Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TDL4 Rootkit Infection, Google redirecting


  • This topic is locked This topic is locked
26 replies to this topic

#1 <Stealth>

<Stealth>

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:39 PM

Posted 15 April 2011 - 08:39 AM

I think I'm yet another victim of this blasted thing. Both Firefox and IE start and run normally, but links from Google have a high chance of redirecting somewhere else - I have not recorded the exact sites, but the redirection targets included some fake antivirus sites and also eBay's homepage. In particular, Google links to Wikipedia seem to always be redirected elsewhere. Travelling there via URL presents no such problems. Suspicion of TDL4 is from DDS and GMER output.

DDS Log follows:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Scott at 13:33:25.73 on 15/04/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_23
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3068.961 [GMT 1:00]
.
AV: CA Anti-Virus Plus *Enabled/Updated* {3EED0195-0A4B-4EF3-CC4F-4F401BDC245F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: CA Anti-Virus Plus *Enabled/Updated* {858CE071-2C71-417D-F6FF-7432605B6EE2}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\RtkAudioService.exe
C:\Program Files\WTouch\WTouchService.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Windows\system32\lkcitdl.exe
C:\Windows\system32\lkads.exe
C:\Windows\system32\lktsrv.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\Program Files\National Instruments\Shared\NI WebServer\SystemWebServer.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\Program Files\Sony\Network Utility\NSUService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\PSIService.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\ccEvtMgr.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Bamboo Dock\BambooCore.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony\Network Utility\LANUtil.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Users\Scott\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Sony\VAIO Power Management\SPMService.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DllHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe
C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\mobsync.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Users\Scott\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.bittersweetcandybowl.com/
uDefault_Page_URL = hxxp://www.club-vaio.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.club-vaio.com
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\progra~1\google~1\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [NSUFloatingUI] "c:\program files\sony\network utility\LANUtil.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [<NO NAME>]
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [cctray] "c:\program files\ca\ca internet security suite\casc.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [BambooCore] c:\program files\bamboo dock\BambooCore.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\scott\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\scott\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: PFW - UmxWnp.Dll
Notify: VESWinlogon - VESWinlogon.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\scott\appdata\roaming\mozilla\firefox\profiles\2jlrgsjh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\users\scott\appdata\roaming\mozilla\firefox\profiles\2jlrgsjh.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nplv2010win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nplv90win32.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\program files\vlc\npvlc.dll
FF - plugin: c:\users\scott\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\scott\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\scott\appdata\roaming\facebook\npfbplugin_1_0_3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [2010-9-17 135248]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-10-3 59240]
R1 ExpanDrive;ExpanDrive;c:\windows\system32\drivers\ExpanDrive.sys [2009-3-20 294472]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2010-3-22 79864]
R1 RapportCerberus_25973;RapportCerberus_25973;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\25973\RapportCerberus_25973.sys [2011-4-13 57144]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-10-3 169320]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 BecHelperService;BecHelperService;c:\program files\3 mobile broadband\3connect\BecHelperService.exe [2010-10-6 1737464]
R2 CAAMSvc;CAAMSvc;c:\program files\ca\ca internet security suite\ca anti-virus plus\CAAMSvc.exe [2010-10-29 206152]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus plus\isafe.exe [2010-4-4 212992]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2010-4-4 206160]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2010-6-9 244304]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-5-28 4233728]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2008-8-11 9344]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-21 16896]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-8-22 133104]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2008-8-11 29736]
S3 KmxAMVet;KmxAMVet;c:\windows\system32\drivers\KmxAMVet.sys [2009-3-27 598656]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-10-6 9216]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-6-2 16168]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
.
=============== Created Last 30 ================
.
2011-04-14 21:36:53 -------- d-----w- c:\users\scott\appdata\roaming\Malwarebytes
2011-04-14 21:36:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-14 21:36:45 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-14 21:36:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-14 21:36:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-14 21:07:39 -------- d-----w- c:\users\scott\appdata\local\Trusteer
2011-04-13 18:56:50 -------- d-----w- c:\users\scott\appdata\roaming\PC Remote
2011-04-12 11:29:27 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{dce67509-17b6-42c7-9bf3-047063794938}\mpengine.dll
2011-04-07 18:28:56 -------- d-----w- c:\users\scott\appdata\roaming\Design Science
2011-04-05 16:12:27 -------- d-----w- c:\program files\MathType
2011-03-31 10:33:43 -------- d-----w- c:\progra~2\WEBREG
2011-03-31 10:30:34 320512 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpfpp101.dll
2011-03-31 10:25:21 -------- d-----w- c:\program files\common files\HP
2011-03-31 10:25:16 -------- d-----w- c:\program files\common files\Hewlett-Packard
2011-03-31 10:23:22 966656 ----a-w- c:\windows\system32\hpost_p04b.dll
2011-03-31 10:23:22 887296 ----a-w- c:\windows\system32\hposwia_p04b.dll
2011-03-31 10:23:22 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2011-03-31 10:23:22 315392 ----a-w- c:\windows\system32\hposc_p04a.dll
2011-03-31 10:23:22 309760 ----a-w- c:\windows\system32\difxapi.dll
2011-03-31 10:23:01 452736 ----a-w- c:\windows\system32\hpzids01.dll
2011-03-31 10:22:57 125440 ----a-w- c:\windows\system32\hpf3l101.dll
2011-03-24 20:31:47 -------- d-----w- c:\users\scott\appdata\local\LAG
2011-03-24 20:31:47 -------- d-----w- c:\progra~2\LAG
2011-03-24 19:55:18 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-24 19:55:17 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-24 19:55:17 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-03-24 19:55:17 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-24 19:55:17 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-24 19:55:17 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-03-24 19:55:17 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-03-24 19:55:17 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-03-24 19:39:49 -------- d-----w- c:\windows\system32\AGEIA
2011-03-24 19:39:30 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2011-03-24 17:09:45 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-24 17:09:45 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-24 17:09:44 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-19 15:20:02 -------- d-----w- c:\program files\BCBDateSim Alpha
.
==================== Find3M ====================
.
2011-02-02 18:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: TOSHIBA_ rev.LV01 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x89E04439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89e0a7d0]; MOV EAX, [0x89e0a84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x8487C912] -> \Device\Harddisk0\DR0[0x8986B8B0]
3 CLASSPNP[0x8CFB88B3] -> ntkrnlpa!IofCallDriver[0x8487C912] -> [0x88147F08]
5 acpi[0x8068D6BC] -> ntkrnlpa!IofCallDriver[0x8487C912] -> [0x88149028]
\Driver\iaStor[0x89DE9EF0] -> IRP_MJ_CREATE -> 0x89E04439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskTOSHIBA_MK2552GSX_______________________LV010A__#4&390b30ad&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 488397166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 13:35:45.69 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:39 PM

Posted 15 April 2011 - 11:02 AM

Hello <Stealth>,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


2.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Things to include in your next reply::
TDSSKiller log
Gmer log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 <Stealth>

<Stealth>
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:39 PM

Posted 15 April 2011 - 12:02 PM

(Posted from my other (clean) computer):

TDSSKiller spotted the TDL4 infection and ran the 'cure'. It seems to have worked, but GMER is still running after about 40 minutes. This was a slight problem, since I'd only Snoozed my Antivirus for half an hour. No red flags, though, so I've re-snoozed it for another hour and left GMER alone to carry on.

I'll send both log files over in my next post, but I just wanted to keep you updated.

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:39 PM

Posted 15 April 2011 - 01:16 PM

Hello,


Thanks for the information. Please try some websites and searching to see how the machine is running.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 <Stealth>

<Stealth>
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:39 PM

Posted 15 April 2011 - 01:19 PM

(Posted from clean computer):

Oh, I'd love to. Unfortunately, GMER is STILL running. After a brief search back through my notes, it seems that leaving IAT/EAT turned on in the GMER settings might have been the cause of this rather major delay.

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:39 PM

Posted 15 April 2011 - 01:28 PM

Gmer is very slow but will let us know if the TDL4 infection is gone :)

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 <Stealth>

<Stealth>
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:39 PM

Posted 15 April 2011 - 01:32 PM

(Posted from mobile phone. :P )

Fair enough. You can expect both logs and an analysis of the computer's behaviour as soon as this thing finishes. Just one question: when it does finish and I've saved the log, should I reboot?

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:39 PM

Posted 15 April 2011 - 01:41 PM

Yes go ahead and reboot :dance:

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 <Stealth>

<Stealth>
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:39 PM

Posted 15 April 2011 - 04:11 PM

OK, I'm calling this test off for the moment. GMER was still running up to ten minutes ago, with no red flags, and for the last two hours has been stuck in C:\Windows\winsxs\Manifests\. I'm sorry, but I can't believe that's right.

The Google issue seems to have gone, although browsing and general usage are a little sluggish. That's quite likely to be from a lack of recent tuneups, though - this system is probably well overdue a nice defrag.

Here's the TDSSKiller log, followed by the (aborted) GMER log file. I'll run it again if you like, although I suspect I should clear that checkbox next time.

2011/04/15 17:10:09.0968 6856 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/15 17:10:10.0013 6856 ================================================================================
2011/04/15 17:10:10.0013 6856 SystemInfo:
2011/04/15 17:10:10.0013 6856
2011/04/15 17:10:10.0013 6856 OS Version: 6.0.6002 ServicePack: 2.0
2011/04/15 17:10:10.0013 6856 Product type: Workstation
2011/04/15 17:10:10.0013 6856 ComputerName: SCOTT-PC
2011/04/15 17:10:10.0013 6856 UserName: Scott
2011/04/15 17:10:10.0013 6856 Windows directory: C:\Windows
2011/04/15 17:10:10.0013 6856 System windows directory: C:\Windows
2011/04/15 17:10:10.0013 6856 Processor architecture: Intel x86
2011/04/15 17:10:10.0013 6856 Number of processors: 2
2011/04/15 17:10:10.0013 6856 Page size: 0x1000
2011/04/15 17:10:10.0013 6856 Boot type: Normal boot
2011/04/15 17:10:10.0013 6856 ================================================================================
2011/04/15 17:10:10.0572 6856 Initialize success
2011/04/15 17:10:26.0372 6988 ================================================================================
2011/04/15 17:10:26.0372 6988 Scan started
2011/04/15 17:10:26.0372 6988 Mode: Manual;
2011/04/15 17:10:26.0372 6988 ================================================================================
2011/04/15 17:10:45.0138 6988 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2011/04/15 17:10:45.0483 6988 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
2011/04/15 17:10:45.0701 6988 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
2011/04/15 17:10:47.0262 6988 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
2011/04/15 17:10:47.0381 6988 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
2011/04/15 17:10:47.0830 6988 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2011/04/15 17:10:48.0014 6988 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
2011/04/15 17:10:48.0327 6988 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/04/15 17:10:48.0590 6988 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
2011/04/15 17:10:48.0698 6988 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
2011/04/15 17:10:48.0764 6988 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
2011/04/15 17:10:48.0910 6988 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
2011/04/15 17:10:49.0021 6988 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
2011/04/15 17:10:49.0143 6988 ApfiltrService (9325e49d555d8f12ce1735227dbb3d80) C:\Windows\system32\DRIVERS\Apfiltr.sys
2011/04/15 17:10:49.0495 6988 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
2011/04/15 17:10:49.0690 6988 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
2011/04/15 17:10:50.0250 6988 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/04/15 17:10:50.0497 6988 atapi (2d9c903dc76a66813d350a562de40ed9) C:\Windows\system32\drivers\atapi.sys
2011/04/15 17:10:51.0517 6988 atikmdag (71c98afef4bf7a5bb54cbaaddb5d7972) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/04/15 17:10:52.0073 6988 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/04/15 17:10:52.0319 6988 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
2011/04/15 17:10:52.0690 6988 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2011/04/15 17:10:53.0171 6988 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/04/15 17:10:53.0643 6988 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/04/15 17:10:54.0021 6988 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/04/15 17:10:54.0344 6988 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/04/15 17:10:54.0682 6988 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/04/15 17:10:55.0046 6988 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/04/15 17:10:55.0302 6988 BthEnum (6d39c954799b63ba866910234cf7d726) C:\Windows\system32\DRIVERS\BthEnum.sys
2011/04/15 17:10:55.0656 6988 BTHMODEM (9a966a8e86d1771911ae34a20d11bff3) C:\Windows\system32\DRIVERS\bthmodem.sys
2011/04/15 17:10:56.0095 6988 BthPan (5904efa25f829bf84ea6fb045134a1d8) C:\Windows\system32\DRIVERS\bthpan.sys
2011/04/15 17:10:56.0553 6988 BTHPORT (5a3abaa2f8eece7aefb942773766e3db) C:\Windows\system32\Drivers\BTHport.sys
2011/04/15 17:10:57.0106 6988 BTHUSB (94e2941280e3756a5e0bcb467865c43a) C:\Windows\system32\Drivers\BTHUSB.sys
2011/04/15 17:10:57.0434 6988 btwaudio (ed97cd06ef748004b8aac56c2d0aa5db) C:\Windows\system32\drivers\btwaudio.sys
2011/04/15 17:10:57.0645 6988 btwavdt (4871b5ed4757197135ff65be61da44b3) C:\Windows\system32\drivers\btwavdt.sys
2011/04/15 17:10:57.0903 6988 btwl2cap (6af9fd2aeebdc16a98d3e30e68440c5c) C:\Windows\system32\DRIVERS\btwl2cap.sys
2011/04/15 17:10:57.0957 6988 btwrchid (f5da7df99cf11fcb68e2bea12002f63a) C:\Windows\system32\DRIVERS\btwrchid.sys
2011/04/15 17:10:58.0307 6988 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/04/15 17:10:58.0400 6988 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2011/04/15 17:10:58.0781 6988 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
2011/04/15 17:10:59.0194 6988 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2011/04/15 17:10:59.0678 6988 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/04/15 17:10:59.0900 6988 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
2011/04/15 17:11:00.0058 6988 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2011/04/15 17:11:00.0263 6988 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
2011/04/15 17:11:00.0733 6988 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
2011/04/15 17:11:01.0515 6988 cvintdrv (dbd89bc0dbe00dcd245be8f61dbee291) C:\Windows\system32\drivers\cvintdrv.sys
2011/04/15 17:11:01.0699 6988 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2011/04/15 17:11:02.0912 6988 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2011/04/15 17:11:03.0895 6988 DMICall (f206e28ed74c491fd5d7c0a1119ce37f) C:\Windows\system32\DRIVERS\DMICall.sys
2011/04/15 17:11:04.0827 6988 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/04/15 17:11:05.0182 6988 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
2011/04/15 17:11:05.0495 6988 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/04/15 17:11:05.0785 6988 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2011/04/15 17:11:06.0502 6988 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
2011/04/15 17:11:06.0851 6988 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
2011/04/15 17:11:07.0298 6988 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2011/04/15 17:11:07.0699 6988 ExpanDrive (eb8a29b0158e0632c69558820af4fe61) C:\Windows\system32\drivers\ExpanDrive.sys
2011/04/15 17:11:08.0216 6988 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2011/04/15 17:11:08.0924 6988 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2011/04/15 17:11:09.0227 6988 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/04/15 17:11:09.0800 6988 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/04/15 17:11:10.0126 6988 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/04/15 17:11:10.0664 6988 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2011/04/15 17:11:11.0028 6988 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/04/15 17:11:11.0326 6988 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
2011/04/15 17:11:12.0274 6988 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\Drivers\GEARAspiWDM.sys
2011/04/15 17:11:13.0145 6988 HdAudAddService (3f90e001369a07243763bd5a523d8722) C:\Windows\system32\drivers\HdAudio.sys
2011/04/15 17:11:13.0505 6988 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/04/15 17:11:14.0121 6988 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/04/15 17:11:14.0380 6988 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/04/15 17:11:14.0877 6988 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2011/04/15 17:11:15.0126 6988 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
2011/04/15 17:11:15.0960 6988 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
2011/04/15 17:11:16.0281 6988 HSF_DPV (7bc42c65b5c6281777c1a7605b253ba8) C:\Windows\system32\DRIVERS\HSX_DPV.sys
2011/04/15 17:11:16.0842 6988 HSXHWAZL (9ebf2d102ccbb6bcdfbf1b7922f8ba2e) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
2011/04/15 17:11:18.0086 6988 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2011/04/15 17:11:18.0846 6988 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
2011/04/15 17:11:19.0270 6988 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/04/15 17:11:20.0235 6988 iaStor (db0cc620b27a928d968c1a1e9cd9cb87) C:\Windows\system32\DRIVERS\iaStor.sys
2011/04/15 17:11:20.0436 6988 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
2011/04/15 17:11:20.0965 6988 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/04/15 17:11:21.0925 6988 IntcAzAudAddService (4a0f260df9a5333c07f4ab40ca9d4f4b) C:\Windows\system32\drivers\RTKVHDA.sys
2011/04/15 17:11:22.0265 6988 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2011/04/15 17:11:22.0528 6988 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2011/04/15 17:11:23.0094 6988 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/04/15 17:11:23.0909 6988 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
2011/04/15 17:11:24.0907 6988 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/04/15 17:11:25.0677 6988 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/04/15 17:11:26.0450 6988 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
2011/04/15 17:11:27.0457 6988 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/04/15 17:11:28.0497 6988 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/04/15 17:11:28.0842 6988 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/04/15 17:11:28.0945 6988 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/04/15 17:11:29.0058 6988 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/04/15 17:11:29.0758 6988 KmxAgent (bf236f7a7a4b437dae22cf7665055e71) C:\Windows\system32\DRIVERS\kmxagent.sys
2011/04/15 17:11:30.0116 6988 KmxAMRT (431f909c73deaf60522e0be5e81aa6ef) C:\Windows\system32\DRIVERS\KmxAMRT.sys
2011/04/15 17:11:30.0381 6988 KmxAMVet (041b29c8e3bed6e833ade367ecfa51f9) C:\WINDOWS\system32\Drivers\KmxAMVet.sys
2011/04/15 17:11:30.0527 6988 KmxCfg (ebec5bc094f7127de83751deba0111c7) C:\Windows\system32\DRIVERS\kmxcfg.sys
2011/04/15 17:11:30.0630 6988 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2011/04/15 17:11:30.0882 6988 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/04/15 17:11:31.0403 6988 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
2011/04/15 17:11:31.0727 6988 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
2011/04/15 17:11:32.0024 6988 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
2011/04/15 17:11:32.0269 6988 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/04/15 17:11:32.0547 6988 massfilter (59a2783aba6019bed0c843c706e10a6a) C:\Windows\system32\drivers\massfilter.sys
2011/04/15 17:11:32.0845 6988 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
2011/04/15 17:11:33.0095 6988 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
2011/04/15 17:11:33.0399 6988 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
2011/04/15 17:11:33.0664 6988 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/04/15 17:11:33.0896 6988 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/04/15 17:11:34.0410 6988 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/04/15 17:11:34.0792 6988 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2011/04/15 17:11:34.0971 6988 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/04/15 17:11:35.0243 6988 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
2011/04/15 17:11:35.0627 6988 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/04/15 17:11:35.0907 6988 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/04/15 17:11:36.0300 6988 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2011/04/15 17:11:36.0623 6988 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/04/15 17:11:36.0873 6988 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/04/15 17:11:37.0077 6988 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/04/15 17:11:37.0163 6988 msahci (28023e86f17001f7cd9b15a5bc9ae07d) C:\Windows\system32\drivers\msahci.sys
2011/04/15 17:11:37.0455 6988 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
2011/04/15 17:11:37.0792 6988 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/04/15 17:11:38.0090 6988 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/04/15 17:11:38.0535 6988 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/04/15 17:11:38.0815 6988 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/04/15 17:11:39.0244 6988 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/04/15 17:11:39.0546 6988 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2011/04/15 17:11:39.0897 6988 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/04/15 17:11:40.0217 6988 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/04/15 17:11:40.0581 6988 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2011/04/15 17:11:40.0860 6988 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2011/04/15 17:11:41.0074 6988 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2011/04/15 17:11:41.0634 6988 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/04/15 17:11:41.0834 6988 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/04/15 17:11:42.0032 6988 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/04/15 17:11:42.0308 6988 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/04/15 17:11:42.0511 6988 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/04/15 17:11:42.0758 6988 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2011/04/15 17:11:43.0596 6988 NETw5v32 (f0c42e0cdce558d658fa53a222b4ccb1) C:\Windows\system32\DRIVERS\NETw5v32.sys
2011/04/15 17:11:43.0836 6988 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/04/15 17:11:44.0169 6988 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2011/04/15 17:11:44.0421 6988 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/04/15 17:11:44.0798 6988 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2011/04/15 17:11:44.0960 6988 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/04/15 17:11:44.0988 6988 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/04/15 17:11:45.0065 6988 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
2011/04/15 17:11:45.0280 6988 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
2011/04/15 17:11:45.0568 6988 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
2011/04/15 17:11:45.0857 6988 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/04/15 17:11:46.0023 6988 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2011/04/15 17:11:46.0180 6988 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2011/04/15 17:11:46.0382 6988 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2011/04/15 17:11:46.0608 6988 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2011/04/15 17:11:46.0934 6988 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
2011/04/15 17:11:47.0200 6988 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2011/04/15 17:11:47.0513 6988 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/04/15 17:11:47.0853 6988 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/04/15 17:11:48.0054 6988 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
2011/04/15 17:11:48.0281 6988 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2011/04/15 17:11:48.0455 6988 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\Windows\system32\Drivers\PxHelp20.sys
2011/04/15 17:11:48.0885 6988 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
2011/04/15 17:11:49.0105 6988 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/04/15 17:11:49.0286 6988 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/04/15 17:11:49.0768 6988 RapportCerberus_25973 (3d80f6fb972cffab9a760892f9ab7232) C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys
2011/04/15 17:11:49.0931 6988 RapportKELL (b64262f33c53d690ed662fde57102b10) C:\Windows\system32\Drivers\RapportKELL.sys
2011/04/15 17:11:50.0127 6988 RapportPG (c9b8a131aaf77d969cbc3987537b319d) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
2011/04/15 17:11:50.0410 6988 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/04/15 17:11:50.0681 6988 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/04/15 17:11:50.0809 6988 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/04/15 17:11:50.0904 6988 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2011/04/15 17:11:51.0188 6988 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2011/04/15 17:11:51.0336 6988 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/04/15 17:11:51.0400 6988 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
2011/04/15 17:11:51.0628 6988 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/04/15 17:11:51.0944 6988 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2011/04/15 17:11:52.0297 6988 regi (001b4278407f4303efc902a2b16f2453) C:\Windows\system32\drivers\regi.sys
2011/04/15 17:11:52.0600 6988 RFCOMM (6482707f9f4da0ecbab43b2e0398a101) C:\Windows\system32\DRIVERS\rfcomm.sys
2011/04/15 17:11:52.0836 6988 rimsptsk (d0c2a0ce1091e08efb7ccba6cea4c3f9) C:\Windows\system32\DRIVERS\rimsptsk.sys
2011/04/15 17:11:53.0049 6988 risdptsk (c22e4e27ccdf9aa5fe8143104f28cde3) C:\Windows\system32\DRIVERS\risdptsk.sys
2011/04/15 17:11:53.0260 6988 RsFx0103 (fd692c6ffade58f7c4c3c3c9a0ec35bd) C:\Windows\system32\DRIVERS\RsFx0103.sys
2011/04/15 17:11:53.0337 6988 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/04/15 17:11:53.0656 6988 RTHDMIAzAudService (065a51298212455584f1811b033b617e) C:\Windows\system32\drivers\RtHDMIV.sys
2011/04/15 17:11:54.0010 6988 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/04/15 17:11:54.0301 6988 sdbus (126ea89bcc413ee45e3004fb0764888f) C:\Windows\system32\DRIVERS\sdbus.sys
2011/04/15 17:11:54.0562 6988 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/04/15 17:11:54.0865 6988 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2011/04/15 17:11:55.0015 6988 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2011/04/15 17:11:55.0145 6988 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/04/15 17:11:55.0458 6988 SFEP (8b7c1768d2cde2e02e09a66563ddfd16) C:\Windows\system32\DRIVERS\SFEP.sys
2011/04/15 17:11:55.0718 6988 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
2011/04/15 17:11:55.0913 6988 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
2011/04/15 17:11:55.0953 6988 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
2011/04/15 17:11:56.0190 6988 sfloppy (c33bfbd6e9e41fcd9ffef9729e9faed6) C:\Windows\system32\DRIVERS\sfloppy.sys
2011/04/15 17:11:56.0465 6988 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
2011/04/15 17:11:56.0811 6988 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
2011/04/15 17:11:56.0991 6988 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
2011/04/15 17:11:57.0190 6988 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2011/04/15 17:11:57.0462 6988 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/04/15 17:11:57.0739 6988 srv (ff3cbc13db84d81f56931bc922cc37c4) C:\Windows\system32\DRIVERS\srv.sys
2011/04/15 17:11:57.0914 6988 srv2 (d15959d9f69f0d39a0153e9c244f20dd) C:\Windows\system32\DRIVERS\srv2.sys
2011/04/15 17:11:57.0956 6988 srvnet (faa0d553a49e85008c6bb3781987c574) C:\Windows\system32\DRIVERS\srvnet.sys
2011/04/15 17:11:58.0127 6988 ss_bus (5a1d0ca8a5f1e7b4ec50b9d76c001f0e) C:\Windows\system32\DRIVERS\ss_bus.sys
2011/04/15 17:11:58.0255 6988 ss_mdfl (f0a85580e36a3a85059037d39a9cf079) C:\Windows\system32\DRIVERS\ss_mdfl.sys
2011/04/15 17:11:58.0456 6988 ss_mdm (84c3dbfd1bfa4adc0a950b3d5506cb00) C:\Windows\system32\DRIVERS\ss_mdm.sys
2011/04/15 17:11:58.0558 6988 StarOpen (306521935042fc0a6988d528643619b3) C:\Windows\system32\drivers\StarOpen.sys
2011/04/15 17:11:58.0817 6988 StillCam (ef70b3d22b4bffda6ea851ecb063efaa) C:\Windows\system32\DRIVERS\serscan.sys
2011/04/15 17:11:59.0018 6988 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/04/15 17:11:59.0076 6988 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/04/15 17:11:59.0350 6988 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/04/15 17:11:59.0662 6988 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/04/15 17:11:59.0907 6988 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2011/04/15 17:12:00.0209 6988 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2011/04/15 17:12:00.0447 6988 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2011/04/15 17:12:00.0663 6988 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/04/15 17:12:00.0790 6988 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/04/15 17:12:00.0922 6988 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2011/04/15 17:12:01.0064 6988 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2011/04/15 17:12:01.0378 6988 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/04/15 17:12:01.0570 6988 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/04/15 17:12:01.0620 6988 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2011/04/15 17:12:01.0905 6988 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
2011/04/15 17:12:02.0123 6988 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2011/04/15 17:12:02.0350 6988 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
2011/04/15 17:12:02.0407 6988 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
2011/04/15 17:12:02.0577 6988 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/04/15 17:12:02.0628 6988 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/04/15 17:12:02.0817 6988 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/04/15 17:12:03.0023 6988 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\Windows\system32\Drivers\usbaapl.sys
2011/04/15 17:12:03.0118 6988 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/04/15 17:12:03.0374 6988 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/04/15 17:12:03.0563 6988 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2011/04/15 17:12:03.0799 6988 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2011/04/15 17:12:04.0047 6988 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2011/04/15 17:12:04.0399 6988 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2011/04/15 17:12:04.0643 6988 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2011/04/15 17:12:04.0844 6988 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/04/15 17:12:04.0987 6988 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/04/15 17:12:05.0108 6988 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
2011/04/15 17:12:05.0433 6988 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/04/15 17:12:05.0596 6988 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/04/15 17:12:05.0685 6988 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
2011/04/15 17:12:05.0752 6988 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
2011/04/15 17:12:05.0837 6988 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
2011/04/15 17:12:06.0050 6988 vmm (c01604eaea9c89035cff58cdb322476c) C:\Windows\system32\Drivers\vmm.sys
2011/04/15 17:12:06.0126 6988 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/04/15 17:12:06.0670 6988 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2011/04/15 17:12:06.0995 6988 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2011/04/15 17:12:07.0228 6988 vpnva (1b7c80c66742dafaa31f98af4c3a5bc2) C:\Windows\system32\DRIVERS\vpnva.sys
2011/04/15 17:12:07.0330 6988 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
2011/04/15 17:12:07.0617 6988 wacmoumonitor (8724531219ae3f9e3729012b61dce527) C:\Windows\system32\DRIVERS\wacmoumonitor.sys
2011/04/15 17:12:07.0980 6988 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) C:\Windows\system32\DRIVERS\wacommousefilter.sys
2011/04/15 17:12:08.0485 6988 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/04/15 17:12:08.0619 6988 wacomvhid (51d580f30d1a1f2ea4965af6abc2bcb2) C:\Windows\system32\DRIVERS\wacomvhid.sys
2011/04/15 17:12:08.0743 6988 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/04/15 17:12:08.0782 6988 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/04/15 17:12:09.0039 6988 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
2011/04/15 17:12:09.0368 6988 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
2011/04/15 17:12:09.0669 6988 WimFltr (090a2b8f055343815556a01f725f6c35) C:\Windows\system32\DRIVERS\wimfltr.sys
2011/04/15 17:12:09.0909 6988 winachsf (5a77ac34a0ffb70ce8b35b524fede9ba) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
2011/04/15 17:12:10.0111 6988 winusb (676f4b665bdd8053eaa53ac1695b8074) C:\Windows\system32\DRIVERS\winusb.sys
2011/04/15 17:12:10.0252 6988 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\drivers\wmiacpi.sys
2011/04/15 17:12:10.0557 6988 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/04/15 17:12:10.0757 6988 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/04/15 17:12:10.0843 6988 WSDPrintDevice (4422ac5ed8d4c2f0db63e71d4c069dd7) C:\Windows\system32\DRIVERS\WSDPrint.sys
2011/04/15 17:12:11.0063 6988 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\Windows\system32\drivers\WudfPf.sys
2011/04/15 17:12:11.0122 6988 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/04/15 17:12:11.0355 6988 XAudio (88af537264f2b818da15479ceeaf5d7c) C:\Windows\system32\DRIVERS\xaudio.sys
2011/04/15 17:12:11.0565 6988 yukonwlh (67e3d2af24c3873e6a0cac89de78d63b) C:\Windows\system32\DRIVERS\yk60x86.sys
2011/04/15 17:12:11.0691 6988 ZTEusbmdm6k (3862318f85be7a91957ada5e814ed58c) C:\Windows\system32\DRIVERS\ZTEusbmdm6k.sys
2011/04/15 17:12:11.0820 6988 ZTEusbnmea (3862318f85be7a91957ada5e814ed58c) C:\Windows\system32\DRIVERS\ZTEusbnmea.sys
2011/04/15 17:12:12.0019 6988 ZTEusbser6k (3862318f85be7a91957ada5e814ed58c) C:\Windows\system32\DRIVERS\ZTEusbser6k.sys
2011/04/15 17:12:12.0111 6988 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/04/15 17:12:12.0152 6988 ================================================================================
2011/04/15 17:12:12.0152 6988 Scan finished
2011/04/15 17:12:12.0152 6988 ================================================================================
2011/04/15 17:12:12.0170 6984 Detected object count: 1
2011/04/15 17:13:28.0799 6984 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/04/15 17:13:28.0799 6984 \HardDisk0 - ok
2011/04/15 17:13:28.0801 6984 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/04/15 17:13:34.0815 6704 Deinitialize success



##### Now for GMER... #####



GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-15 21:58:08
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.LV01
Running: 9500fs6n.exe; Driver: C:\Users\Scott\AppData\Local\Temp\fgloypow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwAssignProcessToJobObject [0x92801FE4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0x92802996]
SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys ZwCreateThread [0x9282EDB6]
SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys ZwDeleteFile [0x9282DE12]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteKey [0x9280636C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteValueKey [0x9280639E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwLoadKey [0x92806500]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenFile [0x92802A5A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenProcess [0x92802128]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenThread [0x9280231A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwProtectVirtualMemory [0x9280244C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwQueryValueKey [0x92806476]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRenameKey [0x928063E0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwReplaceKey [0x92806412]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRestoreKey [0x92806444]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetContextThread [0x92801F8A]
SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys ZwSetInformationFile [0x9282DE86]
SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys ZwSetValueKey [0x9282EC92]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSuspendThread [0x92801F26]
SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys ZwTerminateProcess [0x9282DD98]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateThread [0x92801EC2]
SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys ZwCreateThreadEx [0x9282EE54]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 191 848EE914 4 Bytes [E4, 1F, 80, 92]
.text ntkrnlpa.exe!KeSetEvent + 1D9 848EE95C 4 Bytes [96, 29, 80, 92]
.text ntkrnlpa.exe!KeSetEvent + 221 848EE9A4 4 Bytes [B6, ED, 82, 92]
.text ntkrnlpa.exe!KeSetEvent + 2D1 848EEA54 8 Bytes [12, DE, 82, 92, 6C, 63, 80, ...]
.text ntkrnlpa.exe!KeSetEvent + 2E1 848EEA64 4 Bytes [9E, 63, 80, 92]
.text ...
PAGE ntkrnlpa.exe!FsRtlCancellableWaitForMultipleObjects + 2AE 84A20355 7 Bytes JMP 8EF43B18
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90E0C000, 0x24DFB2, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1156] ntdll.dll!KiUserApcDispatcher 77515B48 5 Bytes JMP 00414C10 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1156] USER32.dll!InSendMessageEx + 3B1 76F1E6B0 6 Bytes JMP 716E001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1156] WS2_32.dll!getaddrinfo 775F418A 5 Bytes JMP 71640022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1156] WS2_32.dll!gethostbyname 776062D4 5 Bytes JMP 71670022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[6064] ntdll.dll!KiUserApcDispatcher 77515B48 5 Bytes JMP 004397C0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[6064] WS2_32.dll!getaddrinfo 775F418A 5 Bytes JMP 71670022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[6064] WS2_32.dll!gethostbyname 776062D4 5 Bytes JMP 716E0022

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[5528] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74347817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5528] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7439A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5528] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7434BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5528] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7433F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5528] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [743475E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5528] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7433E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5528] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74378395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5528] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7434DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5528] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7433FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5528] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7433FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5528] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [743371CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5528] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [743CCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5528] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7436C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5528] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7433D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5528] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74336853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5528] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7433687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5528] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74342AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e3dea765c
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00214f4bdf9d
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00214f4bdf9d@0023d6015cd0 0xC2 0x28 0x02 0x09 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00214f4bdf9d@0025d0236f11 0x3F 0xFF 0x9F 0xFB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00214f4bdf9d@902155f0acd5 0x1A 0x52 0xC4 0x3F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00214f5171e3
Reg HKLM\SYSTEM\ControlSet039\Services\BTHPORT\Parameters\Keys\001e3dea765c (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet039\Services\BTHPORT\Parameters\Keys\00214f4bdf9d (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet039\Services\BTHPORT\Parameters\Keys\00214f4bdf9d@0023d6015cd0 0xC2 0x28 0x02 0x09 ...
Reg HKLM\SYSTEM\ControlSet039\Services\BTHPORT\Parameters\Keys\00214f4bdf9d@0025d0236f11 0x3F 0xFF 0x9F 0xFB ...
Reg HKLM\SYSTEM\ControlSet039\Services\BTHPORT\Parameters\Keys\00214f4bdf9d@902155f0acd5 0x1A 0x52 0xC4 0x3F ...
Reg HKLM\SYSTEM\ControlSet039\Services\BTHPORT\Parameters\Keys\00214f5171e3 (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B57E3A100C45F704B8597B77507CCD4C\Usage@Core 1049578680

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:39 PM

Posted 15 April 2011 - 04:40 PM

Hello,

There is no need to run Gmer again. We will run a couple other scanners to make sure nothing else was on the machine with the TDL4 infection.

1.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.


2.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

3.
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Microsoft: ‘Unprecedented Wave of Java Exploitation’
Drive-by Trojan preying on out-of-date Java installations
Ghosts of Java Haunt UsersPlease follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows" (32-bit) or "Windows x64" (64-bit).
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "I agree to the Java SE...License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

4.
Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, the please see this tutorial:How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • Once the installation is finished, go here: Adobe Update Page and scroll down to UPDATES/PROGRAMS. From there download: Adobe Reader X update - multiple languages and save it to your desktop.
  • Double-click the file AdbeRdrUpd932_all_incr.msp on your desktop to start installing the update and follow the prompts.
  • Once the update is done click Exit.
Your Adobe Reader is now up to date!


Things to include in your next reply::
MBAM log
Eset log
A new DDS log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#11 <Stealth>

<Stealth>
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:39 PM

Posted 15 April 2011 - 04:54 PM

(From clean computer):

OK, I'm making a start on these. Fortunately, I had a copy of Malwarebytes v1.50.1.1100 on the system, which I've updated to database 6370 just now, so that'll make the first step easier.

#12 <Stealth>

<Stealth>
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:39 PM

Posted 15 April 2011 - 05:41 PM

ESET seems to be stuck on a .iso of Visual Studio 2010 from Dreamspark. It's safe, but it's pretty large. Anyway, ESET's timer is almost up to 30 minutes, and it's been on this thing (and 43% progress) for most of that. Should I leave it to cook, or just get rid of the file?

1 hour 15 minutes as of now. I'm killing the scan and deleting the file; this thing'll clearly sit at 43% forever. I'll rerun it next.

Edited by <Stealth>, 15 April 2011 - 06:29 PM.


#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:39 PM

Posted 15 April 2011 - 06:56 PM

Hello,

Be patient as it may take some time for Eset to run. Make sure to disable and anti malware or antivirus you have running this will help speed it up a little

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#14 <Stealth>

<Stealth>
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:39 PM

Posted 15 April 2011 - 06:59 PM

Well, it's still going, but at least the progress bar's moving this time. I've got CA antivirus and Windows Defender off, and so far it seems to have turned up 8 Win32/Ramnit.A viruses. Thoughts?

EDIT:
Actually, this is going to take a while, and it's well past midnight here. If you don't mind, I'll let this run on overnight, and resume tackling this (and hopefully completing all of the steps you mentioned) tomorrow morning.

Edited by <Stealth>, 15 April 2011 - 07:16 PM.


#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:39 PM

Posted 15 April 2011 - 07:33 PM

Hello,


Please take not of those files it detected and the name of the infection for each. Just in case you don't get a log

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users