Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan horse Agent_r.XJ


  • This topic is locked This topic is locked
14 replies to this topic

#1 Alessandra9

Alessandra9

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:37 AM

Posted 29 April 2011 - 11:53 AM

hi! Recently I've been have huge problems trying to remove this trojan that only AVG seems to detect, I know there are already topics that talk about it but the didn't seem to help me,
I tried with kaspersky TDSSKiller,MlwareBytes and TrojanRemover with no success.
here is my log from HijackThis, any suggestion would be really appreciated!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:48:48, on 29/04/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Chiavetta Internet\Chiavetta Internet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Sony\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FSGQSFSQ\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
R3 - URLSearchHook: (no name) - {cc05a3e3-64c3-4af2-bfc1-af0d66b69065} - (no file)
R3 - URLSearchHook: (no name) - {a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [UpdatePPShortCut] "C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerProducer" update "Software\CyberLink\PowerProducer\4.0"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [NokiaOviSuite2] C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKUS\S-1-5-18\..\Run: [AMService] C:\Windows\TEMP\ladn\setup.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AMService] C:\Windows\TEMP\ladn\setup.exe (User 'Default user')
O4 - Startup: GigaTribe.lnk = C:\Program Files\GigaTribe\gigatribe.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NO.....1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5168BC48-C731-40D8-ACB9-884A7C5AFAB5}: NameServer = 213.230.130.222 217.200.200.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{5168BC48-C731-40D8-ACB9-884A7C5AFAB5}: NameServer = 213.230.130.222 217.200.200.42
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: AMService - Unknown owner - C:\Windows\TEMP\myua\setup.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe
O23 - Service: VUAgent - Sony Corporation - C:\Program Files\Sony\VAIO Update 5\VUAgent.exe

--
End of file - 11503 bytes

BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:37 PM

Posted 08 May 2011 - 04:16 AM

Hello ,
And :welcome: to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 Alessandra9

Alessandra9
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:37 AM

Posted 08 May 2011 - 11:48 AM

hi Elise, thank you very much for your time to help me with my issue, I am pasting the DDS.txt and attaching the Attach.txt as requested. Hope this will do.
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Sony at 18:29:32.67 on 08/05/2011
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Professional 6.1.7601.1.1252.44.1033.18.3070.1473 [GMT 2:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Update 5\VAIOUpdt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\AVG\AVG10\avgui.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\AVG\AVG10\avgscanx.exe
C:\Windows\system32\conhost.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Chiavetta Internet\Chiavetta Internet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Sony\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2475029
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: flvdome: {73ba1019-7fcc-cace-a2aa-ad0ff2df550f} - c:\windows\system32\In-2O_J---.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB: {CC05A3E3-64C3-4AF2-BFC1-AF0D66B69065} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [NokiaOviSuite2] c:\program files\nokia\nokia ovi suite\NokiaOviSuite.exe -tray
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AdobeBridge]
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10o_Plugin.exe -update plugin
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe"
mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" update "software\cyberlink\powerproducer\4.0"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
StartupFolder: c:\users\sony\appdata\roaming\micros~1\windows\startm~1\programs\startup\gigatr~1.lnk - c:\program files\gigatribe\gigatribe.exe
StartupFolder: c:\users\sony\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\users\sony\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {5168BC48-C731-40D8-ACB9-884A7C5AFAB5} = 213.230.130.222 217.200.200.42
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sony\appdata\roaming\mozilla\firefox\profiles\uw4anpbb.default\
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32464]
R1 AvgLdx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 AvgMfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 AvgTdiX;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 296400]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-2-15 7421280]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-3-30 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 21968]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2011-1-20 201168]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2011-1-20 101120]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2007-8-3 9344]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-14 311296]
S2 AMService;AMService;c:\windows\temp\myua\setup.exe run --> c:\windows\temp\myua\setup.exe run [?]
S2 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-27 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 bsusbser;PHD USB Device for Legacy Serial Communication;c:\windows\system32\drivers\bsusbser.sys [2010-8-2 99456]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-21 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-27 135664]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-7-14 20992]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-2-23 52224]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\sony\vcm intelligent analyzing manager\VcmIAlzMgr.exe [2010-4-4 480624]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\common files\sony shared\vcmxml\VcmXmlIfHelper.exe [2010-4-4 83312]
S3 VUAgent;VUAgent;c:\program files\sony\vaio update 5\VUAgent.exe [2010-4-4 722288]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-25 1343400]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-14 17920]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2009-7-14 20480]
.
=============== Created Last 30 ================
.
2011-05-01 13:53:33 -------- d-----w- c:\users\sony\appdata\roaming\AVG10
2011-04-30 16:43:01 -------- d-----w- c:\users\sony\appdata\roaming\SUPERAntiSpyware.com
2011-04-30 16:43:01 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-04-30 16:42:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-29 10:45:46 -------- d-----w- c:\users\sony\appdata\roaming\Uned
2011-04-29 10:45:46 -------- d-----w- c:\users\sony\appdata\roaming\Alakz
2011-04-27 09:20:19 -------- d-----w- c:\progra~2\AVG10
2011-04-27 08:44:12 -------- d-----w- c:\progra~2\MFAData
2011-04-26 19:10:49 159080 ----a-w- c:\progra~2\microsoft\windows\sqm\manifest\Sqm10138.bin
2011-04-25 16:24:39 -------- d-----w- c:\users\sony\appdata\roaming\Malwarebytes
2011-04-25 16:24:35 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-25 16:24:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-25 16:14:13 -------- d-----w- c:\program files\Ask.com
2011-04-17 06:58:49 -------- d-----w- C:\4023ba9534a4d2ed8d
2011-04-16 15:24:22 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-16 15:24:22 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-16 15:24:22 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-16 15:16:35 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-04-16 15:16:35 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-04-16 15:16:32 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-04-16 15:16:32 294912 ----a-w- c:\windows\system32\atmfd.dll
2011-04-16 15:16:27 2333184 ----a-w- c:\windows\system32\win32k.sys
2011-04-16 15:15:20 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-04-16 15:15:16 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-04-16 15:15:11 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-16 15:15:09 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-04-16 15:15:08 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-16 15:15:00 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-16 15:15:00 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-16 15:15:00 223232 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-16 15:15:00 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-15 17:29:39 -------- d-----w- c:\users\sony\appdata\roaming\Ashampoo
2011-04-15 17:29:20 -------- d-----w- c:\users\sony\appdata\local\ashampoo
2011-04-15 17:29:20 -------- d-----w- c:\progra~2\ashampoo
2011-04-15 17:29:14 -------- d-----w- c:\program files\Ashampoo
2011-04-14 06:56:52 -------- d-----w- c:\users\sony\appdata\local\Shalsoft
2011-04-14 06:56:46 -------- d-----w- c:\program files\GigaTribe
2011-04-14 01:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-14 01:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-02-23 09:04:13 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-02-19 06:30:54 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 06:30:51 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 06:30:50 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-16 09:41:20 203576 ----a-w- c:\windows\system32\richtx32.ocx
2011-02-16 09:41:20 140288 ----a-w- c:\windows\system32\comdlg32.ocx
2011-02-16 09:41:20 124688 ----a-w- c:\windows\system32\mswinsck.ocx
.
============= FINISH: 18:31:46.05 ===============

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:37 PM

Posted 08 May 2011 - 01:42 PM

Can you give me the exact detection by AVG (filepath if possible) and also describe what actual problems you are having besides this detection.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Alessandra9

Alessandra9
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:37 AM

Posted 09 May 2011 - 08:40 AM

Avg detects:
"Object name";"C:\Windows\explorer.exe (404):\memory_00010000"
"Detection name";"Trojan horse Agent_r.XJ"
"Object type";"file"
"SDK Type";"Core"
"Result";"Infected"
"Action history";""


"Object name";"C:\Program Files\Mozilla Firefox\firefox.exe (4916):\memory_00010000"
"Detection name";"Trojan horse Agent_r.XJ"
"Object type";"file"
"SDK Type";"Core"
"Result";"Infected"
"Action history";""

and


"Object name";"C:\Program Files\Mozilla Firefox\firefox.exe (4628):\memory_00010000"
"Detection name";"Trojan horse Agent_r.XJ"
"Object type";"file"
"SDK Type";"Core"
"Result";"Infected"
"Action history";""


I had blueScreen several times and had to reinstall mozilla firefox three times because it would not start.
Also my laptop was behaving real slow recently.

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:37 PM

Posted 09 May 2011 - 09:09 AM

Thanks for the additional information! :)

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 Alessandra9

Alessandra9
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:37 AM

Posted 11 May 2011 - 08:20 AM

HI, I have downloaded Combofix.exe but it would give me BlueScreen each time i tried to run it, I also tried to start it on Safe Mode and i disabled Avg but the same thing happened.
My laptop was Windows Vista upgraded to Windows 7, so i don't have the Windows Sistem Recovery Console, I made a brief research and it says i have to contact my manufacturer, http://support.microsoft.com/kb/975321
Do you think there is a way around it or is it possible to run Combofix without it?
Thank you very much

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:37 PM

Posted 11 May 2011 - 08:43 AM

As you can see in the instructions, the Recovery Console is only for XP, not for Vista/7.

Please try to run the following if combofix won't run.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 Alessandra9

Alessandra9
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:37 AM

Posted 11 May 2011 - 10:00 AM

hi!I finally managed to remove it!
I had tried the tdssKiller before but it didn't work , it might be that the version i downloaded before was 2.4.21 and the one i downloaded now is 2.5.0.
By the way thank you very much for your help!
I'm gonna paste the tdssKiller log.
Thanks Again!


2011/05/11 16:03:39.0070 3648 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/11 16:03:41.0072 3648 ================================================================================
2011/05/11 16:03:41.0072 3648 SystemInfo:
2011/05/11 16:03:41.0072 3648
2011/05/11 16:03:41.0072 3648 OS Version: 6.1.7601 ServicePack: 1.0
2011/05/11 16:03:41.0072 3648 Product type: Workstation
2011/05/11 16:03:41.0072 3648 ComputerName: VAIO-PC
2011/05/11 16:03:41.0073 3648 UserName: Sony
2011/05/11 16:03:41.0073 3648 Windows directory: C:\Windows
2011/05/11 16:03:41.0073 3648 System windows directory: C:\Windows
2011/05/11 16:03:41.0073 3648 Processor architecture: Intel x86
2011/05/11 16:03:41.0073 3648 Number of processors: 2
2011/05/11 16:03:41.0073 3648 Page size: 0x1000
2011/05/11 16:03:41.0073 3648 Boot type: Normal boot
2011/05/11 16:03:41.0073 3648 ================================================================================
2011/05/11 16:03:41.0671 3648 Initialize success
2011/05/11 16:03:47.0471 7092 ================================================================================
2011/05/11 16:03:47.0472 7092 Scan started
2011/05/11 16:03:47.0472 7092 Mode: Manual;
2011/05/11 16:03:47.0472 7092 ================================================================================
2011/05/11 16:03:49.0837 7092 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
2011/05/11 16:03:49.0967 7092 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
2011/05/11 16:03:49.0999 7092 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
2011/05/11 16:03:50.0104 7092 adfs (6d7f09cd92a9fef3a8efce66231fdd79) C:\Windows\system32\drivers\adfs.sys
2011/05/11 16:03:50.0311 7092 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
2011/05/11 16:03:50.0370 7092 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
2011/05/11 16:03:50.0409 7092 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
2011/05/11 16:03:50.0495 7092 AFD (1151fd4fb0216cfed887bfde29ebd516) C:\Windows\system32\drivers\afd.sys
2011/05/11 16:03:50.0620 7092 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys
2011/05/11 16:03:50.0694 7092 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
2011/05/11 16:03:50.0774 7092 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys
2011/05/11 16:03:50.0861 7092 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys
2011/05/11 16:03:50.0890 7092 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys
2011/05/11 16:03:50.0993 7092 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
2011/05/11 16:03:51.0044 7092 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
2011/05/11 16:03:51.0114 7092 amdsata (e7f4d42d8076ec60e21715cd11743a0d) C:\Windows\system32\drivers\amdsata.sys
2011/05/11 16:03:51.0151 7092 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
2011/05/11 16:03:51.0271 7092 amdxata (146459d2b08bfdcbfa856d9947043c81) C:\Windows\system32\drivers\amdxata.sys
2011/05/11 16:03:51.0368 7092 AppID (aea177f783e20150ace5383ee368da19) C:\Windows\system32\drivers\appid.sys
2011/05/11 16:03:51.0586 7092 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
2011/05/11 16:03:51.0646 7092 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
2011/05/11 16:03:51.0694 7092 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/05/11 16:03:51.0765 7092 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\drivers\atapi.sys
2011/05/11 16:03:51.0997 7092 AVGIDSDriver (2177e7448c1ecfb35a5db417603d205a) C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys
2011/05/11 16:03:52.0082 7092 AVGIDSEH (13256fc72fa5b3f6d6e8c5957e579b7c) C:\Windows\system32\DRIVERS\AVGIDSEH.Sys
2011/05/11 16:03:52.0138 7092 AVGIDSFilter (fa0685cc51de5cfd804e7deaa6488e0e) C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys
2011/05/11 16:03:52.0188 7092 AVGIDSShim (f788b51100d0f40ea176798cce954a1a) C:\Windows\system32\DRIVERS\AVGIDSShim.Sys
2011/05/11 16:03:52.0288 7092 AvgLdx86 (4e796d3d2c3182b13b3e3b5a2ad4ef0a) C:\Windows\system32\DRIVERS\avgldx86.sys
2011/05/11 16:03:52.0338 7092 AvgMfx86 (5639de66b37d02bd22df4cf3155fba60) C:\Windows\system32\DRIVERS\avgmfx86.sys
2011/05/11 16:03:52.0463 7092 Avgrkx86 (d1baf652eda0ae70896276a1fb32c2d4) C:\Windows\system32\DRIVERS\avgrkx86.sys
2011/05/11 16:03:52.0529 7092 AvgTdiX (aaf0ebcad95f2164cffb544e00392498) C:\Windows\system32\DRIVERS\avgtdix.sys
2011/05/11 16:03:52.0768 7092 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
2011/05/11 16:03:52.0820 7092 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
2011/05/11 16:03:52.0897 7092 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
2011/05/11 16:03:53.0018 7092 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
2011/05/11 16:03:53.0138 7092 bowser (8f2da3028d5fcbd1a060a3de64cd6506) C:\Windows\system32\DRIVERS\bowser.sys
2011/05/11 16:03:53.0184 7092 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2011/05/11 16:03:53.0220 7092 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2011/05/11 16:03:53.0267 7092 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
2011/05/11 16:03:53.0303 7092 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
2011/05/11 16:03:53.0334 7092 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
2011/05/11 16:03:53.0355 7092 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
2011/05/11 16:03:53.0537 7092 bsusbser (b9daec1d8a8a65740c222419c8d808fe) C:\Windows\system32\DRIVERS\bsusbser.sys
2011/05/11 16:03:53.0604 7092 BthEnum (2865a5c8e98c70c605f417908cebb3a4) C:\Windows\system32\drivers\BthEnum.sys
2011/05/11 16:03:53.0654 7092 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
2011/05/11 16:03:53.0801 7092 BthPan (ad1872e5829e8a2c3b5b4b641c3eab0e) C:\Windows\system32\DRIVERS\bthpan.sys
2011/05/11 16:03:53.0874 7092 BTHPORT (195c41cc67e9e1cedd960ccb74925920) C:\Windows\System32\Drivers\BTHport.sys
2011/05/11 16:03:53.0946 7092 BTHUSB (43b3206dd654e783aa7e4ead340a43b8) C:\Windows\System32\Drivers\BTHUSB.sys
2011/05/11 16:03:54.0028 7092 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
2011/05/11 16:03:54.0182 7092 cdrom (be167ed0fdb9c1fa1133953c18d5a6c9) C:\Windows\system32\DRIVERS\cdrom.sys
2011/05/11 16:03:54.0234 7092 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
2011/05/11 16:03:54.0302 7092 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
2011/05/11 16:03:54.0519 7092 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/05/11 16:03:54.0576 7092 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys
2011/05/11 16:03:54.0614 7092 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
2011/05/11 16:03:54.0750 7092 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
2011/05/11 16:03:55.0247 7092 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\drivers\CompositeBus.sys
2011/05/11 16:03:55.0439 7092 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
2011/05/11 16:03:55.0506 7092 CSC (3c2177a897b4ca2788c6fb0c3fd81d4b) C:\Windows\system32\drivers\csc.sys
2011/05/11 16:03:55.0614 7092 DfsC (f024449c97ec1e464aaffda18593db88) C:\Windows\system32\Drivers\dfsc.sys
2011/05/11 16:03:55.0777 7092 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
2011/05/11 16:03:55.0864 7092 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
2011/05/11 16:03:55.0950 7092 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
2011/05/11 16:03:56.0039 7092 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys
2011/05/11 16:03:56.0186 7092 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
2011/05/11 16:03:56.0381 7092 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
2011/05/11 16:03:56.0486 7092 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys
2011/05/11 16:03:56.0640 7092 ewusbnet (dafc7e1b2ffa35ccbddf95ae3e31bfae) C:\Windows\system32\DRIVERS\ewusbnet.sys
2011/05/11 16:03:56.0749 7092 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
2011/05/11 16:03:56.0805 7092 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
2011/05/11 16:03:56.0908 7092 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
2011/05/11 16:03:56.0951 7092 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
2011/05/11 16:03:56.0982 7092 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
2011/05/11 16:03:57.0145 7092 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/05/11 16:03:57.0260 7092 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
2011/05/11 16:03:57.0313 7092 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
2011/05/11 16:03:57.0369 7092 fssfltr (d909075fa72c090f27aa926c32cb4612) C:\Windows\system32\DRIVERS\fssfltr.sys
2011/05/11 16:03:57.0476 7092 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
2011/05/11 16:03:57.0537 7092 fvevol (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys
2011/05/11 16:03:57.0644 7092 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
2011/05/11 16:03:57.0714 7092 GEARAspiWDM (df6e37b27a9a1a498c6d9f29995b7a03) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2011/05/11 16:03:58.0030 7092 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
2011/05/11 16:03:58.0106 7092 HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\Windows\system32\drivers\HdAudio.sys
2011/05/11 16:03:58.0217 7092 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\drivers\HDAudBus.sys
2011/05/11 16:03:58.0244 7092 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
2011/05/11 16:03:58.0296 7092 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
2011/05/11 16:03:58.0420 7092 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
2011/05/11 16:03:58.0487 7092 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\Windows\system32\DRIVERS\hidusb.sys
2011/05/11 16:03:58.0615 7092 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys
2011/05/11 16:03:58.0683 7092 HTTP (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
2011/05/11 16:03:58.0817 7092 hwdatacard (1fc7a63148e4f2bd831dab0dc732026d) C:\Windows\system32\DRIVERS\ewusbmdm.sys
2011/05/11 16:03:58.0929 7092 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
2011/05/11 16:03:58.0991 7092 hwusbdev (a259d3619aa23d4562581067f85e2006) C:\Windows\system32\DRIVERS\ewusbdev.sys
2011/05/11 16:03:59.0125 7092 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\drivers\i8042prt.sys
2011/05/11 16:03:59.0175 7092 iaStorV (a3cae5d281db4cff7cff8233507ee5ad) C:\Windows\system32\drivers\iaStorV.sys
2011/05/11 16:03:59.0319 7092 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
2011/05/11 16:03:59.0431 7092 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
2011/05/11 16:03:59.0484 7092 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
2011/05/11 16:03:59.0554 7092 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/05/11 16:03:59.0675 7092 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
2011/05/11 16:03:59.0790 7092 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
2011/05/11 16:03:59.0833 7092 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
2011/05/11 16:03:59.0878 7092 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
2011/05/11 16:03:59.0957 7092 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
2011/05/11 16:04:00.0007 7092 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\drivers\kbdclass.sys
2011/05/11 16:04:00.0104 7092 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\Windows\system32\drivers\kbdhid.sys
2011/05/11 16:04:00.0166 7092 KSecDD (412cea1aa78cc02a447f5c9e62b32ff1) C:\Windows\system32\Drivers\ksecdd.sys
2011/05/11 16:04:00.0228 7092 KSecPkg (26c046977e85b95036453d7b88ba1820) C:\Windows\system32\Drivers\ksecpkg.sys
2011/05/11 16:04:00.0417 7092 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/05/11 16:04:00.0478 7092 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
2011/05/11 16:04:00.0516 7092 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
2011/05/11 16:04:00.0556 7092 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2011/05/11 16:04:00.0609 7092 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2011/05/11 16:04:00.0732 7092 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
2011/05/11 16:04:00.0892 7092 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\Windows\system32\DRIVERS\mcdbus.sys
2011/05/11 16:04:00.0943 7092 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
2011/05/11 16:04:01.0000 7092 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
2011/05/11 16:04:01.0130 7092 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
2011/05/11 16:04:01.0202 7092 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
2011/05/11 16:04:01.0304 7092 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
2011/05/11 16:04:01.0379 7092 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
2011/05/11 16:04:01.0433 7092 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
2011/05/11 16:04:01.0539 7092 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
2011/05/11 16:04:01.0585 7092 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
2011/05/11 16:04:01.0688 7092 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys
2011/05/11 16:04:01.0736 7092 mrxsmb (ed3d3419b064f28d812995ed8cadc541) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/05/11 16:04:01.0819 7092 mrxsmb10 (dc914446049169a964e27fd8888ffaee) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/05/11 16:04:01.0886 7092 mrxsmb20 (e7d90388d14fae057c166c1801e0bf94) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/05/11 16:04:01.0939 7092 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\Windows\system32\drivers\msahci.sys
2011/05/11 16:04:02.0041 7092 msdsm (55055f8ad8be27a64c831322a780a228) C:\Windows\system32\drivers\msdsm.sys
2011/05/11 16:04:02.0134 7092 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
2011/05/11 16:04:02.0209 7092 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
2011/05/11 16:04:02.0276 7092 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys
2011/05/11 16:04:02.0334 7092 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
2011/05/11 16:04:02.0369 7092 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/05/11 16:04:02.0442 7092 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
2011/05/11 16:04:02.0478 7092 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
2011/05/11 16:04:02.0569 7092 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\drivers\mssmbios.sys
2011/05/11 16:04:02.0640 7092 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
2011/05/11 16:04:02.0670 7092 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
2011/05/11 16:04:02.0721 7092 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
2011/05/11 16:04:02.0784 7092 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
2011/05/11 16:04:02.0912 7092 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\Windows\system32\drivers\ndis.sys
2011/05/11 16:04:03.0033 7092 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
2011/05/11 16:04:03.0152 7092 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/05/11 16:04:03.0199 7092 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/05/11 16:04:03.0241 7092 NdisWan (38fbe267e7e6983311179230facb1017) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/05/11 16:04:03.0279 7092 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\Windows\system32\drivers\NDProxy.sys
2011/05/11 16:04:03.0406 7092 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
2011/05/11 16:04:03.0498 7092 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\Windows\system32\DRIVERS\netbt.sys
2011/05/11 16:04:03.0704 7092 netw5v32 (58218ec6b61b1169cf54aab0d00f5fe2) C:\Windows\system32\DRIVERS\netw5v32.sys
2011/05/11 16:04:03.0912 7092 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
2011/05/11 16:04:04.0109 7092 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
2011/05/11 16:04:04.0152 7092 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
2011/05/11 16:04:04.0225 7092 Ntfs (33c3093d09017cfe2e219f2472bff6eb) C:\Windows\system32\drivers\Ntfs.sys
2011/05/11 16:04:04.0395 7092 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
2011/05/11 16:04:04.0699 7092 nvlddmkm (61cc6e7237973caa4e384ce97fd7a7b9) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2011/05/11 16:04:05.0004 7092 nvraid (af2eec9580c1d32fb7eaf105d9784061) C:\Windows\system32\drivers\nvraid.sys
2011/05/11 16:04:05.0042 7092 nvstor (9283c58ebaa2618f93482eb5dabcec82) C:\Windows\system32\drivers\nvstor.sys
2011/05/11 16:04:05.0089 7092 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys
2011/05/11 16:04:05.0141 7092 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys
2011/05/11 16:04:05.0290 7092 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
2011/05/11 16:04:05.0393 7092 partmgr (bf8f6af06da75b336f07e23aef97d93b) C:\Windows\system32\drivers\partmgr.sys
2011/05/11 16:04:05.0423 7092 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
2011/05/11 16:04:05.0516 7092 pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys
2011/05/11 16:04:05.0630 7092 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys
2011/05/11 16:04:05.0738 7092 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/05/11 16:04:05.0768 7092 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
2011/05/11 16:04:05.0814 7092 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
2011/05/11 16:04:06.0053 7092 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
2011/05/11 16:04:06.0170 7092 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
2011/05/11 16:04:06.0257 7092 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
2011/05/11 16:04:06.0397 7092 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
2011/05/11 16:04:06.0532 7092 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
2011/05/11 16:04:06.0577 7092 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
2011/05/11 16:04:06.0660 7092 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
2011/05/11 16:04:06.0717 7092 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
2011/05/11 16:04:06.0775 7092 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/05/11 16:04:06.0828 7092 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/05/11 16:04:07.0001 7092 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
2011/05/11 16:04:07.0047 7092 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys
2011/05/11 16:04:07.0092 7092 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
2011/05/11 16:04:07.0131 7092 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/05/11 16:04:07.0186 7092 RDPDR (b973fcfc50dc1434e1970a146f7e3885) C:\Windows\system32\drivers\rdpdr.sys
2011/05/11 16:04:07.0288 7092 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
2011/05/11 16:04:07.0381 7092 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
2011/05/11 16:04:07.0433 7092 RDPWD (288b06960d78428ff89e811632684e20) C:\Windows\system32\drivers\RDPWD.sys
2011/05/11 16:04:07.0488 7092 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys
2011/05/11 16:04:07.0700 7092 regi (001b4278407f4303efc902a2b16f2453) C:\Windows\system32\drivers\regi.sys
2011/05/11 16:04:07.0798 7092 RFCOMM (cb928d9e6daf51879dd6ba8d02f01321) C:\Windows\system32\DRIVERS\rfcomm.sys
2011/05/11 16:04:07.0964 7092 RimUsb (92d33f76769a028ddc54a863eb7de4a2) C:\Windows\system32\Drivers\RimUsb.sys
2011/05/11 16:04:08.0103 7092 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\Windows\system32\DRIVERS\RimSerial.sys
2011/05/11 16:04:08.0181 7092 ROOTMODEM (564297827d213f52c7a3a2ff749568ca) C:\Windows\system32\Drivers\RootMdm.sys
2011/05/11 16:04:08.0261 7092 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
2011/05/11 16:04:08.0408 7092 s3cap (7fa7f2e249a5dcbb7970630e15e1f482) C:\Windows\system32\drivers\vms3cap.sys
2011/05/11 16:04:08.0464 7092 sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\drivers\sbp2port.sys
2011/05/11 16:04:08.0515 7092 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys
2011/05/11 16:04:08.0615 7092 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/05/11 16:04:08.0731 7092 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
2011/05/11 16:04:08.0778 7092 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
2011/05/11 16:04:08.0835 7092 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
2011/05/11 16:04:09.0048 7092 SFEP (8b7c1768d2cde2e02e09a66563ddfd16) C:\Windows\system32\DRIVERS\SFEP.sys
2011/05/11 16:04:09.0089 7092 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\drivers\sffdisk.sys
2011/05/11 16:04:09.0113 7092 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys
2011/05/11 16:04:09.0139 7092 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\Windows\system32\drivers\sffp_sd.sys
2011/05/11 16:04:09.0202 7092 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
2011/05/11 16:04:09.0325 7092 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys
2011/05/11 16:04:09.0355 7092 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
2011/05/11 16:04:09.0419 7092 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
2011/05/11 16:04:09.0468 7092 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
2011/05/11 16:04:09.0612 7092 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
2011/05/11 16:04:09.0685 7092 srv (4e636465a8653ba3bf29f929aa578e6f) C:\Windows\system32\DRIVERS\srv.sys
2011/05/11 16:04:09.0759 7092 srv2 (4e4e17a3865f650ee8c67726872d9431) C:\Windows\system32\DRIVERS\srv2.sys
2011/05/11 16:04:09.0830 7092 SrvHsfHDA (e00fdfaff025e94f9821153750c35a6d) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
2011/05/11 16:04:09.0980 7092 SrvHsfV92 (ceb4e3b6890e1e42dca6694d9e59e1a0) C:\Windows\system32\DRIVERS\VSTDPV3.SYS
2011/05/11 16:04:10.0133 7092 SrvHsfWinac (bc0c7ea89194c299f051c24119000e17) C:\Windows\system32\DRIVERS\VSTCNXT3.SYS
2011/05/11 16:04:10.0194 7092 srvnet (1346dff5be932939997d373d61a35626) C:\Windows\system32\DRIVERS\srvnet.sys
2011/05/11 16:04:10.0339 7092 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
2011/05/11 16:04:10.0441 7092 storflt (472af0311073dceceaa8fa18ba2bdf89) C:\Windows\system32\drivers\vmstorfl.sys
2011/05/11 16:04:10.0478 7092 storvsc (dcaffd62259e0bdb433dd67b5bb37619) C:\Windows\system32\drivers\storvsc.sys
2011/05/11 16:04:10.0522 7092 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\drivers\swenum.sys
2011/05/11 16:04:10.0623 7092 Tcpip (37e8fa3779668837ca9e2c36d2415949) C:\Windows\system32\drivers\tcpip.sys
2011/05/11 16:04:10.0785 7092 TCPIP6 (37e8fa3779668837ca9e2c36d2415949) C:\Windows\system32\DRIVERS\tcpip.sys
2011/05/11 16:04:10.0849 7092 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys
2011/05/11 16:04:10.0895 7092 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys
2011/05/11 16:04:10.0932 7092 TDTCP (2c10395baa4847f83042813c515cc289) C:\Windows\system32\drivers\tdtcp.sys
2011/05/11 16:04:10.0984 7092 tdx (b459575348c20e8121d6039da063c704) C:\Windows\system32\DRIVERS\tdx.sys
2011/05/11 16:04:11.0031 7092 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\drivers\termdd.sys
2011/05/11 16:04:11.0244 7092 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/05/11 16:04:11.0311 7092 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys
2011/05/11 16:04:11.0374 7092 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys
2011/05/11 16:04:11.0480 7092 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
2011/05/11 16:04:11.0597 7092 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys
2011/05/11 16:04:11.0677 7092 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys
2011/05/11 16:04:11.0730 7092 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\drivers\umbus.sys
2011/05/11 16:04:11.0813 7092 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
2011/05/11 16:04:11.0935 7092 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\Windows\system32\Drivers\usbaapl.sys
2011/05/11 16:04:12.0010 7092 usbaudio (1d9f2bd026e8e2d45033a4df3f16b78c) C:\Windows\system32\drivers\usbaudio.sys
2011/05/11 16:04:12.0088 7092 usbccgp (7e72e7d7e0757d59481d530fd2b0bfae) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/05/11 16:04:12.0176 7092 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys
2011/05/11 16:04:12.0289 7092 usbehci (1c333bfd60f2fed2c7ad5daf533cb742) C:\Windows\system32\DRIVERS\usbehci.sys
2011/05/11 16:04:12.0357 7092 usbhub (9d22aad9ac6a07c691a1113e5f860868) C:\Windows\system32\drivers\usbhub.sys
2011/05/11 16:04:12.0530 7092 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\Windows\system32\DRIVERS\usbohci.sys
2011/05/11 16:04:12.0601 7092 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
2011/05/11 16:04:12.0683 7092 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\Windows\system32\DRIVERS\usbscan.sys
2011/05/11 16:04:12.0791 7092 usbser (88701eca76145e2c011c0eeff0f7b70e) C:\Windows\system32\DRIVERS\usbser.sys
2011/05/11 16:04:12.0903 7092 USBSTOR (bf63ebfc6979fefb2bc03df7989a0c1a) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/05/11 16:04:12.0940 7092 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/05/11 16:04:13.0046 7092 usbvideo (45f4e7bf43db40a6c6b4d92c76cbc3f2) C:\Windows\System32\Drivers\usbvideo.sys
2011/05/11 16:04:13.0251 7092 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys
2011/05/11 16:04:13.0379 7092 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/05/11 16:04:13.0402 7092 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
2011/05/11 16:04:13.0458 7092 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys
2011/05/11 16:04:13.0494 7092 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys
2011/05/11 16:04:13.0527 7092 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
2011/05/11 16:04:13.0624 7092 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys
2011/05/11 16:04:13.0699 7092 vmbus (c2f2911156fdc7817c52829c86da494e) C:\Windows\system32\drivers\vmbus.sys
2011/05/11 16:04:13.0774 7092 VMBusHID (d4d77455211e204f370d08f4963063ce) C:\Windows\system32\drivers\VMBusHID.sys
2011/05/11 16:04:13.0860 7092 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys
2011/05/11 16:04:13.0924 7092 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
2011/05/11 16:04:14.0018 7092 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys
2011/05/11 16:04:14.0067 7092 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
2011/05/11 16:04:14.0192 7092 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\System32\drivers\vwifibus.sys
2011/05/11 16:04:14.0247 7092 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
2011/05/11 16:04:14.0389 7092 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
2011/05/11 16:04:14.0409 7092 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
2011/05/11 16:04:14.0505 7092 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
2011/05/11 16:04:14.0551 7092 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
2011/05/11 16:04:14.0745 7092 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
2011/05/11 16:04:14.0832 7092 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
2011/05/11 16:04:14.0927 7092 WinUsb (a67e5f9a400f3bd1be3d80613b45f708) C:\Windows\system32\DRIVERS\WinUsb.sys
2011/05/11 16:04:14.0989 7092 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys
2011/05/11 16:04:15.0068 7092 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/05/11 16:04:15.0132 7092 WSDPrintDevice (553f6ccd7c58eb98d4a8fbdaf283d7a9) C:\Windows\system32\DRIVERS\WSDPrint.sys
2011/05/11 16:04:15.0249 7092 WSDScan (7dc0270cfd4a05b4112e3ebbf083b595) C:\Windows\system32\DRIVERS\WSDScan.sys
2011/05/11 16:04:15.0313 7092 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
2011/05/11 16:04:15.0375 7092 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/05/11 16:04:15.0532 7092 yukonw7 (b07c5b7efdf936ff93d4f540938725be) C:\Windows\system32\DRIVERS\yk62x86.sys
2011/05/11 16:04:15.0981 7092 {95808DC4-FA4A-4C74-92FE-5B863F82066B} (5867ce254625645345c833510d24f124) C:\Program Files\CyberLink\PowerDVD\000.fcl
2011/05/11 16:04:16.0076 7092 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/11 16:04:16.0083 7092 ================================================================================
2011/05/11 16:04:16.0083 7092 Scan finished
2011/05/11 16:04:16.0083 7092 ================================================================================
2011/05/11 16:04:16.0105 7636 Detected object count: 1
2011/05/11 16:04:34.0414 7636 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/11 16:04:34.0415 7636 \HardDisk0 - ok
2011/05/11 16:04:34.0509 7636 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/05/11 16:04:43.0976 1028 Deinitialize success

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:37 PM

Posted 11 May 2011 - 10:42 AM

Yes, the tool has been updated recently. Older versions did not catch this rootkit yet.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and cleaned, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


If you want to continue with the cleanup, please try to rerun Combofix and post me the log.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 Alessandra9

Alessandra9
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:37 AM

Posted 12 May 2011 - 06:25 AM

hi , I run combofix, it told me it was expired and it was gonna scan in
reduced functionality mode, if is necessary i'll download it again, this is the log

ComboFix 11-05-04.04 - Sony 12/05/2011 13:13:47.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.44.1033.18.3070.2222 [GMT 2:00]
Running from: c:\users\Sony\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\users\Sony\AppData\Roaming\Adobe\plugs
c:\users\Sony\AppData\Roaming\Adobe\shed
c:\windows\jestertb.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-12 to 2011-05-12 )))))))))))))))))))))))))))))))
.
.
2011-05-12 11:15 . 2011-05-12 11:16 -------- d-----w- c:\users\Sony\AppData\Local\temp
2011-05-12 11:15 . 2011-05-12 11:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-11 16:41 . 2011-03-12 11:23 870912 ----a-w- c:\windows\system32\XpsPrint.dll
2011-05-11 16:40 . 2011-02-25 05:30 2616320 ----a-w- c:\windows\explorer.exe
2011-05-11 16:40 . 2011-04-09 06:02 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-11 16:40 . 2011-04-09 06:02 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-01 13:53 . 2011-05-01 13:53 -------- d-----w- c:\users\Sony\AppData\Roaming\AVG10
2011-04-30 16:43 . 2011-04-30 16:43 -------- d-----w- c:\users\Sony\AppData\Roaming\SUPERAntiSpyware.com
2011-04-30 16:43 . 2011-04-30 16:43 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-04-30 16:42 . 2011-05-01 07:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-29 10:45 . 2011-04-29 10:52 -------- d-----w- c:\users\Sony\AppData\Roaming\Uned
2011-04-29 10:45 . 2011-04-29 10:46 -------- d-----w- c:\users\Sony\AppData\Roaming\Alakz
2011-04-29 10:45 . 2011-04-29 10:45 -------- d-----w- c:\windows\Sun
2011-04-27 09:20 . 2011-05-12 11:07 -------- d-----w- c:\programdata\AVG10
2011-04-27 08:44 . 2011-05-12 11:06 -------- d-----w- c:\programdata\MFAData
2011-04-26 19:10 . 2011-04-26 19:10 159080 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10138.bin
2011-04-25 16:24 . 2011-04-25 16:24 -------- d-----w- c:\users\Sony\AppData\Roaming\Malwarebytes
2011-04-25 16:24 . 2011-04-25 16:24 -------- d-----w- c:\programdata\Malwarebytes
2011-04-25 16:24 . 2011-05-01 07:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-25 16:14 . 2011-04-25 21:13 -------- d-----w- c:\program files\Ask.com
2011-04-17 06:58 . 2011-04-17 07:00 -------- d-----w- C:\4023ba9534a4d2ed8d
2011-04-16 15:24 . 2011-02-23 04:48 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-16 15:24 . 2011-02-23 04:48 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-16 15:24 . 2011-02-23 04:47 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-16 15:16 . 2011-03-03 05:38 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-04-16 15:16 . 2011-03-03 05:36 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-04-16 15:16 . 2011-02-19 06:30 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-04-16 15:16 . 2011-02-19 04:34 294912 ----a-w- c:\windows\system32\atmfd.dll
2011-04-16 15:16 . 2011-03-03 03:42 2333184 ----a-w- c:\windows\system32\win32k.sys
2011-04-16 15:15 . 2011-02-12 05:35 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-04-16 15:15 . 2011-02-24 05:38 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-04-16 15:15 . 2011-03-08 05:28 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-16 15:15 . 2011-03-11 05:33 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-04-16 15:15 . 2011-03-11 05:33 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-16 15:15 . 2011-02-23 04:47 223232 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-16 15:15 . 2011-02-23 04:47 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-16 15:15 . 2011-02-23 04:47 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-16 15:15 . 2011-02-23 04:47 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-15 17:29 . 2011-04-15 17:29 -------- d-----w- c:\users\Sony\AppData\Roaming\Ashampoo
2011-04-15 17:29 . 2011-04-15 17:29 -------- d-----w- c:\users\Sony\AppData\Local\ashampoo
2011-04-15 17:29 . 2011-04-15 17:29 -------- d-----w- c:\programdata\ashampoo
2011-04-15 17:29 . 2011-05-01 07:08 -------- d-----w- c:\program files\Ashampoo
2011-04-14 06:56 . 2011-04-14 06:56 -------- d-----w- c:\users\Sony\AppData\Local\Shalsoft
2011-04-14 06:56 . 2011-05-01 07:08 -------- d-----w- c:\program files\GigaTribe
2011-04-14 01:39 . 2011-04-14 01:39 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-04-14 01:39 . 2011-04-14 01:39 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-12 10:46 . 2011-04-12 10:46 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-04-12 10:46 . 2011-04-12 10:46 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-04-12 10:46 . 2011-04-12 10:46 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-04-12 10:46 . 2011-04-12 10:46 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-04-12 10:46 . 2011-04-12 10:46 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-04-12 10:46 . 2011-04-12 10:46 367104 ----a-w- c:\windows\system32\html.iec
2011-04-12 10:46 . 2011-04-12 10:46 161792 ----a-w- c:\windows\system32\msls31.dll
2011-04-12 10:46 . 2011-04-12 10:46 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-04-12 10:46 . 2011-04-12 10:46 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-04-12 10:46 . 2011-04-12 10:46 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-04-12 10:46 . 2011-04-12 10:46 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-12 10:46 . 2011-04-12 10:46 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-04-12 10:46 . 2011-04-12 10:46 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-04-12 10:46 . 2011-04-12 10:46 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-12 10:46 . 2011-04-12 10:46 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-04-12 10:46 . 2011-04-12 10:46 152064 ----a-w- c:\windows\system32\wextract.exe
2011-04-12 10:46 . 2011-04-12 10:46 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-04-12 10:46 . 2011-04-12 10:46 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-04-12 10:46 . 2011-04-12 10:46 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-12 10:46 . 2011-04-12 10:46 11776 ----a-w- c:\windows\system32\mshta.exe
2011-04-12 10:46 . 2011-04-12 10:46 101888 ----a-w- c:\windows\system32\admparse.dll
2011-02-23 09:04 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-02-19 06:30 . 2011-03-14 15:07 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 06:30 . 2011-03-14 15:07 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 06:30 . 2011-03-14 15:07 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-16 09:41 . 2011-02-16 09:41 203576 ----a-w- c:\windows\system32\richtx32.ocx
2011-02-16 09:41 . 2011-02-16 09:41 140288 ----a-w- c:\windows\system32\comdlg32.ocx
2011-02-16 09:41 . 2011-02-16 09:41 124688 ----a-w- c:\windows\system32\mswinsck.ocx
2011-04-14 16:41 . 2011-05-01 11:40 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-20 39408]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2009-05-26 92704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-26 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-26 88608]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 81920]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2008-05-21 151552]
"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-02-21 222504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
c:\users\Sony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
GigaTribe.lnk - c:\program files\GigaTribe\gigatribe.exe [2011-4-14 2993664]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-5-30 576000]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AMService;AMService;c:\windows\TEMP\myua\setup.exe run [x]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 135664]
R3 bsusbser;PHD USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\bsusbser.sys [2008-01-23 99456]
R3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2009-12-07 201168]
R3 gtstusbser;Option210 USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\gtstusbser.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 135664]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-10-12 101120]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\DRIVERS\massfilter.sys [x]
R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2009-09-16 480624]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2009-09-08 83312]
R3 VUAgent;VUAgent;c:\program files\Sony\VAIO Update 5\VUAgent.exe [2010-04-09 722288]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-25 1343400]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-07-14 20480]
R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys [x]
R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\DRIVERS\ZTEusbvoice.sys [x]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-17 11032]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-08-03 9344]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\shell\AutoRun\command - D:\AutoRun.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11be2066-f61f-11df-8a05-001f3b8260d5}]
\shell\AutoRun\command - d:\windowsui\Autorun.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{168e3bf5-24cb-11e0-ab12-001a80f4ade6}]
\shell\AutoRun\command - D:\AutoRun.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26acd013-7611-11e0-91cb-001a80f4ade6}]
\shell\AutoRun\command - D:\AutoRun.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a6530a1-052f-11df-8a86-001e3d8af4b9}]
\shell\AutoRun\command - D:\setup_vmc_lite.exe /checkApplicationPresence
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4edc73ca-977e-11df-bbed-001f3b8260d5}]
\shell\AutoRun\command - D:\AutoRun.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4edc73dd-977e-11df-bbed-001a80f4ade6}]
\shell\AutoRun\command - D:\AutoRun.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{573c5c85-9e75-11df-a118-001f3b8260d5}]
\shell\AutoRun\command - D:\QsSetup.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{573c5c8d-9e75-11df-a118-001f3b8260d5}]
\shell\AutoRun\command - D:\QsSetup.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70aa0917-c0b1-11df-938d-001a80f4ade6}]
\shell\AutoRun\command - H:\LaunchU3.exe -a
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{805a15d5-24ca-11e0-ab3b-806e6f6e6963}]
\shell\AutoRun\command - D:\AutoRun.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98ab4601-14df-11df-bbf9-001a80f4ade6}]
\shell\AutoRun\command - e:\windows\Install.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b715cafe-bf5b-11df-9ca1-001f3b8260d5}]
\shell\AutoRun\command - d:\windowsui\Autorun.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2967a36-26bb-11e0-a101-001a80f4ade6}]
\shell\AutoRun\command - D:\AutoRun.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc357084-2de1-11e0-a15a-001a80f4ade6}]
\shell\AutoRun\command - D:\AutoRun.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee5a63a1-2b4f-11df-b5f5-001e3d8af4b9}]
\shell\AutoRun\command - D:\QsSetup.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 11:20]
.
2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 11:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2475029
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Sony\AppData\Roaming\Mozilla\Firefox\Profiles\uw4anpbb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en-GB&q=
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
URLSearchHooks-{cc05a3e3-64c3-4af2-bfc1-af0d66b69065} - (no file)
URLSearchHooks-{a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - (no file)
BHO-{73ba1019-7fcc-cace-a2aa-ad0ff2df550f} - c:\windows\system32\In-2O_J---.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{CC05A3E3-64C3-4AF2-BFC1-AF0D66B69065} - (no file)
HKCU-Run-NokiaOviSuite2 - c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe
HKLM-Run-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-{459E93B6-150E-45d5-8D4B-45C66FC035FE} - c:\program files\NOS\bin\getPlus_Helper.dll
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-12 13:18:15
ComboFix-quarantined-files.txt 2011-05-12 11:18
.
Pre-Run: 86,903,603,200 bytes free
Post-Run: 90,111,818,752 bytes free
.
- - End Of File - - 343B08A34824E817B2C9EC60C22BFD1A

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:37 PM

Posted 12 May 2011 - 07:16 AM

Hi, how are things running at this point? What problems do you still have left?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 Alessandra9

Alessandra9
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:37 AM

Posted 12 May 2011 - 10:15 AM

it seems to be doing good, I didn't get any Bluescreen or particular slowness since,
About the back door infection is still there ? and if it's not am i gonna know if it comes back?
thank you

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:37 PM

Posted 12 May 2011 - 10:22 AM

Hi, please rerun DDS and post me attach.txt

The infection is gone, but the backdoor remains. It is a vulnerability that may or may not be exploited. The whole problem is that we have no way to verify everything the rootkit might have altered to create a backdoor. The only way to make sure it is gone, is reformatting/reinstalling.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:37 PM

Posted 22 May 2011 - 03:58 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users