
Jumped the gun running Combofix before finding this site


  • This topic is locked
34 replies to this topic

#1 CPD

CPD

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:52 PM

Posted 12 April 2011 - 02:25 AM

I was hit with Antivirus 2008 three years ago and successfully recovered using Combofix before it became a more expansive program. After being hit with what I suspect was a drive-by virus last Friday Avira quarantined two trojans noted in the description, afterward scanning with Malwarebytes showed nothing else detected. Shortly afterward I noticed 4 or 5 ports opened in Windows firewall under the name "services" and 7 files with odd letter extensions constantly being added to C:\windows\system32 directory no matter how many times I deleted them and rebooted. Also 2 or 3 weird number-only files were created in C:\windows\temp at reboot. At this point I assumed the Avira quarantine / removal and non-detection in Malwarebytes was missing something. I also noticed that the computer (Acer TM4202) would suddenly no longer go into standby or hibernate. To resolve this particular problem I ran Winsockfix (twice) to reset network settings to default and for a day everything seemed fine - able to standby or hibernate, no odd file regenerations in system32, no new ports opening in the firewall. Then tonight I had an odd error pop up about NTVDM.exe not able to read a memory address. I OK'ed to exit and immediately went to the system32 directory where the same 7 files had been regenerated. Also 4 new "services" entries in the firewall exception list.

I immediately d/loaded and ran Combofix before seeking assistance and reading this forum's recommended procedures. It installed the Recovery Console (unlike 2008), ran a 50-point scan in 15 minutes and after rebooting itself I have a log file that I'm not able to completely interpret for further diagnosis. Maybe whatever it was has been eradicated but I need expert assistance. In the process Combofix installed program directories, CMDCONS and QOOBOX, along the root, some backed up boot logs and an executable file cmldr and put ERDNT in the windows directory - maybe other things too, I haven't fully investigated everything. Is there something I should do to remove all these assuming the problem has been resolved? Is there a command line switch to uninstall or should everything be selectively deleted and left as is? I'm sorry I jumped the gun. I was desperate and stressed out after fighting this for three days. The only thing I've done since then is updated Java to 6.0.240.7 assuming that was the vulnerability.

Thanks for any help you can offer, Craig

Here's the Combofix.txt log -

ComboFix 11-04-11.02 - Owner 04/11/2011 22:05:53.1.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.669 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\Download Files\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner\WINDOWS
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
.
----- BITS: Possible infected sites -----
.
hxxp://prov.icdn.comcast.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-03-12 to 2011-04-12 )))))))))))))))))))))))))))))))
.
.
2011-04-09 10:51 . 2006-01-20 20:56 225350 ----a-w- c:\windows\system32\Epm-Po.dll
2011-04-09 02:23 . 2011-04-09 02:23 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-01 17:56 . 2011-04-01 17:56 -------- d-----w- c:\program files\OperaPortable
2011-03-20 00:56 . 2011-03-20 00:56 -------- d-----w- c:\program files\Wise Registry Cleaner
2011-03-19 20:42 . 2011-03-19 20:42 -------- d-----w- c:\program files\VS Revo Group
2011-03-19 00:25 . 2011-03-19 00:25 -------- d-----w- c:\program files\Common Files\DivX Shared
2011-03-18 20:24 . 2011-03-18 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"RTHDCPL"="RTHDCPL.EXE" [2005-11-17 15600128]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-10-19 69632]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2005-11-24 589824]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 397312]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-07-20 729177]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-04-14 344064]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-01-20 3080192]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
IntelliMouse Explorer 3.0 Fix.lnk - c:\program files\MouseFix\MouseFix.exe [2010-6-12 40960]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\System32\\FXSCLNT.exe"=
"c:\\Program Files\\WS_FTP Pro\\ftp95pro.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Callcentric\\Callcentric Softphone\\Callcentric.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\OperaPortable\\opera.exe"=
"g:\\OperaBeta\\opera.exe"=
"c:\\Program Files\\OperaPortable\\opera.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:Remote Desktop
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/30/2009 6:20 PM 108289]
S3 cpuz131;cpuz131;\??\c:\docume~1\Owner\LOCALS~1\Temp\cpuz131\cpuz_x32.sys --> c:\docume~1\Owner\LOCALS~1\Temp\cpuz131\cpuz_x32.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [12/31/2009 10:14 AM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [12/31/2009 10:14 AM 8456]
S3 RRMONX;RRMONX;\??\c:\docume~1\Owner\LOCALS~1\Temp\rrmon.sys --> c:\docume~1\Owner\LOCALS~1\Temp\rrmon.sys [?]
S4 mrtRate;mrtRate; [x]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-12 c:\windows\Tasks\Clean System Memory.job
- c:\windows\system32\CleanMem.exe [2010-07-11 05:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://finance.yahoo.com/
IE: &Highlight - c:\windows\WEB\highlight.htm
IE: &Links List - c:\windows\WEB\urllist.htm
IE: &Sample Toolband Serach - c:\windows\system32\ToolBand.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: I&mages List - c:\windows\Web\imglist.htm
IE: Open Frame in &New Window - c:\windows\WEB\frm2new.htm
IE: Zoom &In - c:\windows\WEB\zoomin.htm
IE: Zoom O&ut - c:\windows\WEB\zoomout.htm
Trusted Zone: ameritrade.com
Trusted Zone: portfolioaccess.com\www
Trusted Zone: tdameritrade.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-11 22:15
Windows 5.1.2600 Service Pack 2 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1200948128-3328411972-3752116554-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1200948128-3328411972-3752116554-1005\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-1200948128-3328411972-3752116554-1005)
@Allowed: (Read) (S-1-5-21-1200948128-3328411972-3752116554-1005)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(156)
c:\windows\system32\MSNChatHook.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\MSVCR71.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\acer\Empowering Technology\admServ.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\unsecapp.exe
c:\docume~1\Owner\LOCALS~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2011-04-11 22:17:49 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-12 03:17
.
Pre-Run: 37,144,723,456 bytes free
Post-Run: 37,026,463,744 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 965E545D23DCBB7E6BECCF576F543279



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:05:52 AM

Posted 21 April 2011 - 02:56 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#3 CPD

CPD
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:52 PM

Posted 21 April 2011 - 05:23 PM

Hi Elise,
Thanks for your assistance. I'm still quite definitely in need of your expertise. If you read the original post most everything remains unchanged. As mentioned I updated Java and for nearly a week I didn't have any similar eruptions after running Combofix. I thought the only remaining issue was interpreting the log details after I realized that it had quarantined a few files and directories that had been on my computer for 5 years with no known ill effects, namely:

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

So I was at a loss to restore them to my system if everything behaved properly from that point but would like to get them back if that's still possible.

Then almost a week to the day on Tuesday I had another NTVDM.exe warning pop-up stating it couldn't read some memory address range. I immediately went to Windows\System32 directory and 7 new files had been added with odd letter extensions, 2 number-only files in Windows\Temp that could only be deleted using Unlocker and 4 new firewall activations opened named "services". Clearly Combofix hadn't resolved the problem. I reran Malwarebytes; nothing. I reran another Avira full rootkit, memory and system scan; nothing. I held my own against the bad guys just long enough to finish my tax return filing on Monday and then on Tuesday I went at it with more resolve. I knew after my first posting that I should have run the DDS scan but was reluctant to repost and get knocked further down the help queue waiting list and I tried to resist doing anything more invasive like installing another malware fix. Yesterday afternoon I finally proceeded to remove Avira and installed Avast. I figured if Avira failed me after 3 years of no incidents then I needed to try another AV program for better protection. And I'm glad I did.

As soon as Avast installed it popped up a warning of MBR rootkit\\.\physicaldrive0. Then a few moments later another similarly named rootkit detection. I chose to delete and rebooted as it suggested. Avast ran a boot scan but found nothing. Then when the computer rebooted it took over 10 minutes for the desktop icons and Windows security alerts service to initialize in the system tray. Before this infection on 4/8 that would always occur in less than 30-45 seconds. I figured the computer was nearly cooked. Then when the icons finally returned and services started Avast popped up with the same rootkit detections. I repeated the process to delete and reboot again, but it was a vicious cycle that is unresolved. At least Avast detected what Malwarebytes or Avira wouldn't recognize but without solution.

Today, still waiting patiently, I began researching MBR rootkits. If you hadn't contacted me when you did I was about to try using the Recovery Console that Combofix installed last week and attempt a fixmbr command. If that didn't work I was reading about another ARK program similar to GMER, one in particular named rootrepeal. One way or another I was intent on repairing this without wiping the HD or resorting to the Acer hidden recovery partition, which I've never had to use before so I'm even more reluctant to act radically.

What's odd now is that neither the Combofix log nor DDS mentions anything about a MBR detection. Maybe I'm overloaded after reading about rootkit removal tools today, but I believe that remains a core problem after removing the two trojans noted last week with Avira.

Thanks again for your assistance.


Here's the DDS scan log with attach.zip (separately uploaded).
.
DDS (Ver_11-03-05.01) - FAT32x86
Run by Owner at 16:11:13.73 on Thu 04/21/2011
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.686 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\MouseFix\MouseFix.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\RtkBtMnt.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Trayconizer\Trayconizer.exe
C:\Program Files\HWMonitor\HWMonitor.exe
C:\Program Files\OperaPortable\opera.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://finance.yahoo.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {0e1230f8-ea50-42a9-983c-d22abc2eed3b} - c:\windows\system32\ToolBand.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
mRun: [LaunchApp] Alaunch
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\Monitor.exe
mRun: [ADMTray.exe] "c:\acer\empowering technology\admtray.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Acer ePower Management] c:\acer\empowering technology\epower\Acer ePower Management.exe boot
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intell~1.lnk - c:\program files\mousefix\MouseFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &Highlight - c:\windows\web\highlight.htm
IE: &Links List - c:\windows\web\urllist.htm
IE: &Sample Toolband Serach - c:\windows\system32\ToolBand.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: I&mages List - c:\windows\web\imglist.htm
IE: Open Frame in &New Window - c:\windows\web\frm2new.htm
IE: Zoom &In - c:\windows\web\zoomin.htm
IE: Zoom O&ut - c:\windows\web\zoomout.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: ameritrade.com
Trusted Zone: portfolioaccess.com\www
Trusted Zone: tdameritrade.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {43E3F87D-DE7F-4087-BD4F-0DC854981158} - hxxp://download.microsoft.com/download/7/3/8/7384c441-3721-41ee-ae15-b678888f00dd/clearadj.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5466/mcfscan.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-20 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-4-20 307288]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-4-20 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-4-20 42184]
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
R3 cpuz131;cpuz131;\??\c:\docume~1\owner\locals~1\temp\cpuz131\cpuz_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz131\cpuz_x32.sys [?]
R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-12-31 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-12-31 8456]
S3 RRMONX;RRMONX;\??\c:\docume~1\owner\locals~1\temp\rrmon.sys --> c:\docume~1\owner\locals~1\temp\rrmon.sys [?]
S4 mrtRate;mrtRate; [x]
.
=============== Created Last 30 ================
.
2011-04-20 18:47:49 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-20 18:47:33 40112 ----a-w- c:\windows\avastSS.scr
2011-04-20 18:47:11 -------- d-----w- c:\program files\AVAST Software
2011-04-20 18:47:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software
2011-04-20 00:58:40 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-20 00:58:40 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-15 22:52:53 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2011-04-12 05:51:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-12 04:10:20 -------- d-sh--w- C:\Recycled
2011-04-12 03:04:45 -------- d-sha-r- C:\cmdcons
2011-04-12 03:03:15 98816 ----a-w- c:\windows\sed.exe
2011-04-12 03:03:15 89088 ----a-w- c:\windows\MBR.exe
2011-04-12 03:03:15 256512 ----a-w- c:\windows\PEV.exe
2011-04-12 03:03:15 161792 ----a-w- c:\windows\SWREG.exe
2011-04-09 10:51:34 225350 ----a-w- c:\windows\system32\Epm-Po.dll
2011-04-01 17:56:24 -------- d-----w- c:\program files\OperaPortable
.
==================== Find3M ====================
.
2011-04-12 05:50:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 16:12:24.64 ===============

Edited by CPD, 21 April 2011 - 05:35 PM.
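A small triage helper for the SERVICES / DRIVERS section of the DDS log posted above, added here as an example; it is not part of the thread and is not code from the DDS or ComboFix tools. It reads the two markers as they appear in the posted log (`--> <path> [?]` for a driver whose file could not be found, `[x]` for an entry with no image path; that reading is my assumption) and also flags drivers loaded from a Temp directory, so a responder can see at a glance which entries (xcpip, xpsec, cpuz131, RRMONX, mrtRate) deserve a question before anything is deleted.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied verbatim from the DDS log in post #3 (a constructed subset of it).
SAMPLE_LOG = r"""R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-20 441176]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-4-20 42184]
R3 cpuz131;cpuz131;\??\c:\docume~1\owner\locals~1\temp\cpuz131\cpuz_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz131\cpuz_x32.sys [?]
R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-12-31 13192]
S3 RRMONX;RRMONX;\??\c:\docume~1\owner\locals~1\temp\rrmon.sys --> c:\docume~1\owner\locals~1\temp\rrmon.sys [?]
S4 mrtRate;mrtRate; [x]
"""

# Line shape in the log: R/S (running/stopped) + start-type digit, then name;display;path [info]
LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
# A driver living under a user's Temp folder is unusual enough to ask about.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class ServiceEntry:
    running: bool
    start_type: int
    name: str
    display: str
    path: str
    file_missing: bool    # assumption: "<path> --> <path> [?]" means the file was not found
    no_image_path: bool   # assumption: "[x]" means no binary is recorded for the entry
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one SERVICES / DRIVERS line; returns None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, tail = m.groups()
    tail = tail.strip()
    file_missing = " --> " in tail and tail.endswith("[?]")
    no_image_path = tail == "[x]"
    if file_missing:
        path = tail.split(" --> ", 1)[0]          # keep the first copy of the path
    else:
        path = re.sub(r"\s*\[[^\]]*\]$", "", tail)  # drop the trailing "[date size]"
    path = path.replace("\\??\\", "")             # strip the NT-native "\??\" prefix
    return ServiceEntry(state == "R", int(start), name, display, path,
                        file_missing, no_image_path)


def parse_log(text: str) -> List[ServiceEntry]:
    entries = [parse_line(line) for line in text.splitlines()]
    return [e for e in entries if e is not None]


def triage(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Attach review flags and return only the entries that earned at least one."""
    for e in entries:
        flags = []
        if e.file_missing:
            flags.append("image file not found on disk")
        if TEMP_DIR_RE.search(e.path):
            flags.append("driver loaded from a Temp directory")
        if e.no_image_path:
            flags.append("no image path recorded")
        e.flags = flags
    return [e for e in entries if e.flags]


def report(text: str) -> str:
    """One line per flagged entry, suitable for pasting back into a reply."""
    lines = []
    for e in triage(parse_log(text)):
        state = "running" if e.running else "stopped"
        lines.append(f"{e.name:<12} ({state}, start type {e.start_type}): "
                     + "; ".join(e.flags))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```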


#4 CPD

CPD
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:52 PM

Posted 21 April 2011 - 05:39 PM

Elise,
For some reason the attach.zip file didn't upload. I may have forgotten to hit the attach button after choosing the file.




#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:05:52 AM

Posted 22 April 2011 - 02:20 AM

Hi again,

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise




#6 CPD

CPD
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:52 PM

Posted 22 April 2011 - 03:15 AM

Hi Elise,
The new version is 2.4.21.0 so maybe there's a difference in the default selection. I didn't see anything indicating "cure" - only skip, copy to quarantine or restore. None implied cure so the scan completed by skipping. I attached an image and here's the log. I haven't rebooted or tried the scan again without your clarification.

2011/04/22 02:55:59.0390 3384 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/22 02:55:59.0421 3384 ================================================================================
2011/04/22 02:55:59.0421 3384 SystemInfo:
2011/04/22 02:55:59.0421 3384
2011/04/22 02:55:59.0421 3384 OS Version: 5.1.2600 ServicePack: 2.0
2011/04/22 02:55:59.0421 3384 Product type: Workstation
2011/04/22 02:55:59.0421 3384 ComputerName: ACER-E8F5014F99
2011/04/22 02:55:59.0421 3384 UserName: Owner
2011/04/22 02:55:59.0421 3384 Windows directory: C:\WINDOWS
2011/04/22 02:55:59.0421 3384 System windows directory: C:\WINDOWS
2011/04/22 02:55:59.0421 3384 Processor architecture: Intel x86
2011/04/22 02:55:59.0421 3384 Number of processors: 2
2011/04/22 02:55:59.0421 3384 Page size: 0x1000
2011/04/22 02:55:59.0421 3384 Boot type: Normal boot
2011/04/22 02:55:59.0421 3384 ================================================================================
2011/04/22 02:55:59.0875 3384 Initialize success
2011/04/22 02:56:01.0750 0324 ================================================================================
2011/04/22 02:56:01.0750 0324 Scan started
2011/04/22 02:56:01.0750 0324 Mode: Manual;
2011/04/22 02:56:01.0750 0324 ================================================================================
2011/04/22 02:56:02.0703 0324 Aavmker4 (78a4db23bb4e8d4349e164d1d90af73f) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/04/22 02:56:03.0593 0324 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/04/22 02:56:03.0859 0324 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/22 02:56:03.0984 0324 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/04/22 02:56:04.0328 0324 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/04/22 02:56:05.0031 0324 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2011/04/22 02:56:05.0453 0324 AegisP (12dafd934641dcf61e446313bc261ec2) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/04/22 02:56:05.0671 0324 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2011/04/22 02:56:06.0031 0324 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/04/22 02:56:06.0500 0324 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/04/22 02:56:06.0875 0324 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/04/22 02:56:07.0234 0324 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/04/22 02:56:07.0578 0324 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/04/22 02:56:08.0000 0324 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/04/22 02:56:08.0343 0324 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/04/22 02:56:08.0656 0324 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/04/22 02:56:09.0046 0324 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/04/22 02:56:09.0296 0324 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/04/22 02:56:09.0953 0324 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/04/22 02:56:10.0328 0324 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/04/22 02:56:10.0703 0324 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/04/22 02:56:11.0203 0324 aswFsBlk (9bdb29e81abceb883556df44649696c4) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/04/22 02:56:11.0359 0324 aswMon2 (2ce6da466687cbb3b97e59f8831a27cb) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/04/22 02:56:11.0656 0324 aswRdr (a90cf680ca7a323913ca3a0810c8e02d) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/04/22 02:56:11.0843 0324 aswSnx (f7969934cca2e566e95df17380a3cb11) C:\WINDOWS\system32\drivers\aswSnx.sys
2011/04/22 02:56:12.0218 0324 aswSP (478d6a0e0630c31bf4a7f5eb0a05b92c) C:\WINDOWS\system32\drivers\aswSP.sys
2011/04/22 02:56:12.0515 0324 aswTdi (e52e45743e27fd6184c55618a10b81ab) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/04/22 02:56:12.0843 0324 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/22 02:56:13.0265 0324 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/22 02:56:14.0000 0324 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/22 02:56:14.0328 0324 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/22 02:56:14.0671 0324 bcm4sbxp (c768c8a463d32c219ce291645a0621a4) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
2011/04/22 02:56:14.0750 0324 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/22 02:56:14.0968 0324 Bridge (e4e6a0922e3d983728c9ad4e8d466954) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/04/22 02:56:14.0984 0324 BridgeMP (e4e6a0922e3d983728c9ad4e8d466954) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/04/22 02:56:15.0156 0324 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/04/22 02:56:15.0234 0324 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/22 02:56:15.0578 0324 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/04/22 02:56:15.0656 0324 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/22 02:56:15.0890 0324 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/22 02:56:16.0062 0324 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/22 02:56:16.0859 0324 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/04/22 02:56:17.0265 0324 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/04/22 02:56:17.0546 0324 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/04/22 02:56:17.0921 0324 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/04/22 02:56:18.0468 0324 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/04/22 02:56:18.0890 0324 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/04/22 02:56:19.0156 0324 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/22 02:56:19.0593 0324 DKbFltr (08d30af92c270f2e76787c81589dbad6) C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
2011/04/22 02:56:19.0906 0324 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/22 02:56:20.0062 0324 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/22 02:56:20.0125 0324 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/22 02:56:20.0453 0324 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/22 02:56:20.0812 0324 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/04/22 02:56:21.0109 0324 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/22 02:56:21.0421 0324 EMSCR (4621cc7456c09b5133e640b381ef0847) C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
2011/04/22 02:56:24.0687 0324 epmntdrv (f07ba56b0235f15eff8f10dc6389c42e) C:\WINDOWS\system32\epmntdrv.sys
2011/04/22 02:56:25.0125 0324 EpmPsd (d68564fcfbdfc04280cdbbb37cf7ef7f) C:\WINDOWS\system32\drivers\epm-psd.sys
2011/04/22 02:56:25.0671 0324 EpmShd (50425cbd80468bf53ba90f0d7cc61805) C:\WINDOWS\system32\drivers\epm-shd.sys
2011/04/22 02:56:26.0000 0324 ESDCR (d17f9f75931743ca6dc1f19dcf68c5a1) C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
2011/04/22 02:56:26.0312 0324 ESMCR (c90928614992a319fc15ea0571f51d93) C:\WINDOWS\system32\DRIVERS\ESM7SK.sys
2011/04/22 02:56:29.0812 0324 EuGdiDrv (1f2f4ab15ce03ecc257feb2f6dc5a013) C:\WINDOWS\system32\EuGdiDrv.sys
2011/04/22 02:56:30.0093 0324 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/22 02:56:30.0281 0324 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
2011/04/22 02:56:30.0375 0324 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/22 02:56:30.0562 0324 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/04/22 02:56:31.0031 0324 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/04/22 02:56:31.0140 0324 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/22 02:56:31.0453 0324 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/22 02:56:31.0656 0324 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/22 02:56:32.0062 0324 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/22 02:56:32.0562 0324 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/22 02:56:32.0937 0324 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/04/22 02:56:33.0390 0324 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/04/22 02:56:33.0859 0324 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/04/22 02:56:34.0296 0324 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/04/22 02:56:34.0421 0324 HSFHWAZL (a902a7e76c245210eee9ef5185158e9c) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2011/04/22 02:56:34.0765 0324 HSF_DPV (c9f4e7da78a02623abf78a4a34ce79b1) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/04/22 02:56:35.0250 0324 HTTP (cb77bb47e67e84deb17ba29632501730) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/22 02:56:35.0640 0324 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/04/22 02:56:36.0046 0324 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/04/22 02:56:36.0546 0324 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/22 02:56:36.0953 0324 ialm (bc1f1ff8d5800398937966cdb0a97fdc) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/04/22 02:56:37.0203 0324 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/22 02:56:37.0625 0324 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/04/22 02:56:38.0312 0324 IntcAzAudAddService (4078d4795e394bf2adbed6fcc9827f78) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/04/22 02:56:38.0937 0324 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/04/22 02:56:39.0156 0324 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/22 02:56:39.0390 0324 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/04/22 02:56:39.0500 0324 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/22 02:56:39.0718 0324 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/22 02:56:40.0187 0324 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/22 02:56:40.0375 0324 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/22 02:56:40.0703 0324 irda (86c204836feec22510d434982d4221b8) C:\WINDOWS\system32\DRIVERS\irda.sys
2011/04/22 02:56:41.0000 0324 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/22 02:56:41.0296 0324 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/22 02:56:41.0375 0324 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/22 02:56:41.0828 0324 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/04/22 02:56:42.0296 0324 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/22 02:56:42.0531 0324 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/22 02:56:43.0343 0324 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/04/22 02:56:43.0468 0324 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/22 02:56:43.0656 0324 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/22 02:56:44.0109 0324 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/22 02:56:44.0515 0324 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/22 02:56:44.0812 0324 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/22 02:56:45.0203 0324 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/04/22 02:56:45.0828 0324 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/22 02:56:46.0296 0324 MRxSmb (025af03ce51645c62f3b6907a7e2be5e) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/22 02:56:46.0453 0324 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/22 02:56:46.0781 0324 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/22 02:56:47.0015 0324 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/22 02:56:47.0296 0324 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/22 02:56:47.0484 0324 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/22 02:56:47.0640 0324 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/22 02:56:47.0796 0324 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/22 02:56:48.0234 0324 NdisFilt (1f76996253071cbae0a5ab5d8551ef88) C:\WINDOWS\system32\Drivers\NdisFilt.sys
2011/04/22 02:56:48.0312 0324 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/22 02:56:48.0515 0324 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/22 02:56:48.0687 0324 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/22 02:56:48.0750 0324 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/22 02:56:48.0890 0324 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/22 02:56:49.0093 0324 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/22 02:56:49.0562 0324 NETMNT (6a25f27202f3122a44a6b74ee46e7a76) C:\WINDOWS\system32\DRIVERS\NETMNT.sys
2011/04/22 02:56:49.0843 0324 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/04/22 02:56:50.0015 0324 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/22 02:56:50.0312 0324 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/22 02:56:50.0656 0324 NTIDrvr (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
2011/04/22 02:56:50.0765 0324 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/22 02:56:50.0875 0324 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/22 02:56:51.0093 0324 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/22 02:56:51.0390 0324 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/04/22 02:56:51.0828 0324 OsaFsLoc (26c4a4b64d1dd8e6fdfb2f4897be029c) C:\WINDOWS\system32\drivers\OsaFsLoc.sys
2011/04/22 02:56:52.0265 0324 osaio (9d1177c2a8de936b33d85ff75e8cbf1a) C:\WINDOWS\system32\drivers\osaio.sys
2011/04/22 02:56:52.0687 0324 osanbm (3245bee5176697faf0744a2e1288dc77) C:\WINDOWS\system32\drivers\osanbm.sys
2011/04/22 02:56:52.0906 0324 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
2011/04/22 02:56:52.0953 0324 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/22 02:56:53.0031 0324 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/22 02:56:53.0359 0324 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/22 02:56:54.0203 0324 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/22 02:56:54.0515 0324 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/04/22 02:56:56.0781 0324 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/04/22 02:56:57.0156 0324 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/04/22 02:56:57.0484 0324 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/22 02:56:57.0718 0324 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/22 02:56:57.0796 0324 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/22 02:56:58.0171 0324 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/04/22 02:56:58.0546 0324 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/04/22 02:56:58.0921 0324 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/04/22 02:56:59.0312 0324 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/04/22 02:56:59.0703 0324 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/04/22 02:56:59.0796 0324 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/22 02:57:00.0125 0324 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2011/04/22 02:57:00.0296 0324 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/22 02:57:00.0468 0324 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/22 02:57:00.0546 0324 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/22 02:57:01.0031 0324 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/22 02:57:01.0125 0324 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/22 02:57:01.0359 0324 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/22 02:57:01.0828 0324 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/22 02:57:02.0171 0324 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/22 02:57:02.0859 0324 s24trans (1cc074e0d48383d4e9bffc6a26c2a58a) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/04/22 02:57:03.0156 0324 sdbus (02fc71b020ec8700ee8a46c58bc6f276) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/04/22 02:57:03.0406 0324 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/22 02:57:03.0609 0324 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
2011/04/22 02:57:03.0921 0324 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/22 02:57:04.0796 0324 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/04/22 02:57:05.0125 0324 SMCIRDA (a8eb0aa07632a4c936ff6f8eda5bdead) C:\WINDOWS\system32\DRIVERS\smcirda.sys
2011/04/22 02:57:05.0390 0324 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/04/22 02:57:05.0875 0324 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/22 02:57:06.0218 0324 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/22 02:57:06.0703 0324 Srv (ea554a3ffc3f536fe8320eb38f5e4843) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/22 02:57:07.0062 0324 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/22 02:57:07.0359 0324 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/22 02:57:07.0718 0324 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/04/22 02:57:08.0093 0324 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/04/22 02:57:08.0453 0324 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/04/22 02:57:08.0828 0324 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/04/22 02:57:09.0328 0324 SynTP (f914182084600f2c0b721f79dd690407) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/04/22 02:57:09.0640 0324 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/22 02:57:10.0140 0324 Tcpip (1dbf125862891817f374f407626967f4) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/22 02:57:10.0609 0324 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/22 02:57:10.0984 0324 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/22 02:57:11.0265 0324 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/22 02:57:11.0687 0324 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/04/22 02:57:12.0015 0324 UBHelper (e0c67be430c6de490d6ccaecfa071f9e) C:\WINDOWS\system32\drivers\UBHelper.sys
2011/04/22 02:57:12.0296 0324 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/22 02:57:12.0687 0324 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/04/22 02:57:12.0968 0324 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/22 02:57:13.0250 0324 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/22 02:57:13.0453 0324 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/22 02:57:13.0593 0324 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/22 02:57:14.0062 0324 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/04/22 02:57:14.0500 0324 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/04/22 02:57:14.0953 0324 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/22 02:57:15.0125 0324 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/04/22 02:57:15.0359 0324 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/04/22 02:57:15.0703 0324 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/04/22 02:57:16.0109 0324 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/04/22 02:57:16.0281 0324 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/22 02:57:16.0906 0324 w39n51 (73395a19fc86461a151d3c330604e8b3) C:\WINDOWS\system32\DRIVERS\w39n51.sys
2011/04/22 02:57:17.0171 0324 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/22 02:57:18.0125 0324 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/22 02:57:18.0343 0324 winachsf (c1d5cbd8aa0d674da1ba1bb189696396) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/04/22 02:57:18.0687 0324 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/04/22 02:57:19.0234 0324 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/04/22 02:57:19.0703 0324 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/04/22 02:57:20.0859 0324 \HardDisk0 - detected Rootkit.Win32.BackBoot.gen (1)
2011/04/22 02:57:20.0875 0324 ================================================================================
2011/04/22 02:57:20.0875 0324 Scan finished
2011/04/22 02:57:20.0875 0324 ================================================================================
2011/04/22 02:57:20.0890 3044 Detected object count: 1
2011/04/22 03:01:48.0484 3044 Rootkit.Win32.BackBoot.gen(\HardDisk0) - User select action: Skip
2011/04/22 03:02:58.0453 2084 Deinitialize success

Attached Files
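Most of the TDSSKiller log above is an inventory of loaded drivers (service name, MD5, image path); the lines a helper actually acts on are the detection and the action the user chose for it. As an added example, not part of this thread and not TDSSKiller's own code, the Python below parses such a log into a summary: tool version, driver inventory, detections paired with the action taken, and a list of detections that are still unresolved (no action or "Skip"). The line layout `<date time> <pid> <message>` is inferred from the log lines on this page, which is an assumption; the constructed sample reuses a handful of those lines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Layout inferred from the log on this page (assumption): "<yyyy/mm/dd hh:mm:ss.ms> <pid> <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) (?P<pid>\d{4})\s*(?P<msg>.*)$")
# Driver inventory line: "<service> (<md5>) <image path>"
DRIVER_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>[A-Za-z]:\\.+)$")
# Detection line: "<object> - detected <threat> (<count>)"
DETECT_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<threat>\S+) \((?P<n>\d+)\)$")
# Action line: "<threat>(<object>) - User select action: <action>"
ACTION_RE = re.compile(r"^(?P<threat>\S+?)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")


@dataclass
class Detection:
    time: str
    obj: str
    threat: str
    action: Optional[str] = None  # filled in when the matching action line is seen


@dataclass
class Summary:
    tool_version: Optional[str] = None
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (md5, path)
    detections: List[Detection] = field(default_factory=list)
    unparsed: List[str] = field(default_factory=list)  # lines that did not fit the layout


def parse_tdsskiller_log(text: str) -> Summary:
    s = Summary()
    pending: Dict[Tuple[str, str], Detection] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            s.unparsed.append(line)
            continue
        msg = m["msg"].strip()
        if msg.startswith("TDSS rootkit removing tool "):
            s.tool_version = msg.split()[4]
            continue
        d = DRIVER_RE.match(msg)
        if d:
            s.drivers[d["name"]] = (d["md5"], d["path"])
            continue
        det = DETECT_RE.match(msg)
        if det:
            rec = Detection(m["ts"], det["obj"], det["threat"])
            s.detections.append(rec)
            pending[(det["threat"], det["obj"])] = rec
            continue
        act = ACTION_RE.match(msg)
        if act:
            rec = pending.get((act["threat"], act["obj"]))
            if rec:
                rec.action = act["action"]
        # Separators, SystemInfo and "Scan started/finished" lines carry no triage value.
    return s


def unresolved(summary: Summary) -> List[Detection]:
    """Detections with no recorded action, or 'Skip': the object is still in place."""
    return [d for d in summary.detections if d.action in (None, "Skip")]


def drivers_outside(summary: Summary, windows_dir: str = r"C:\WINDOWS") -> List[str]:
    """Driver services whose image is not under the system32 tree deserve a second look."""
    prefix = (windows_dir + "\\system32\\").lower()
    return sorted(n for n, (_, p) in summary.drivers.items() if not p.lower().startswith(prefix))


# Constructed sample: a few lines taken from the log posted above, blank and separator lines included.
SAMPLE_LOG = r"""
2011/04/22 02:55:59.0390 3384 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/22 02:55:59.0421 3384 ================================================================================
2011/04/22 02:55:59.0421 3384 SystemInfo:
2011/04/22 02:55:59.0421 3384
2011/04/22 02:55:59.0421 3384 OS Version: 5.1.2600 ServicePack: 2.0
2011/04/22 02:56:01.0750 0324 Scan started
2011/04/22 02:56:02.0703 0324 Aavmker4 (78a4db23bb4e8d4349e164d1d90af73f) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/04/22 02:56:03.0859 0324 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/22 02:56:05.0671 0324 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2011/04/22 02:57:20.0859 0324 \HardDisk0 - detected Rootkit.Win32.BackBoot.gen (1)
2011/04/22 02:57:20.0875 0324 Scan finished
2011/04/22 02:57:20.0890 3044 Detected object count: 1
2011/04/22 03:01:48.0484 3044 Rootkit.Win32.BackBoot.gen(\HardDisk0) - User select action: Skip
2011/04/22 03:02:58.0453 2084 Deinitialize success
"""

if __name__ == "__main__":
    summary = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"TDSSKiller {summary.tool_version}: {len(summary.drivers)} drivers, "
          f"{len(summary.detections)} detection(s)")
    for d in unresolved(summary):
        print(f"  UNRESOLVED {d.threat} on {d.obj} (action: {d.action})")
    print("drivers outside system32:", drivers_outside(summary))
```

Run against a full log the unresolved list is the part to act on; a detection on a disk object such as `\HardDisk0` with action "Skip", as here, means the MBR has been flagged but nothing has been changed yet, which is exactly the state Elise wanted before taking a backup.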



#7 Elise

    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,932 posts
  • Gender:Female
  • Location:Romania

Posted 22 April 2011 - 03:49 AM

That looks indeed like an MBR infection, but not a regular one. Before attempting a fix, I'd first like to have a backup.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, once finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB drive and the CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.

regards, Elise




#8 CPD

  • Topic Starter
  • Members
  • 20 posts

Posted 22 April 2011 - 04:01 AM

Elise,
What are you considering to be my "clean" computer? This one with the possible MBR rootkit? If not I'll need to use someone else's machine tomorrow morning. So I was correct not to copy to quarantine that suspicious Rootkit.Win32.BackBoot.gen detected by TDSSKiller?

Edited by CPD, 22 April 2011 - 04:04 AM.


#9 Elise

    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,932 posts
  • Gender:Female
  • Location:Romania

Posted 22 April 2011 - 04:05 AM

Sorry, you can create this disk on this computer. I often use this on non-booting computers, which is why I referred to a clean computer. I forgot to adjust the instructions. :)

And yes, skip was the best option in this case.

Edited by elise025, 22 April 2011 - 04:06 AM.

regards, Elise




#10 CPD

  • Topic Starter
  • Members
  • 20 posts

Posted 22 April 2011 - 04:16 AM

Elise,
That's better for me. Each time I reboot it seems to be taking longer, so I may be in that situation pretty soon ;) When you say USB drive, do you mean a flash (memory) drive or an external USB-connected IDE hard drive? I have both available.

#11 Elise

    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,932 posts
  • Gender:Female
  • Location:Romania

Posted 22 April 2011 - 04:51 AM

A simple flashdrive will do. :)

regards, Elise




#12 CPD

  • Topic Starter
  • Members
  • 20 posts

Posted 22 April 2011 - 06:53 PM

Elise,
No luck with xPUD. It installed fine and burned the xpud_0.9.2.iso to a blank CD; I booted the computer and the xPUD interface appeared. I navigated to FILE then MNT and saw sda1 thru 4 (hard disk partitions?). sda1 apparently is the Acer hidden restore partition, sda2 is C:, sda3 is D: and sda4 is E:. I recognized folder and file names in each of them. But when I selected any of the sdb1 thru sdb4 icons (for USB drives?), no contents showed even though my USB flash drive had some files in the root directory. I ran your command four times from TERMINAL, highlighting each of them (sdb1 thru sdb4), but only if I set it to "show hidden objects" could I see an mbr.bin file appear in the directory(?) of the USB drive each time. If I turned off "show hidden objects" they'd disappear. Each time the terminal screen output read:

1+0 records in
1+0 records out

When I'd exit the xPUD interface and the computer rebooted there was never a mbr.bin file on the USB flash drive. What am I doing wrong or, more precisely, why isn't xPUD showing any contents of the USB drive(s) as it does for the HDD partitions? It's as if I'm issuing a command that copies something off into a void but I don't know what the 1+0 records in/out indicates.

Edited by CPD, 22 April 2011 - 06:59 PM.


#13 CPD

  • Topic Starter
  • Members
  • 20 posts

Posted 22 April 2011 - 11:45 PM

Duplicate moved below. Can't delete.

Edited by CPD, 22 April 2011 - 11:55 PM.


#14 CPD

  • Topic Starter
  • Members
  • 20 posts

Posted 22 April 2011 - 11:49 PM

Elise,
I rebooted using the xPUD CD a couple more times. At first it wouldn't bring up the GUI - only a black screen with errors about not reading USB ports, but I didn't write anything down. Then I force powered down and tried again. This time I connected an external USB drive (not flash memory) AFTER xPUD booted. Two new MNT options registered as sdc1 and sdc5 (C and not B). Using tool > open terminal with your command seemed to copy mbr.bin to the external drive. After booting there was an mbr.bin on that drive. :thumbup2: Hopefully it's the one you need.

I viewed it in notepad. Binary code and some ASCII reading "Invalid partition table", "Error loading operating system", "Missing operating system". After zipping I (mistakenly) right clicked to view inside the archive again, which opened it, and a new Avast virus warning popped up immediately. I've included a screen shot. The warning about PHYSICALD is one of two warnings that consistently appear a few minutes after booting since installing Avast. The trojan warning Win32:MBRoot-J [Trj] was due to opening mbr.bin in the archive.

Attached Files


Edited by CPD, 22 April 2011 - 11:56 PM.
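The `dd if=/dev/sda of=mbr.bin bs=512 count=1` command from post #7 copies exactly one 512-byte sector, and the `1+0 records in / 1+0 records out` that xPUD printed means one full block was read and written with no partial block. Post #14 then describes what that file looks like in a text editor: opaque boot code plus the three error strings a standard Windows MBR carries. As an added example, not Elise's tool and not part of this thread, the Python below reads such an image the way an analyst would before trusting it: checks that the capture is complete (512 bytes ending in the 55AA boot signature), decodes the four partition table entries, flags table anomalies (no or several active partitions, bad status bytes, overlapping extents) and pulls out the printable strings. The sector layout constants are the standard MBR layout; the embedded sample image is constructed to resemble the layout CPD describes (hidden recovery partition followed by three NTFS volumes), and its partition types, sizes and disk signature are assumptions.

```python
import hashlib
import re
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
DISK_SIG_OFFSET = 0x1B8    # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 0x1BE  # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"


@dataclass
class PartitionEntry:
    index: int
    status: int      # 0x80 = active (bootable), 0x00 = inactive
    part_type: int   # partition type id, e.g. 0x07 = NTFS
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80

    @property
    def empty(self) -> bool:
        return self.part_type == 0 and self.sectors == 0


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Each entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count."""
    return [PartitionEntry(i, *struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFFSET + 16 * i))
            for i in range(4)]


def ascii_strings(blob: bytes, min_len: int = 8) -> List[str]:
    """Printable runs, i.e. what a text editor shows when mbr.bin is opened in it."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def check_mbr(mbr: bytes) -> dict:
    """Validate an MBR image and summarise it for the analyst."""
    findings: List[str] = []
    if len(mbr) != MBR_SIZE:
        findings.append(f"image is {len(mbr)} bytes, expected {MBR_SIZE}")
    complete = len(mbr) >= MBR_SIZE
    sig_ok = complete and mbr[510:512] == BOOT_SIGNATURE
    if complete and not sig_ok:
        findings.append("boot signature 55AA missing")
    parts = parse_partition_table(mbr) if complete else []
    active = [p for p in parts if p.bootable]
    if complete and len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    for p in parts:
        if p.status not in (0x00, 0x80):
            findings.append(f"entry {p.index}: invalid status byte 0x{p.status:02x}")
    # Overlapping extents point at a damaged or tampered table.
    used = sorted((p.lba_start, p.lba_start + p.sectors, p.index) for p in parts if not p.empty)
    for (_, end_a, ia), (start_b, _, ib) in zip(used, used[1:]):
        if start_b < end_a:
            findings.append(f"entries {ia} and {ib} overlap")
    code_area = mbr[:PART_TABLE_OFFSET] if complete else mbr
    return {
        "sha256": hashlib.sha256(mbr).hexdigest(),   # record the hash before sharing the file
        "complete": complete and sig_ok,
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0] if complete else None,
        "partitions": parts,
        "active_index": active[0].index if len(active) == 1 else None,
        "strings": ascii_strings(code_area),
        "findings": findings,
    }


def build_sample_mbr() -> bytes:
    """Constructed 512-byte image (not a capture from this thread): hidden OEM recovery
    partition followed by three NTFS volumes, with the second entry (C:) marked active."""
    code = bytearray(DISK_SIG_OFFSET)
    code[0:7] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"  # xor ax,ax / mov ss,ax / mov sp,7C00h
    msgs = (b"Invalid partition table\x00Error loading operating system\x00"
            b"Missing operating system\x00")
    code[0x100:0x100 + len(msgs)] = msgs

    def entry(status: int, ptype: int, lba: int, count: int) -> bytes:
        # CHS fields set to FE FF FF: LBA addressing in use
        return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)

    table = (entry(0x00, 0x12, 63, 8_000_000)             # hidden OEM/recovery (assumed type)
             + entry(0x80, 0x07, 8_000_063, 60_000_000)    # C: active NTFS
             + entry(0x00, 0x07, 68_000_063, 60_000_000)   # D:
             + entry(0x00, 0x07, 128_000_063, 28_000_000)) # E:
    disk_sig = struct.pack("<I", 0xA1B2C3D4) + b"\x00\x00"  # constructed signature + reserved
    return bytes(code) + disk_sig + table + BOOT_SIGNATURE


if __name__ == "__main__":
    report = check_mbr(build_sample_mbr())
    print("sha256:", report["sha256"], "complete:", report["complete"])
    for p in report["partitions"]:
        print(f"  #{p.index} status=0x{p.status:02x} type=0x{p.part_type:02x} "
              f"start={p.lba_start} sectors={p.sectors}")
    print("strings:", report["strings"])
    print("findings:", report["findings"] or "none")
```

To use it on a real capture, read the file with `open(path, "rb").read()` and pass the bytes to `check_mbr`; a non-empty `findings` list (a short image, a missing 55AA signature, no active partition) is the signal that the backup is not one you would want to restore from or hand to a helper as "the" MBR.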


#15 Elise

    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,932 posts
  • Gender:Female
  • Location:Romania

Posted 23 April 2011 - 07:21 AM

Hi, although the MBR does not seem complete, the warning Avast gave you indeed indicates a Mebroot infection. Please read the following first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


You mention you have an Acer recovery partition. Do you also have recovery disks? This is important to know since fixing the MBR might result in losing access to the recovery partition. If that happens, we'll need to repair the partition table.

regards, Elise

