
Can only access internet in safe mode, keep getting redirected, problems stemming from systemtool infection?


This topic is locked
9 replies to this topic

#1 MillionsTx (Members, 18 posts)

Posted 19 March 2011 - 10:32 AM

Hi all, I've thoroughly read the preparation thread; however, I can't run any applications in normal mode, so I doubt DDS or GMER will run. However, once I've posted this thread I will try again.

Over the past fortnight I have had about 6 SystemTool infections. I have completed various Complete SystemTool Removal guides and I have been under the impression that I HAVE completely removed it every time. The laptop would run fine after removal (no pop-ups, no blocked programs, no wallpaper changes, no slow running) but after a period of time, anything up to 6 hours, SystemTool would have reinstalled itself.

The SystemTool installation always seemed to be prompted by a Sun Microsystems Java splash screen which would appear of its own accord, then disappear (apart from the Java icon in the bottom right corner); 5 minutes later, hey presto, SystemTool would be back.

Since removing SystemTool the last time, I am now unable to access the internet in normal start-up mode (the network icon has the exclamation mark) and I cannot open any programs; the start menu loads quickly, however nothing will load off it.

In the system tray I get a pop-up (from Windows, not SystemTool) telling me Windows has blocked some start-up programs; the only program it has blocked is antimalware.

When I check my event log (which I can only do through safe mode) I get these errors:

DCOM got error "1084" while attempting to start the service MDM with arguments "" in order to run the server

I have a long list of those errors, and also

Security - Audit errors

"Windows firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network"

ALSO, I get redirected to various websites when using the internet (safe mode); I get sent to websites such as

www.premmo.com
click-to-validate
...I will add to the list when they pop up again, as there are more than just these two.
EDIT Additions: www.searchpro.. (it directed me to the click-to-validate site then quickly to searchpro, so I didn't have time to read the URL)

http://clicks.myfastresult.com/xtr_new................
http://secure.bidvertiser.com/performance/bdv_rd.dbm?enparms2=9219,398795,1180158,9020,9025,9025,9228,0,0,9024,0,396510,8137,182169,9869,9024,-141543148&ioa=0&ncm=1&bd_ref_v=www.bidvertiser.com&TREF=1&WIN_NAME=&Category=7&ownid=915745&u_agnt=&skter=rnzmfhg%2Bvhvmzkzq%2Bvsg%2Bwmz%2Bmlln%2Bvsg&frdto=oh%3Df%26f%3Diz%26z%3Dhg%26x%3Dgz%26547519_677983%3Dwrg%26rnzmfhg%2Bvhvmzkzq%2Bvsg%2Bwmz%2Bmlln%2Bvsg%3Dnivg%2682811%3Dwrwz%3FpxroXwz%2FveivHwz%2Fnlx.hwzpox%2F%2F%3Akggs

http://filter.ekind.com/ncp/Default.aspx?term=the moon and the japanese tsunami&u=8227912

http://virtualfindit.com/search.php?q=the+moon+and+the+japanese+tsunami&sa=5&sid=4869772&p=1&s=99920&qt=1300556131&mk=1

I'm going to restart now into normal mode and attempt DDS and GMER.

I hope this is in the right section,
Thanks in Advance,
Max

Edited by MillionsTx, 19 March 2011 - 12:38 PM.



#2 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 19 March 2011 - 10:40 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Note:
If you are unable to run a GMER scan due to the fact you are running a 64-bit machine, please run the following tool and post its log.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.



Thanks and again sorry for the delay.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#3 MillionsTx (Topic Starter, Members, 18 posts)

Posted 19 March 2011 - 11:29 AM

Operating system: Windows Vista Home Basic
Laptop: HP 530

No backup CD

ALSO, after my last post, when I closed the browser there was a message from Windows Defender saying

WINDOWS DEFENDER IS TURNED OFF BY GROUP POLICY

Upon restarting Windows in normal mode I got a Windows Installer box at start-up which said:

Windows installer... microsoft SQL server desktop installer?

ALSO, my internet connection has resolved and I'm now on the net in normal mode

DDS:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by martine at 16:00:11.62 on 19/03/2011
Internet Explorer: 7.0.6000.16982 BrowserJavaVersion: 1.6.0_15
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.atcomet.com/b/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=smb&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=smb&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=smb&pf=laptop
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [rjwGgQaLHJ.exe] c:\programdata\rjwGgQaLHJ.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SoftAuto.exe] "c:\program files\creative\software update 3\SoftAuto.exe"
uRun: [Center Agent] c:\program files\peak multimedia\hypermediacenter 3.5\dtvr\Scheduled.exe
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HTC Sync Loader] "c:\program files\htc\htc sync 3.0\htcUPCTLoader.exe" -startup
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [Microsoft] system32.exe
mRun: [FLSDeviceControlPanel] c:\windows\system32\FLSDEVCP.EXE
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
StartupFolder: c:\users\martine\appdata\roaming\micros~1\windows\startm~1\programs\startup\71efb8.lnk - c:\windows\system32\2a43f1\71EFB8.EXE
StartupFolder: c:\users\martine\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\users\martine\appdata\roaming\micros~1\windows\startm~1\programs\startup\remote~1.lnk - c:\program files\peak multimedia\dvb-t utilities\AFRCtl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\martine\appdata\roaming\mozilla\firefox\profiles\w3zy6qtl.default\
FF - component: c:\users\martine\appdata\roaming\mozilla\firefox\profiles\w3zy6qtl.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitComet Video Downloader: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB} - %profile%\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2011-03-19 15:00:43 -------- d-----w- c:\users\martine\appdata\local\Safe mirror
2011-03-19 15:00:14 -------- d-----w- c:\program files\Cobian Backup 10
2011-03-16 23:40:19 -------- d-----w- c:\progra~2\gAfPdBl06504
2011-03-16 16:06:18 -------- d-----w- c:\windows\Profiles
2011-03-15 19:47:20 -------- d-----w- c:\users\martine\appdata\roaming\Ugnaad
2011-03-15 19:47:20 -------- d-----w- c:\users\martine\appdata\roaming\Avhi
2011-03-13 17:31:18 0 ----a-w- c:\windows\system32\null0.8034381608171317.exe
2011-03-12 22:35:40 -------- d-----w- c:\progra~2\fAoEfIm06504
2011-03-11 18:16:30 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{7efe2b25-5f24-45aa-aea1-a7c41bede2f5}\mpengine.dll
2011-03-08 22:35:21 -------- d-----w- c:\progra~2\eJhNlNl06504
2011-03-04 21:57:34 -------- d-----w- c:\progra~2\gOnLpPa09000
2011-03-04 19:54:26 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-03-04 19:45:41 -------- d-----w- c:\users\martine\appdata\roaming\Malwarebytes
2011-03-04 19:45:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-04 19:45:35 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-04 19:45:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-04 19:45:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-03 00:00:43 -------- d-----w- c:\progra~2\oMjBcCi06504
2011-02-18 23:12:45 -------- d-----w- c:\progra~2\gMdObLo06504
2011-02-18 19:23:13 293376 ----a-w- c:\windows\system32\browserchoice.exe
2011-02-18 19:10:54 3502480 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-02-18 19:10:53 3468168 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-02-18 19:10:37 396800 ----a-w- c:\windows\system32\drivers\http.sys
2011-02-18 19:10:37 31232 ----a-w- c:\windows\system32\httpapi.dll
2011-02-18 19:10:37 24064 ----a-w- c:\windows\system32\nshhttp.dll
2011-02-18 19:09:49 216576 ----a-w- c:\windows\system32\msv1_0.dll
2011-02-18 19:09:42 378368 ----a-w- c:\windows\system32\winhttp.dll
2011-02-18 19:09:21 2048 ----a-w- c:\windows\system32\tzres.dll
2011-02-18 19:08:21 58368 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-18 19:08:21 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-18 19:08:21 102400 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-18 19:08:09 171520 ----a-w- c:\windows\system32\wintrust.dll
2011-02-18 19:08:03 62464 ----a-w- c:\windows\system32\l3codeca.acm
2011-02-18 19:08:03 220672 ----a-w- c:\windows\system32\l3codecp.acm
2011-02-18 19:06:51 1418240 ----a-w- c:\program files\windows media player\setup_wm.exe
2011-02-18 19:06:50 311296 ----a-w- c:\windows\system32\unregmp2.exe
2011-02-18 19:06:47 7680 ----a-w- c:\windows\system32\spwmp.dll
2011-02-18 19:06:47 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
2011-02-18 19:06:46 4096 ----a-w- c:\windows\system32\msdxm.ocx
2011-02-18 19:06:46 4096 ----a-w- c:\windows\system32\dxmasf.dll
2011-02-18 19:06:46 107520 ----a-w- c:\program files\windows media player\wmpshare.exe
2011-02-18 19:06:46 107520 ----a-w- c:\program files\windows media player\wmpconfig.exe
2011-02-18 19:06:37 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2011-02-18 19:04:30 60928 ----a-w- c:\windows\system32\msasn1.dll
2011-02-18 19:04:19 713728 ----a-w- c:\windows\system32\timedate.cpl
2011-02-18 19:04:08 274432 ----a-w- c:\windows\system32\raschap.dll
2011-02-18 19:04:08 232960 ----a-w- c:\windows\system32\rastls.dll
2011-02-18 19:02:53 1327616 ----a-w- c:\windows\system32\quartz.dll
2011-02-18 19:02:52 31232 ----a-w- c:\windows\system32\msvidc32.dll
2011-02-18 19:02:51 22528 ----a-w- c:\windows\system32\msyuv.dll
2011-02-18 19:02:49 13312 ----a-w- c:\windows\system32\msrle32.dll
2011-02-18 19:02:48 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2011-02-18 19:02:48 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2011-02-18 19:02:45 82944 ----a-w- c:\windows\system32\mciavi32.dll
2011-02-18 19:02:43 88576 ----a-w- c:\windows\system32\avifil32.dll
2011-02-18 19:02:41 123904 ----a-w- c:\windows\system32\msvfw32.dll
2011-02-18 19:02:40 65024 ----a-w- c:\windows\system32\avicap32.dll
2011-02-18 19:02:07 321536 ----a-w- c:\windows\system32\WSDApi.dll
2011-02-18 18:54:23 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
.
==================== Find3M ====================
.
2011-02-02 17:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-31 08:40:33 20480 ----a-w- c:\windows\system32\cliconfg.728
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6000 Disk: FUJITSU_MHY2120BH rev.890B -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-4
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x853EF5D9]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x853f5970]; MOV EAX, [0x853f59ec]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82027F3B] -> \Device\Harddisk0\DR0[0x84E59AD8]
3 nt[0x820B07E2] -> ntkrnlpa!IofCallDriver[0x82027F3B] -> [0x8480C030]
\Driver\atapi[0x853DBB00] -> IRP_MJ_CREATE -> 0x853EF5D9
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-4 -> \??\IDE#DiskFUJITSU_MHY2120BH_______________________890B____#5&12457447&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi -> 0x846ff1f8
user != kernel MBR !!!
sectors 234441646 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 16:13:25.36 ===============

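The DDS log above is read the way a responder reads it: the uRun/mRun and StartupFolder entries are scanned first for auto-start targets that live in odd places or carry generated names (a bare `system32.exe` with no directory, an executable dropped straight into `c:\programdata`, a hex-named subfolder under `system32`), and the FF user.js block is checked for prefs that switch browser security warnings off. The script below is an added example that is not part of this thread and not the DDS tool's own code; its sample lines are constructed to mirror the shapes of the entries above (the benign ones included), and the heuristics are the editor's own rough rules for prioritising what to look at, not a verdict on what is malicious.

```python
"""Triage helper for DDS 'Pseudo HJT Report' style lines.

Added example, not part of the forum post and not the DDS tool's own code.
The sample lines are constructed to mirror the shapes of entries in the log
above; the heuristics are the editor's own, rough rules meant to prioritise
what a responder reads first, not to decide what is malicious.
"""
import re

# Constructed sample (not the thread's log): the same entry shapes, a few of them benign.
SAMPLE_DDS = r"""uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [rjwGgQaLHJ.exe] c:\programdata\rjwGgQaLHJ.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft] system32.exe
StartupFolder: c:\users\martine\appdata\roaming\micros~1\windows\startm~1\programs\startup\71efb8.lnk - c:\windows\system32\2a43f1\71EFB8.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_viewing_mixed - false
"""

RUN_RE = re.compile(r'^([umd]Run): \[([^\]]*)\] (.*)$')
STARTUP_RE = re.compile(r'^StartupFolder: (.*?\.lnk) - (.*)$')
PREF_RE = re.compile(r'^FF - user\.js: (\S+) - (.*)$')
EXT_RE = re.compile(r'^(.+?\.(?:exe|com|scr|bat|cmd|pif|dll))(?=\s|$)', re.I)
HEX_RE = re.compile(r'^[0-9a-f]+$', re.I)

# Firefox prefs whose listed value switches off a security warning.
WEAK_PREFS = {
    'security.warn_submit_insecure': 'false',
    'security.warn_viewing_mixed': 'false',
}
SYSTEM32 = 'c:\\windows\\system32\\'
DATA_ROOTS = ('c:\\programdata', 'c:\\users\\public')


def executable_path(command):
    """Pull the launched file out of a Run-entry command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXT_RE.match(command)
    return m.group(1) if m else command


def looks_random(stem):
    """Rough test for generated names: hex strings with digits, or long,
    vowel-poor names with several upper/lower case flips."""
    if len(stem) >= 6 and HEX_RE.match(stem) and any(c.isdigit() for c in stem):
        return True
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c.lower() in 'aeiou' for c in letters)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return vowels / len(letters) < 0.2 and flips >= 3


def check_path(n, where, path):
    """Location and naming checks on one auto-start target."""
    out = []
    directory, _, filename = path.strip().rpartition('\\')
    directory = directory.lower()
    stem = filename.rsplit('.', 1)[0]
    if not directory:
        out.append((n, where, 'bare file name, resolved through the search path'))
    elif directory in DATA_ROOTS or directory.endswith(('\\appdata\\roaming', '\\appdata\\local')):
        out.append((n, where, 'executable directly in a user-writable data root'))
    elif directory.startswith(SYSTEM32) and looks_random(directory[len(SYSTEM32):].split('\\')[0]):
        out.append((n, where, 'executable in a generated-name subfolder of system32'))
    if looks_random(stem):
        out.append((n, where, 'file name looks generated'))
    return out


def triage(text):
    """Return (line number, entry, reason) tuples for the lines worth a closer look."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            findings += check_path(n, '%s [%s]' % (hive, name), executable_path(command))
            continue
        m = STARTUP_RE.match(line)
        if m:
            lnk = m.group(1).rsplit('\\', 1)[-1]
            findings += check_path(n, 'StartupFolder %s' % lnk, m.group(2))
            continue
        m = PREF_RE.match(line)
        if m and WEAK_PREFS.get(m.group(1)) == m.group(2).strip():
            findings.append((n, 'user.js %s' % m.group(1), 'browser security warning switched off'))
    return findings


if __name__ == '__main__':
    for n, where, reason in triage(SAMPLE_DDS):
        print('line %d  %-40s %s' % (n, where, reason))
```

On the constructed sample the Sidebar, Java updater, McAfee scheduler and cookieBehavior lines produce nothing, while the ProgramData executable, the bare `system32.exe`, the hex-named system32 subfolder and the two disabled TLS warnings are each reported with a reason. The name heuristic is deliberately conservative (vowel-poor and case-flipping, or hex with digits) because short vendor abbreviations trip simpler entropy tests; treat its output as a reading order, and confirm anything it raises against the file itself.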



#4 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 19 March 2011 - 01:39 PM

Hello,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

If the following tools will not run in Normal mode they can be run in Safe Mode with Networking.

1.
We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

2.
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy

3.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

4.
Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

5.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TDSSKILLER log
Combofix.txt
How is your machine running now?



#5 MillionsTx (Topic Starter, Members, 18 posts)

Posted 20 March 2011 - 06:15 AM

Upon restarting the laptop, a Windows Installer dialogue box is still appearing; it is trying to install Microsoft SQL Server Desktop Engine?
Also, twice now Windows UAC has popped up asking me if I want to start Sun Microsystems JAVA, which I keep clicking cancel on, as I'm sure that's the backdoor which the virus/malware is using. Here are the TDSS and Rkill logs; I had some trouble with Rkill but it ran in the end. I'm now going to go on to ComboFix etc. Thanks very much for your help fireman, it is greatly appreciated!

2011/03/20 10:54:50.0044 1132 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/20 10:54:50.0388 1132 ================================================================================
2011/03/20 10:54:50.0388 1132 SystemInfo:
2011/03/20 10:54:50.0388 1132
2011/03/20 10:54:50.0388 1132 OS Version: 6.0.6000 ServicePack: 0.0
2011/03/20 10:54:50.0388 1132 Product type: Workstation
2011/03/20 10:54:50.0388 1132 ComputerName: MARTINE-PC
2011/03/20 10:54:50.0388 1132 UserName: martine
2011/03/20 10:54:50.0388 1132 Windows directory: C:\Windows
2011/03/20 10:54:50.0388 1132 System windows directory: C:\Windows
2011/03/20 10:54:50.0388 1132 Processor architecture: Intel x86
2011/03/20 10:54:50.0388 1132 Number of processors: 2
2011/03/20 10:54:50.0388 1132 Page size: 0x1000
2011/03/20 10:54:50.0388 1132 Boot type: Normal boot
2011/03/20 10:54:50.0388 1132 ================================================================================
2011/03/20 10:54:56.0128 1132 Initialize success
2011/03/20 10:55:02.0665 3744 ================================================================================
2011/03/20 10:55:02.0665 3744 Scan started
2011/03/20 10:55:02.0665 3744 Mode: Manual;
2011/03/20 10:55:02.0665 3744 ================================================================================
2011/03/20 10:55:03.0866 3744 ACPI (84fc6df81212d16be5c4f441682feccc) C:\Windows\system32\drivers\acpi.sys
2011/03/20 10:55:03.0944 3744 adfs (6d7f09cd92a9fef3a8efce66231fdd79) C:\Windows\system32\drivers\adfs.sys
2011/03/20 10:55:04.0038 3744 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
2011/03/20 10:55:04.0131 3744 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
2011/03/20 10:55:04.0272 3744 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
2011/03/20 10:55:04.0381 3744 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
2011/03/20 10:55:04.0521 3744 AF15BDA (6e1cc5aa9817cd13fbceb35dac0a77f7) C:\Windows\system32\DRIVERS\AF15BDA.sys
2011/03/20 10:55:04.0615 3744 AFD (5d24caf8efd924a875698ff28384db8b) C:\Windows\system32\drivers\afd.sys
2011/03/20 10:55:04.0755 3744 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
2011/03/20 10:55:04.0802 3744 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/03/20 10:55:04.0864 3744 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
2011/03/20 10:55:04.0942 3744 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
2011/03/20 10:55:04.0989 3744 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
2011/03/20 10:55:05.0083 3744 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
2011/03/20 10:55:05.0130 3744 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\DRIVERS\amdk8.sys
2011/03/20 10:55:05.0239 3744 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
2011/03/20 10:55:05.0270 3744 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
2011/03/20 10:55:05.0379 3744 AsyncMac (e86cf7ce67d5de898f27ef884dc357d8) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/03/20 10:55:05.0442 3744 atapi (b35cfcef838382ab6490b321c87edf17) C:\Windows\system32\drivers\atapi.sys
2011/03/20 10:55:05.0551 3744 b57nd60x (8e287eb3a52fd30c999482c576f4a61b) C:\Windows\system32\DRIVERS\b57nd60x.sys
2011/03/20 10:55:05.0629 3744 BCM43XV (cf6a67c90951e3e763d2135dede44b85) C:\Windows\system32\DRIVERS\bcmwl6.sys
2011/03/20 10:55:05.0769 3744 Beep (ac3dd1708b22761ebd7cbe14dcc3b5d7) C:\Windows\system32\drivers\Beep.sys
2011/03/20 10:55:05.0925 3744 bowser (913cd06fbe9105ce6077e90fd4418561) C:\Windows\system32\DRIVERS\bowser.sys
2011/03/20 10:55:05.0972 3744 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/03/20 10:55:06.0003 3744 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/03/20 10:55:06.0050 3744 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/03/20 10:55:06.0097 3744 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/03/20 10:55:06.0159 3744 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/03/20 10:55:06.0206 3744 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/03/20 10:55:06.0300 3744 BthEnum (a820438255f37ab8baa2bd59753a8d81) C:\Windows\system32\DRIVERS\BthEnum.sys
2011/03/20 10:55:06.0393 3744 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/03/20 10:55:06.0456 3744 BthPan (b8c3d9ddf85fd197c3e5f849fef71144) C:\Windows\system32\DRIVERS\bthpan.sys
2011/03/20 10:55:06.0565 3744 BTHPORT (4a74bbb2b6761789f42a6613479bdb1d) C:\Windows\system32\Drivers\BTHport.sys
2011/03/20 10:55:06.0643 3744 BTHUSB (1a407f9b707a06f55aa150f9aa072b09) C:\Windows\system32\Drivers\BTHUSB.sys
2011/03/20 10:55:06.0768 3744 cdfs (6c3a437fc873c6f6a4fc620b6888cb86) C:\Windows\system32\DRIVERS\cdfs.sys
2011/03/20 10:55:06.0892 3744 cdrom (8d1866e61af096ae8b582454f5e4d303) C:\Windows\system32\DRIVERS\cdrom.sys
2011/03/20 10:55:07.0033 3744 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
2011/03/20 10:55:07.0095 3744 CLFS (1b84fd0937d3b99af9ba38ddff3daf54) C:\Windows\system32\CLFS.sys
2011/03/20 10:55:07.0204 3744 CmBatt (ed97ad3df1b9005989eaf149bf06c821) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/03/20 10:55:07.0267 3744 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
2011/03/20 10:55:07.0360 3744 CnxtHdAudService (b6e7991e3d6146c04c85cd31af22a381) C:\Windows\system32\drivers\CHDRT32.sys
2011/03/20 10:55:07.0516 3744 Compbatt (722936afb75a7f509662b69b5632f48a) C:\Windows\system32\DRIVERS\compbatt.sys
2011/03/20 10:55:07.0594 3744 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
2011/03/20 10:55:07.0657 3744 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
2011/03/20 10:55:07.0813 3744 DfsC (a7179de59ae269ab70345527894ccd7c) C:\Windows\system32\Drivers\dfsc.sys
2011/03/20 10:55:07.0984 3744 disk (841af4c4d41d3e3b2f244e976b0f7963) C:\Windows\system32\drivers\disk.sys
2011/03/20 10:55:08.0062 3744 dk2drv (55a9360122ce675e9785a41fca0f0547) C:\Windows\SYSTEM32\Drivers\dk2drv.sys
2011/03/20 10:55:08.0156 3744 drmkaud (ee472cd2c01f6f8e8aa1fa06ffef61b6) C:\Windows\system32\drivers\drmkaud.sys
2011/03/20 10:55:08.0234 3744 DXGKrnl (334988883de69adb27e2cf9f9715bbdb) C:\Windows\System32\drivers\dxgkrnl.sys
2011/03/20 10:55:08.0374 3744 E100B (5c940a174dfb2c42b9f6ba6edc2baa0b) C:\Windows\system32\DRIVERS\e100b325.sys
2011/03/20 10:55:08.0452 3744 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/03/20 10:55:08.0546 3744 Ecache (0efc7531b936ee57fdb4e837664c509f) C:\Windows\system32\drivers\ecache.sys
2011/03/20 10:55:08.0671 3744 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2011/03/20 10:55:08.0827 3744 fastfat (84a317cb0b3954d3768cdcd018dbf670) C:\Windows\system32\drivers\fastfat.sys
2011/03/20 10:55:08.0889 3744 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
2011/03/20 10:55:08.0983 3744 FileInfo (65773d6115c037ffd7ef8280ae85eb9d) C:\Windows\system32\drivers\fileinfo.sys
2011/03/20 10:55:09.0076 3744 Filetrace (c226dd0de060745f3e042f58dcf78402) C:\Windows\system32\drivers\filetrace.sys
2011/03/20 10:55:09.0154 3744 FLE5WNNT (ea7ed2075d7eed73dd5658835b61c558) C:\Windows\System32\Drivers\fle5wnnt.sys
2011/03/20 10:55:09.0248 3744 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/03/20 10:55:09.0357 3744 FLSIFACE (ebacbf7f420bbaa0cfd98bfc02a0ec40) C:\Windows\System32\Drivers\flsiface.sys
2011/03/20 10:55:09.0420 3744 FLSPAR (f85ec1ad593b1f889cf664d68da27274) C:\Windows\System32\Drivers\flspar.sys
2011/03/20 10:55:09.0591 3744 FLSSER (84bf89b463893461c664880463e3eede) C:\Windows\System32\Drivers\flsser.sys
2011/03/20 10:55:09.0654 3744 FLSVCOM (ac6c7936569d9e08c27ca9e622eae367) C:\Windows\System32\Drivers\flsvcom.sys
2011/03/20 10:55:09.0716 3744 FltMgr (a6a8da7ae4d53394ab22ac3ab6d3f5d3) C:\Windows\system32\drivers\fltmgr.sys
2011/03/20 10:55:09.0778 3744 Fs_Rec (66a078591208baa210c7634b11eb392c) C:\Windows\system32\drivers\Fs_Rec.sys
2011/03/20 10:55:09.0841 3744 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2011/03/20 10:55:09.0950 3744 HBtnKey (de15777902a5d9121857d155873a1d1b) C:\Windows\system32\DRIVERS\cpqbttn.sys
2011/03/20 10:55:10.0028 3744 HdAudAddService (07eee11d6e2b78122e17db3878b4c687) C:\Windows\system32\drivers\CHDART.sys
2011/03/20 10:55:10.0106 3744 HDAudBus (0db613a7e427b5663563677796fd5258) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/03/20 10:55:10.0215 3744 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/03/20 10:55:10.0278 3744 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/03/20 10:55:10.0324 3744 HidUsb (01e7971e9f4bd6ac6a08db52d0ea0418) C:\Windows\system32\DRIVERS\hidusb.sys
2011/03/20 10:55:10.0402 3744 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2011/03/20 10:55:10.0449 3744 HpqKbFiltr (cfb73efdf77d7d18242b9b12cdc72a8f) C:\Windows\system32\DRIVERS\HpqKbFiltr.sys
2011/03/20 10:55:10.0512 3744 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
2011/03/20 10:55:10.0636 3744 HSF_DPV (0d7a055a840c3099c37d576573a42cd5) C:\Windows\system32\DRIVERS\HSX_DPV.sys
2011/03/20 10:55:10.0808 3744 HSXHWAZL (bcc074692882c056b0e1ac97f3331a02) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
2011/03/20 10:55:10.0902 3744 HTTP (3c3cba3ce1a66439a960d4531a167c39) C:\Windows\system32\drivers\HTTP.sys
2011/03/20 10:55:11.0011 3744 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2011/03/20 10:55:11.0104 3744 i8042prt (1c9ee072baa3abb460b91d7ee9152660) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/03/20 10:55:11.0276 3744 ialm (bbace0293b73bf8c7cb591f2d06f26fa) C:\Windows\system32\DRIVERS\igdkmd32.sys
2011/03/20 10:55:11.0432 3744 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2011/03/20 10:55:11.0588 3744 igfx (bbace0293b73bf8c7cb591f2d06f26fa) C:\Windows\system32\DRIVERS\igdkmd32.sys
2011/03/20 10:55:11.0666 3744 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/03/20 10:55:11.0744 3744 intelide (97469037714070e45194ed318d636401) C:\Windows\system32\drivers\intelide.sys
2011/03/20 10:55:11.0838 3744 intelppm (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys
2011/03/20 10:55:11.0931 3744 IpFilterDriver (880c6f86cc3f551b8fea2c11141268c0) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/03/20 10:55:12.0056 3744 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2011/03/20 10:55:12.0118 3744 IPNAT (10077c35845101548037df04fd1a420b) C:\Windows\system32\DRIVERS\ipnat.sys
2011/03/20 10:55:12.0181 3744 IRENUM (a82f328f4792304184642d6d397bb1e3) C:\Windows\system32\drivers\irenum.sys
2011/03/20 10:55:12.0259 3744 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
2011/03/20 10:55:12.0368 3744 iScsiPrt (4dca456d4d5723f8fa9c6760d240b0df) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/03/20 10:55:12.0399 3744 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/03/20 10:55:12.0462 3744 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/03/20 10:55:12.0571 3744 kbdclass (b076b2ab806b3f696dab21375389101c) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/03/20 10:55:12.0664 3744 kbdhid (ed61dbc6603f612b7338283edbacbc4b) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/03/20 10:55:12.0758 3744 KSecDD (0a829977b078dea11641fc2af87ceade) C:\Windows\system32\Drivers\ksecdd.sys
2011/03/20 10:55:12.0961 3744 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\Windows\system32\DRIVERS\Lbd.sys
2011/03/20 10:55:13.0054 3744 lltdio (fd015b4f95daa2b712f0e372a116fbad) C:\Windows\system32\DRIVERS\lltdio.sys
2011/03/20 10:55:13.0148 3744 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2011/03/20 10:55:13.0210 3744 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2011/03/20 10:55:13.0257 3744 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2011/03/20 10:55:13.0351 3744 luafv (42885bb44b6e065b8575a8dd6c430c52) C:\Windows\system32\drivers\luafv.sys
2011/03/20 10:55:13.0507 3744 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
2011/03/20 10:55:13.0569 3744 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2011/03/20 10:55:13.0694 3744 Modem (21755967298a46fb6adfec9db6012211) C:\Windows\system32\drivers\modem.sys
2011/03/20 10:55:13.0772 3744 monitor (7446e104a5fe5987ca9e4983fbac4f97) C:\Windows\system32\DRIVERS\monitor.sys
2011/03/20 10:55:13.0834 3744 mouclass (5fba13c1a1841b0885d316ed3589489d) C:\Windows\system32\DRIVERS\mouclass.sys
2011/03/20 10:55:13.0881 3744 mouhid (a3a6dff7e9e757db3df51a833bc28885) C:\Windows\system32\drivers\mouhid.sys
2011/03/20 10:55:13.0912 3744 MountMgr (01f1e5a3e4877c931cbb31613fec16a6) C:\Windows\system32\drivers\mountmgr.sys
2011/03/20 10:55:14.0022 3744 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2011/03/20 10:55:14.0100 3744 mpsdrv (6e7a7f0c1193ee5648443fe2d4b789ec) C:\Windows\system32\drivers\mpsdrv.sys
2011/03/20 10:55:14.0146 3744 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/03/20 10:55:14.0209 3744 MRxDAV (1d8828b98ee309d65e006f0829e280e5) C:\Windows\system32\drivers\mrxdav.sys
2011/03/20 10:55:14.0287 3744 mrxsmb (8af705ce1bb907932157fab821170f27) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/03/20 10:55:14.0365 3744 mrxsmb10 (47e13ab23371be3279eef22bbfa2c1be) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/03/20 10:55:14.0427 3744 mrxsmb20 (90b3fc7bd6b3d7ee7635debba2187f66) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/03/20 10:55:14.0505 3744 msahci (b2efb263600314babcf9dadb1cbba994) C:\Windows\system32\drivers\msahci.sys
2011/03/20 10:55:14.0583 3744 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2011/03/20 10:55:14.0708 3744 Msfs (729eafefd4e7417165f353a18dbe947d) C:\Windows\system32\drivers\Msfs.sys
2011/03/20 10:55:14.0802 3744 msisadrv (2c3f1983cd3629573cb9e9658247847a) C:\Windows\system32\drivers\msisadrv.sys
2011/03/20 10:55:14.0880 3744 MSKSSRV (892cedefa7e0ffe7be8da651b651d047) C:\Windows\system32\drivers\MSKSSRV.sys
2011/03/20 10:55:14.0958 3744 MSPCLOCK (ae2cb1da69b2676b4cee2a501af5871c) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/03/20 10:55:15.0036 3744 MSPQM (f910da84fa90c44a3addb7cd874463fd) C:\Windows\system32\drivers\MSPQM.sys
2011/03/20 10:55:15.0114 3744 MsRPC (84571c0ae07647ba38d493f5f0015df7) C:\Windows\system32\drivers\MsRPC.sys
2011/03/20 10:55:15.0192 3744 mssmbios (1f6f7159c75e4b27d138b5225808860f) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/03/20 10:55:15.0316 3744 MSTEE (c826dd1373f38afd9ca46ec3c436a14e) C:\Windows\system32\drivers\MSTEE.sys
2011/03/20 10:55:15.0379 3744 Mup (fa7aa70050cf5e2d15de00941e5665e5) C:\Windows\system32\Drivers\mup.sys
2011/03/20 10:55:15.0472 3744 NativeWifiP (6da4a0fc7c0e83df0cb3cfd0a514c3bc) C:\Windows\system32\DRIVERS\nwifi.sys
2011/03/20 10:55:15.0550 3744 NDIS (227c11e1e7cf6ef8afb2a238d209760c) C:\Windows\system32\drivers\ndis.sys
2011/03/20 10:55:15.0691 3744 NdisTapi (81659cdcbd0f9a9e07e6878ad8c78d3f) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/03/20 10:55:15.0769 3744 Ndisuio (5de5ee546bf40838ebe0e01cb629df64) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/03/20 10:55:15.0831 3744 NdisWan (397402adcbb8946223a1950101f6cd94) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/03/20 10:55:15.0894 3744 NDProxy (1b24fa907af283199a81b3bb37e5e526) C:\Windows\system32\drivers\NDProxy.sys
2011/03/20 10:55:15.0956 3744 NetBIOS (356dbb9f98e8dc1028dd3092fceeb877) C:\Windows\system32\DRIVERS\netbios.sys
2011/03/20 10:55:16.0050 3744 netbt (e3a168912e7eefc3bd3b814720d68b41) C:\Windows\system32\DRIVERS\netbt.sys
2011/03/20 10:55:16.0268 3744 NETw4v32 (25acccfc33dd448b9d3037c5e439e830) C:\Windows\system32\DRIVERS\NETw4v32.sys
2011/03/20 10:55:16.0393 3744 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/03/20 10:55:16.0486 3744 nmwcd (696b37ea78f9d9767a2f18ba0304a51a) C:\Windows\system32\drivers\nmwcd.sys
2011/03/20 10:55:16.0580 3744 nmwcdc (bbb6010fc01d9239d88fcdf133e03ff0) C:\Windows\system32\drivers\nmwcdc.sys
2011/03/20 10:55:16.0689 3744 nmwcdcj (4c3726467d67483f054c88f058e9c153) C:\Windows\system32\drivers\nmwcdcj.sys
2011/03/20 10:55:16.0736 3744 nmwcdcm (4c3726467d67483f054c88f058e9c153) C:\Windows\system32\drivers\nmwcdcm.sys
2011/03/20 10:55:16.0783 3744 Npfs (4f9832beb9fafd8ceb0e541f1323b26e) C:\Windows\system32\drivers\Npfs.sys
2011/03/20 10:55:16.0845 3744 nsiproxy (b488dfec274de1fc9d653870ef2587be) C:\Windows\system32\drivers\nsiproxy.sys
2011/03/20 10:55:16.0970 3744 Ntfs (37430aa7a66d7a63407adc2c0d05e9f6) C:\Windows\system32\drivers\Ntfs.sys
2011/03/20 10:55:17.0095 3744 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/03/20 10:55:17.0142 3744 Null (ec5efb3c60f1b624648344a328bce596) C:\Windows\system32\drivers\Null.sys
2011/03/20 10:55:17.0251 3744 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
2011/03/20 10:55:17.0298 3744 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
2011/03/20 10:55:17.0344 3744 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
2011/03/20 10:55:17.0500 3744 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/03/20 10:55:17.0610 3744 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\DRIVERS\parport.sys
2011/03/20 10:55:17.0672 3744 partmgr (555a5b2c8022983bc7467bc925b222ee) C:\Windows\system32\drivers\partmgr.sys
2011/03/20 10:55:17.0734 3744 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\DRIVERS\parvdm.sys
2011/03/20 10:55:17.0828 3744 pci (5bedd5e1416da009c4f24adf8da13773) C:\Windows\system32\drivers\pci.sys
2011/03/20 10:55:17.0922 3744 pciide (caba65e9c41cd2900d4c92d4f825c5f8) C:\Windows\system32\DRIVERS\pciide.sys
2011/03/20 10:55:18.0000 3744 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/03/20 10:55:18.0109 3744 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/03/20 10:55:18.0296 3744 pgfilter (2cf226173b467ab48f89d77e89936951) C:\Program Files\PeerGuardian2\pgfilter.sys
2011/03/20 10:55:18.0468 3744 PptpMiniport (c04dec5ace67c5247b150c4223970bb7) C:\Windows\system32\DRIVERS\raspptp.sys
2011/03/20 10:55:18.0530 3744 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2011/03/20 10:55:18.0624 3744 PSched (2c8bae55247c4e09352e870292e4d1ab) C:\Windows\system32\DRIVERS\pacer.sys
2011/03/20 10:55:18.0702 3744 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\Windows\system32\Drivers\PxHelp20.sys
2011/03/20 10:55:18.0858 3744 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2011/03/20 10:55:18.0951 3744 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/03/20 10:55:19.0014 3744 QWAVEdrv (d2b3e2b7426dc23e185fbc73c8936c12) C:\Windows\system32\drivers\qwavedrv.sys
2011/03/20 10:55:19.0170 3744 R300 (e642b131fb74caf4bb8a014f31113142) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/03/20 10:55:19.0326 3744 RasAcd (bd7b30f55b3649506dd8b3d38f571d2a) C:\Windows\system32\DRIVERS\rasacd.sys
2011/03/20 10:55:19.0388 3744 Rasl2tp (68b0019fee429ec49d29017af937e482) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/03/20 10:55:19.0450 3744 RasPppoe (ccf4e9c6cbbac81437f88cb2ae0b6c96) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/03/20 10:55:19.0513 3744 rdbss (54129c5d9581bbec8bd1ebd3ba813f47) C:\Windows\system32\DRIVERS\rdbss.sys
2011/03/20 10:55:19.0560 3744 RDPCDD (794585276b5d7fca9f3fc15543f9f0b9) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/03/20 10:55:19.0700 3744 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
2011/03/20 10:55:19.0747 3744 RDPENCDD (980b56e2e273e19d3a9d72d5c420f008) C:\Windows\system32\drivers\rdpencdd.sys
2011/03/20 10:55:19.0840 3744 RDPWD (8830e790a74a96605faba74f9665bb3c) C:\Windows\system32\drivers\RDPWD.sys
2011/03/20 10:55:19.0950 3744 RFCOMM (7ec90c316177ba3f1bce92005264b447) C:\Windows\system32\DRIVERS\rfcomm.sys
2011/03/20 10:55:20.0059 3744 rspndr (97e939d2128fec5d5a3e6e79b290a2f4) C:\Windows\system32\DRIVERS\rspndr.sys
2011/03/20 10:55:20.0137 3744 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/03/20 10:55:20.0246 3744 sdbus (4339a2585708c7d9b0c0ce5aad3dd6ff) C:\Windows\system32\DRIVERS\sdbus.sys
2011/03/20 10:55:20.0324 3744 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/03/20 10:55:20.0418 3744 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2011/03/20 10:55:20.0496 3744 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2011/03/20 10:55:20.0574 3744 sermouse (450accd77ec5cea720c1cdb9e26b953b) C:\Windows\system32\drivers\sermouse.sys
2011/03/20 10:55:20.0683 3744 sffdisk (51cf56aa8bcc241f134b420b8f850406) C:\Windows\system32\drivers\sffdisk.sys
2011/03/20 10:55:20.0761 3744 sffp_mmc (96ded8b20c734ac41641ce275250e55d) C:\Windows\system32\drivers\sffp_mmc.sys
2011/03/20 10:55:20.0808 3744 sffp_sd (8b08cab1267b2c377883fc9e56981f90) C:\Windows\system32\drivers\sffp_sd.sys
2011/03/20 10:55:20.0901 3744 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/03/20 10:55:20.0995 3744 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
2011/03/20 10:55:21.0198 3744 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2011/03/20 10:55:21.0260 3744 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2011/03/20 10:55:21.0307 3744 Smb (ac0d90738adb51a6fd12ff00874a2162) C:\Windows\system32\DRIVERS\smb.sys
2011/03/20 10:55:21.0400 3744 spldr (426f9b029aa9162ceccf65369457d046) C:\Windows\system32\drivers\spldr.sys
2011/03/20 10:55:21.0525 3744 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\Windows\system32\Drivers\sptd.sys
2011/03/20 10:55:21.0541 3744 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
2011/03/20 10:55:21.0541 3744 sptd - detected Locked file (1)
2011/03/20 10:55:21.0650 3744 srv (038579c35f7cad4a4bbf735dbf83277d) C:\Windows\system32\DRIVERS\srv.sys
2011/03/20 10:55:21.0728 3744 srv2 (6971a757af8cb5e2cbcbb76cc530db6c) C:\Windows\system32\DRIVERS\srv2.sys
2011/03/20 10:55:21.0790 3744 srvnet (9e1a4603b874eebce0298113951abefb) C:\Windows\system32\DRIVERS\srvnet.sys
2011/03/20 10:55:21.0962 3744 swenum (92894dd7fdd62af808b1409b73af9c73) C:\Windows\system32\DRIVERS\swenum.sys
2011/03/20 10:55:22.0087 3744 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/03/20 10:55:22.0118 3744 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/03/20 10:55:22.0180 3744 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/03/20 10:55:22.0227 3744 SynTP (8327106d1c93e9a7b98e63b9fcc24bb7) C:\Windows\system32\DRIVERS\SynTP.sys
2011/03/20 10:55:22.0368 3744 Tcpip (4a82fa8f0df67aa354580c3faaf8bde3) C:\Windows\system32\drivers\tcpip.sys
2011/03/20 10:55:22.0508 3744 Tcpip6 (4a82fa8f0df67aa354580c3faaf8bde3) C:\Windows\system32\DRIVERS\tcpip.sys
2011/03/20 10:55:22.0617 3744 tcpipreg (5ce0c4a7b12d0067dad527d72b68c726) C:\Windows\system32\drivers\tcpipreg.sys
2011/03/20 10:55:22.0664 3744 TDPIPE (964248aef49c31fa6a93201a73ffaf50) C:\Windows\system32\drivers\tdpipe.sys
2011/03/20 10:55:22.0742 3744 TDTCP (7d2c1ae1648a60fce4aa0f7982e419d3) C:\Windows\system32\drivers\tdtcp.sys
2011/03/20 10:55:22.0804 3744 tdx (ab4fde8af4a0270a46a001c08cbce1c2) C:\Windows\system32\DRIVERS\tdx.sys
2011/03/20 10:55:22.0867 3744 TermDD (85908da29af0ab835048107ad2ad07d1) C:\Windows\system32\DRIVERS\termdd.sys
2011/03/20 10:55:22.0960 3744 TPM (6d9ad3534a9cf7e4b86c6eae8bc335f6) C:\Windows\system32\drivers\tpm.sys
2011/03/20 10:55:23.0070 3744 tssecsrv (29f0eca726f0d51f7e048bdb0b372f29) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/03/20 10:55:23.0210 3744 tunmp (65e953bc0084d44498b51f59784d2a82) C:\Windows\system32\DRIVERS\tunmp.sys
2011/03/20 10:55:23.0304 3744 tunnel (4a39bda5e0fd30bdf4884f9d33ae6105) C:\Windows\system32\DRIVERS\tunnel.sys
2011/03/20 10:55:23.0366 3744 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
2011/03/20 10:55:23.0428 3744 udfs (6348da98707ceda8a0dfb05820e17732) C:\Windows\system32\DRIVERS\udfs.sys
2011/03/20 10:55:23.0553 3744 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
2011/03/20 10:55:23.0616 3744 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2011/03/20 10:55:23.0709 3744 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/03/20 10:55:23.0756 3744 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/03/20 10:55:23.0803 3744 umbus (3fb78f1d1dd86d87bececd9dffa24dd9) C:\Windows\system32\DRIVERS\umbus.sys
2011/03/20 10:55:23.0896 3744 upperdev (bb16932a4189e82d6c455042c11849b6) C:\Windows\system32\DRIVERS\usbser_lowerflt.sys
2011/03/20 10:55:24.0006 3744 usbccgp (51480458e6e9863f856ebf35aae801b4) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/03/20 10:55:24.0068 3744 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/03/20 10:55:24.0146 3744 usbehci (11fa3acbf0de0286829c69e01fe705e4) C:\Windows\system32\DRIVERS\usbehci.sys
2011/03/20 10:55:24.0255 3744 usbhub (6a7858a38b5105731e219e7c6a238730) C:\Windows\system32\DRIVERS\usbhub.sys
2011/03/20 10:55:24.0318 3744 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\DRIVERS\usbohci.sys
2011/03/20 10:55:24.0380 3744 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys
2011/03/20 10:55:24.0536 3744 usbser (c0488cc01a1c686b08a3d360c7f50324) C:\Windows\system32\DRIVERS\usbser.sys
2011/03/20 10:55:24.0676 3744 UsbserFilt (e748d50b3b2ec7f40a2ba67fb094cf01) C:\Windows\system32\DRIVERS\usbser_lowerfltj.sys
2011/03/20 10:55:24.0754 3744 USBSTOR (7887ce56934e7f104e98c975f47353c5) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/03/20 10:55:24.0848 3744 usbuhci (4013315fed70a2d293b998cbba4022ee) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/03/20 10:55:24.0942 3744 usb_rndisx (db4721908daa0383ee82ffe430aebae1) C:\Windows\system32\DRIVERS\usb8023x.sys
2011/03/20 10:55:25.0207 3744 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/03/20 10:55:25.0254 3744 VgaSave (17a8f877314e4067f8c8172cc6d9101c) C:\Windows\System32\drivers\vga.sys
2011/03/20 10:55:25.0300 3744 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
2011/03/20 10:55:25.0363 3744 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2011/03/20 10:55:25.0394 3744 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
2011/03/20 10:55:25.0456 3744 volmgr (d9e9490c960624c416fbde080deeb7fe) C:\Windows\system32\drivers\volmgr.sys
2011/03/20 10:55:25.0550 3744 volmgrx (294da8d3f965f6a8db934a83c7b461ff) C:\Windows\system32\drivers\volmgrx.sys
2011/03/20 10:55:25.0644 3744 volsnap (ab3e98894bec5b655e1eaf6ae593b063) C:\Windows\system32\drivers\volsnap.sys
2011/03/20 10:55:25.0659 3744 volsnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/03/20 10:55:25.0722 3744 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2011/03/20 10:55:25.0815 3744 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/03/20 10:55:25.0940 3744 Wanarp (6798c1209a53b5a0ded8d437c45145ff) C:\Windows\system32\DRIVERS\wanarp.sys
2011/03/20 10:55:25.0971 3744 Wanarpv6 (6798c1209a53b5a0ded8d437c45145ff) C:\Windows\system32\DRIVERS\wanarp.sys
2011/03/20 10:55:26.0065 3744 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2011/03/20 10:55:26.0143 3744 Wdf01000 (7b5f66e4a2219c7d9daf9e738480e534) C:\Windows\system32\drivers\Wdf01000.sys
2011/03/20 10:55:26.0377 3744 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\Windows\system32\DRIVERS\wimfltr.sys
2011/03/20 10:55:26.0517 3744 winachsf (3b4522d0e750bac8fe7ae61622a57014) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
2011/03/20 10:55:26.0673 3744 WmiAcpi (17eac0d023a65fa9b02114cc2baacad5) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/03/20 10:55:26.0798 3744 WpdUsb (2d27171b16a577ef14c1273668753485) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/03/20 10:55:26.0876 3744 ws2ifsl (84620aecdcfd2a7a14e6263927d8c0ed) C:\Windows\system32\drivers\ws2ifsl.sys
2011/03/20 10:55:27.0016 3744 WUDFRd (a2aafcc8a204736296d937c7c545b53f) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/03/20 10:55:27.0094 3744 XAudio (88af537264f2b818da15479ceeaf5d7c) C:\Windows\system32\DRIVERS\xaudio.sys
2011/03/20 10:55:27.0188 3744 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/03/20 10:55:27.0282 3744 ================================================================================
2011/03/20 10:55:27.0282 3744 Scan finished
2011/03/20 10:55:27.0282 3744 ================================================================================
2011/03/20 10:55:27.0313 1896 Detected object count: 3
2011/03/20 10:57:41.0281 1896 HKLM\SYSTEM\ControlSet001\services\sptd - will be deleted after reboot
2011/03/20 10:57:41.0328 1896 HKLM\SYSTEM\ControlSet003\services\sptd - will be deleted after reboot
2011/03/20 10:57:41.0344 1896 C:\Windows\system32\Drivers\sptd.sys - will be deleted after reboot
2011/03/20 10:57:41.0344 1896 Locked file(sptd) - User select action: Delete
2011/03/20 10:57:41.0453 1896 volsnap (ab3e98894bec5b655e1eaf6ae593b063) C:\Windows\system32\drivers\volsnap.sys
2011/03/20 10:57:41.0859 1896 Backup copy found, using it..
2011/03/20 10:57:41.0874 1896 C:\Windows\system32\drivers\volsnap.sys - will be cured after reboot
2011/03/20 10:57:41.0874 1896 Rootkit.Win32.TDSS.tdl3(volsnap) - User select action: Cure
2011/03/20 10:57:42.0061 1896 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/03/20 10:57:42.0061 1896 \HardDisk0 - ok
2011/03/20 10:57:42.0155 1896 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/03/20 10:57:48.0395 5560 Deinitialize success

Rkill: installation failed THIS CAME UP 3 TIMES
Then the command prompt box appeared; inside it said:

THE PROCESS CANNOT BE USED AS IT IS BEING USED BY ANOTHER FILE? or something like that

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 20/03/2011 at 11:08:16.
Operating System: Windows Vista ™ Home Basic


Processes terminated by Rkill or while it was running:

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe


Rkill completed on 20/03/2011 at 11:08:54.

#6 MillionsTx

  • Topic Starter

  • Members
  • 18 posts

Posted 20 March 2011 - 06:46 AM

ComboFix 11-03-19.03 - martine 20/03/2011 11:25:51.1.2 - x86
Running from: c:\users\martine\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\null0.8034381608171317.exe
F:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-02-20 to 2011-03-20 )))))))))))))))))))))))))))))))
.
.
2011-03-20 11:38 . 2011-03-20 11:38 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-03-20 11:38 . 2011-03-20 11:38 -------- d-----w- c:\users\Martine_2\AppData\Local\temp
2011-03-20 11:38 . 2011-03-20 11:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-19 15:00 . 2011-03-19 15:00 -------- d-----w- c:\users\martine\AppData\Local\Safe mirror
2011-03-19 15:00 . 2011-03-19 15:00 -------- d-----w- c:\program files\Cobian Backup 10
2011-03-16 23:40 . 2011-03-17 11:41 -------- d-----w- c:\programdata\gAfPdBl06504
2011-03-16 16:15 . 2011-03-16 16:17 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\HTC
2011-03-16 16:06 . 2011-03-16 16:06 -------- d-----w- c:\windows\Profiles
2011-03-15 19:47 . 2011-03-17 11:41 -------- d-----w- c:\users\martine\AppData\Roaming\Ugnaad
2011-03-15 19:47 . 2011-03-16 23:36 -------- d-----w- c:\users\martine\AppData\Roaming\Avhi
2011-03-12 22:35 . 2011-03-14 10:48 -------- d-----w- c:\programdata\fAoEfIm06504
2011-03-11 18:16 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7EFE2B25-5F24-45AA-AEA1-A7C41BEDE2F5}\mpengine.dll
2011-03-08 22:35 . 2011-03-11 18:34 -------- d-----w- c:\programdata\eJhNlNl06504
2011-03-04 21:57 . 2011-03-08 22:16 -------- d-----w- c:\programdata\gOnLpPa09000
2011-03-04 19:54 . 2011-03-04 19:54 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-03-04 19:45 . 2011-03-04 19:45 -------- d-----w- c:\users\martine\AppData\Roaming\Malwarebytes
2011-03-04 19:45 . 2011-03-04 19:45 -------- d-----w- c:\programdata\Malwarebytes
2011-03-04 19:45 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-04 19:45 . 2011-03-04 19:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-04 19:45 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-03 00:00 . 2011-03-04 19:53 -------- d-----w- c:\programdata\oMjBcCi06504
2011-02-18 23:12 . 2011-02-26 22:54 -------- d-----w- c:\programdata\gMdObLo06504
2011-02-18 19:23 . 2010-02-12 10:49 293376 ----a-w- c:\windows\system32\browserchoice.exe
2011-02-18 19:10 . 2010-02-18 14:54 3502480 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-02-18 19:10 . 2010-02-18 14:54 3468168 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-02-18 19:10 . 2009-11-03 13:01 24064 ----a-w- c:\windows\system32\nshhttp.dll
2011-02-18 19:10 . 2009-11-03 12:57 31232 ----a-w- c:\windows\system32\httpapi.dll
2011-02-18 19:10 . 2009-11-03 10:37 396800 ----a-w- c:\windows\system32\drivers\http.sys
2011-02-18 19:09 . 2009-09-10 17:38 216576 ----a-w- c:\windows\system32\msv1_0.dll
2011-02-18 19:09 . 2009-08-24 12:47 378368 ----a-w- c:\windows\system32\winhttp.dll
2011-02-18 19:09 . 2010-01-23 08:05 2048 ----a-w- c:\windows\system32\tzres.dll
2011-02-18 19:08 . 2010-02-23 13:14 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-18 19:08 . 2010-02-23 13:14 58368 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-18 19:08 . 2010-02-23 13:14 102400 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-18 19:08 . 2009-12-23 12:45 171520 ----a-w- c:\windows\system32\wintrust.dll
2011-02-18 19:08 . 2010-01-21 16:02 62464 ----a-w- c:\windows\system32\l3codeca.acm
2011-02-18 19:08 . 2010-01-21 16:02 220672 ----a-w- c:\windows\system32\l3codecp.acm
2011-02-18 19:06 . 2009-09-10 15:29 1418240 ----a-w- c:\program files\Windows Media Player\setup_wm.exe
2011-02-18 19:06 . 2009-09-10 15:29 311296 ----a-w- c:\windows\system32\unregmp2.exe
2011-02-18 19:06 . 2009-09-10 17:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2011-02-18 19:06 . 2009-09-10 15:29 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2011-02-18 19:06 . 2009-09-10 17:40 4096 ----a-w- c:\windows\system32\msdxm.ocx
2011-02-18 19:06 . 2009-09-10 17:40 4096 ----a-w- c:\windows\system32\dxmasf.dll
2011-02-18 19:06 . 2009-09-10 15:29 107520 ----a-w- c:\program files\Windows Media Player\wmpconfig.exe
2011-02-18 19:06 . 2009-09-10 15:29 107520 ----a-w- c:\program files\Windows Media Player\wmpshare.exe
2011-02-18 19:06 . 2009-09-10 15:29 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2011-02-18 19:04 . 2009-09-04 12:38 60928 ----a-w- c:\windows\system32\msasn1.dll
2011-02-18 19:04 . 2009-10-23 17:54 713728 ----a-w- c:\windows\system32\timedate.cpl
2011-02-18 19:04 . 2009-10-07 12:47 232960 ----a-w- c:\windows\system32\rastls.dll
2011-02-18 19:04 . 2009-10-07 12:47 274432 ----a-w- c:\windows\system32\raschap.dll
2011-02-18 19:02 . 2009-12-28 12:35 1327616 ----a-w- c:\windows\system32\quartz.dll
2011-02-18 19:02 . 2009-12-28 12:34 31232 ----a-w- c:\windows\system32\msvidc32.dll
2011-02-18 19:02 . 2009-12-28 12:34 22528 ----a-w- c:\windows\system32\msyuv.dll
2011-02-18 19:02 . 2009-12-28 12:34 13312 ----a-w- c:\windows\system32\msrle32.dll
2011-02-18 19:02 . 2009-12-28 12:36 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2011-02-18 19:02 . 2009-12-28 12:32 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2011-02-18 19:02 . 2009-12-28 12:33 82944 ----a-w- c:\windows\system32\mciavi32.dll
2011-02-18 19:02 . 2009-12-28 12:30 88576 ----a-w- c:\windows\system32\avifil32.dll
2011-02-18 19:02 . 2009-12-28 12:34 123904 ----a-w- c:\windows\system32\msvfw32.dll
2011-02-18 19:02 . 2009-12-28 12:30 65024 ----a-w- c:\windows\system32\avicap32.dll
2011-02-18 19:02 . 2009-08-10 13:08 321536 ----a-w- c:\windows\system32\WSDApi.dll
2011-02-18 18:54 . 2009-04-02 11:50 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-20 11:00 . 2008-05-30 02:12 211000 ----a-w- c:\windows\system32\drivers\volsnap.sys
2011-02-02 17:11 . 2009-10-12 12:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-31 08:40 . 2011-01-31 08:40 20480 ----a-w- c:\windows\system32\cliconfg.728
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-02-06 1232896]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe" [2008-08-13 405504]
"Center Agent"="c:\program files\PEAK Multimedia\HyperMediaCenter 3.5\DTVR\Scheduled.exe" [2008-04-14 1519616]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2010-04-06 4608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-12 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-12 129560]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-06-05 71176]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-12 149280]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2010-08-18 249856]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2007-05-23 192512]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"FLSDeviceControlPanel"="c:\windows\system32\FLSDEVCP.EXE" [2010-03-11 91696]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]
.
c:\users\martine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
71EFB8.lnk - c:\windows\System32\2A43F1\71EFB8.EXE [N/A]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
Remote Control.lnk - c:\program files\PEAK Multimedia\DVB-T Utilities\AFRCtl.exe [2009-10-24 81920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2008-1-14 192512]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-04 135664]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-07-03 1352832]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
R3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [2008-05-21 64000]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-03 64288]
S1 dk2drv;DK2 WindowsNT Driver;c:\windows\SYSTEM32\Drivers\dk2drv.sys [2010-03-11 49720]
S2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [2010-09-23 67584]
S2 FLE5WNNT;FLE-5 WindowsNT Driver;c:\windows\System32\Drivers\fle5wnnt.sys [2010-03-11 33404]
S2 FLSIFACE;FLSIFACE;c:\windows\System32\Drivers\flsiface.sys [2010-03-11 13440]
S2 FLSPAR;FLSPAR;c:\windows\System32\Drivers\flspar.sys [2010-03-11 16314]
S2 FLSSER;FLSSER;c:\windows\System32\Drivers\flsser.sys [2010-03-11 8344]
S2 FLSVCOM;FLSVCOM;c:\windows\System32\Drivers\flsvcom.sys [2010-03-11 34080]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - KLMDB
*Deregistered* - klmdb
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-04 17:21]
.
2011-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-04 17:21]
.
2011-03-20 c:\windows\Tasks\User_Feed_Synchronization-{17AB9983-311B-4798-A912-6F35B55FA9FE}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.atcomet.com/b/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=smb&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\martine\AppData\Roaming\Mozilla\Firefox\Profiles\w3zy6qtl.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitComet Video Downloader: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB} - %profile%\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-rjwGgQaLHJ.exe - c:\programdata\rjwGgQaLHJ.exe
HKLM-Run-hpWirelessAssistant - %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
HKLM-Run-WAWifiMessage - %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
HKLM-Run-QlbCtrl - %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
SafeBoot-klmdb.sys
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-20 11:39
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-03-20 11:43:26
ComboFix-quarantined-files.txt 2011-03-20 11:43
.
Pre-Run: 10,954,911,744 bytes free
Post-Run: 10,879,258,624 bytes free
.
- - End Of File - - 919D01B76D8905867493B5E8B97C57A2



My computer is running a lot better now. I'm going to restart it and see if the installer dialogue still appears; I may also run Secunia to scan for vulnerabilities.

Thanks for your help again mate

#7 MillionsTx (Topic Starter, Members, 18 posts)

Posted 20 March 2011 - 07:04 AM

Just restarted the laptop and it's booted up a lot quicker. I'm still faced with the SQL Server Desktop Engine installer though, and UAC appears asking for permission to run Java. I clicked on the details box and this is the file location:


"c:\programfiles\java\jre6\bin\jucheck.exe" auto

Also, the Java icon in the system bar keeps popping up saying an update is available; shall I do it?

AND

Windows startup is blocking Malwarebytes from starting up; how can I alleviate this problem?

Thanks

#8 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 20 March 2011 - 01:14 PM

Hello,

Please make no changes to your system without my prior consent. Doing this could bring us right back where we started.
The next time Windows starts up, let the installer run; SQL is a service you need. Also, please let Java go ahead and update. Please do these 2 things before performing any of the steps below.


1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\System32\2A43F1\71EFB8.EXE

Folder::
c:\programdata\gAfPdBl06504
c:\users\martine\AppData\Roaming\Ugnaad
c:\users\martine\AppData\Roaming\Avhi
c:\programdata\fAoEfIm06504
c:\programdata\eJhNlNl06504
c:\programdata\gOnLpPa09000
c:\programdata\oMjBcCi06504
c:\programdata\gMdObLo06504

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


2.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

3.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [button image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [button image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [installer icon image] icon on your desktop.
  • Check [checkbox image]
  • Click the [button image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [checkbox image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [button image]
  • Push [button image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [button image] button.
  • Push [button image]

Things to include in your next reply::
Combofix.txt
MBAM log
Eset log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!
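As an added, defender-side illustration of the triage behind the CFScript in the post above (this is example code written for this page, not ComboFix's, Malwarebytes' or the helper's own tooling): the script below reads a constructed excerpt of the ComboFix log posted earlier in this thread and applies three heuristics that are assumptions drawn from that log rather than rules ComboFix itself applies: newly created c:\programdata folders whose names are seven letters followed by five digits (the pattern shared by the six folders the helper listed for removal), Startup shortcuts whose target ComboFix could not size ([N/A]), and the Security Center AntiVirusOverride value set to 1. It then prints the matches in the File::/Folder::/Registry:: layout the CFScript uses.

```python
"""Triage a ComboFix log excerpt and emit matches in CFScript layout.

Added example for this thread; not ComboFix's, Malwarebytes' or the helper's
own code. The three heuristics are assumptions drawn from the log posted
above, not rules ComboFix itself applies.
"""
import re
from typing import Dict, List

# Constructed sample: a handful of lines copied from the ComboFix log in this
# thread, with one benign entry of each kind so the filters have something
# to leave alone.
SAMPLE_LOG = r"""
2011-03-19 15:00 . 2011-03-19 15:00 -------- d-----w- c:\program files\Cobian Backup 10
2011-03-16 23:40 . 2011-03-17 11:41 -------- d-----w- c:\programdata\gAfPdBl06504
2011-03-15 19:47 . 2011-03-17 11:41 -------- d-----w- c:\users\martine\AppData\Roaming\Ugnaad
2011-03-04 19:45 . 2011-03-04 19:45 -------- d-----w- c:\programdata\Malwarebytes
2011-03-12 22:35 . 2011-03-14 10:48 -------- d-----w- c:\programdata\fAoEfIm06504
c:\users\martine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
71EFB8.lnk - c:\windows\System32\2A43F1\71EFB8.EXE [N/A]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"""

# "Files Created" directory line: two timestamps, attribute block, then the path.
DIR_CREATED = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} -------- d-----w- (?P<path>.+)$"
)
# Heuristic 1 (assumption): c:\programdata\<7 letters><5 digits>, the naming
# pattern shared by the six folders the helper listed under Folder::.
RANDOM_PROGRAMDATA = re.compile(r"^c:\\programdata\\[A-Za-z]{7}\d{5}$", re.IGNORECASE)
# Startup-folder shortcut line: "<name>.lnk - <target> [<date size> or N/A]".
STARTUP_LNK = re.compile(r"^(?P<lnk>.+\.lnk) - (?P<target>.+) \[(?P<info>[^\]]*)\]$")
# Registry section: a bracketed key followed by its values.
REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# Heuristic 3 (assumption): AntiVirusOverride=1 suppresses the Security
# Center's "no antivirus" alerts, so the machine stops complaining.
AV_OVERRIDE_ON = re.compile(r'^"AntiVirusOverride"=dword:0*1$')


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return {'files': [...], 'folders': [...], 'registry': [...]} of flagged entries."""
    findings: Dict[str, List[str]] = {"files": [], "folders": [], "registry": []}
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DIR_CREATED.match(line)
        if m:
            if RANDOM_PROGRAMDATA.match(m.group("path")):
                findings["folders"].append(m.group("path"))
            continue
        m = STARTUP_LNK.match(line)
        if m:
            # Heuristic 2 (assumption): ComboFix prints [N/A] when it cannot
            # stat the shortcut's target; a Startup entry like that deserves a look.
            if m.group("info") == "N/A":
                findings["files"].append(m.group("target"))
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group("key")
            continue
        if current_key and AV_OVERRIDE_ON.match(line):
            # "=-" is the CFScript syntax for deleting a value, as in the post above.
            findings["registry"].append(f"[{current_key}]\n\"AntiVirusOverride\"=-")
    return findings


def to_cfscript(findings: Dict[str, List[str]]) -> str:
    """Render findings in the File:: / Folder:: / Registry:: layout."""
    sections = [("File::", findings["files"]),
                ("Folder::", findings["folders"]),
                ("Registry::", findings["registry"])]
    blocks = [header + "\n" + "\n".join(items) for header, items in sections if items]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(to_cfscript(triage(SAMPLE_LOG)), end="")
```

Run it and compare the output with the helper's CFScript: the programdata folders, the 71EFB8.EXE entry and the AntiVirusOverride line are reproduced, while the Roaming\Ugnaad and Roaming\Avhi folders are deliberately not flagged, because no simple name pattern separates them from legitimate vendor folders. That part of the list came from the analyst's judgment, which is the usual division of labour between a log parser and a person.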


#9 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 23 March 2011 - 06:32 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 2-3 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it



#10 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 25 March 2011 - 10:47 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.


