:53.0163 HdAudAddService (3f90e001369a07243763bd5a523d8722) C:\Windows\system32\drivers\HdAudio.sys
2010/12/04 15:52:53.0239 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/12/04 15:52:53.0291 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2010/12/04 15:52:53.0326 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2010/12/04 15:52:53.0411 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2010/12/04 15:52:53.0482 hitmanpro35 (30b90793a568281bef70fa57dde305a2) C:\Windows\system32\drivers\hitmanpro35.sys
2010/12/04 15:52:53.0546 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2010/12/04 15:52:53.0626 HssDrv (ed05784548ced1ccc746204ce3448a45) C:\Windows\system32\DRIVERS\HssDrv.sys
2010/12/04 15:52:54.0622 iScsiPrt (014cf9e5c73f5651a002a8826c299c0f) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/12/04 15:53:03.0893 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\system32\Drivers\sptd.sys
2010/12/04 15:53:03.0893 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2010/12/04 15:53:03.0901 sptd - detected Locked file (1)
2010/12/04 15:53:08.0799 Suspicious service (NoAccess): vbma92a1
2010/12/04 15:53:08.0849 vbma92a1 (ddee22db950665328cd67e1b8797866a) C:\Windows\system32\drivers\vbma92a1.sys
2010/12/04 15:53:08.0849 Suspicious file (NoAccess): C:\Windows\system32\drivers\vbma92a1.sys. md5: ddee22db950665328cd67e1b8797866a
2010/12/04 15:53:08.0859 vbma92a1 - detected Locked service (1)
2010/12/04 15:53:10.0770 ================================================================================
2010/12/04 15:53:10.0770 Scan finished
2010/12/04 15:53:10.0770 ================================================================================
2010/12/04 15:53:10.0785 Detected object count: 2
2010/12/04 15:56:59.0186 Locked file(sptd) - User select action: Skip
2010/12/04 15:56:59.0197 HKLM\SYSTEM\ControlSet001\services\vbma92a1 - will be deleted after reboot
2010/12/04 15:56:59.0317 HKLM\SYSTEM\ControlSet004\services\vbma92a1 - will be deleted after reboot
2010/12/04 15:56:59.0340 C:\Windows\system32\drivers\vbma92a1.sys - will be deleted after reboot
2010/12/04 15:56:59.0340 Locked service(vbma92a1) - User select action: Delete
2010/12/04 15:57:11.0003 Deinitialize success

I will submit a ComboFix log if I can.

#10 PostPerInfection

  • Topic Starter


Posted 04 December 2010 - 04:21 PM

Unfortunately once more, ComboFix failed again. I redid another TDSSKiller scan, and I found out it is back along with this other service file. I will attach it. Should I delete them both?

Posted Image

P.S. And one more thing, I think you should see this:

Avira AntiVir Personal logs on 2/12/2010.

Virus or unwanted program 'TR/Rootkit.Gen [trojan]'
detected in file 'C:\WINDOWS\System32\drivers\msiscsi.sys'.
Action performed: Deny access

Virus or unwanted program 'TR/Rootkit.Gen [trojan]'
detected in file 'C:\WINDOWS\System32\drivers\HssDrv.sys'.
Action performed: Deny access

Edited by PostPerInfection, 04 December 2010 - 04:34 PM.
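The TDSSKiller log above flags two entries, sptd (a locked file the user chose to skip) and vbma92a1 (a locked service queued for deletion), and the re-scan described here finds the service back. As an added example, not part of this thread and not a BleepingComputer or Kaspersky tool, the Python script below parses that log format, pulls out each flagged entry with the action chosen for it, and compares two scans to show which queued deletion did not stick. SCAN_1 is copied from the posted log; SCAN_2 is constructed (invented timestamps) to mirror the re-scan.

```python
"""Triage TDSSKiller scan logs: which drivers were flagged, what the user chose to do
about each, and which flagged entries come back in a follow-up scan.
Added example for this thread, not a BleepingComputer or Kaspersky tool. SCAN_1 is
copied from the log posted above; SCAN_2 is constructed (invented timestamps)."""
import re
from dataclasses import dataclass, field

# "<date> <time> name (md5) path" for every driver TDSSKiller enumerates
DRIVER_RE = re.compile(r"^\S+ \S+ (?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "... Suspicious file (NoAccess): <path>. md5: <md5>" or "... Suspicious service (NoAccess): <name>"
SUSPICIOUS_RE = re.compile(r"^\S+ \S+ Suspicious (?P<kind>file|service) \((?P<reason>\w+)\): "
                           r"(?P<target>.+?)(?:\. md5: [0-9a-f]{32})?$")
# "... Locked service(<name>) - User select action: Delete"
ACTION_RE = re.compile(r"^\S+ \S+ Locked (?:file|service)\((?P<name>\w+)\) - User select action: (?P<action>\w+)$")
PENDING_RE = re.compile(r"^\S+ \S+ (?P<target>.+) - will be deleted after reboot$")
COUNT_RE = re.compile(r"^\S+ \S+ Detected object count: (?P<n>\d+)$")

@dataclass
class Finding:
    name: str             # service name as TDSSKiller reports it (lower-cased)
    kind: str             # "file" or "service": how the entry was first flagged
    reason: str           # e.g. NoAccess: the scanner was refused access to it
    path: str = ""        # on-disk driver path once known
    action: str = "none"  # Skip / Delete / none (no choice recorded)

@dataclass
class ScanResult:
    drivers: dict = field(default_factory=dict)   # name -> (md5, path)
    findings: dict = field(default_factory=dict)  # name -> Finding
    pending: list = field(default_factory=list)   # files and registry keys queued for deletion
    detected_count: int = 0

def _service_name(target: str) -> str:
    """'C:\\...\\Drivers\\sptd.sys' or 'HKLM\\...\\services\\sptd' -> 'sptd'."""
    return target.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()

def parse_log(lines) -> ScanResult:
    """Single pass over the log; later lines enrich findings created by earlier ones."""
    r = ScanResult()
    for line in lines:
        line = line.rstrip()
        if m := DRIVER_RE.match(line):
            r.drivers[m["name"].lower()] = (m["md5"], m["path"])
        elif m := SUSPICIOUS_RE.match(line):
            name = _service_name(m["target"]) if m["kind"] == "file" else m["target"].lower()
            f = r.findings.setdefault(name, Finding(name, m["kind"], m["reason"]))
            if m["kind"] == "file":
                f.path = m["target"]
        elif m := ACTION_RE.match(line):
            if f := r.findings.get(m["name"].lower()):
                f.action = m["action"]
        elif m := PENDING_RE.match(line):
            r.pending.append(m["target"])
        elif m := COUNT_RE.match(line):
            r.detected_count = int(m["n"])
    for name, f in r.findings.items():  # service-only findings: take the path from the driver line
        if not f.path and name in r.drivers:
            f.path = r.drivers[name][1]
    return r

def unresolved(result: ScanResult) -> list:
    """Flagged entries not queued for deletion; they are still there after the reboot."""
    return sorted(n for n, f in result.findings.items() if f.action != "Delete")

def reappeared(previous: ScanResult, current: ScanResult) -> list:
    """Names the earlier scan queued for deletion that the later scan flags again: the
    deletion did not stick, so something is restoring the driver and its service key."""
    queued = {_service_name(p) for p in previous.pending}
    return sorted(n for n in current.findings if n in queued)

SCAN_1 = r"""
2010/12/04 15:53:03.0893 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\system32\Drivers\sptd.sys
2010/12/04 15:53:03.0893 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2010/12/04 15:53:08.0799 Suspicious service (NoAccess): vbma92a1
2010/12/04 15:53:08.0849 vbma92a1 (ddee22db950665328cd67e1b8797866a) C:\Windows\system32\drivers\vbma92a1.sys
2010/12/04 15:53:08.0849 Suspicious file (NoAccess): C:\Windows\system32\drivers\vbma92a1.sys. md5: ddee22db950665328cd67e1b8797866a
2010/12/04 15:53:10.0785 Detected object count: 2
2010/12/04 15:56:59.0186 Locked file(sptd) - User select action: Skip
2010/12/04 15:56:59.0197 HKLM\SYSTEM\ControlSet001\services\vbma92a1 - will be deleted after reboot
2010/12/04 15:56:59.0340 C:\Windows\system32\drivers\vbma92a1.sys - will be deleted after reboot
2010/12/04 15:56:59.0340 Locked service(vbma92a1) - User select action: Delete
""".strip().splitlines()
# Constructed follow-up scan: the same service is flagged again after the reboot.
SCAN_2 = r"""
2010/12/04 16:10:01.0001 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\system32\Drivers\sptd.sys
2010/12/04 16:10:01.0001 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2010/12/04 16:10:02.0002 Suspicious service (NoAccess): vbma92a1
2010/12/04 16:10:02.0002 vbma92a1 (ddee22db950665328cd67e1b8797866a) C:\Windows\system32\drivers\vbma92a1.sys
""".strip().splitlines()
```

Running `reappeared(parse_log(SCAN_1), parse_log(SCAN_2))` is the check that matters here: a name the first scan queued for deletion showing up again in the second means the on-disk driver and its service key were recreated, not that TDSSKiller failed to run.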


#11 B-boy/StyLe/

  • Malware Response Team

Posted 04 December 2010 - 11:04 PM

Hi PostPerInfection,


You have a new nasty variant of Rootkit Agent.

Please open the Device Manager.

Click Start => Run, type in the following text and click OK:

devmgmt.msc

The Device Manager window should now be open. In the menu at the top, click the View tab and click 'Show hidden devices'.

Scroll down to System Devices. Click the + sign to expand, and look for a device with [cmz vmkd] in the name. If it is there, right click the device and select 'disable'.


Please reboot the computer and try to boot in Normal Mode. If no joy, please boot back into Safe Mode and log into your usual account.

Now try to run ComboFix again and post the content of its log (C:\ComboFix.txt) in your next reply.




IMPORTANT NOTE:

If you do not see it listed there, can you take a screen shot of the expanded System Devices and post it for me?

Click here for more information about how to create it.



Regards,
Georgi



#12 PostPerInfection

  • Topic Starter


Posted 04 December 2010 - 11:18 PM

Wow, it's actually there... Rebooting now :)

Here is a post from MalwareBytes about what may be a variant of my malicious file.

Link: http://forums.malwarebytes.org/index.php?showtopic=68439&mode=threaded&pid=350492

Might this be of any help?

#13 PostPerInfection

  • Topic Starter


Posted 04 December 2010 - 11:33 PM

It's back on... Unfortunately.

I tried to follow the MalwareBytes steps from http://forums.malwarebytes.org/index.php?showtopic=68439&mode=threaded&pid=350492 and wasn't able to get to the C:\WINDOWS\assembly\GAC\ folder in any possible way. Like the victim in the forums, I think a possible solution for me is to get a Linux LiveCD, go into C:\WINDOWS\assembly\GAC\ and delete __AssemblyInfo__.ini. Do you think it is possible?

P.S. I can log back into my system.

P.P.S. Now I have no volume... :(

P.P.P.S. Sorry, no volume for Firefox.

Edited by PostPerInfection, 04 December 2010 - 11:47 PM.


#14 B-boy/StyLe/

  • Malware Response Team

Posted 05 December 2010 - 11:01 AM

Hi PostPerInfection,


Please DO NOT follow other instructions than mine! :nono:
I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.




Please delete your copy of Combofix on your desktop and download a fresh version from here.

During the download, rename Combofix to Combo-Fix as follows:

Posted Image

Posted Image

It is important you rename Combofix during the download, but not after.

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the "C:\Combo-Fix.txt" in your next reply.


Regards,
Georgi



#15 PostPerInfection

  • Topic Starter


Posted 05 December 2010 - 03:07 PM

Combo-Fix didn't work either. :( Is it normal to be unable to access C:\WINDOWS\assembly\GAC\? I didn't tamper with it, but it might make some sense if something were to be inside it.



