Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware resisting removal.


  • This topic is locked This topic is locked
22 replies to this topic

#1 thobth

thobth

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:08 AM

Posted 23 March 2011 - 02:52 AM

This is my first time posting, so I hope I'm not giving too much unimportant info. And sorry for the REALLY long post...

I have an old Toshiba Satellite running Windows XP Media Center Edition Version 2002 with Service Pack 3.

I KNOW this computer is infected with something. First time I noticed something was wrong was a few months ago. It has been a while since I last attempted to boot up the computer, but I'm beginning the process of cleaning it and need assistance.

I currently have Free Avast! 4.8, Malwarebytes, and ZoneAlarm Free Firewall installed and active.

First thing I noticed is that I was unable to download any .exe file from the internet. I was able to run the ones I had on my computer, but could not download any new .exe files.

I also remember at some point having my computer stuck in a repeating loop where it would boot, reach the windows logo with the green progress bar, and then shut off with an internal 'click' sound. I don't remember how it stopped, or if/what I did to stop it, but it no longer does that.

My home page (when I do manage to boot my web browser) is always reset to Ask.com.

And When I would log into my computer, my background would load, but none of my desktop icons or the start bar. Instead a box appeared that seemed to be offering some sort of virus protection called Palladium that I had not installed, and only gave me the option to accept and install or something.

I did not want to click on it, as alarms went off in my head. fortunately I quickly discovered a work-around. I started Windows Task Manager and ended a few tasks that seemed highly suspicious which that I did not recognize, in addition to a process that had a name very similar to "palladium." The box disappeared and I was left with only my background and the Task manager window. I managed to find the "run" command and ran explorer.exe and my system returned to a functional state, restoring the appearance of my start bar and my desktop icons.

There are many process running on my machine that I think are malware, but aren't turning up in the scans...

I just did a scan with Malwarebytes, and the program found +40 infections. During the scan, Avast! would interrupt and periodically say that it had suddenly found something, and prompt moving to it's chest. Malwarebytes managed to quarantine to it's chest folder all but one file. This is what the log said about that file:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows NT\CurrentVersion\Winlogon\shell (Rouge.Palladium) -> Delete on reboot.


When I told the computer to reboot, it sat there doing nothing for a while, so I hit Start>Turn Off Computer>Reboot, it began the shut down process, but when it tried to reboot, something went wrong and it shut it's self off suddenly and went to the Recovery Screen where it gives you the option to select "safe mode" or "last known good configuration". When I tried to continue, something happened and it looped back to the same place. Selecting "last known good configuration" fixed it (temporarily?). I have no idea if the file was removed or not.

Today I tried to schedule a Boot-Time-Scan in Avast!, and it initialized properly, but about 3-5 minutes in, crashed and went to the windows log-in screen. It has repeated the same process the last 3 times I attempted it.

The computer (avast!, I believe) has also been blocking assess attempts to or from various servers when I don't have the ZoneAlarm Internet Lock engaged.

It's working (mostly) now and I have Avast! running a thorough level scan through all files ri- The program just crashed. "Virus scanner has encountered a problem and needs to close."

I'm getting frustrated.

Please advise.

-Thobth
Computer #1: OS: Microsoft Windows 7 Home Premium MFR & Model: Dell Inc. Inspiron 1464 PROC: Intel Core i3 CPU, M 350 @ 2.27GHz, 2 Cores, 4 Logical PROC RAM: 4.00 GB HD: 500GB ATA VC: Intel HD Graphics (Core i3) Network: COMTREND Wireless ADSL2+ Router Browser & Email: Firefox 4.0, Gmail Anti-Virus/Spyware: McAfee Security Center Firewall: McAfee Security Center
Computer #2: OS: Microsoft Windows XP Professional, Media Center Edition 2002, SP3 MFR & Model: Toshiba Sattelite M115 PROC: Intel T2050 @ 1.60GHz (2 CPUs) RAM: 512 MB HD: 75 GB VC: Mobile Intel 945GM Express Chipset Family Network: COMTREND Wireless ADSL2+ Router Browser and Email: Firefox 4.0, Gmail Anti-Virus/Spyware: Avast! Antivirus 4.8, MalwareBytes, SUPERAntiSpyware Firewall: ZoneAlarm Free Firewall

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:08 PM

Posted 23 March 2011 - 08:48 PM

Hello and welcome. Let's do this next and review the logs.

Reboot into Safe Mode with Networking
How to enter safe mode(XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.


>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run Superantisypware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 thobth

thobth
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:08 AM

Posted 24 March 2011 - 10:58 PM

Thank you for the detailed instructions. I will write this response on my other computer as I attempt each process step by step.

1. I rebooted and selected Safe Mode with Networking. Safe mode booted successfully and I logged into my own account.

2. Booted up Firefox. Home page was set to this: [ http://zms [dot] asksearch [dot] com/?cfg=2-393-0-0&engine_id=2&provider_id=2&product_id=393&country= ] As a public announcement to others, please use caution as the link may contain viruses!

3. I found this page, and attempted to download the first file [FixExe.reg]. The download was immediately canceled, which concerned me. When I clicked "Retry", it downloaded instantly with a file size of 335 bytes.

4. In the firefox downloads window, I right clicked and noticed that the option to "Open" and "Open Containing Folder" wre present, but could not be selected...

5. Currently searching for the file [FixExe.reg] I "downloaded" with Search... "Search is complete. There are no results to display." Restarting search looking in system and hidden files and folders... "Search is complete. There are no results to display."

6. Downloading the file on my other computer to a USB drive I will use to attempt to transfer the file to my infected computer. Download successful, downloading all other needed files in advance. All other files, and alternate/backup files downloaded successfully.

7. Connecting USB to infected computer and attempting to run [FixExe.reg]. Selecting "Yes" to add information to the registry. "Information in E:\FixExe.reg has been successfully entered into the registry."

8. As far as I am aware, all my antivirus programs are not running. Attempting to run RKill. Windows command opened and states "Preparing Rkill." "Terminating known malware processes." The window closed, and a text file opened. One process [C:\WINDOWS\system32\grpconv.exe] was terminated by Rkill.

9. Attempting to install SUPERAntiSpyware. Installation completed faster than expected. Updating SUPERAntiSpyware definitions. Completed setup. Selected to protect home page, set home page. A notification that an attempt to change the home page immediately appeared, the web address was the same as the one I posted earlier, denied change. Checked update status. Up to date. Set Scan options, checked those as instructed and un-checked the rest. Began complete scan.

10. Scan completed after +4 hours. Clicked next to begin removal process. About halfway through I noticed the green check marks on the bug symbol turn to red Xes. A window popped up informing me a reboot was needed to complete spyware removal. I clicked yes.

11. System shut down appeared normal. Toshiba loading screen. Black screen. "Windows did not start successfully. A recent hardware or software change might have caused this." Selected "Start Windows Normally."

12. Went to Windows loading screen with a blue progress bar. Bar stopped and screen went black. Toshiba loading screen. "Windows did not start successfully. A recent hardware or software change might have caused this." Selected "Safe Mode."

13. A list of drivers appeared. List stopped. Black screen. Toshiba Loading screen. "Windows did not start successfully. A recent hardware or software change might have caused this." I am holding here awaiting further instruction.

-Thobth
Computer #1: OS: Microsoft Windows 7 Home Premium MFR & Model: Dell Inc. Inspiron 1464 PROC: Intel Core i3 CPU, M 350 @ 2.27GHz, 2 Cores, 4 Logical PROC RAM: 4.00 GB HD: 500GB ATA VC: Intel HD Graphics (Core i3) Network: COMTREND Wireless ADSL2+ Router Browser & Email: Firefox 4.0, Gmail Anti-Virus/Spyware: McAfee Security Center Firewall: McAfee Security Center
Computer #2: OS: Microsoft Windows XP Professional, Media Center Edition 2002, SP3 MFR & Model: Toshiba Sattelite M115 PROC: Intel T2050 @ 1.60GHz (2 CPUs) RAM: 512 MB HD: 75 GB VC: Mobile Intel 945GM Express Chipset Family Network: COMTREND Wireless ADSL2+ Router Browser and Email: Firefox 4.0, Gmail Anti-Virus/Spyware: Avast! Antivirus 4.8, MalwareBytes, SUPERAntiSpyware Firewall: ZoneAlarm Free Firewall

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:08 PM

Posted 24 March 2011 - 11:11 PM

So can you boot to windows in safe or normal mode?
I am unsure if you are in a reboot loop or not.

Edited by boopme, 24 March 2011 - 11:11 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 thobth

thobth
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:08 AM

Posted 25 March 2011 - 12:52 AM

I can not boot my computer using either "Safe Mode" or "Start Windows Normally."

It goes back to the same screen where it lists the boot options of:

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Last Known Good Configuration
Start windows Normally

I have attempted "Safe Mode," "Safe Mode with Networking," "Safe Mode with Command Prompt," and "Start Windows Normally"

I have not yet attempted to select "Last known Good Configuration," but it appears I may have no choice.

EDIT: I selected all the other options again, and it kept looping back to the same spot. I selected "Last known Good Configuration" and the computer screen went black for about a minute and now shows my log in screen.

I am awaiting further instruction.

Edited by thobth, 25 March 2011 - 01:01 AM.

Computer #1: OS: Microsoft Windows 7 Home Premium MFR & Model: Dell Inc. Inspiron 1464 PROC: Intel Core i3 CPU, M 350 @ 2.27GHz, 2 Cores, 4 Logical PROC RAM: 4.00 GB HD: 500GB ATA VC: Intel HD Graphics (Core i3) Network: COMTREND Wireless ADSL2+ Router Browser & Email: Firefox 4.0, Gmail Anti-Virus/Spyware: McAfee Security Center Firewall: McAfee Security Center
Computer #2: OS: Microsoft Windows XP Professional, Media Center Edition 2002, SP3 MFR & Model: Toshiba Sattelite M115 PROC: Intel T2050 @ 1.60GHz (2 CPUs) RAM: 512 MB HD: 75 GB VC: Mobile Intel 945GM Express Chipset Family Network: COMTREND Wireless ADSL2+ Router Browser and Email: Firefox 4.0, Gmail Anti-Virus/Spyware: Avast! Antivirus 4.8, MalwareBytes, SUPERAntiSpyware Firewall: ZoneAlarm Free Firewall

#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:08 PM

Posted 25 March 2011 - 04:44 PM

Hi, :welcome:

Les give it a try.

We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD, in others is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.bin bs=512 count=1


    Leave a space among the following Statements:

    dd is the executable application used to create the backup
    if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
    of=mbr.bin is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
    bs=512 is the number of bytes in the backup
    count=1 says to backup just 1 sector


    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.bin
  • Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin zipped file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.bin zipped file must be attached to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#7 thobth

thobth
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:08 AM

Posted 25 March 2011 - 10:35 PM

Okay, I used a DVD-R instead of a CD, but it looks like that worked out okay.

I will use "--------------------" to separate the files visually.

As for posting the zipped mbr.bin file, I can not find any option to upload a file through bleeping-computer... Please include instructions how to do so, or advise the preferred alternative method of uploading.

-Thobth

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

report.txt

Fri Mar 25 18:43:20 UTC 2011
Driver report for /mnt/sda1/WINDOWS/system32/drivers
0c0004ced8a90d09e6a59bd389ca6799 CSIIDecoder_kern_i386.sys has NO Company Name!
e6d35f3aa51a65eb35c1f2340154a25e ghcpgqyf.sys has NO Company Name!
7147b0575bcc93a6ab7d5c90f47c0b9f tbiosdrv.sys has NO Company Name!
4011a07b10a320e2f227c4572c468184 TSXT_kern_i386.sys has NO Company Name!

c1536905ad2067812a238bce998f4bff 1394bus.sys
Microsoft Corporation

2ccfa74242741ca22a4267cce9b586f4 aavmker4.sys
ALWIL Software

9859c0f6936e723e4892d7141b1327d5 acpiec.sys
Microsoft Corporation

8fd99680a539792a30e97944fdaecf17 acpi.sys
Microsoft Corporation

8bed39e3c35d6a489438b8141717a557 aec.sys
Microsoft Corporation

15e655baa989444f56787ef558823643 AegisP.sys
Meetinghouse Data Communications

7e775010ef291da96ad17ca4b17137d7 afd.sys
Microsoft Corporation

08fd04aa961bdc77fb983f328334e3d7 agp440.sys
Microsoft Corporation

03a7e0922acfe1b07d5db2eeb0773063 agpcpq.sys
Microsoft Corporation

4458fcb8a00da31fdcc086449274c40d AGRSM.sys
Agere Systems

cb08aed0de2dd889a8a820cd8082d83c alim1541.sys
Microsoft Corporation

95b4fb835e28aa1336ceeb07fd5b9398 amdagp.sys
Advanced Micro Devices

d7701d7e72243286cc88c9973d891057 amdk6.sys
Microsoft Corporation

8fce268cdbdd83b23419d1f35f42c7b1 amdk7.sys
Microsoft Corporation

b5b8a80875c1dededa8b02765642c32f arp1394.sys
Microsoft Corporation

d880831279ed91f9a4190a2db9539ea9 asctrm.sys
Windows DDK provider

b4079a98f294a3e262872cb76f4849f0 aswFsBlk.sys
ALWIL Software

dbee7b5ecb50fc2cf9323f52cbf41141 aswmon2.sys
ALWIL Software

f5296ecfcbfe5935253ae6c29e6d086e aswmon.sys
ALWIL Software

8080d683489c99cbace813f6fa4069cc aswRdr.sys
ALWIL Software

2e5a2ad5004b55df39b7606130a88142 aswSP.sys
ALWIL Software

d4c83a37efadfa2c398362e0776e3773 aswTdi.sys
ALWIL Software

b153affac761e7f5fcfa822b9c4e97bc asyncmac.sys
Microsoft Corporation

9f3a2f5aa6875c72bf062c712cfa2674 atapi.sys
Microsoft Corporation

d649c57da6fa762c64013747e5d7d2d6 ati1btxx.sys
ATI Technologies

60b6aa2dc1521da343f781b70eb7895a ati1mdxx.sys
ATI Technologies

6fdc61e8e8e17f6ecc2d9a10fa8df347 ati1pdxx.sys
ATI Technologies

9d318099bf3876a4af4bc75966d27603 ati1raxx.sys
ATI Technologies

bcaf267b10620f8c93f6e87ab726e145 ati1rvxx.sys
ATI Technologies

dac7d785cf62f5bd41441e9d6f5a6efe ati1snxx.sys
ATI Technologies

f7706dae7d101f1b19ce552d772ebfce ati1ttxx.sys
ATI Technologies

6f714b4720dd80ffa9f8d2731594ea4c ati1tuxx.sys
ATI Technologies

67ffbc158dd4d27ba3fc92c6acd87f73 ati1xbxx.sys
ATI Technologies

0d8cab1f08f7d3c4de228b49e12e596a ati1xsxx.sys
ATI Technologies

2d030c2f6b036ca0bc243e1b16d924d1 ati2mtaa.sys
ATI Technologies

8759322ffc1a50569c1e5528ee8026b7 ati2mtag.sys
ATI Technologies

993e7bd6438fe989e328c6b4bca246a9 atinbtxx.sys
ATI Technologies

ed4c2bf8403f4437987c0ba09cf48716 atinmdxx.sys
ATI Technologies

e90ac2b14e98f1a4372e5891b4278784 atinpdxx.sys
ATI Technologies

da36687d701c833430605a298731410b atinraxx.sys
ATI Technologies

a7a01b907db63898d40b0a14248ff9a2 atinrvxx.sys
ATI Technologies

ceddee2e0591894d19654d458fd3b9be atinsnxx.sys
ATI Technologies

d80a8f6c0a717446496c3a06d33b0d9c atinttxx.sys
ATI Technologies

edd66332608d27f4fd5069bcd0bc5164 atintuxx.sys
ATI Technologies

3e7d485cbd0b0d9f6ea2ad9442411831 atinxbxx.sys
ATI Technologies

77b575d7aab35d5908ae6ce681608d62 atinxsxx.sys
ATI Technologies

9916c1225104ba14794209cfa8012159 atmarpc.sys
Microsoft Corporation

39a0a59180f19946374275745b21aeba atmepvc.sys
Microsoft Corporation

ae76348a2605fb197fa8ff1d6f547836 atmlane.sys
Microsoft Corporation

e7ef69b38d17ba01f914ae8f66216a38 atmuni.sys
Microsoft Corporation

97c7beffffa146037acff84a9b5f0da1 atwpkt264.sys
America Online

85f31d62f5480630dc7034cdcfcacf9b atwpkt2.sys
America Online

d9f724aa26c010a217c97606b160ed68 audstub.sys
Microsoft Corporation

0d93976f7801b7fcd8135cc77257bbd0 battc.sys
Microsoft Corporation

da1f27d85e0d1525f6621372e7b685e9 beep.sys
Microsoft Corporation

f934d1b230f84e1d19dd00ac5a7a83ed bridge.sys
Microsoft Corporation

b279426e3c0c344893ed78a613a73bde bthenum.sys
Microsoft Corporation

fca6f069597b62d42495191ace3fc6c1 bthmodem.sys
Microsoft Corporation

80602b8746d3738f5886ce3d67ef06b6 bthpan.sys
Microsoft Corporation

662bfd909447dd9cc15b1a1c366583b4 bthport.sys
Microsoft Corporation

bb68cebffd181e18a26112d1b9f90f3d bthprint.sys
Microsoft Corporation

61364cd71ef63b0f038b7e9df00f1efa bthusb.sys
Microsoft Corporation

90a673fc8e12a79afbed2576f6a7aaf9 cbidf2k.sys
Microsoft Corporation

c1b486a7658353d33a10cc15211a873b cdaudio.sys
Microsoft Corporation

c885b02847f5d2fd45a24e219ed93b32 cdfs.sys
Microsoft Corporation

bf79e659c506674c0497cc9c61f1a165 cdr4_xp.sys
Sonic Solutions

2c41cd49d82d5fd85c72d57b6ca25471 cdralw2k.sys
Sonic Solutions

1f4260cc5b42272d71f79e570a27a4fe cdrom.sys
Microsoft Corporation

b562592b7f5759c99e179ca467ecfb4c cinemst2.sys
Ravisent Technologies

fe47dd8fe6d7768ff94ebec6c74b2719 classpnp.sys
Microsoft Corporation

0f6c187d38d98f8df904589a5f94d411 cmbatt.sys
Microsoft Corporation

6e4c9f21f0fae8940661144f41b13203 compbatt.sys
Microsoft Corporation

9624293e55ad405415862b504ca95b73 cpqdap01.sys
Compaq Computer Corp

f50d9bdbb25cce075e514dc07472a22f crusoe.sys
Microsoft Corporation

0c0004ced8a90d09e6a59bd389ca6799 CSIIDecoder_kern_i386.sys

e65e2353a5d74ea89971cb918eeeb2f6 diskdump.sys
Microsoft Corporation

044452051f3e02e7963599fc8f4f3e25 disk.sys
Microsoft Corporation

d992fe1274bde0f84ad826acae022a41 dmboot.sys
Microsoft Corp

7c824cf7bbde77d95c08005717a95f6f dmio.sys
Microsoft Corp

e9317282a63ca4d188c0df5e09c6ac5f dmload.sys
Microsoft Corp

8a208dfcf89792a484e76c40e5f50b45 dmusic.sys
Microsoft Corporation

8f5fcff8e8848afac920905fbd9d33c8 drmkaud.sys
Microsoft Corporation

6cb08593487f5701d2d2254e693eafce drmk.sys
Microsoft Corporation

fe97d0343acfdebdd578fc67cc91fa87 dxapi.sys
Microsoft Corporation

ac7280566a7bb85cb3291f04ddc1198e dxg.sys
Microsoft Corporation

a73f5d6705b1d820c19b18782e176efd dxgthk.sys
Microsoft Corporation

66029e6c4b19223c24d8710eed3aaeab EMS7SK.sys
?baStringFileInfoBHCompanyNameENETechnologyInc.x(FileDescriptionENEPCIMemoryStickCardReaderDriverRFileVersion..builtby:WinDDKvInternalNameEMSSK.sysv)LegalCopyrightENETechnologyInc.Allrightsreserved.>vOriginalFilenameEMSSK.sysp(ProductNameENEPCIMemoryStickCardReaderDriver@ProductVersion...DVarFileInfo$Translationt

16ebd8bf1d5090923694cc972c7ce1b4 Entech.sys
H`><<VS_VERSION_INFO?aStringFileInfoxbComments<CompanyNameEnTechTaiwan(FileDescription(FileVersion.vInternalNameENTECH.SYSr'LegalCopyrightCopyright©EnTechTaiwan.-(LegalTrademarks>vOriginalFilenameENTECH.SYSPrivateBuildvProductNamePowerStrip.ProductVersion.SpecialBuildDVarFileInfo$TranslationttDHLP

80d1b490b60e74e002dc116ec5d41748 enum1394.sys
Microsoft Corporation

9f0fa60836e1d1148cc0c1b6e67aa6f7 ESD7SK.sys
?baStringFileInfoBHCompanyNameENETechnologyInc.FileDescriptionENEPCISecureDigital/MMCCardReaderDriverRFileVersion..builtby:WinDDKvInternalNameESDSK.sysv)LegalCopyrightENETechnologyInc.Allrightsreserved.>vOriginalFilenameESDSK.sysProductNameENEPCISecureDigital/MMCCardReaderDriver@ProductVersion...DVarFileInfo$Translationt

d9da881be71b74b328471ccf28b5f0a9 ESM7SK.sys
?baStringFileInfoBHCompanyNameENETechnologyInc.~+FileDescriptionENEPCISmartMedia/XDCardReaderDriverRFileVersion..builtby:WinDDKvInternalNameESMSK.sysv)LegalCopyrightENETechnologyInc.Allrightsreserved.>vOriginalFilenameESMSK.sysv+ProductNameENEPCISmartMedia/XDCardReaderDriver@ProductVersion...DVarFileInfo$Translationt

38d332a6d56af32635675f132548343e fastfat.sys
Microsoft Corporation

92cdd60b6730b9f50f6a1a0c1f8cdc81 fdc.sys
Microsoft Corporation

d45926117eb9fa946a6af572fbe1caa3 fips.sys
Microsoft Corporation

9d27e7b80bfcdf1cdd9b555862d5e7f0 flpydisk.sys
Microsoft Corporation

b2cf4b0786f8212cb92ed2b50c6db6b0 fltmgr.sys
Microsoft Corporation

3e1e2bd4f39b0e2b7dc4f4d2bcc2779a fs_rec.sys
Microsoft Corporation

455f778ee14368468560bd7cb8c854d0 fsvga.sys
Microsoft Corporation

6ac26732762483366c3969c9e4d2259d ftdisk.sys
Microsoft Corporation

3a74c423cf6bcca6982715878f450a3b gagp30kx.sys
Microsoft Corporation

8182ff89c65e4d38b2de4bb0fb18564e GEARAspiWDM.sys
GEAR Software

e6d35f3aa51a65eb35c1f2340154a25e ghcpgqyf.sys

573c7d0a32852b48f3058cfd8026f511 hdaudbus.sys
Windows Server DDK provider

2a013e7530beab6e569faa83f517e836 Hdaudio.sys
Windows Server DDK provider

7bd2de4c85eb4241eed57672b16a7d8d hidbth.sys
Microsoft Corporation

1af592532532a402ed7c060f6954004f hidclass.sys
Microsoft Corporation

bb1a6fb7d35a91e599973fa74a619056 hidir.sys
Microsoft Corporation

96eccf28fdbf1b2cc12725818a63628d hidparse.sys
Microsoft Corporation

ccf82c5ec8a7326c3066de870c06daf1 hidusb.sys
Microsoft Corporation

970178e8e003eb1481293830069624b9 hsfbs2s2.sys
Conexant

1225ebea76aac3c84df6c54fe5e5d8be hsfcxts2.sys
Conexant

ebb354438a4c5a3327fb97306260714a hsfdpsp2.sys
Conexant

f80a415ef82cd06ffaf0d971528ead38 http.sys
Microsoft Corporation

4a0b06aa8943c1e332520f7440c0aa30 i8042prt.sys
Microsoft Corporation

0f0194c4b635c10c3f785e4fee52d641 ialmnt5.sys
Intel Corporation

083a052659f5310dd8b6a6cb05edcf8e imapi.sys
Microsoft Corporation

8c953733d8f36eb2133f5bb58808b66b intelppm.sys
Microsoft Corporation

3bb22519a194418d5fec05d800a19ad0 ip6fw.sys
Microsoft Corporation

731f22ba402ee4b62748adaf6363c182 ipfltdrv.sys
Microsoft Corporation

b87ab476dcf76e72010632b5550955f5 ipinip.sys
Microsoft Corporation

cc748ea12c6effde940ee98098bf96bb ipnat.sys
Microsoft Corporation

23c74d75e36e7158768dd63d92789a91 ipsec.sys
Microsoft Corporation

b43b36b382aea10861f7c7a37f9d4ae2 irbus.sys
Microsoft Corporation

c93c9ff7b04d772627a3646d89f7bf89 irenum.sys
Microsoft Corporation

05a299ec56e52649b1cf2fc52d20f2d7 isapnp.sys
Microsoft Corporation

f59c3569a2f2c464bb78cb1bdcdca55e iviaspi.sys
InterVideo

463c1ec80cd17420a542b7f36a36f128 kbdclass.sys
Microsoft Corporation

9ef487a186dea361aa06913a75b3fa99 kbdhid.sys
Microsoft Corporation

692bcf44383d056aed41b045a323d378 kmixer.sys
Microsoft Corporation

b467646c54cc746128904e1654c750c1 ksecdd.sys
Microsoft Corporation

0753515f78df7f271a5e61c20bcd36a1 ks.sys
Microsoft Corporation

c7dd7d9739785bd3a6b8499eec1dee7e mbamswissarmy.sys
Malwarebytes Corporation

67b48a903430c6d4fb58cbaca1866601 mbam.sys
Malwarebytes Corporation

d1f8be91ed4ddb671d42e473e3fe71ab mcd.sys
Microsoft Corporation

195741aee20369980796b557358cd774 mdmxsdk.sys
Conexant

7efac183a25b30fb5d64cc9d484b1eb6 meiudf.sys
HVS_VERSION_INFOa?aStringFileInfobp(CompanyNameMatsubleepaElectricIndustrialCo.,Ltd.fFileDescriptionDVD-RAMUDFFileSystemDriverbFileVersion...LegalCopyright©MatsubleepaElectricIndustrialCo.,Ltd.->vOriginalFilenamemeiudf.sysDVarFileInfo$Translationt|

a7da20ab18a1bdae28b0f349e57da0d1 mf.sys
Microsoft Corporation

7f2f1d2815a6449d346fcccbc569fbd6 mhndrv.sys
Microsoft Corporation

4ae068242760a1fb6e1a44bf4e16afa6 mnmdd.sys
Microsoft Corporation

dfcbad3cec1c5f964962ae10e0bcc8e1 modem.sys
Microsoft Corporation

35c9e97194c8cfb8430125f8dbc34d04 mouclass.sys
Microsoft Corporation

b1c303e17fb9d46e87a98e4ba6769685 mouhid.sys
Microsoft Corporation

a80b9a0bad1b73637dbcbba7df72d3fd mountmgr.sys
Microsoft Corporation

70c14f5cca5cf73f8a645c73a01d8726 mqac.sys
Microsoft Corporation

11d42bb6206f33fbb3ba0288d3ef81bd mrxdav.sys
Microsoft Corporation

f3aefb11abc521122b67095044169e98 mrxsmb.sys
Microsoft Corporation

c941ea2454ba8350021d774daf0f1027 msfs.sys
Microsoft Corporation

0a02c63c8b144bd8c86b103dee7c86a2 msgpc.sys
Microsoft Corporation

d1575e71568f4d9e14ca56b7b0453bf1 mskssrv.sys
Microsoft Corporation

325bb26842fc7ccc1fcce2c457317f3e mspclock.sys
Microsoft Corporation

bad59648ba099da4a17680b39730cb3d mspqm.sys
Microsoft Corporation

af5f4f3f14a8ea2c26de30f7a1e17136 mssmbios.sys
Microsoft Corporation

c53775780148884ac87c455489a0c070 mtlmnt5.sys
Smart Link

54886a652bf5685192141df304e923fd mtlstrm.sys
Smart Link

6dda78a0be692b61b668fab860f276cf mtxparhm.sys
Matrox Graphics

2f625d11385b1a94360bfc70aaefdee1 mup.sys
Microsoft Corporation

b538dcd9816ea35fa4f637cfc261aaa8 mutohpen.sys
Microsoft Corporation

676db15ddf2e0ff6ec03068dea428b8b NBSMI.sys
Toshiba Corporation

1df7f42665c94b825322fae71721130d ndis.sys
Microsoft Corporation

1ab3d00c991ab086e69db84b6c0ed78f ndistapi.sys
Microsoft Corporation

f927a4434c5028758a842943ef1a3849 ndisuio.sys
Microsoft Corporation

edc1531a49c80614b2cfda43ca8659ab ndiswan.sys
Microsoft Corporation

9282bd12dfb069d3889eb3fcc1000a9b ndproxy.sys
Microsoft Corporation

5d81cf9a2f1a3a756b66cf684911cdf0 netbios.sys
Microsoft Corporation

74b2b2f5bea5e9a3dc021d685551bd3d netbt.sys
Microsoft Corporation

1265eb253ed4ebe4acb3bd5f548ff796 Netdevio.sys
Toshiba Corporation

f886500c285af271fdd33bf8ba7b32ef NETw3x32.sys
Intel Corporation

e9e47cfb2d461fa0fc75b7a74c6383ea nic1394.sys
Microsoft Corporation

be984d604d91c217355cdd3737aad25d nikedrv.sys
Diamond Multimedia Systems

1e421a6bcf2203cc61b821ada9de878b nmnt.sys
Microsoft Corporation

3182d64ae053d6fb034f44b6def8034a npfs.sys
Microsoft Corporation

d21fee8db254ba762656878168ac1db6 npf.sys
HuVS_VERSION_INFO?aStringFileInfobCommentsDCompanyNameCACETechnologiesFileDescriptionnpfbFileVersion,,,vInternalNameNPF+TME[LegalCopyrightCopyrightCACETechnologies.Copyright-NetGroup,PolitecnicodiTorino.(LegalTrademarksbOriginalFilenamenpf.sysPrivateBuildl&ProductNameWinPcapNetgroupPacketFilterDriver<bProductVersion,,,SpecialBuildDVarFileInfo$Translation*

78a08dd6a8d65e697c18e1db01c5cdca ntfs.sys
Microsoft Corporation

576b34ceae5b7e5d9fd2775e93b3db53 ntmtlfax.sys
Smart Link

73c1e1f395918bc2c6dd67af7591a3ad null.sys
Microsoft Corporation

2b298519edbfcf451d43e0f1e8f1006d nv4_mini.sys
NVIDIA Corporation

b305f3fad35083837ef46a0bbce2fc57 nwlnkflt.sys
Microsoft Corporation

c99b3415198d1aab7227f2c88fd664b9 nwlnkfwd.sys
Microsoft Corporation

8b8b1be2dba4025da6786c645f77f123 nwlnkipx.sys
Microsoft Corporation

56d34a67c05e94e16377c60609741ff8 nwlnknb.sys
Microsoft Corporation

c0bb7d1615e1acbdc99757f6ceaf8cf0 nwlnkspx.sys
Microsoft Corporation

36b9b950e3d2e100970a48d8bad86740 nwrdr.sys
Microsoft Corporation

ca33832df41afb202ee7aeb05145922f ohci1394.sys
Microsoft Corporation

4bb30ddc53ebc76895e38694580cdfe9 oprghdlr.sys
Microsoft Corporation

c90018bafdc7098619a4a95b046b30f3 p3.sys
Microsoft Corporation

5575faf8f97ce5e713d108c2a58d7c7c parport.sys
Microsoft Corporation

beb3ba25197665d82ec7065b724171c6 partmgr.sys
Microsoft Corporation

70e98b3fd8e963a6a46a2e6247e0bea1 parvdm.sys
Microsoft Corporation

ccf5f451bb1a5a2a522a76e670000ff0 pciide.sys
Microsoft Corporation

52e60f29221d0d1ac16737e8dbf7c3e9 pciidex.sys
Microsoft Corporation

a219903ccf74233761d92bef471a07b1 pci.sys
Microsoft Corporation

9e89ef60e9ee05e3f2eef2da7397f1c1 pcmcia.sys
Microsoft Corporation

444f122e68db44c0589227781f3c8b3f pfc.sys
Padus

dcdf0421a1c14f2923e298a30fd7636d point32.sys
Microsoft Corporation

e82a496c3961efc6828b508c310ce98f portcls.sys
Microsoft Corporation

a32bebaf723557681bfc6bd93e98bd26 processr.sys
Microsoft Corporation

09298ec810b07e5d582cb3a3f9255424 psched.sys
Microsoft Corporation

80d317bd1c3dbc5d4fe7b1678c60cadd ptilink.sys
Parallel Technologies

1962166e0ceb740704f30fa55ad3d509 pxhelp20.sys
Sonic Solutions

fe0d99d6f31e4fad8159f690d68ded9c rasacd.sys
Microsoft Corporation

11b4a627bc9614b885c4969bfa5ff8a6 rasl2tp.sys
Microsoft Corporation

5bc962f2654137c9909c3d4603587dee raspppoe.sys
Microsoft Corporation

efeec01b1d3cf84f16ddd24d9d9d8f99 raspptp.sys
Microsoft Corporation

fdbb1d60066fcfbb7452fd8f9829b242 raspti.sys
Microsoft Corporation

01524cd237223b18adbb48f70083f101 rawwan.sys
Microsoft Corporation

7ad224ad1a1437fe28d89cf22b17780a rdbss.sys
Microsoft Corporation

4912d5b403614ce99c28420f75353332 rdpcdd.sys
Microsoft Corporation

15cabd0f7c00c47c70124907916af3f1 rdpdr.sys
Microsoft Corporation

6728e45b66f93c08f11de2e316fc70dd rdpwd.sys
Microsoft Corporation

e9aaa0092d74a9d371659c4c38882e12 recagent.sys
Smart Link

f828dd7e1419b6653894a8f97a0094c5 redbook.sys
Microsoft Corporation

851c30df2807fcfa21e4c681a7d6440e rfcomm.sys
Microsoft Corporation

a56fe08ec7473e8580a390bb1081cdd7 rio8drv.sys
Diamond Multimedia Systems

0a854df84c77a0be205bfeab2ae4f0ec riodrv.sys
Diamond Multimedia Systems

96f7a9a7bf0c9c0440a967440065d33c rmcast.sys
Microsoft Corporation

601844cbcf617ff8c868130ca5b2039d rndismp.sys
Microsoft Corporation

726548542afeca56257ff01eb13bb6d7 rndismpx.sys
Microsoft Corporation

d8b0b4ade32574b2d9c5cc34dc0dbbe7 rootmdm.sys
Microsoft Corporation

0e74171ee80a8640de564b72dbbb397b Rtenicxp.sys
Realtek Semiconductor

7385944d4f025bd8c498bfd97981e336 RtkHDAud.Sys
Realtek Semiconductor

d4661148e44816b6501be8f4466d65b0 s24trans.sys
Intel Corporation

0dbcc071a268e0340a2ba6bdd98bace4 s3gnbm.sys
SGraphics

76c465f570e90c28942d52ccb2580a10 scsiport.sys
Microsoft Corporation

8d04819a3ce51b9eb47e5689b44d43c4 sdbus.sys
Microsoft Corporation

90a3935d05b494a5a39d37e71f09a677 secdrv.sys
Macrovision Corporation

0f29512ccd6bead730039fb4bd2c85ce serenum.sys
Microsoft Corporation

cca207a8896d4c6a0c9ce29a4ae411a7 serial.sys
Microsoft Corporation

0fa803c64df0914b41f807ea276bf2a6 sffdisk.sys
Microsoft Corporation

d66d22d76878bf3483a6be30183fb648 sffp_mmc.sys
Microsoft Corporation

c17c331e435ed8737525c86a7557b3ac sffp_sd.sys
Microsoft Corporation

8e6b8c671615d126fdc553d1e2de5562 sfloppy.sys
Microsoft Corporation

6b33d0ebd30db32e27d1d78fe946a754 sisagp.sys
Silicon Integrated Systems

d9673011648a71ed1e1f77b831bc85e6 slnt7554.sys
Smart Link

2c1779c0feb1f4a6033600305eba623a slntamr.sys
Smart Link

f9b8e30e82ee95cf3e1d3e495599b99c slnthal.sys
Smart Link

db56bb2c55723815cf549d7fc50cfceb slwdmsup.sys
Smart Link

895be38a993b9bd5abbe570d63d88a2e smbali.sys
Microsoft Corporation

017daecf0ed3aa731313433601ec40fa smclib.sys
Microsoft Corporation

489703624dac94ed943c2abda022a1cd sonydcam.sys
Microsoft Corporation

ab8b92451ecb048a4d1de7c3ffcb4a9f splitter.sys
Microsoft Corporation

76bb022c2fb6902fd5bdd4f78fc13a5d sr.sys
Microsoft Corporation

0f6aefad3641a657e18081f52d0c15af srv.sys
Microsoft Corporation

3e5d89099ded9e86e5639f411693218f stream.sys
Microsoft Corporation

3941d127aef12e93addf6fe6ee027e0f swenum.sys
Microsoft Corporation

8ce882bcc6cf8a62f2b2323d95cb3d01 swmidi.sys
Microsoft Corporation

a6cc8c28d5aad4179ef32f05bed55e91 SynTP.sys
Synaptics

8b83f3ed0f1688b4958f77cd6d2bf290 sysaudio.sys
Microsoft Corporation

fd6093e3decd925f1cffc8a0dd539d72 tape.sys
Microsoft Corporation

7147b0575bcc93a6ab7d5c90f47c0b9f tbiosdrv.sys

4e53bbcc4be37d7a4bd6ef1098c89ff7 tcpip6.sys
Microsoft Corporation

9aefa14bd6b182d61e3119fa5f436d3d tcpip.sys
Microsoft Corporation

fc6fe02f400308606a911640e72326b5 tcusb.sys
tHfppVS_VERSION_INFObbbStringFileInfoenCompanyNameUPEKInc.`FileDescriptionTouchChipUSBKernelDrivertFileVersion...,InternalNametcusbh"LegalCopyrightCopyright©-UPEKInc.<nLegalTrademarksTouchChip<nOriginalFilenametcusb.sysXProductNameTouchChipUSBKernelDriverProductVersion..bSpecialBuildw-rel.stdDVarFileInfo$Translationt

cc1d7bc6a3632c55ee6d8877e9b936f3 tdcmdpst.sys
Toshiba Corporation

0539d5e53587f82d1b4fd74c5be205cf tdi.sys
Microsoft Corporation

6471a66807f5e104e4885f5b67349397 tdpipe.sys
Microsoft Corporation

c56b6d0402371cf3700eb322ef3aaf61 tdtcp.sys
Microsoft Corporation

09aa3cf863793f92276b39e74878c386 tdudf.sys
Toshiba Corporation

88155247177638048422893737429d9e termdd.sys
Microsoft Corporation

78e9819e076b909541bd4a37f8f0668b tosbtsd2.sys
Toshiba Corporation

1ec9eff84e14c4aec45925b062744440 tosdbt.sys
Toshiba Corporation

699450901c5ccfd82357cbc531cedd23 tosdvd.sys
Microsoft Corporation

e362d54fd394999c4178936396664e57 toshidpt.sys
Toshiba Corporation

aeb0a824ddb4f3cc7b476174c8692d47 tosporte.sys
Toshiba Corporation

c1e77b1033969ea316c76f61adff2ad1 tosrfbd.sys
?baStringFileInfoBHCompanyNameTOSHIBACORPORATIONXFileDescriptionBluetoothRFBusDriverXFileVersion...builtby:WinDDKbInternalNametosrfbd.sys|,LegalCopyrightCopyright©-,TOSHIBACORPORATION@bOriginalFilenametosrfbd.sysx,ProductNameBluetoothBUSDriver(WindowsXP,Windows):vProductVersion...DVarFileInfo$Translationt*

1ae2ba74b2a4f5a358b13fcd35258c30 tosrfbnp.sys
Toshiba Corporation

5ba1ca3b3cddb1ddc67df473f05d1ec2 tosrfcom.sys
Toshiba Corporation

cc069342ee0eae55b32a0ae99cf6185c tosrfec.sys
Toshiba Corporation

7dfd6b1077b3ff19877fd67a04fed2a2 tosrfhid.sys
Toshiba Corporation

ae5b75c86574a1bd0a093a9159f829f9 tosrflan.sys
Toshiba Corporation

c52fd27b9adf3a1f22cb90e6bcf9b0cb tosrfnds.sys
Toshiba Corporation

87031831486f7ed4eafef27125bb56c8 tosrfpcc.sys
Toshiba Corporation

ab6fd13d7efa2634fa6bdf84c7ef0696 tosrfsnd.sys
Toshiba Corporation

730a65f13398a1737f1a78a7b1620ec6 tosrfusb.sys
?aXStringFileInfobCommentsHCompanyNameTOSHIBACORPORATIONdFileDescriptionBluetoothUSBMiniportDriver<FileVersion,,,:rInternalNameTOSRFUSB.SYS|,LegalCopyrightCopyright©-,TOSHIBACORPORATION(LegalTrademarksBrOriginalFilenameTOSRFUSB.SYSPrivateBuildx,ProductNameMicrosoft®WindowsNT®OperatingSystem@ProductVersion,,,SpecialBuildDVarFileInfo$Translationt*

306e19413eadb0ca8842d5381a0354fc tostrans.sys
Toshiba Corporation

d74a8ec75305f1d3cfde7c7fc1bd62a9 tsbvcap.sys
Toshiba Corporation

4011a07b10a320e2f227c4572c468184 TSXT_kern_i386.sys

8f861eda21c05857eb8197300a92501c tunmp.sys
Microsoft Corporation

546dfba6486569120d33f7ad6e94efdd Tvs.sys
Toshiba Corporation

d85938f272d1bcf3db3a31fc0a048928 uagp35.sys
Microsoft Corporation

5787b80c2e3c5e2f56c2a233d91fa2c9 udfs.sys
Microsoft Corporation

402ddc88356b1bac0ee3dd1580c76a31 update.sys
Microsoft Corporation

bee793d4a059caea55d6ac20e19b3a8f usb8023.sys
Microsoft Corporation

b6cc50279d6cd28e090a5d33244adc9a usb8023x.sys
Microsoft Corporation

1df89c499bf45d878b87ebd4421d462d usbaapl.sys
Apple

e919708db44ed8543a7c017953148330 usbaudio.sys
Microsoft Corporation

ce97845d2e3f0d274b8bac1ed07c6149 usbcamd2.sys
Microsoft Corporation

1c1a47b40c23358245aa8d0443b6935e usbcamd.sys
Microsoft Corporation

173f317ce0db8e21322e71b7e60a27e8 usbccgp.sys
Microsoft Corporation

596eb39b50d6ebd9b734dc4ae0544693 usbd.sys
Microsoft Corporation

65dcf09d0e37d4c6b11b5b0b76d470a7 usbehci.sys
Microsoft Corporation

1ab3cdde553b6e064d2e754efe20285c usbhub.sys
Microsoft Corporation

290913dc4f1125e5a82de52579a44c43 usbintel.sys
Microsoft Corporation

791912e524cc2cc6f50b5f2b52d1eb71 usbport.sys
Microsoft Corporation

a717c8721046828520c9edf31288fc00 usbprint.sys
Microsoft Corporation

a0b8cf9deb1184fbdd20784a58fa75d4 usbscan.sys
Microsoft Corporation

a32426d9b14a089eaa1d922e0c5801a9 usbstor.sys
Microsoft Corporation

26496f9dee2d787fc3e61ad54821ffe6 usbuhci.sys
Microsoft Corporation

63bbfca7f390f4c49ed4b96bfb1633e0 usbvideo.sys
Microsoft Corporation

55e01061c74a8cefff58dc36114a8d3f vdmindvd.sys
Ravisent Technologies

0d3a8fafceacd8b7625cd549757a7df1 vga.sys
Microsoft Corporation

754292ce5848b3738281b4f3607eaef4 viaagp.sys
Microsoft Corporation

e28726b72c46821a28830e077d39a55b videoprt.sys
Microsoft Corporation

4c8fcb5cc53aab716d810740fe59d025 volsnap.sys
Microsoft Corporation

aced8c149b30f8496c237bcba3727b48 wacompen.sys
Microsoft Corporation

0308aef61941e4af478fa1a0f83812f5 wadv07nt.sys
Intel Corporation

714038a8aa5de08e12062202cd7eaeb5 wadv08nt.sys
Intel Corporation

7bb3aa595e4507a788de1cdc63f4c8c4 wadv09nt.sys
Intel Corporation

36e6c405b6143d09687f4056fd9a0d10 wadv11nt.sys
Intel Corporation

e20b95baedb550f32dd489265c1da1f6 wanarp.sys
Microsoft Corporation

0a716c08cb13c3a8f4f51e882dbf7416 wanatw4.sys
America Online

352fa0e98bc461ce1ce5d41f64db558d watv06nt.sys
Intel Corporation

791cc45de6e50445be72e8ad6401ff45 watv10nt.sys
Intel Corporation

6768acf64b18196494413695f0c3a00f wdmaud.sys
Microsoft Corporation

2f31b7f954bed437f2c75026c65caf7b wmilib.sys
Microsoft Corporation

2cb38f49f130b4b923652bc499d18c75 WOWHD_kern_i386.sys
tH`_VS_VERSION_INFOnStringFileInfob>CompanyNameSRSLabs,Inc.n#FileDescriptionWOWHDkernelmodeDLLforWindowsvFileVersion,,,HInternalNamewowhd_kern_i.sysh"LegalCopyrightCopyright©SRSLabs,Inc.HLegalTrademarksWOWHD,TruBassPOriginalFilenamewowhd_kern_i.sysb!ProductNameWOWHDKernelDLLforWindowsXP:vProductVersion,,,DVarFileInfo$Translationt*

cf4def1bf66f06964dc0d91844239104 wpdusb.sys
Microsoft Corporation

6abe6e225adb5a751622a9cc3bc19ce8 ws2ifsl.sys
Microsoft Corporation

6ff66513d372d479ef1810223c8d20ce WudfPf.sys
Microsoft Corporation

ac13cb789d93412106b0fb6c7eb2bcb6 WudfRd.sys
Microsoft Corporation

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

filefind.txt

Search results for Winlogon.exe

ed0ef0a136dec83df69f04118870003e /mnt/sda1/WINDOWS/ServicePackFiles/i386/winlogon.exe
496.0K Apr 14 2008

ed0ef0a136dec83df69f04118870003e /mnt/sda1/WINDOWS/system32/winlogon.exe
496.0K Apr 14 2008

01c3346c241652f43aed8e2149881bfe /mnt/sda1/WINDOWS/$NtServicePackUninstall$/winlogon.exe
490.5K Aug 10 2004


Search results for explorer.exe

7712df0cdde3a5ac89843e61cd5b3658 /mnt/sda1/WINDOWS/$hf_mig$/KB938828/SP2QFE/explorer.exe
1009.0K Jun 13 2007

12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda1/WINDOWS/explorer.exe
1009.5K Apr 14 2008

12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda1/WINDOWS/ServicePackFiles/i386/explorer.exe
1009.5K Apr 14 2008

a0732187050030ae399b241436565e64 /mnt/sda1/WINDOWS/$NtUninstallKB938828$/explorer.exe
1008.0K Aug 10 2004

97bd6515465659ff8f3b7be375b2ea87 /mnt/sda1/WINDOWS/$NtServicePackUninstall$/explorer.exe
1009.0K Jun 13 2007


Search results for Userinit.exe

a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda1/WINDOWS/ServicePackFiles/i386/userinit.exe
25.5K Apr 14 2008

a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda1/WINDOWS/system32/userinit.exe
25.5K Apr 14 2008

39b1ffb03c2296323832acbae50d2aff /mnt/sda1/WINDOWS/$NtServicePackUninstall$/userinit.exe
24.0K Aug 10 2004


Search results for Exit


--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

RegReport.txt

Remote Registry Report

Hive </mnt/sda1/WINDOWS/system32/config/software>
\Microsoft\Windows NT\CurrentVersion> Value <ProductName> of type REG_SZ, data length 42 [0x2a]
Microsoft Windows XP
\Microsoft\Windows NT\CurrentVersion> Value <CSDVersion> of type REG_SZ, data length 30 [0x1e]
Service Pack 3
\Microsoft\Windows NT\CurrentVersion> Value <SystemRoot> of type REG_SZ, data length 22 [0x16]
C:\WINDOWS
\Microsoft\Windows NT\CurrentVersion\Windows> cat_vk: No such value <AppInit_DLLs>
(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 26 [0x1a]
Explorer.exe
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 68 [0x44]
C:\WINDOWS\system32\userinit.exe,
(...)\Windows NT\CurrentVersion\Winlogon\Notify> Node has 13 subkeys and 0 values
<!SASWinLogon>
<crypt32chain>
<cryptnet>
<cscdll>
<dimsntfy>
<igfxcui>
<ScCertProp>
<Schedule>
<sclgntfy>
<SensLogn>
<termsrv>
<WgaLogon>
<wlballoon>
\Microsoft\Windows\CurrentVersion\Run> Node has 2 subkeys and 11 values
<AutorunsDisabled>
<OptionalComponents>
size type value name [value if type DWORD]
106 REG_SZ <PadTouch>
80 REG_SZ <avast!>
82 REG_SZ <Tvs>
104 REG_SZ <THotkey>
92 REG_SZ <SynTPEnh>
104 REG_SZ <QuickTime Task>
104 REG_SZ <ZoneAlarm Client>
146 REG_SZ <ISW>
106 REG_SZ <dleamon.exe>
106 REG_SZ <EzPrint>
110 REG_SZ <Cqavep>
(...)\Windows\CurrentVersion\policies\system> Node has 0 subkeys and 7 values
4 REG_DWORD <dontdisplaylastusername> 0 [0x0]
4 REG_DWORD <legalnoticecaption> 1 [0x1]
8 REG_SZ <legalnoticetext>
4 REG_DWORD <shutdownwithoutlogon> 1 [0x1]
4 REG_DWORD <undockwithoutlogon> 1 [0x1]
102 REG_EXPAND_SZ <InstallVisualStyle>
82 REG_EXPAND_SZ <InstallTheme>


Hive </mnt/sda1/Documents and Settings/Administrator/NTUSER.DAT>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 3 values
size type value name [value if type DWORD]
62 REG_SZ <ctfmon.exe>
94 REG_SZ <TOSCDSPD>
104 REG_SZ <MSMSGS>
(...)\Windows\CurrentVersion\Policies\Explorer> Node has 0 subkeys and 1 values
4 REG_DWORD <NoDriveTypeAutoRun> 145 [0x91]


Hive </mnt/sda1/Documents and Settings/Guest/NTUSER.DAT>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 5 values
size type value name [value if type DWORD]
62 REG_SZ <ctfmon.exe>
94 REG_SZ <TOSCDSPD>
104 REG_SZ <QuickTime Task>
132 REG_SZ <msnmsgr>
110 REG_SZ <Cqavep>
(...)\Windows\CurrentVersion\Policies\Explorer> Node has 0 subkeys and 1 values
4 REG_DWORD <NoDriveTypeAutoRun> 145 [0x91]


Hive </mnt/sda1/Documents and Settings/Mom/NTUSER.DAT>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 5 values
size type value name [value if type DWORD]
62 REG_SZ <ctfmon.exe>
94 REG_SZ <TOSCDSPD>
104 REG_SZ <MSMSGS>
126 REG_SZ <Veoh>
2 REG_SZ <>
(...)\Windows\CurrentVersion\Policies\Explorer> Node has 0 subkeys and 1 values
4 REG_DWORD <NoDriveTypeAutoRun> 145 [0x91]


Hive </mnt/sda1/Documents and Settings/Nick Sander/NTUSER.DAT>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 4 values
size type value name [value if type DWORD]
94 REG_SZ <TOSCDSPD>
62 REG_SZ <ctfmon.exe>
96 REG_SZ <Sjatohek>
110 REG_SZ <SUPERAntiSpyware>
(...)\Windows\CurrentVersion\Policies\Explorer> Node has 0 subkeys and 1 values
4 REG_DWORD <NoDriveTypeAutoRun> 0 [0x0]
(...)\Windows\CurrentVersion\Policies\System> Node has 0 subkeys and 0 values
Computer #1: OS: Microsoft Windows 7 Home Premium MFR & Model: Dell Inc. Inspiron 1464 PROC: Intel Core i3 CPU, M 350 @ 2.27GHz, 2 Cores, 4 Logical PROC RAM: 4.00 GB HD: 500GB ATA VC: Intel HD Graphics (Core i3) Network: COMTREND Wireless ADSL2+ Router Browser & Email: Firefox 4.0, Gmail Anti-Virus/Spyware: McAfee Security Center Firewall: McAfee Security Center
Computer #2: OS: Microsoft Windows XP Professional, Media Center Edition 2002, SP3 MFR & Model: Toshiba Sattelite M115 PROC: Intel T2050 @ 1.60GHz (2 CPUs) RAM: 512 MB HD: 75 GB VC: Mobile Intel 945GM Express Chipset Family Network: COMTREND Wireless ADSL2+ Router Browser and Email: Firefox 4.0, Gmail Anti-Virus/Spyware: Avast! Antivirus 4.8, MalwareBytes, SUPERAntiSpyware Firewall: ZoneAlarm Free Firewall

#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:08 PM

Posted 26 March 2011 - 12:25 AM

For the zipped file, I am requesting the topic to be moved to the Malware Removal Forum. Once you are notified the topic has been moved, click on Add Reply. Scroll down to Attachments, click on and Browse to the zipped file and then click on Open (or doubleclick on it). Once the path is on the Browse box, click on Attach This File, then on Add Reply. Chances are that you may need to write something short on the main windows.

I need you to copy the following file to the USB drive:

/mnt/sda1/WINDOWS/system32/drivers/ghcpgqyf.sys

It looks suspicious. Have it scanned at Virustotal and once scanned, post the link to the scan results on your next reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#9 thobth

thobth
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:08 AM

Posted 26 March 2011 - 03:10 AM

Unfortunately as I was trying to figure out a way to easily transfer the information from VirusTotal to here, I forced my browser to quit and had to resubmit the file, so I lost the last seen data, which was reset to the last time I scanned the file. :o

9 VT Community user(s) with a total of 7612 reputation credit(s) say(s) this sample is goodware. 4 VT Community user(s) with a total of 2519 reputation credit(s) say(s) this sample is malware. 



File name:
ghcpgqyf.sys
Submission date:
2011-03-26 07:49:37 (UTC)
Current status:
finished
Result:
2/ 41 (4.9%)



Antivirus 		Version 		Last Update 	Result

AhnLab-V3		2011.03.23.01		2011.03.23	-
AntiVir			7.11.5.43		2011.03.23	-
Antiy-AVL		2.0.3.7			2011.03.22	-
Avast			4.8.1351.0		2011.03.23	-
Avast5			5.0.677.0		2011.03.23	-
AVG			10.0.0.1190		2011.03.23	-
BitDefender		7.2			2011.03.23	-
CAT-QuickHeal		11.00			2011.03.23	-
ClamAV			0.96.4.0		2011.03.23	BC.Heuristics.Rootkit.B-11.MV
Commtouch		5.2.11.5		2011.03.22	-
Comodo			8073			2011.03.23	-
DrWeb			5.0.2.03300		2011.03.23	-
eSafe			7.0.17.0		2011.03.22	Win32.TrojanHorse
eTrust-Vet		36.1.8231		2011.03.23	-
F-Prot			4.6.2.117		2011.03.22	-
F-Secure		9.0.16440.0		2011.03.23	-
Fortinet		4.2.254.0		2011.03.23	-
GData			21			2011.03.23	-
Ikarus			T3.1.1.97.0		2011.03.23	-
Jiangmin		13.0.900		2011.03.23	-
K7AntiVirus		9.94.4188		2011.03.23	-
McAfee			5.400.0.1158		2011.03.23	-
McAfee-GW-Edition	2010.1C			2011.03.23	-
Microsoft		1.6603			2011.03.23	-
NOD32			5977			2011.03.23	-
Norman			6.07.03			2011.03.22	-
nProtect		2011-02-10.01		2011.02.15	-
Panda			10.0.3.5		2011.03.22	-
PCTools			7.0.3.5			2011.03.21	-
Prevx			3.0			2011.03.26	-
Rising			23.50.01.06		2011.03.22	-
Sophos			4.63.0			2011.03.23	-
SUPERAntiSpyware	4.40.0.1006		2011.03.23	-
Symantec		20101.3.0.103		2011.03.23	-
TheHacker		6.7.0.1.155		2011.03.23	-
TrendMicro		9.200.0.1012		2011.03.23	-
TrendMicro-HouseCall	9.200.0.1012		2011.03.23	-
VBA32			3.12.14.3		2011.03.23	-
VIPRE			8790			2011.03.23	-
ViRobot			2011.3.23.4372		2011.03.23	-
VirusBuster		13.6.264.0		2011.03.22	-



Additional information

MD5   : e6d35f3aa51a65eb35c1f2340154a25e

SHA1  : aabbd57e20d2e7041f9e7abce6cfd8a53c366537

SHA256: 3da4f51682e7d42c5569f1fb1adc6295182962e36f748219e1d0c8f2389ba516

ssdeep: 768:Bosx0q2ph6P2Jpz8ftoSUiJP7hYTCMrhwYKUzY4q:j076P2Jpz8ftBUMPaCMrhwY

File size : 54016 bytes

First seen: 2009-09-18 00:44:25

Last seen : 2011-03-26 07:49:37

TrID:
Clipper DOS Executable (33.3%)
Generic Win/DOS Executable (33.0%)
DOS Executable Generic (33.0%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)

sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0xC505
timedatestamp....: 0x4A9EE5B5 (Wed Sep 02 21:37:57 2009)
machinetype......: 0x14c (I386)

[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x480, 0xBD9F, 0xBE00, 5.83, 9474f39576a0e15bdbaa2ea3355f0a4a
.rdata, 0xC280, 0x126, 0x180, 3.78, 375b710d9f213cfced30e9fdb29567e1
.data, 0xC400, 0xC0, 0x100, 0.33, 786971ca2b109729eda604b44d6c72ad
INIT, 0xC500, 0x3C8, 0x400, 5.20, eea49a93a73afb6afc178455582133c6
.reloc, 0xC900, 0x9EC, 0xA00, 6.62, bddd5a40c508bfc84ec87de5f8e6a5d3

[[ 1 import(s) ]]
ntoskrnl.exe: ZwWriteFile, RtlUpcaseUnicodeChar, ZwClose, ZwCreateFile, RtlInitUnicodeString, _wcsicmp, ZwQueryValueKey, ZwOpenKey, ZwDeleteKey, swprintf, ZwEnumerateKey, ExFreePoolWithTag, DbgPrint, ExAllocatePool, RtlPrefixUnicodeString, memcpy, RtlDeleteRegistryValue, ZwSetValueKey, RtlWriteRegistryValue, ZwEnumerateValueKey, ZwSetInformationFile, ZwQueryInformationFile, ZwQueryDirectoryFile, ZwOpenFile, KeTickCount, KeBugCheck, MmGetSystemRoutineAddress, ZwFlushKey, PsTerminateSystemThread, KeSetPriorityThread, KeGetCurrentThread, RtlCheckRegistryKey, KeDelayExecutionThread, ZwReadFile, PsCreateSystemThread, PsGetVersion, KeBugCheckEx

Computer #1: OS: Microsoft Windows 7 Home Premium MFR & Model: Dell Inc. Inspiron 1464 PROC: Intel Core i3 CPU, M 350 @ 2.27GHz, 2 Cores, 4 Logical PROC RAM: 4.00 GB HD: 500GB ATA VC: Intel HD Graphics (Core i3) Network: COMTREND Wireless ADSL2+ Router Browser & Email: Firefox 4.0, Gmail Anti-Virus/Spyware: McAfee Security Center Firewall: McAfee Security Center
Computer #2: OS: Microsoft Windows XP Professional, Media Center Edition 2002, SP3 MFR & Model: Toshiba Sattelite M115 PROC: Intel T2050 @ 1.60GHz (2 CPUs) RAM: 512 MB HD: 75 GB VC: Mobile Intel 945GM Express Chipset Family Network: COMTREND Wireless ADSL2+ Router Browser and Email: Firefox 4.0, Gmail Anti-Virus/Spyware: Avast! Antivirus 4.8, MalwareBytes, SUPERAntiSpyware Firewall: ZoneAlarm Free Firewall

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:08 PM

Posted 26 March 2011 - 08:59 AM

Hello, just letting you know I moved this topic to Here in the Virus, Trojan, Spyware, and Malware Removal Logss forum where it will stay.

Please remember to click the Watch Topic button at the top right and select Immediate Notification so you do not miss any replies now that you were moved.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:08 PM

Posted 26 March 2011 - 01:46 PM

Please browse back to /mnt/sda1/WINDOWS/system32/drivers folder and rename the ghcpgqyf.sys file to ghcpgqyf.sys.vir.

See if you can now upload the mbr.bin zipped file.

Boot in Normal Mode.

If successful, run Combofix as follows:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremover.com/supported-applications. Do not use AppRemover on Norton

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

Edited by JSntgRvr, 26 March 2011 - 01:47 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#12 thobth

thobth
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:08 AM

Posted 26 March 2011 - 04:33 PM

Uploading the zipped mbr.bin file as requested.


Booting of infected computer in normal load successful, yet extremely slow loading and navigating the desktop.

Avast! Antivirus blocked a connection, and then alerted that a virus was found as I attempted to load Firefox to download the file. I successfully screenshot the alert and the blocked connection, and selected move file to chest.

Attempted to open firefox.

Another alert that a virus was found popped up. The name of the virus is: C:\WINDOWS\OZVIVGAMEPIXOHAY.DLL, which is very similar to the last virus name, if not identical, but in all caps instead. Attempted to move to chest, an Avast! error message appeared, "avast!: The system cannot find the file specified. Cannot process "C:\WINDOWS\OZVIVGAMEPIXOHAY.DLL" file." Selected "okay." Went back to the same alert message. It appeared to do nothing.

Firefox loaded and an error window popped up. "Windows Explorer has encountered a problem and needs to close. We are sorry for the inconvenience." I selected "close."

An error message popped up stating: "DrWatson Postmortem Debugger has encountered a problem and needs to close. We are sorry... etc. Please tell Microsoft about this problem." I selected "Don't Send." I do not recognize DrWatson Postmortem Debugger. This is concerning to me...

Nothing seems to be happening. The mouse pointer is still moveable, but is stuck at the hourglass. Nowhere I click does anything. Not even the Start bar.

Waited fifteen minutes. I am forcing a hard shut-down by holding the power button and will download Combofix to my USB stick.

Forced hard shut-down successful. Downloaded and saved combo fix to my USB drive.

Turned the power switch for my wireless card off. Attempting to boot computer into normal mode. A "Windows did not start successfully" error appeared. Selected "Start Windows Normally." Looped back to same spot. Selecting "Last known Good Configuration." Looped back to same error screen. Selected "Start Windows Normally." Looped back to same error screen. Selecting "Last known Good Configuration." Looped back to same error screen. Selecting "Safe Mode." Looped back to same error screen.

... Oh &#!%. I think I screwed up...

I am going to leave it alone and see how long it loops, or if it will fix it's self some how...

EDIT: Forgot to say that I renamed ghcpgqyf.sys to ghcpgqyf.sys.vir sucessfully.

EDIT2: Immediately after I posted this and selected "Start Windows normally to try and see how long it would loop, it started normally. Now attempting to load the desktop and run Combofix. Will copy Combofix to the desktop before running.

Attached Files

  • Attached File  mbr.zip   540bytes   5 downloads

Edited by thobth, 26 March 2011 - 04:39 PM.

Computer #1: OS: Microsoft Windows 7 Home Premium MFR & Model: Dell Inc. Inspiron 1464 PROC: Intel Core i3 CPU, M 350 @ 2.27GHz, 2 Cores, 4 Logical PROC RAM: 4.00 GB HD: 500GB ATA VC: Intel HD Graphics (Core i3) Network: COMTREND Wireless ADSL2+ Router Browser & Email: Firefox 4.0, Gmail Anti-Virus/Spyware: McAfee Security Center Firewall: McAfee Security Center
Computer #2: OS: Microsoft Windows XP Professional, Media Center Edition 2002, SP3 MFR & Model: Toshiba Sattelite M115 PROC: Intel T2050 @ 1.60GHz (2 CPUs) RAM: 512 MB HD: 75 GB VC: Mobile Intel 945GM Express Chipset Family Network: COMTREND Wireless ADSL2+ Router Browser and Email: Firefox 4.0, Gmail Anti-Virus/Spyware: Avast! Antivirus 4.8, MalwareBytes, SUPERAntiSpyware Firewall: ZoneAlarm Free Firewall

#13 thobth

thobth
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:08 AM

Posted 26 March 2011 - 06:13 PM

Logged into desktop sucessfully.

I shut down ZoneAlarm, SUPERAntiSpyware, and disabled Avast! On-Access Protection services. Network card external power switch is turned off.

Copying Combofix to desktop. Closed the explorer window.

Double-checking that Avast! antivirus services are disabled. Running Combofix from the desktop.

A message popped up stating that 'Microsoft Windows recovery console' needed to be installed or updated. Enabling the power to my Network card. Network successfully connected. Selecting 'Yes' to have Combofix download/install it. Downloading. Agreed to the EULA as directed by Combofix. Message appeared stating the the Microsoft Recovery Console was successfully installed. Clicked 'Yes' to continue scanning.

Combofix detected a rootkit and asked to reboot the computer. Selected 'Yes'

Reboot successful. Logged into desktop. Combofix loaded before start bar and desktop icons. I am assuming this is normal. Combofix appears to be running normally.

I worry that my computer may have gone into standby mode or something for a second. The screen went black and came back when I moved my mouse, but Combofix hasn't done anything for about 10-15 minutes. It's last displayed message is "Completed Stage_50" and the desktop icons and Start bar have still not loaded.

Has something gone wrong? Or is this normal and I should just keep waiting?

EDIT: My screen went to sleep again, and Combofix has done nothing. It's been almost an hour since I started running Combofix, and about half an hour or more with no change. I believe the program has stalled.

Edited by thobth, 26 March 2011 - 07:01 PM.

Computer #1: OS: Microsoft Windows 7 Home Premium MFR & Model: Dell Inc. Inspiron 1464 PROC: Intel Core i3 CPU, M 350 @ 2.27GHz, 2 Cores, 4 Logical PROC RAM: 4.00 GB HD: 500GB ATA VC: Intel HD Graphics (Core i3) Network: COMTREND Wireless ADSL2+ Router Browser & Email: Firefox 4.0, Gmail Anti-Virus/Spyware: McAfee Security Center Firewall: McAfee Security Center
Computer #2: OS: Microsoft Windows XP Professional, Media Center Edition 2002, SP3 MFR & Model: Toshiba Sattelite M115 PROC: Intel T2050 @ 1.60GHz (2 CPUs) RAM: 512 MB HD: 75 GB VC: Mobile Intel 945GM Express Chipset Family Network: COMTREND Wireless ADSL2+ Router Browser and Email: Firefox 4.0, Gmail Anti-Virus/Spyware: Avast! Antivirus 4.8, MalwareBytes, SUPERAntiSpyware Firewall: ZoneAlarm Free Firewall

#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:08 PM

Posted 26 March 2011 - 08:27 PM

The boot sector is infected.

  • Download NTBR_CD by noahdfear.
  • Extract its contents to the desktop.
  • Once extracted, open the NTBR_CD folder and click on the BurnItCD application.
  • Insert a blank CD when prompted. The .iso image will be burned to the CD.
  • Boot the computer with the CD you just burned and follow the prompts.
  • Press Enter for English.
  • At the menu type 1 to select MBRWORK then hit Enter

    This screen will show the hard drive configuration.
    Posted Image
  • Type 5 to Install standard MBR code then hit Enter
  • Type 1 to select Standard then hit Enter
  • Type Y then hit Enter to confirm
  • Type E then hit Enter to exit
  • Back at the menu, type 6 to Quit.
  • Press Ctrl+Alt+Del to restart the machine.
  • Eject the CD upon restart and boot normally.

Let me know the outcome.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#15 thobth

thobth
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:08 AM

Posted 26 March 2011 - 08:59 PM

I burned the disk and followed instructions as ordered.

Hit Ctrl+Alt+Del, Screen went black, Showed the Toshiba loading screen, Windows recovery screen, black screen for about 20 seconds, the mouse pointer appeared, and I am at the windows log in screen.

Should I attempt to run Combofix again?
Computer #1: OS: Microsoft Windows 7 Home Premium MFR & Model: Dell Inc. Inspiron 1464 PROC: Intel Core i3 CPU, M 350 @ 2.27GHz, 2 Cores, 4 Logical PROC RAM: 4.00 GB HD: 500GB ATA VC: Intel HD Graphics (Core i3) Network: COMTREND Wireless ADSL2+ Router Browser & Email: Firefox 4.0, Gmail Anti-Virus/Spyware: McAfee Security Center Firewall: McAfee Security Center
Computer #2: OS: Microsoft Windows XP Professional, Media Center Edition 2002, SP3 MFR & Model: Toshiba Sattelite M115 PROC: Intel T2050 @ 1.60GHz (2 CPUs) RAM: 512 MB HD: 75 GB VC: Mobile Intel 945GM Express Chipset Family Network: COMTREND Wireless ADSL2+ Router Browser and Email: Firefox 4.0, Gmail Anti-Virus/Spyware: Avast! Antivirus 4.8, MalwareBytes, SUPERAntiSpyware Firewall: ZoneAlarm Free Firewall




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users