
Spyware Problem?


  • This topic is locked
37 replies to this topic

#1 raprap100

  • Members
  • 52 posts

Posted 06 February 2011 - 02:45 AM

Hello there!

I am 100% positive that this is caused by spyware. In the first place, I couldn't post a HJT log because I can't install HJT: a BSOD appears stating that the cause is the ntfs.sys file. Anyway, I tried to install HJT in safe mode, but to no avail. Other behaviors that I found are: first, I couldn't update my anti-virus software, Avira to be exact; second, whenever I use Firefox, it would not load, except if I use it in Safe Mode, which sometimes fails and I don't know why. Third, my homepage is clearly hijacked, redirecting me to some incorpriado.com something, couldn't remember.

I really want to install HJT but a BSOD prevents me from doing so, as I have mentioned above.

I hope you can enlighten and help me fix it.

Thank You.

[EDIT]
Found HJT, though, when I tried searching for it. Here is the HJT log that I can provide for the moment due to the BSOD conflict. I also managed to use DDS, but when I used Gmer, halfway through the scan my PC hangs. Any help?


DDS (Ver_10-12-12.02) - NTFSx86
Run by Trisha at 21:04:56.35 on Sun 02/06/2011
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.363 [GMT 8:00]

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\USB Disk Security\USBGuard.exe
C:\WINDOWS\Domino.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ranga.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\drivers\svajnager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Trisha\My Documents\Downloads\RO\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer
mDefault_Page_URL = hxxp://www.microsoft.com
mStart Page = hxxp://www.microsoft.com
mWindow Title = Microsoft Internet Explorer
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [USB Antivirus] c:\program files\usb disk security\USBGuard.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [Domino] c:\windows\Domino.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [VMSnap3] c:\windows\VMSnap3.EXE
mRun: [Service Noits] ranga.exe
dRun: [wuaucldt] c:\documents and settings\localservice\wuaucldt.exe
dRun: [DAT80.tmp.exe] "c:\windows\temp\DAT80.tmp.exe" /run
StartupFolder: c:\docume~1\trisha\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-explorer: RestrictRun = 0 (0x0)
mPolicies-explorer: NoStartMenuEjectPC = 0 (0x0)
mPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
mPolicies-explorer: NoSMMyPictures = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 0 (0x0)
mPolicies-explorer: NoInstrumentation = 0 (0x0)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
mPolicies-explorer: RestrictCpl = 0 (0x0)
mPolicies-explorer: NoThemesTab = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
mPolicies-system: NoDispAppearancePage = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mgemfdyf.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\trisha\applic~1\mozilla\firefox\profiles\4m5zwhwc.default\
FF - plugin: d:\program files\adobe\reader 8.0\reader\browser\nppdf32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: DAEMON Tools Toolbar: DTToolbar@toolbarnet.com - %profile%\extensions\DTToolbar@toolbarnet.com
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0

============= SERVICES / DRIVERS ===============

R0 DeepFrz;DeepFrz;c:\windows\system32\drivers\DeepFrz.sys [2006-11-28 127896]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-11 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-11 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-11 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-12 56816]
R2 svajnag;sv_ajnag;c:\windows\system32\drivers\svajnager.exe [2011-2-5 158960]
S0 hzozfdkojysgp;hzozfdkojysgp;c:\windows\system32\drivers\wdloopyppokfr.sys --> c:\windows\system32\drivers\wdloopyppokfr.sys [?]
S0 tuncwtqlailbrar;tuncwtqlailbrar;c:\windows\system32\drivers\ddeiic.sys --> c:\windows\system32\drivers\ddeiic.sys [?]
S2 GoogleUpdateBeta;Google Update Service;c:\documents and settings\localservice\local settings\application data\google\update\GoogleUpdateBeta.exe [2011-2-6 40960]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-11-8 1684736]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-3-9 38224]
S3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2009-1-19 428160]

=============== Created Last 30 ================

2011-02-06 07:55:04 -------- d-----w- c:\windows\system32\Lang
2011-02-05 11:39:49 158960 ----a-w- c:\windows\system32\drivers\svajnager.exe
2011-02-04 12:26:01 90112 ----a-w- c:\windows\apix.exe
2011-02-04 00:42:49 114688 --sh--r- c:\windows\ranga.exe
2011-02-03 08:37:46 54016 ----a-w- c:\windows\system32\drivers\btlkq.sys
2011-02-01 14:29:46 18298 ----a-w- c:\windows\system32\MAI81.tmp
2011-02-01 14:29:21 18298 ----a-w- c:\windows\system32\MAI7F.tmp
2011-02-01 07:41:47 0 ----a-w- c:\windows\system32\tmp.tmp
2011-01-27 22:53:49 -------- d-----w- c:\program files\Traffic Simulator Configuration Tool
2011-01-27 22:46:19 -------- d-----w- c:\docume~1\trisha\applic~1\Rovio
2011-01-25 10:11:09 2829 ----a-w- c:\windows\War3Unin.pif
2011-01-25 10:11:09 139264 ----a-w- c:\windows\War3Unin.exe

==================== Find3M ====================

2010-12-18 10:18:38 45056 ----a-w- c:\windows\NCUNINST.EXE
2010-12-18 10:15:50 1388544 ----a-w- c:\windows\system32\msvbvm60.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6N040T0 rev.NAN51680 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-e

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D2A5AF]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86d307b0]; MOV EAX, [0x86d3082c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\Harddisk0\DR0[0x86CA6AB8]
3 CLASSPNP[0xF757F05B] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\00000071[0x86DDE030]
5 ACPI[0xF730A620] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x86CA4D98]
\Driver\atapi[0x86D23D10] -> IRP_MJ_CREATE -> 0x86D2A5AF
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskMaxtor_6N040T0__________________________NAN51680#314e413035354750202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86D2A3F5
\Driver\atapi -> 0x86d671f8
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 21:06:25.51 ===============



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:09:05 PM, on 2/6/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\LocalService\Local Settings\Application Data\Google\Update\GoogleUpdateBeta.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\svajnager.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\USB Disk Security\USBGuard.exe
C:\WINDOWS\Domino.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\ranga.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [USB Antivirus] C:\Program Files\USB Disk Security\USBGuard.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [Service Noits] ranga.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [wuaucldt] c:\documents and settings\localservice\wuaucldt.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DAT80.tmp.exe] "C:\WINDOWS\TEMP\DAT80.tmp.exe" /run (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [wuaucldt] c:\documents and settings\localservice\wuaucldt.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (GoogleUpdateBeta) - Google Inc - C:\Documents and Settings\LocalService\Local Settings\Application Data\Google\Update\GoogleUpdateBeta.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: sv_ajnag (svajnag) - Unknown owner - C:\WINDOWS\system32\drivers\svajnager.exe

--
End of file - 4840 bytes


Edited by raprap100, 06 February 2011 - 09:20 AM.
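The pseudo-HJT and service lines in the DDS log above already contain the entries a helper looks at first. What follows is an added example, not part of the original post or of the DDS tool, that encodes those checks as a small triage script: bare or oddly located autorun images, services whose file is missing from disk or which run an .exe from the drivers directory, non-default SecurityProviders DLLs, and hosts-file entries pointing at 127.0.0.1. The sample lines are copied from the log in this thread (plus two clean Avira lines as controls); the severity labels, the XP default SecurityProviders set and the directory rules are this example's own assumptions.

```python
"""Triage heuristics for the DDS pseudo-HJT and service lines above (added example,
not part of the original post or of the DDS tool). Sample lines are copied from the
log in this thread plus two clean Avira lines as controls; the rules are assumptions."""
import re

# Windows XP default SecurityProviders; any extra DLL here is loaded into lsass at boot.
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
# Directories from which nothing should normally be auto-started.
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\documents and settings\\localservice\\",
                   "\\documents and settings\\networkservice\\")
RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^(?P<start>[RS][0-3]) (?P<name>[^;]+);(?P<disp>[^;]*);(?P<rest>.*)$")

SAMPLE_LINES = [  # constructed from the DDS output posted above
    r'mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min',
    r"mRun: [Service Noits] ranga.exe",
    r"dRun: [wuaucldt] c:\documents and settings\localservice\wuaucldt.exe",
    r'dRun: [DAT80.tmp.exe] "c:\windows\temp\DAT80.tmp.exe" /run',
    r"mRun: [Domino] c:\windows\Domino.EXE",
    r"SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mgemfdyf.dll",
    r"Hosts: 127.0.0.1 www.spywareinfo.com",
    r"R2 svajnag;sv_ajnag;c:\windows\system32\drivers\svajnager.exe [2011-2-5 158960]",
    r"S0 hzozfdkojysgp;hzozfdkojysgp;c:\windows\system32\drivers\wdloopyppokfr.sys --> "
    r"c:\windows\system32\drivers\wdloopyppokfr.sys [?]",
    r"R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-11 11608]",
]

def _image_path(cmd):
    """Extract the executable from a Run-key command line, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).lower()
    # Unquoted paths may contain spaces: take everything up to the first executable extension.
    m = re.match(r"(.*?\.(?:exe|com|scr|pif|bat))(?:\s|$)", cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd.split()[0]).lower()

def _check_run(name, cmd):
    image = _image_path(cmd)
    if image.startswith("rundll32"):
        return None  # the real target is the .cpl/.dll argument; vet that separately
    if "\\" not in image:
        return ("review", f"autorun [{name}] uses the bare image name '{image}'; the file that "
                          "actually runs is resolved through the search path, so locate and verify it")
    if any(d in image for d in SUSPICIOUS_DIRS):
        return ("high", f"autorun [{name}] runs from {image}; temp and service-account profile "
                        "directories are not normal autorun locations")
    if re.match(r"^[a-z]:\\windows\\[^\\]+\.exe$", image):
        # Legitimate OEM tools (the Domino/VMSnap3 camera software here) also live in the
        # Windows root, so this is a prompt to check publisher and hash, not a verdict.
        return ("review", f"autorun [{name}] runs {image} directly from the Windows root")
    return None

def _check_service(start, name, rest):
    m = re.match(r"^(.*?\.(?:sys|exe|dll))", rest, re.IGNORECASE)
    path = (m.group(1) if m else rest).lower()
    if "-->" in rest or rest.rstrip().endswith("[?]"):
        # DDS prints '--> path [?]' when the registered image cannot be found on disk.
        sev = "high" if start in ("R0", "S0") else "review"
        return (sev, f"{start} service '{name}' points at {path} but the file is not visible on "
                     "disk; a boot-start driver with a hidden or missing image calls for a rootkit scan")
    if path.endswith(".exe") and "\\drivers\\" in path:
        return ("high", f"{start} service '{name}' runs an .exe out of the drivers directory "
                        f"({path}); legitimate entries there are .sys files")
    return None

def _check_providers(value):
    extra = {p.strip().lower() for p in value.split(",")} - DEFAULT_SECURITY_PROVIDERS
    return ("high", "non-default SecurityProviders DLL(s): " + ", ".join(sorted(extra))) if extra else None

def _check_hosts(entry):
    ip, _, host = entry.partition(" ")
    if ip.startswith("127.") and host.strip().lower() != "localhost":
        return ("review", f"hosts file maps {host.strip()} to {ip}; malware often blocks security sites this way")
    return None

def triage(lines):
    """Return {'severity', 'line', 'reason'} dicts for every line that needs attention."""
    findings = []
    for line in lines:
        line, result = line.rstrip(), None
        if (m := RUN_RE.match(line)):
            result = _check_run(m["name"], m["cmd"])
        elif (m := SVC_RE.match(line)):
            result = _check_service(m["start"], m["name"], m["rest"])
        elif line.startswith("SecurityProviders:"):
            result = _check_providers(line.split(":", 1)[1])
        elif line.startswith("Hosts:"):
            result = _check_hosts(line.split(":", 1)[1].strip())
        if result:
            findings.append({"severity": result[0], "line": line, "reason": result[1]})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f['severity']}] {f['reason']}")
```

Run against the sample, the script flags eight of the ten lines and leaves the two Avira entries alone; "review" items such as the Domino autorun still need a publisher or hash check before anything is acted on.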



#2 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 08 February 2011 - 01:54 PM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please Track this topic - On the top right of this thread, click on the Option button, and, in the drop-down list, click on 'Track this topic'. Under Subscription Information, click on 'Immediate Email Notification' and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -

We need to see some information about what is happening in your machine. Please perform the following scan:
  • We need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Once you have the above logs, click on the Add Reply button below, copy in the contents of the two OTL logs. Also include any comments that you might have concerning the infection(s) and the infected computer.
Shannon

#3 raprap100

  • Topic Starter
  • Members
  • 52 posts

Posted 09 February 2011 - 10:05 AM

This is very strange, I can't copy all the contents and the contents seem to be broken. And also, whenever I modify, I get an error that says the connection was reset.

Edited by raprap100, 09 February 2011 - 10:42 AM.


#4 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 09 February 2011 - 12:53 PM

Hi-

I reviewed your earlier scan logs and they did show some problems. At least one of them was a backdoor trojan. A backdoor trojan allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to continue with the cleanup -

First, please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
  • If TDSSKiller does not run, try renaming it.

    To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.

  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
Next, download Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable your Anti-virus


Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy the "C:\ComboFix.txt" into your reply.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


In your reply, copy in the contents of the TDSSKiller and ComboFix reports. Also, give me an update on how your computer is running.
Shannon

#5 raprap100

  • Topic Starter
  • Members
  • 52 posts

Posted 09 February 2011 - 08:43 PM

Yes, I would like to proceed, but when I downloaded TDSS and ran it, the computer displayed a BSOD, again stating that the problem is ntfs.sys, and I had to restart. Currently, I am downloading Combofix, but the crawling connection is getting on my nerves :<

But I'll have to be patient ;D
Anyways, I'll be on the watch.

Thanks

#6 raprap100

  • Topic Starter
  • Members
  • 52 posts

Posted 10 February 2011 - 05:28 AM

Getting complicated now, as I have observed. When I ran Combofix, it said it was outdated, and according to it, running an old version would reduce its functionality. Anyway, I proceeded with the update. As I mentioned before, my connection is at a turtle's pace, so I canceled the update, hoping I could update it later when the speed improves. However, when I ran it again, the program said it was a corrupt file and that I must download a fresh copy, which I did; running the fresh copy again displayed the same message that it was corrupted.

I'm willing to take whatever solutions you have in mind.

Many many many thanks!

#7 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 10 February 2011 - 08:26 AM

Hi-

Have you tried them in safe mode?

This can be done by tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option with networking support.
Please see here for additional details.
Shannon

#8 raprap100

  • Topic Starter
  • Members
  • 52 posts

Posted 11 February 2011 - 06:45 AM

Bad news... I ran Combofix; 3 minutes into scanning, the same BSOD appeared again, all about the ntfs.sys thing.

I think when the computer modifies or adds new programs, the BSOD will appear, preventing any action from being executed.

#9 raprap100

  • Topic Starter
  • Members
  • 52 posts

Posted 11 February 2011 - 09:09 AM

Managed to scan it with Combofix, but after the start-up, Avira detected two new trojans, namely 'TR/Scar.dmrp [trojan]' located at C:\WINDOWS\ranga.exe AND 'TR/Scar.dmkw.1 [trojan]' located at C:\WINDOWS\apix.exe, which I ignored, because I was afraid that something might go wrong. Here is the log of Combofix:

ComboFix 11-02-09.05 - Trisha 02/11/2011 21:39:38.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.529 [GMT 8:00]
Running from: c:\documents and settings\Trisha\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Local Settings\Application Data\Google\Update\GoogleUpdateBeta.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\Google\Update\GoogleUpdateBeta.exe
C:\khq
c:\windows\keys.ini
c:\windows\system32\drivers\svajnager.exe
c:\windows\system32\tmp.tmp
D:\khq

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CDFSS
-------\Legacy_GOOGLEUPDATEBETA
-------\Legacy_SVAJNAG
-------\Service_cdfss
-------\Service_GoogleUpdateBeta
-------\Service_svajnag


((((((((((((((((((((((((( Files Created from 2011-01-11 to 2011-02-11 )))))))))))))))))))))))))))))))
.

2011-02-10 23:04 . 2011-02-10 23:06 90112 ----a-w- c:\windows\ax.exe
2011-02-10 02:54 . 2011-02-10 13:52 9766 ----a-w- c:\windows\fd.exe
2011-02-09 13:54 . 2011-02-09 13:56 85838 ----a-w- c:\windows\zx.exe
2011-02-08 10:33 . 2011-02-11 10:29 118784 --sh--r- c:\windows\xanga.exe
2011-02-06 07:55 . 2011-02-06 07:55 -------- d-----w- c:\windows\system32\Lang
2011-02-06 05:10 . 2011-02-06 05:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-02-04 12:26 . 2011-02-04 12:31 90112 ----a-w- c:\windows\apix.exe
2011-02-04 00:42 . 2011-02-07 12:31 114688 --sh--r- c:\windows\ranga.exe
2011-02-04 00:42 . 2011-02-04 00:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-02-03 08:37 . 2011-02-03 08:37 54016 ----a-w- c:\windows\system32\drivers\btlkq.sys
2011-02-01 14:29 . 2011-02-01 14:29 18298 ----a-w- c:\windows\system32\MAI81.tmp
2011-02-01 14:29 . 2011-02-01 14:29 18298 ----a-w- c:\windows\system32\MAI7F.tmp
2011-02-01 07:39 . 2011-02-01 07:39 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-01-27 22:53 . 2011-01-27 22:56 -------- d-----w- c:\program files\Traffic Simulator Configuration Tool
2011-01-27 22:46 . 2011-01-27 22:46 -------- d-----w- c:\documents and settings\Trisha\Application Data\Rovio
2011-01-25 10:11 . 2011-01-25 10:15 2829 ----a-w- c:\windows\War3Unin.pif
2011-01-25 10:11 . 2011-01-25 10:15 139264 ----a-w- c:\windows\War3Unin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-18 10:18 . 2009-11-20 22:34 45056 ----a-w- c:\windows\NCUNINST.EXE
2010-12-18 10:15 . 2004-08-03 17:07 1388544 ----a-w- c:\windows\system32\msvbvm60.dll
.

------- Sigcheck -------

[-] 2008-04-15 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\sfcfiles.dll
[7] 2004-08-03 . 30A609E00BD1D4FFC49D6B5A432BE7F2 . 1580544 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\2bc0b3c55e0c166e04844934d1c7c342\backup\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2010-11-08 824224]
"Domino"="c:\windows\Domino.EXE" [2006-06-28 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-26 17567744]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-28 148888]
"VMSnap3"="c:\windows\VMSnap3.EXE" [2006-08-30 49152]
"Service Noits"="xanga.exe" [2011-02-11 118784]

c:\documents and settings\Trisha\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuEjectPC"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"RestrictCpl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C /k:D *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mgemfdyf.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Trisha^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Trisha\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-03 17:07 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C45 Series]
2004-01-13 18:00 99840 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\E_S4I3T1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 16:47 31016 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 02:57 1451520 -c--a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-08-03 07:02 36352 -c--a-w- c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Games\\Warcraft III\\Warcraft III.exe"=
"c:\\WINDOWS\\ranga.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8371:TCP"= 8371:TCP:League of Legends Launcher
"8371:UDP"= 8371:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher

R0 DeepFrz;DeepFrz;c:\windows\system32\drivers\DeepFrz.sys [11/28/2006 10:57 AM 127896]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/15/2010 8:33 PM 691696]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/11/2009 2:09 PM 108289]
S0 hzozfdkojysgp;hzozfdkojysgp;c:\windows\system32\drivers\wdloopyppokfr.sys --> c:\windows\system32\drivers\wdloopyppokfr.sys [?]
S0 tuncwtqlailbrar;tuncwtqlailbrar;c:\windows\system32\drivers\ddeiic.sys --> c:\windows\system32\drivers\ddeiic.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/8/2009 10:27 PM 1684736]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/9/2010 8:43 PM 38224]
S3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [1/19/2009 7:54 PM 428160]
.
Contents of the 'Scheduled Tasks' folder

2011-02-06 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-10-13 10:08]

2011-02-11 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-09-06 14:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://iniciorapido.info
mStart Page = hxxp://www.microsoft.com
mWindow Title = Microsoft Internet Explorer
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Trisha\Application Data\Mozilla\Firefox\Profiles\4m5zwhwc.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: DAEMON Tools Toolbar: DTToolbar@toolbarnet.com - %profile%\extensions\DTToolbar@toolbarnet.com
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-11 21:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\zbshareware]
@DACL=(02 0000)
"times"="8"
"lastcheck"="1"
"Name"="ledworld"
"Code"="BHJDH17937"
"autorun"="1"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\xanga.exe
.
**************************************************************************
.
Completion time: 2011-02-11 21:57:33 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-11 13:57

Pre-Run: 3,179,536,384 bytes free
Post-Run: 3,069,526,016 bytes free

- - End Of File - - CF8A6754E92D26F8A2CCDA6AB31E865F

#10 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 11 February 2011 - 09:34 AM

Hi-

Good! Now try the TDSSKiller. If he won't run, try to rename him. If still a no-go, try safe mode.
Shannon

#11 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 11 February 2011 - 09:56 AM

Hi-

ComboFix listed a few files that need to be checked for infections.

First, before we start, please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows


Please click this link-->Jotti
When the Jotti page has finished loading, click Jotti's Browse button and navigate to the following files in turn and click the Submit file button within Jotti.

c:\windows\ax.exe
c:\windows\fd.exe
c:\windows\zx.exe
c:\windows\xanga.exe
c:\windows\apix.exe
c:\windows\system32\drivers\btlkq.sys
c:\windows\ranga.exe


If Jotti reports that the file has been scanned before and gives you those results, click on the Scan Again button.
To scan the next file, click on the Next File button.
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal.

In your reply, let me know the Jotti results for each file.

Edited by Shannon2012, 11 February 2011 - 09:59 AM.

Shannon

#12 raprap100

  • Topic Starter
  • Members
  • 52 posts

Posted 11 February 2011 - 05:18 PM

I have a question.

How can I exactly post the logs of Jotti?

#13 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 11 February 2011 - 05:39 PM

Hi-

If they are clear of infections, just let me know that. If they are not, you can copy the contents in your reply or attach them.
Shannon

#14 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 11 February 2011 - 07:03 PM

Or you can copy in the link to each report.
Shannon

#15 raprap100

  • Topic Starter
  • Members
  • 52 posts

Posted 12 February 2011 - 06:37 AM

Oh, didn't think about that :D

Here are the Jotti links and TDSS log after:

(apix.exe)
http://virusscan.jotti.org/en/scanresult/c1bc871f31801376c1cde334bf0dfe6401d43907
(ax.exe)
http://virusscan.jotti.org/en/scanresult/5008167e01bf16dcb89c8bf8b938e90076964c89/a91b4887db9ddc16a57451f23a145f7543dfeb43
(fd.exe)
http://virusscan.jotti.org/en/scanresult/a32ff437cddf4dafe5917e6d0b6a008b71b55d31
(zx.exe)
http://virusscan.jotti.org/en/scanresult/31970fa0baabada0050bdef65c3e7ed86f51aaa1
(xanga.exe)
http://virusscan.jotti.org/en/scanresult/e0c28f260bd6af9a6ed3feabb6c74ab9e742b3b4
(ranga.exe)
http://virusscan.jotti.org/en/scanresult/90e7eb122360e2ca2029c9a38a32613a59924d22
(bltkq.sys)
http://virusscan.jotti.org/en/scanresult/b632100fc0e925e06d5c9b193ff82ce63dd10dc2

2011/02/12 06:06:59.0500 2584 TDSS rootkit removing tool 2.4.17.0 Feb 10 2011 11:07:20
2011/02/12 06:07:00.0359 2584 ================================================================================
2011/02/12 06:07:00.0359 2584 SystemInfo:
2011/02/12 06:07:00.0359 2584
2011/02/12 06:07:00.0359 2584 OS Version: 5.1.2600 ServicePack: 2.0
2011/02/12 06:07:00.0359 2584 Product type: Workstation
2011/02/12 06:07:00.0359 2584 ComputerName: PERSOANL
2011/02/12 06:07:00.0359 2584 UserName: Trisha
2011/02/12 06:07:00.0359 2584 Windows directory: C:\WINDOWS
2011/02/12 06:07:00.0359 2584 System windows directory: C:\WINDOWS
2011/02/12 06:07:00.0359 2584 Processor architecture: Intel x86
2011/02/12 06:07:00.0359 2584 Number of processors: 2
2011/02/12 06:07:00.0359 2584 Page size: 0x1000
2011/02/12 06:07:00.0359 2584 Boot type: Normal boot
2011/02/12 06:07:00.0359 2584 ================================================================================
2011/02/12 06:07:01.0421 2584 Initialize success
2011/02/12 06:07:04.0031 2760 ================================================================================
2011/02/12 06:07:04.0031 2760 Scan started
2011/02/12 06:07:04.0031 2760 Mode: Manual;
2011/02/12 06:07:04.0031 2760 ================================================================================
2011/02/12 06:07:05.0906 2760 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/12 06:07:06.0312 2760 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/02/12 06:07:06.0828 2760 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2011/02/12 06:07:07.0093 2760 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2011/02/12 06:07:08.0671 2760 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
2011/02/12 06:07:10.0343 2760 AsIO (2b4e66fac6503494a2c6f32bb6ab3826) C:\WINDOWS\system32\drivers\AsIO.sys
2011/02/12 06:07:10.0609 2760 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/12 06:07:10.0875 2760 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/12 06:07:11.0328 2760 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/12 06:07:11.0593 2760 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/12 06:07:11.0687 2760 avgio (6a646c46b9415e13095aa9b352040a7a) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/02/12 06:07:11.0953 2760 avgntflt (14fe36d8f2c6a2435275338d061a0b66) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2011/02/12 06:07:12.0234 2760 avipbb (452e382340bb0c5e694ed9d3625356d0) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2011/02/12 06:07:12.0468 2760 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/12 06:07:12.0750 2760 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/12 06:07:13.0015 2760 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/02/12 06:07:13.0468 2760 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/12 06:07:13.0718 2760 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/12 06:07:13.0968 2760 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/12 06:07:14.0875 2760 cmuda (ddcde8ced6e753f9ebbd07659f808d9d) C:\WINDOWS\system32\drivers\cmuda.sys
2011/02/12 06:07:16.0062 2760 DeepFrz (838f4f02228a6e6625fd38d8af8182a3) C:\WINDOWS\system32\drivers\DeepFrz.sys
2011/02/12 06:07:16.0328 2760 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/12 06:07:16.0796 2760 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/02/12 06:07:17.0296 2760 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\DRIVERS\dmio.sys
2011/02/12 06:07:17.0578 2760 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/02/12 06:07:17.0843 2760 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/02/12 06:07:18.0312 2760 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/12 06:07:18.0687 2760 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
2011/02/12 06:07:19.0109 2760 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/12 06:07:19.0390 2760 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/02/12 06:07:19.0640 2760 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/02/12 06:07:19.0859 2760 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/02/12 06:07:20.0140 2760 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/02/12 06:07:20.0421 2760 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/12 06:07:20.0718 2760 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/12 06:07:21.0000 2760 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/12 06:07:21.0296 2760 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/02/12 06:07:21.0546 2760 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/02/12 06:07:22.0062 2760 HSFHWBS2 (881d1c3a64904f4b6068013a99a5855b) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
2011/02/12 06:07:22.0656 2760 HSF_DP (8ed6714c8e754520dd8a939f91383ea0) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2011/02/12 06:07:23.0265 2760 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/12 06:07:23.0578 2760 hwdatacard (008ada74e3028fced5145f4f74230d4b) C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
2011/02/12 06:07:24.0468 2760 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/02/12 06:07:25.0218 2760 ialm (c5db546f9028cd00e64335091860d8f3) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/02/12 06:07:26.0000 2760 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/12 06:07:27.0875 2760 IntcAzAudAddService (1ae3cff80017ef89da959350724c7194) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/02/12 06:07:28.0125 2760 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/02/12 06:07:28.0375 2760 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/02/12 06:07:28.0609 2760 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/02/12 06:07:28.0859 2760 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/12 06:07:29.0109 2760 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/12 06:07:29.0390 2760 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/12 06:07:29.0625 2760 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/02/12 06:07:29.0875 2760 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/02/12 06:07:30.0140 2760 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/02/12 06:07:30.0375 2760 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/02/12 06:07:30.0703 2760 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2011/02/12 06:07:31.0031 2760 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/02/12 06:07:31.0515 2760 MBAMSwissArmy (c7dd7d9739785bd3a6b8499eec1dee7e) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011/02/12 06:07:31.0765 2760 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/02/12 06:07:32.0000 2760 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/02/12 06:07:32.0234 2760 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/02/12 06:07:32.0484 2760 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/02/12 06:07:33.0109 2760 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
2011/02/12 06:07:33.0765 2760 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/02/12 06:07:34.0031 2760 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/02/12 06:07:34.0281 2760 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/02/12 06:07:34.0796 2760 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/02/12 06:07:35.0140 2760 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/02/12 06:07:35.0437 2760 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/02/12 06:07:35.0703 2760 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/02/12 06:07:35.0984 2760 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/02/12 06:07:36.0234 2760 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/02/12 06:07:36.0484 2760 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/02/12 06:07:36.0718 2760 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/02/12 06:07:36.0953 2760 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2011/02/12 06:07:37.0218 2760 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/02/12 06:07:37.0515 2760 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/02/12 06:07:37.0812 2760 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/02/12 06:07:38.0125 2760 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/02/12 06:07:38.0375 2760 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/02/12 06:07:38.0609 2760 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/02/12 06:07:38.0859 2760 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/02/12 06:07:39.0125 2760 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/02/12 06:07:39.0375 2760 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/02/12 06:07:39.0656 2760 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/02/12 06:07:39.0953 2760 nmwcd (357ddb51e03cae598c096d95497373d0) C:\WINDOWS\system32\drivers\ccdcmb.sys
2011/02/12 06:07:40.0218 2760 nmwcdc (7cd443f9d36c80e152fadb274089577a) C:\WINDOWS\system32\drivers\ccdcmbo.sys
2011/02/12 06:07:40.0484 2760 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/02/12 06:07:40.0890 2760 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/02/12 06:07:41.0218 2760 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/02/12 06:07:41.0468 2760 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/02/12 06:07:41.0734 2760 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/02/12 06:07:42.0000 2760 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/02/12 06:07:42.0265 2760 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/02/12 06:07:42.0500 2760 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/02/12 06:07:42.0765 2760 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
2011/02/12 06:07:43.0046 2760 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/02/12 06:07:43.0500 2760 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/02/12 06:07:43.0781 2760 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/02/12 06:07:45.0343 2760 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/02/12 06:07:45.0671 2760 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/02/12 06:07:45.0968 2760 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/02/12 06:07:46.0203 2760 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/02/12 06:07:47.0515 2760 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/02/12 06:07:47.0750 2760 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/02/12 06:07:48.0015 2760 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/02/12 06:07:48.0265 2760 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/02/12 06:07:48.0546 2760 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/02/12 06:07:48.0796 2760 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/02/12 06:07:49.0093 2760 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/02/12 06:07:49.0437 2760 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/02/12 06:07:49.0687 2760 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/02/12 06:07:49.0984 2760 rtl8139 (d0ac0b0355a3ffb85eb77b083cd0627c) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS
2011/02/12 06:07:50.0281 2760 RTLE8023xp (b0e1648aae1e59bdd0854af07a605399) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/02/12 06:07:50.0640 2760 Secdrv (ba0d892d2f786bcebdf03b0a252b47f3) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/02/12 06:07:50.0875 2760 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/02/12 06:07:51.0156 2760 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/02/12 06:07:51.0437 2760 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/02/12 06:07:51.0890 2760 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/02/12 06:07:52.0343 2760 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2011/02/12 06:07:52.0781 2760 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/02/12 06:07:52.0781 2760 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/02/12 06:07:52.0796 2760 sptd - detected Locked file (1)
2011/02/12 06:07:53.0046 2760 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/02/12 06:07:53.0406 2760 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/02/12 06:07:53.0890 2760 ssmdrv (654dfea96bc82b4acda4f37e5e4a3bbf) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2011/02/12 06:07:54.0234 2760 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/02/12 06:07:54.0500 2760 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/02/12 06:07:54.0750 2760 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/02/12 06:07:55.0937 2760 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/02/12 06:07:56.0296 2760 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/02/12 06:07:56.0578 2760 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/02/12 06:07:56.0828 2760 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/02/12 06:07:57.0093 2760 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/02/12 06:07:57.0812 2760 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/02/12 06:07:58.0328 2760 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2011/02/12 06:07:58.0625 2760 upperdev (15629e4d65f97ab5432d6d9597cf6a33) C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys
2011/02/12 06:07:59.0078 2760 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/02/12 06:07:59.0343 2760 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/02/12 06:07:59.0593 2760 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/02/12 06:07:59.0859 2760 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/02/12 06:08:00.0140 2760 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/02/12 06:08:00.0406 2760 usbser (49106ee29074e6a3d3ac9e24c6d791d8) C:\WINDOWS\system32\drivers\usbser.sys
2011/02/12 06:08:00.0671 2760 UsbserFilt (5c17e6a11aa8be53f79fd364ba19f0ce) C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys
2011/02/12 06:08:00.0953 2760 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/02/12 06:08:01.0203 2760 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/02/12 06:08:01.0453 2760 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/02/12 06:08:02.0031 2760 vmfilter303 (233509e1ad024a3e451d8df6795eeed5) C:\WINDOWS\system32\drivers\vmfilter303.sys
2011/02/12 06:08:02.0406 2760 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/12 06:08:02.0671 2760 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/02/12 06:08:03.0062 2760 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/02/12 06:08:03.0687 2760 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/02/12 06:08:04.0125 2760 winachsf (7dd2ec1efd9f48843ffc5815aebf1068) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/02/12 06:08:04.0625 2760 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/02/12 06:08:05.0000 2760 ZSMC303 (3de80baa4af21883cf938197d508b848) C:\WINDOWS\system32\Drivers\usbVM303.sys
2011/02/12 06:08:05.0328 2760 ================================================================================
2011/02/12 06:08:05.0328 2760 Scan finished
2011/02/12 06:08:05.0328 2760 ================================================================================
2011/02/12 06:08:05.0343 2756 Detected object count: 1
2011/02/12 06:08:08.0812 2756 Locked file(sptd) - User select action: Skip