
Trojan Rootkit Problem?


This topic is locked
39 replies to this topic

#1 falshed

  • Members
  • 19 posts
  • Gender:Male
  • Location:Australia

Posted 26 May 2011 - 06:29 AM

Hi, I'm sad to discover such a great site in circumstances like this but windows is not treating me well.

Whilst browsing, the XP Security 2011 rogue popped up. I googled it and was led to the instructions for its removal on this site. I attempted to follow those instructions but the PC immediately crashed.

On trying to reboot it showed this message: STOP: 0X0000007B (0XF78BF528, 0XC0000034, 0X00000000, 0X00000000).

I rebooted in Safe Mode, although internet connectivity was not available. I carried out the removal instructions via and ran Superantispyware as well as MBAM and rkill.

The PC continued to be unable to go into normal start up mode or connect successfully to the net. I used an AVG Rescue CD which picked up a few things, including: WINDOWS/system32/drivers/volsnap.sys Trojan horse Rootkit-Pakes.BI; Object is white-listed (critical/system file that should not be removed).

I have since consulted the Preparation guide and have got the Windows Firewall on; used Defogger; and run DDS and GMER scans.

Thanks.

.
DDS (Ver_11-05-19.01) - NTFSx86 NETWORK
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_22
Run by ermine at 19:13:44 on 2011-05-26
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.793 [GMT 10:00]
.
AV: AVG 7.5.560 *Enabled/Outdated* {41564737-3200-1071-989B-0000E87B4FB1}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\ermine\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyServer = ftp=wwwproxy.unimelb.edu.au:8000;gopher=wwwproxy.unimelb.edu.au:8000;http=wwwproxy.unimelb.edu.au:8000;https=wwwproxy.unimelb.edu.au:8000;socks=wwwproxy.unimelb.edu.au:8000
uInternet Settings,ProxyOverride = localhost; 127.0.0.1;*.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [InternodeUsage] g:\progra~1\intern~1\mum.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] g:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
mRun: [WatchDog] g:\program files\mobile phonetools\WatchDog.exe
mRun: [AVG7_CC] g:\progra~1\grisoft\avgfre~1\avgcc.exe /STARTUP
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Control Center] g:\program files\asus\wlan card utilities\Center.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "g:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "g:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] g:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\ermine\startm~1\programs\startup\openof~1.lnk - g:\program files\openoffice.org 2.0\program\quickstart.exe
StartupFolder: c:\docume~1\ermine\startm~1\programs\startup\sidreg~1.lnk - i:\ATR1.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - g:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\GAMEUT~1.LNK -
IE: Download all by Free Download Manager - file://g:\program files\free download manager\dlall.htm
IE: Download by Free Download Manager - file://g:\program files\free download manager\dllink.htm
IE: Download selected by Free Download Manager - file://g:\program files\free download manager\dlselected.htm
IE: Download web site by Free Download Manager - file://g:\program files\free download manager\dlpage.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\ua_lsp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - g:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - g:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ermine\application data\mozilla\firefox\profiles\hmc0urrz.default\
FF - prefs.js: browser.startup.homepage - hxxps://sso.portal.unimelb.edu.au/UnimelbSSO/login.jsp?site2pstoretoken=v1.2~AD64F60A~CD7C38D2F2C5A54C626EA57418CA6019EFCF1391FA5432FF4673266739C55D78469A0F74B3FA60EE2327BA55C1299EBC14762CD0EA90D095E113DE7D526004740543034EF8C3B57F17F5BAF29255CE5EA02696AA019622E9832B5BA18422BE7CBDEF932573F5FF4DA8D5059C6DFDE263E214D7AB355190790BA46DCA8E6406162698F519A5B582C528562B4013B2AC2B5A233BE3675D40E2CB7FB24091FF7C2447A9645FD86E79C3BC08E2EA86DF3A0F613BEE5B940700CF75F5CEC5777CEE2376B978C0AC6C8B877F3D14C0C27BA7965F8DAEAC756F85B3525BBDE4A552E432227B54DDD9787FCDD8BDB83FEDF0D38E&p_error_code=&p_submit_url=https%3A%2F%2Fsso.portal.unimelb.edu.au%2Fsso%2Fauth&p_cancel_url=https%3A%2F%2Fapp.portal.unimelb.edu.au%2Fportal%2Fpls%2Fportal%2FPORTAL.home&ssousername=|https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fnsr%3D1%26ui%3Dhtml%26zy%3Dl&ltmpl=default&ltmplcache=2|http://www.facebook.com/|http://www.google.com.au/
FF - prefs.js: network.proxy.ftp - wwwproxy.unimelb.edu.au
FF - prefs.js: network.proxy.ftp_port - 8000
FF - prefs.js: network.proxy.gopher - wwwproxy.unimelb.edu.au
FF - prefs.js: network.proxy.gopher_port - 8000
FF - prefs.js: network.proxy.http - wwwproxy.unimelb.edu.au
FF - prefs.js: network.proxy.http_port - 8000
FF - prefs.js: network.proxy.socks - wwwproxy.unimelb.edu.au
FF - prefs.js: network.proxy.socks_port - 8000
FF - prefs.js: network.proxy.ssl - wwwproxy.unimelb.edu.au
FF - prefs.js: network.proxy.ssl_port - 8000
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: g:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: g:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: g:\program files\real alternative\browser\plugins\nppl3260.dll
FF - plugin: g:\program files\real alternative\browser\plugins\nprpjplug.dll
FF - plugin: g:\program files\videolan\vlc\npvlc.dll
.
============= SERVICES / DRIVERS ===============
.
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [2004-3-8 24539]
R1 AvgClean;AVG Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-4-7 10760]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-3-30 722432]
S0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys --> c:\windows\system32\drivers\tclondrv.sys [?]
S1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-3-4 821856]
S1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-3-4 4224]
S1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-3-4 27776]
S1 SASDIFSV;SASDIFSV;g:\program files\superantispyware\sasdifsv.sys [2010-2-18 12872]
S1 SASKUTIL;SASKUTIL;g:\program files\superantispyware\SASKUTIL.SYS [2010-5-11 67656]
S2 Avg7Alrt;AVG7 Alert Manager Server;g:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2007-4-7 418816]
S2 Avg7UpdSvc;AVG7 Update Service;g:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2007-4-7 49664]
S2 DCYNQDKZ;DCYNQDKZ;\??\c:\windows\system32\dcynqdkz.onx --> c:\windows\system32\dcynqdkz.onx [?]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2005-4-20 96256]
S3 kbeepm;kbeepm;\??\c:\docume~1\ermine\locals~1\temp\kbeepm.sys --> c:\docume~1\ermine\locals~1\temp\kbeepm.sys [?]
S3 Probe;Probe;c:\windows\system32\drivers\probe.sys [2003-4-12 6009]
S3 sbext;Sound Blaster Extigy Audio Driver;c:\windows\system32\drivers\sbext.sys [2005-12-27 1152916]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-5-28 280344]
.
=============== Created Last 30 ================
.
2011-05-26 04:22:36 -------- d-----w- c:\documents and settings\ermine\application data\SUPERAntiSpyware.com
2011-05-26 04:22:36 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-05-22 01:54:37 -------- d-----w- c:\documents and settings\ermine\application data\Malwarebytes
2011-05-22 01:54:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-22 01:54:27 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-05-22 01:54:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-22 00:31:01 0 ----a-w- c:\windows\Eyihuvebuqavi.bin
2011-05-22 00:30:59 -------- d-----w- c:\documents and settings\ermine\local settings\application data\{73687B2D-D658-4543-824C-4F956D1CA2DD}
.
==================== Find3M ====================
.
2011-04-02 02:35:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-02 02:35:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST36424A rev.3.10 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8735C4D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x873627f0]; MOV EAX, [0x8736286c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E3D45] -> \Device\Harddisk0\DR0[0x87352030]
3 CLASSPNP[0xF775F05B] -> nt!IofCallDriver[0x804E3D45] -> \Device\0000007a[0x8732CF18]
5 ACPI[0xF76A5620] -> nt!IofCallDriver[0x804E3D45] -> [0x8732B940]
\Driver\atapi[0x8734F380] -> IRP_MJ_CREATE -> 0x8735C4D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8735C31B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:14:25.57 ===============
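Added example, not part of this thread and not code from the DDS or GMER tools: a small Python triage script for the SERVICES / DRIVERS section of a DDS log. The sample lines are constructed, modelled on the entries pasted above; the heuristics (a `[?]` marker where DDS could not stat the image, an image extension other than .sys/.exe/.dll, an image loaded from a temp directory, and a boot- or system-start driver with an unverifiable image) are my own and only mark lines for a human to review, they do not decide what is malicious.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in the DDS "SERVICES / DRIVERS" line format, modelled on the
# entries in the log above. Prefix: R = running / S = stopped, digit = start type
# (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled). The trailing [...] holds
# the image's "date size" when DDS could stat the file, or [?] when it could not.
SAMPLE_DDS = r"""
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [2004-3-8 24539]
S0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys --> c:\windows\system32\drivers\tclondrv.sys [?]
S2 DCYNQDKZ;DCYNQDKZ;\??\c:\windows\system32\dcynqdkz.onx --> c:\windows\system32\dcynqdkz.onx [?]
S3 kbeepm;kbeepm;\??\c:\docume~1\ermine\locals~1\temp\kbeepm.sys --> c:\docume~1\ermine\locals~1\temp\kbeepm.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-5-28 280344]
"""

# state, start type, key name, display name, path part, bracket contents
LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)\s\[([^\]]*)\]\s*$")


@dataclass
class ServiceEntry:
    state: str      # "R" running or "S" stopped
    start: int      # start type 0-4
    name: str       # service/driver key name
    display: str    # display name
    path: str       # resolved image path (after "-->", without the \??\ prefix)
    info: str       # contents of the trailing brackets, "?" when unknown


def parse_dds_services(text: str) -> list[ServiceEntry]:
    """Parse every service/driver line in a DDS log; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # separators, headers, anything that is not a service line
        state, start, name, display, path, info = m.groups()
        # DDS prints "registry path --> resolved path"; keep the resolved one.
        path = path.split("-->")[-1].strip()
        if path.startswith("\\??\\"):
            path = path[4:]
        entries.append(ServiceEntry(state, int(start), name, display, path, info.strip()))
    return entries


IMAGE_EXTS = {".sys", ".exe", ".dll"}


def suspicious_reasons(e: ServiceEntry) -> list[str]:
    """Review heuristics (mine, not DDS's) for lines worth a second look."""
    reasons = []
    low = e.path.lower()
    if e.info == "?":
        reasons.append("DDS could not stat the image file ([?]): missing or hidden file")
    ext = ntpath.splitext(ntpath.basename(low))[1]
    if ext not in IMAGE_EXTS:
        reasons.append(f"unusual image extension {ext or '(none)'!r}")
    if "\\temp\\" in low:
        reasons.append("image loaded from a temp directory")
    if e.start <= 1 and e.info == "?":
        reasons.append("boot/system-start driver with unverifiable image")
    return reasons


def triage(text: str) -> dict[str, list[str]]:
    """Map service name -> reasons, for entries that trip at least one heuristic."""
    result = {}
    for e in parse_dds_services(text):
        r = suspicious_reasons(e)
        if r:
            result[e.name] = r
    return result


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_DDS).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Run on the constructed sample, `triage()` marks tclondrv, DCYNQDKZ and kbeepm and leaves iteraid and vsdatant alone; a real log would be pasted into `SAMPLE_DDS` or read from a file, and the marked names checked against the DDS "Created Last 30" section and the vendor's own file list before anything is acted on.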

#2 Conspire

  • Malware Response Team
  • 1,155 posts
  • Gender:Male

Posted 28 May 2011 - 10:39 AM

In any case where you happen to be busy or unable to give us a reply, we would be grateful if you keep us informed in advance and we will be more than happy to wait. If you fail to do so, we will have your thread closed in THREE (3) days. :)


Hello there, falshed

I'm Conspire, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Read the entire procedure
  • It is important to perform ALL actions in sequence.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with me till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.

IMPORTANT NOTE: Please do not delete anything unless instructed to.
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may btn_donate_SM.gif

#3 Conspire

  • Malware Response Team
  • 1,155 posts
  • Gender:Male

Posted 28 May 2011 - 10:40 AM

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


#4 falshed

  • Topic Starter
  • Members
  • 19 posts
  • Gender:Male
  • Location:Australia

Posted 28 May 2011 - 11:27 PM

Hi Conspire, thanks for the assistance. Here is the TDSSKiller report:

2011/05/29 14:17:31.0437 0824 TDSS rootkit removing tool 2.5.3.0 May 25 2011 07:09:24
2011/05/29 14:17:31.0546 0824 ================================================================================
2011/05/29 14:17:31.0546 0824 SystemInfo:
2011/05/29 14:17:31.0546 0824
2011/05/29 14:17:31.0546 0824 OS Version: 5.1.2600 ServicePack: 2.0
2011/05/29 14:17:31.0546 0824 Product type: Workstation
2011/05/29 14:17:31.0546 0824 ComputerName: CHRIS
2011/05/29 14:17:31.0546 0824 UserName: ermine
2011/05/29 14:17:31.0546 0824 Windows directory: C:\WINDOWS
2011/05/29 14:17:31.0546 0824 System windows directory: C:\WINDOWS
2011/05/29 14:17:31.0546 0824 Processor architecture: Intel x86
2011/05/29 14:17:31.0546 0824 Number of processors: 1
2011/05/29 14:17:31.0546 0824 Page size: 0x1000
2011/05/29 14:17:31.0546 0824 Boot type: Safe boot with network
2011/05/29 14:17:31.0546 0824 ================================================================================
2011/05/29 14:17:37.0406 0824 Initialize success
2011/05/29 14:17:50.0296 1928 ================================================================================
2011/05/29 14:17:50.0296 1928 Scan started
2011/05/29 14:17:50.0296 1928 Mode: Manual;
2011/05/29 14:17:50.0296 1928 ================================================================================
2011/05/29 14:17:52.0984 1928 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/29 14:17:53.0281 1928 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/29 14:17:53.0796 1928 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2011/05/29 14:17:54.0109 1928 AegisP (15e655baa989444f56787ef558823643) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/05/29 14:17:54.0406 1928 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2011/05/29 14:17:55.0390 1928 ALCXWDM (2d8a586d71a377096d26092852416523) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2011/05/29 14:17:56.0312 1928 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/05/29 14:17:57.0281 1928 Aspi32 (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\system32\drivers\aspi32.sys
2011/05/29 14:17:57.0656 1928 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/29 14:17:57.0953 1928 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/29 14:17:58.0796 1928 ati2mtag (9cf018b4d7a31f7ae0bd386d491e6dbf) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/05/29 14:17:59.0437 1928 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/29 14:17:59.0718 1928 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/29 14:18:00.0140 1928 Avg7Core (400e920d2e3f42bf6f1f75dd1b069ce3) C:\WINDOWS\System32\Drivers\avg7core.sys
2011/05/29 14:18:00.0625 1928 Avg7RsW (8a7e25876955e06142ef65b52c906cf1) C:\WINDOWS\System32\Drivers\avg7rsw.sys
2011/05/29 14:18:00.0906 1928 Avg7RsXP (04d823d681f0d53191a172c3e667fc33) C:\WINDOWS\System32\Drivers\avg7rsxp.sys
2011/05/29 14:18:01.0203 1928 AvgClean (603dc17a48c65c637623a9bb5a5e6008) C:\WINDOWS\system32\drivers\avgclean.sys
2011/05/29 14:18:01.0593 1928 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/29 14:18:01.0937 1928 Bridge (e4e6a0922e3d983728c9ad4e8d466954) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/05/29 14:18:02.0031 1928 BridgeMP (e4e6a0922e3d983728c9ad4e8d466954) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/05/29 14:18:02.0281 1928 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/29 14:18:02.0593 1928 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/05/29 14:18:03.0062 1928 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/29 14:18:03.0328 1928 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/29 14:18:03.0687 1928 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/29 14:18:04.0671 1928 ctlsb16 (e2b1aedb62845581d848037f0a614ee6) C:\WINDOWS\system32\drivers\ctlsb16.sys
2011/05/29 14:18:04.0937 1928 CVirtA (5c706c06c1279952d2cc1a609ca948bf) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2011/05/29 14:18:05.0265 1928 CVPNDRVA (5ba042bcab6246c6bba51606afd7b488) C:\WINDOWS\System32\Drivers\CVPNDRVA.sys
2011/05/29 14:18:06.0078 1928 DCamUSBSQTECH (100ff3d9e16afb3163bd6f9aaaab7c55) C:\WINDOWS\system32\Drivers\SQcaptur.sys
2011/05/29 14:18:06.0718 1928 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/29 14:18:07.0140 1928 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/29 14:18:07.0968 1928 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/29 14:18:08.0296 1928 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/29 14:18:08.0687 1928 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/29 14:18:08.0968 1928 DNE (2eddbb3ef1dd5a28cb07c149d36e7286) C:\WINDOWS\system32\DRIVERS\dne2000.sys
2011/05/29 14:18:09.0437 1928 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/29 14:18:09.0781 1928 enodpl (b4556f3d468c8dcb0b259d9d866cd4c4) C:\WINDOWS\system32\drivers\enodpl.sys
2011/05/29 14:18:10.0109 1928 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/29 14:18:10.0421 1928 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/29 14:18:10.0750 1928 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/29 14:18:11.0046 1928 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/05/29 14:18:11.0437 1928 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/29 14:18:11.0750 1928 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/29 14:18:12.0031 1928 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/29 14:18:12.0343 1928 gameenum (5f92fd09e5610a5995da7d775eadcd12) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2011/05/29 14:18:12.0687 1928 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/05/29 14:18:12.0953 1928 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/29 14:18:13.0281 1928 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/29 14:18:14.0359 1928 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/05/29 14:18:14.0703 1928 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/29 14:18:15.0421 1928 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/29 14:18:15.0796 1928 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/29 14:18:16.0546 1928 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/29 14:18:16.0828 1928 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/29 14:18:17.0109 1928 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/29 14:18:17.0468 1928 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/29 14:18:17.0796 1928 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/29 14:18:18.0093 1928 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/29 14:18:18.0359 1928 iteraid (f03f1fea588c44115b40a5586a5af7cb) C:\WINDOWS\system32\DRIVERS\iteraid.sys
2011/05/29 14:18:18.0703 1928 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/29 14:18:19.0250 1928 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/29 14:18:19.0609 1928 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/29 14:18:20.0171 1928 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/29 14:18:20.0484 1928 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/29 14:18:20.0750 1928 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/29 14:18:21.0062 1928 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/29 14:18:21.0343 1928 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/29 14:18:21.0875 1928 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/29 14:18:22.0265 1928 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/29 14:18:22.0703 1928 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/29 14:18:23.0000 1928 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/29 14:18:23.0281 1928 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/29 14:18:23.0812 1928 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/29 14:18:24.0078 1928 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/29 14:18:24.0375 1928 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/05/29 14:18:24.0765 1928 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/29 14:18:25.0093 1928 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/05/29 14:18:25.0406 1928 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/29 14:18:25.0765 1928 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/05/29 14:18:26.0031 1928 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/29 14:18:26.0281 1928 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/29 14:18:26.0640 1928 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/29 14:18:26.0921 1928 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/29 14:18:27.0187 1928 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/29 14:18:27.0484 1928 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/29 14:18:27.0921 1928 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/05/29 14:18:28.0203 1928 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/29 14:18:28.0625 1928 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/29 14:18:29.0062 1928 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/29 14:18:29.0328 1928 NVENET (e3a4ab772e7b02fefe2a044f1feda836) C:\WINDOWS\system32\DRIVERS\NVENET.sys
2011/05/29 14:18:29.0703 1928 nv_agp (55cd3f687b731bb0ba2e4994b03c6d51) C:\WINDOWS\system32\DRIVERS\nv_agp.sys
2011/05/29 14:18:29.0953 1928 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/29 14:18:30.0187 1928 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/29 14:18:30.0484 1928 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/05/29 14:18:30.0765 1928 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/29 14:18:31.0062 1928 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/29 14:18:31.0328 1928 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/29 14:18:31.0671 1928 PCASp50 (5f0ed2f6da0df347ab7777eedd5253bb) C:\WINDOWS\system32\Drivers\PCASp50.sys
2011/05/29 14:18:31.0968 1928 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/29 14:18:32.0421 1928 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/29 14:18:32.0734 1928 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/29 14:18:34.0343 1928 PfModNT (2f5532f9b0f903b26847da674b4f55b2) C:\WINDOWS\System32\PfModNT.sys
2011/05/29 14:18:34.0765 1928 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/29 14:18:35.0062 1928 PQNTDrv (474543751522111dd7c0cf09e17f6d9f) C:\WINDOWS\system32\drivers\PQNTDrv.sys
2011/05/29 14:18:35.0328 1928 Probe (dc9657389544c12bc0917d7008006f50) C:\WINDOWS\system32\DRIVERS\probe.sys
2011/05/29 14:18:35.0656 1928 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/05/29 14:18:35.0968 1928 prodrv06 (f0801ae96bf679a3dba23d48ba74a98f) C:\WINDOWS\System32\drivers\prodrv06.sys
2011/05/29 14:18:36.0281 1928 prohlp02 (2409b32e691cb5dda39ea40bd154a50b) C:\WINDOWS\system32\drivers\prohlp02.sys
2011/05/29 14:18:36.0671 1928 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/29 14:18:36.0937 1928 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/29 14:18:37.0218 1928 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
2011/05/29 14:18:38.0437 1928 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/29 14:18:38.0765 1928 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/29 14:18:39.0046 1928 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/29 14:18:39.0328 1928 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/29 14:18:39.0937 1928 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/29 14:18:40.0281 1928 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/29 14:18:40.0671 1928 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/29 14:18:41.0031 1928 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/29 14:18:41.0328 1928 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/29 14:18:42.0125 1928 rt2870 (b9b17aca28d3e60caabd92402de413d5) C:\WINDOWS\system32\DRIVERS\rt2870.sys
2011/05/29 14:18:42.0593 1928 RTL8023 (4c5ff2cbdfa37d0adb82bf6584cb064a) C:\WINDOWS\system32\DRIVERS\Rtlnic51.sys
2011/05/29 14:18:42.0765 1928 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) G:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/05/29 14:18:42.0828 1928 SASKUTIL (61db0d0756a99506207fd724e3692b25) G:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/05/29 14:18:43.0140 1928 sbext (c5d8cc129720797547c133487289f7e3) C:\WINDOWS\system32\DRIVERS\sbext.sys
2011/05/29 14:18:43.0500 1928 sbp2port (3e2c3b180872be4120f246d85560b734) C:\WINDOWS\system32\DRIVERS\sbp2port.sys
2011/05/29 14:18:43.0796 1928 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/29 14:18:44.0109 1928 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/29 14:18:44.0375 1928 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/29 14:18:44.0671 1928 sfdrv01 (b659e4af7534e3516ddc0b820db8f910) C:\WINDOWS\system32\drivers\sfdrv01.sys
2011/05/29 14:18:45.0000 1928 sfhlp01 (462aee0ea0481ea8bd45cac876a4ccc4) C:\WINDOWS\system32\drivers\sfhlp01.sys
2011/05/29 14:18:45.0281 1928 sfhlp02 (64b9ab76f1b16eb059cb6cdd906c067a) C:\WINDOWS\system32\drivers\sfhlp02.sys
2011/05/29 14:18:45.0578 1928 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/29 14:18:45.0890 1928 SI3112 (112611d9d69eedd74e7ec610b0fde8f1) C:\WINDOWS\system32\DRIVERS\SI3112.sys
2011/05/29 14:18:46.0156 1928 SiFilter (e393a2822fdbb3ec3648fd64e54cdda0) C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys
2011/05/29 14:18:46.0718 1928 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/05/29 14:18:47.0015 1928 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2011/05/29 14:18:47.0468 1928 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/29 14:18:47.0906 1928 sptd (e8b705f9abe446aaf7a315ef8b4aea5a) C:\WINDOWS\System32\Drivers\sptd.sys
2011/05/29 14:18:48.0296 1928 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/29 14:18:48.0718 1928 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/29 14:18:49.0109 1928 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/05/29 14:18:49.0375 1928 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/29 14:18:49.0765 1928 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/29 14:18:50.0875 1928 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/29 14:18:51.0171 1928 tandpl (126d7b3b4c7b724491c604060e1f4e14) C:\WINDOWS\system32\drivers\tandpl.sys
2011/05/29 14:18:51.0828 1928 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/29 14:18:52.0171 1928 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/29 14:18:52.0437 1928 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/29 14:18:52.0734 1928 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/29 14:18:53.0265 1928 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/29 14:18:53.0796 1928 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/29 14:18:54.0156 1928 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/05/29 14:18:54.0453 1928 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/05/29 14:18:54.0828 1928 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/29 14:18:55.0078 1928 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/29 14:18:55.0359 1928 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/29 14:18:55.0984 1928 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/05/29 14:18:56.0296 1928 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/29 14:18:56.0765 1928 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/29 14:18:57.0062 1928 usbser (49106ee29074e6a3d3ac9e24c6d791d8) C:\WINDOWS\system32\DRIVERS\usbser.sys
2011/05/29 14:18:57.0328 1928 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/29 14:18:57.0640 1928 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/05/29 14:18:58.0078 1928 VolSnap (e33edbb864a22f7474d2b297e44ee0b6) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/29 14:18:58.0125 1928 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/05/29 14:18:58.0359 1928 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\System32\vsdatant.sys
2011/05/29 14:18:58.0812 1928 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/29 14:18:59.0296 1928 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/29 14:18:59.0750 1928 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/05/29 14:19:00.0046 1928 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/05/29 14:19:00.0250 1928 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/05/29 14:19:00.0265 1928 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/29 14:19:00.0281 1928 MBR (0x1B8) (671b81004fdd1588fa9ed1331c9ceca9) \Device\Harddisk1\DR1
2011/05/29 14:19:00.0343 1928 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk2\DR2
2011/05/29 14:19:00.0531 1928 ================================================================================
2011/05/29 14:19:00.0531 1928 Scan finished
2011/05/29 14:19:00.0531 1928 ================================================================================
2011/05/29 14:19:00.0593 0860 Detected object count: 2
2011/05/29 14:19:00.0593 0860 Actual detected object count: 2
2011/05/29 14:19:24.0765 0860 VolSnap (e33edbb864a22f7474d2b297e44ee0b6) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/29 14:19:30.0078 0860 Backup copy found, using it..
2011/05/29 14:19:30.0109 0860 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot
2011/05/29 14:19:30.0109 0860 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure
2011/05/29 14:19:30.0187 0860 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/29 14:19:30.0296 0860 \Device\Harddisk0\DR0 - ok
2011/05/29 14:19:30.0296 0860 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/05/29 14:19:55.0968 0980 Deinitialize success

#5 Conspire (Malware Response Team)

Posted 29 May 2011 - 01:11 AM

Hello there,

***Read through this entire procedure and if you have any questions, please ask them before you begin. Copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. Do take note that if you could not run any tools requested, carry on with the next instruction (if any) and let us know.


You're welcome.

This will take more than one round to properly eradicate this infection. Please stay with me on this.

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Refer to the ComboFix User's Guide

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

    Regarding AVG - Due to recent changes in AVG and how it interacts with ComboFix, before running ComboFix, AVG must be uninstalled via Start>Control Panel>Add or Remove programs panel.

    If you have difficulty uninstalling AVG, download Opswat AppRemover for AVG. The download for the AVG uninstaller can be found here > http://www.appremover.com/appremover/avg/AppRemover.exe

    **********************************************
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may btn_donate_SM.gif

#6 falshed (Topic Starter)

Posted 30 May 2011 - 02:39 AM

Hi Conspire, I ran ComboFix which successfully installed the Recovery Console, but it has just been showing:

Scanning for infected files...
This typically doesn't take more than 10 minutes
However, scan times for badly infected machines may easily double

for almost 2 hours with no sign of any progress.

#7 Conspire (Malware Response Team)

Posted 30 May 2011 - 05:30 AM

Did you turn off your security programs especially with AVG removed?

Also, where does it stop now?

#8 falshed (Topic Starter)

Posted 30 May 2011 - 06:57 PM

Hi Conspire,

I uninstalled AVG and disabled the AV software before I ran ComboFix; it ran for another hour or so with no progress before completely locking up the computer. I restarted manually. ComboFix seems partially installed, but there is no log. Should I try it again / uninstall it and try again?

#9 Conspire (Malware Response Team)

Posted 30 May 2011 - 10:49 PM

No, please run DDS log again and post back in your next reply. Thank you. :)

#10 falshed (Topic Starter)

Posted 31 May 2011 - 01:12 AM

I have tried to run DDS but it seems to be having the same problems as ComboFix; it starts up and the #### goes about 3/4 of the way across the screen and then nothing happens; after leaving it for quite some time it froze and I had to reboot manually again; the same occurs in safe mode.

#11 Conspire (Malware Response Team)

Posted 31 May 2011 - 05:25 AM

I'd like you to navigate to C:\Qoobox\Quarantine. If you see a ComboFix-quarantined-files.txt, please attach that for me. Otherwise, don't worry about it.

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply
Posted Image

#12 falshed (Topic Starter)

Posted 31 May 2011 - 06:44 PM

There was no ComboFix-quarantined-files.txt but here is the aswMBR log:

aswMBR version 0.9.5.317 Copyright© 2011 AVAST Software
Run date: 2011-06-01 09:39:47
-----------------------------
09:39:47.125 OS Version: Windows 5.1.2600 Service Pack 2
09:39:47.125 Number of processors: 1 586 0x408
09:39:47.125 ComputerName: CHRIS UserName:
09:39:48.218 Initialize success
09:40:00.656 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
09:40:00.656 Disk 0 Vendor: ST36424A 3.10 Size: 6149MB BusType: 3
09:40:00.656 Disk 1 \Device\Harddisk1\DR1 -> \Device\Scsi\SI31121Port2Path0Target0Lun0
09:40:00.656 Disk 1 Vendor: WDC_WD25 02.0 Size: 238475MB BusType: 1
09:40:00.656 Disk 2 \Device\Harddisk2\DR2 -> \Device\Scsi\SI31121Port2Path1Target0Lun0
09:40:00.656 Disk 2 Vendor: ST312002 3.18 Size: 114473MB BusType: 1
09:40:00.687 Disk 0 MBR read successfully
09:40:00.687 Disk 0 MBR scan
09:40:00.687 Disk 0 Windows XP default MBR code
09:40:00.687 Disk 0 scanning sectors +12594960
09:40:01.515 Disk 0 scanning C:\WINDOWS\system32\drivers
09:40:12.140 Service scanning
09:40:14.484 Disk 0 trace - called modules:
09:40:14.484 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
09:40:15.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x870bbab8]
09:40:15.000 3 CLASSPNP.SYS[f750d05b] -> nt!IofCallDriver -> \Device\00000079[0x871a8258]
09:40:15.000 5 ACPI.sys[f7373620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x87102940]
09:40:27.343 Unsigned kernel modules:
09:40:27.343 0xf74ec000 C:\WINDOWS\system32\drivers\SI3112.sys
09:40:27.765 0xf772c000 C:\WINDOWS\system32\drivers\iteraid.sys
09:40:28.984 0xf7734000 C:\WINDOWS\system32\drivers\PxHelp20.sys
09:40:29.125 0xf78b0000 C:\WINDOWS\system32\drivers\SiWinAcc.sys
09:40:30.234 0xf773c000 C:\WINDOWS\system32\drivers\sfhlp02.sys
09:40:30.375 0xf79a2000 C:\WINDOWS\system32\drivers\sfhlp01.sys
09:40:30.531 0xf71d4000 C:\WINDOWS\system32\drivers\sfdrv01.sys
09:40:30.968 0xf71b7000 C:\WINDOWS\system32\drivers\prohlp02.sys
09:40:31.125 0xf7744000 C:\WINDOWS\system32\drivers\nv_agp.sys
09:40:32.593 0xf6d7a000 C:\WINDOWS\System32\DRIVERS\NVENET.sys
09:40:32.968 0xf6cc4000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS
09:40:36.859 0xf6e35000 C:\WINDOWS\System32\DRIVERS\Rtlnic51.sys
09:40:56.781 0xa9863000 C:\WINDOWS\System32\drivers\prodrv06.sys
09:40:56.937 0xf7b02000 C:\WINDOWS\System32\Drivers\PQNTDrv.SYS
09:41:03.187 0xa8f39000 C:\WINDOWS\System32\DRIVERS\AegisP.sys
09:41:04.234 0xa8f21000 C:\WINDOWS\System32\drivers\aspi32.sys
09:41:04.421 0xa5c56000 C:\WINDOWS\System32\Drivers\CVPNDRVA.sys
09:41:04.593 0xf7a18000 C:\WINDOWS\System32\drivers\enodpl.sys
09:41:05.703 0xf7a3a000 C:\WINDOWS\System32\PfModNT.sys
09:41:06.062 0xf7a54000 C:\WINDOWS\System32\drivers\tandpl.sys
09:41:06.203 0xa5b4a000 C:\WINDOWS\system32\ASNDIS5.SYS
09:41:08.078 Scan finished successfully
09:41:44.875 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\ermine\Desktop\MBR.dat"
09:41:44.875 The log file has been saved successfully to "C:\Documents and Settings\ermine\Desktop\aswMBR.txt"
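Both logs in this thread fingerprint the boot sector: the TDSSKiller log prints an MD5 labelled "MBR (0x1B8)" for each disk and flagged \Device\Harddisk0\DR0 as TDL4, and aswMBR above saved Disk 0's MBR to MBR.dat. The Python below is an added example, not code from the thread, TDSSKiller, aswMBR or ComboFix, showing the defender's side of that check: verify the 0x55AA boot signature, hash the first 0x1B8 bytes of the sector (that the "(0x1B8)" label means the hash covers this boot-code region is an assumption), parse the partition table, and diff the live sector against a saved baseline region by region so a changed boot sector is reported. The sample sectors, disk signature, partition entry and resulting hashes are constructed inline and correspond to nothing in the thread.

```python
"""Boot-sector integrity check: hash the MBR code region and diff against a baseline.

Added example for this thread; not code from TDSSKiller, aswMBR or ComboFix.
Assumption: TDSSKiller's "MBR (0x1B8)" hash covers the first 0x1B8 bytes of the
sector (the region before the disk signature and partition table). All sectors,
signatures and hashes below are constructed for the demonstration.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_REGION_END = 0x1B8       # boot code occupies [0, 0x1B8)
DISK_SIG_OFFSET = 0x1B8       # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 0x1BE     # four 16-byte partition entries
BOOT_SIG_OFFSET = 0x1FE       # 0x55 0xAA
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

REGIONS = [
    ("boot code", 0, CODE_REGION_END),
    ("disk signature", DISK_SIG_OFFSET, PART_TABLE_OFFSET),
    ("partition table", PART_TABLE_OFFSET, BOOT_SIG_OFFSET),
    ("boot signature", BOOT_SIG_OFFSET, SECTOR_SIZE),
]


def build_sample_mbr(code: bytes, boot_sig: bytes = b"\x55\xAA") -> bytes:
    """Construct a 512-byte MBR for testing: given boot code, one active partition, boot signature."""
    if len(code) > CODE_REGION_END:
        raise ValueError("boot code exceeds 0x1B8 bytes")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4] = b"\x12\x34\x56\x78"  # constructed disk signature
    # constructed entry: active (0x80), type 0x07 (NTFS), starts at LBA 63, 12,000,000 sectors
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 12_000_000)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] = boot_sig
    return bytes(sector)


def mbr_code_hash(sector: bytes) -> str:
    """MD5 of the boot-code region, the same shape of value TDSSKiller prints per disk."""
    return hashlib.md5(sector[:CODE_REGION_END]).hexdigest()


def parse_partitions(sector: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(PART_ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:
            entries.append({"active": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def diff_regions(baseline: bytes, live: bytes) -> list:
    """Names of the MBR regions whose bytes differ between a saved dump and the live sector."""
    return [name for name, start, end in REGIONS if baseline[start:end] != live[start:end]]


def check_mbr(sector: bytes, baseline_hash: str) -> dict:
    """Validate structure and compare the boot-code hash with a known-good value."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        findings.append("sector is not 512 bytes")
    if sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    code_hash = mbr_code_hash(sector)
    if code_hash != baseline_hash:
        findings.append("boot code hash %s differs from baseline %s" % (code_hash, baseline_hash))
    return {
        "hash": code_hash,
        "partitions": parse_partitions(sector),
        "findings": findings,
        "clean": not findings,
    }


if __name__ == "__main__":
    clean = build_sample_mbr(b"CONSTRUCTED-CLEAN-BOOT-CODE")
    baseline = mbr_code_hash(clean)          # on a real host: taken from a known-good dump such as MBR.dat
    modified = bytearray(clean)
    modified[0x10:0x14] = b"\x90" * 4        # a few changed bytes inside the boot-code region
    for label, sector in (("clean", clean), ("modified", bytes(modified))):
        result = check_mbr(sector, baseline)
        print(label, "OK" if result["clean"] else result["findings"], diff_regions(clean, sector))
```

The baseline hash is only as good as the dump it came from: take it from a sector saved while the disk was known to be clean (the MBR.dat aswMBR wrote is the kind of artifact to keep), and treat a mismatch confined to the boot-code region on a disk that should carry stock Windows XP MBR code as the signal the TDSSKiller log above is reporting.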

#13 Conspire (Malware Response Team)

Posted 01 June 2011 - 04:56 AM

Delete the existing copy of Combofix and download a fresh one using the link given earlier in my post. Don't run it just yet.

Now I need to check if CF did manage to install Recovery Console.

Please download BootCheck.exe to your desktop.
  • Double click BootCheck.exe to run the check
  • When complete, a Notepad window will open with some text in it
  • Save the Notepad file to your desktop as BootCheck.txt
  • Copy the contents of BootCheck.txt and post it in your next reply

Edited by Conspire, 01 June 2011 - 04:57 AM.


#14 falshed (Topic Starter)

Posted 01 June 2011 - 08:08 AM

Should I just delete the .exe file? Or uninstall combofix completely?

#15 Conspire (Malware Response Team)

Posted 01 June 2011 - 10:18 AM

Just deleting it will do.