Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected: Win32:ZAccess-D rootkit found by Avast!


  • This topic is locked This topic is locked
8 replies to this topic

#1 FerrisBueller

FerrisBueller

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:14 AM

Posted 02 June 2011 - 03:56 PM

OS: Windows XP
Avast software & virus defs up to date as of 6/1/2011
Malwarebytes Anti-Malware software & virus defs up to date as of 5/29/2011
No new software or systems changes before infection.

Surfing search results when Avast encountered Win32:ZAccess-D.
Immediately turned off wireless connection. PC is not connect to Internet.
Ran rkill to terminate possible rogue processes.
Scheduled Avast boot scan and rebooted pc.

Results: viruses found.
1) MIDI:CVE-2010-1885-G
2) Win32:ZAccess-D
3) Java:Agent-IF
4) MIDI:CVE_2010_0842

The Avast scan log only lists viruses #3 & 4 found & moved to virus chest but all 4 are listed in the virus chest at the time the scan took place.

After booting the avast virus real-time & web shields are turned off. They can not be turned back on.
The Windows Firewall is turned off and can't be turned on. When trying to turn the firewall back on the following message is given:
'Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service? Yes/No' Clicking Yes results in this message: 'Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service.'

There is a considerable time difference in booting completely to Windows XP post infection.
Difficult time diagnosing other virus/rootkit issues because cpu is running at 100%.

Finally able to have MBAM complete its full scan. No malicious items detected.

I thought Avast had caught the rootkit in time saved the pc but that seems to not be the case!

DDS.txt log
.
DDS (Ver_2011-06-02.02) - NTFSx86
Internet Explorer: 7.0.5730.11
Run by TPapais at 13:55:41 on 2011-06-02
.
============== Running Processes ===============
.
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\IBM\Lotus\Notes\nslsvice.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\IBM\Lotus\Notes\ntmulti.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\Client Security Solution\password_manager.exe
C:\Documents and Settings\TPapais\Desktop\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://lenovo.live.com
mDefault_Page_URL = hxxp://lenovo.live.com
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files\google\chrome frame\application\11.0.696.71\npchrome_frame.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Gizmo5] "c:\program files\gizmo5\Gizmo5.exe"
uRun: [Google Update] "c:\documents and settings\tpapais\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [PMHandler] c:\progra~1\lenovo\pmdriv~1\PMHandler.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPFNF7] c:\progra~1\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TPWAUDAP] c:\program files\lenovo\hotkey\TpWAudAp.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [FingerPrintSoftware] "c:\program files\lenovo fingerprint software\fpapp.exe" \s
mRun: [LPManager] c:\progra~1\lenovo\lenovo~2\LPMGR.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227924538421
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227877401453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://emeetings.webex.com/client/T27L10NSP11EP1-emeetings/event/ieatgpc.cab
Handler: cf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\11.0.696.71\npchrome_frame.dll
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\11.0.696.71\npchrome_frame.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: ACNotify - ACNotify.dll
Notify: ATFUS - c:\windows\system32\FpWinLogonNp.dll
Notify: igfxcui - igfxdev.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
LSA: Notification Packages = scecli ACGina
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\tpapais\application data\mozilla\firefox\profiles\9rxo0v8i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\tpapais\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\tpapais\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\tpapais\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\tpapais\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R? BOKWJA;BOKWJA
R? FingerprintServer;Fingerprint Server
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? PCD5SRVC{DF187064-5DA14001-05040000};PCD5SRVC{DF187064-5DA14001-05040000} - PCDR Kernel Mode Service Helper Driver
S? aswFsBlk;aswFsBlk
S? aswSnx;aswSnx
S? aswSP;aswSP
S? avast! Antivirus;avast! Antivirus
S? FNF5SVC;Fn+F5 Service
S? ioloFileInfoList;iolo FileInfoList Service
S? ioloSystemService;iolo System Service
S? McAfeeFramework;McAfee Framework Service
S? McShield;McAfee McShield
S? McTaskManager;McAfee Task Manager
S? mfeavfk;McAfee Inc.
S? mfebopk;McAfee Inc.
S? mfehidk;McAfee Inc.
S? mferkdk;VSCore mferkdk
S? PMHler;PMHler
S? TVTI2C;Lenovo SM bus driver
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-06-01 18:36:11 29907 ----a-w- c:\program files\mozilla firefox\0.49204468137940194.exe
2011-05-26 18:31:57 -------- d-----w- c:\program files\Citrix
2011-05-26 18:31:15 72080 ----a-w- c:\documents and settings\tpapais\g2mdlhlpx.exe
2011-05-26 00:19:01 49664 ----a-w- c:\windows\system32\camcodec.dll
2011-05-26 00:19:01 -------- d-----w- c:\program files\CamStudio 2.6b
2011-05-18 16:14:47 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-15 18:17:35 -------- d-----w- c:\documents and settings\tpapais\application data\Malwarebytes
2011-05-15 18:17:17 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-15 18:17:16 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-05-15 18:17:12 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-15 18:17:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-15 01:47:43 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
.
==================== Find3M ====================
.
2011-05-10 12:10:59 40112 ----a-w- c:\windows\avastSS.scr
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 14:04:55.25 ===============

I have attached the DDS attach.zip & GMER ark.txt files as requested.

Hopefully you can provide some insight into this issue.
Thanks in advance for taking your time to help another.
Cheers!

Attached Files



BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:14 AM

Posted 02 June 2011 - 04:58 PM

Hello FerrisBueller,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.


Things to include in your next reply::
TDSSKILLER log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 FerrisBueller

FerrisBueller
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:14 AM

Posted 02 June 2011 - 08:06 PM

Thanks for the fast attention.

Seems luck is right now not on my side.

Downloaded TDSSkiller.exe which is now at ver. 2.5.3.0.
Scanned computer. Did not use pc.
System scan completed.
infection: not found

TDSSKiller_2_5_3_0_02_06_2011_18_37_14_log.txt
2011/06/02 18:37:14.0031 3184 TDSS rootkit removing tool 2.5.3.0 May 25 2011 07:09:24
2011/06/02 18:37:14.0343 3184 ================================================================================
2011/06/02 18:37:14.0343 3184 SystemInfo:
2011/06/02 18:37:14.0343 3184
2011/06/02 18:37:14.0343 3184 OS Version: 5.1.2600 ServicePack: 3.0
2011/06/02 18:37:14.0343 3184 Product type: Workstation
2011/06/02 18:37:14.0343 3184 ComputerName: CSC-ZFS-TT6
2011/06/02 18:37:14.0343 3184 UserName: TPapais
2011/06/02 18:37:14.0343 3184 Windows directory: C:\WINDOWS
2011/06/02 18:37:14.0343 3184 System windows directory: C:\WINDOWS
2011/06/02 18:37:14.0343 3184 Processor architecture: Intel x86
2011/06/02 18:37:14.0343 3184 Number of processors: 2
2011/06/02 18:37:14.0343 3184 Page size: 0x1000
2011/06/02 18:37:14.0343 3184 Boot type: Normal boot
2011/06/02 18:37:14.0343 3184 ================================================================================
2011/06/02 18:37:14.0968 3184 Initialize success
2011/06/02 18:37:33.0406 3948 ================================================================================
2011/06/02 18:37:33.0406 3948 Scan started
2011/06/02 18:37:33.0406 3948 Mode: Manual;
2011/06/02 18:37:33.0406 3948 ================================================================================
2011/06/02 18:37:33.0671 3948 Aavmker4 (3f6884eff406238d39aaa892218f1df7) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/06/02 18:37:33.0828 3948 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/06/02 18:37:33.0937 3948 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2011/06/02 18:37:34.0062 3948 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/06/02 18:37:34.0156 3948 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/06/02 18:37:34.0234 3948 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/06/02 18:37:34.0328 3948 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/06/02 18:37:34.0390 3948 AegisP (a1ad1a4a9f18d900ca9c93fa3efdcb56) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/06/02 18:37:34.0531 3948 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/06/02 18:37:34.0687 3948 AgereSoftModem (4e6294a06be883c9bd685a8dfd9fcd4e) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/06/02 18:37:34.0875 3948 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/06/02 18:37:35.0000 3948 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/06/02 18:37:35.0046 3948 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/06/02 18:37:35.0187 3948 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/06/02 18:37:35.0281 3948 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/06/02 18:37:35.0359 3948 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/06/02 18:37:35.0453 3948 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/06/02 18:37:35.0500 3948 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/06/02 18:37:35.0546 3948 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/06/02 18:37:35.0687 3948 ANC (11ab185a7af224800bbfb5b836974a17) C:\WINDOWS\system32\drivers\ANC.SYS
2011/06/02 18:37:35.0859 3948 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/06/02 18:37:35.0921 3948 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/06/02 18:37:35.0984 3948 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/06/02 18:37:36.0062 3948 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/06/02 18:37:36.0203 3948 aswFsBlk (7f08d9c504b015d81a8abd75c80028c5) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/06/02 18:37:36.0343 3948 aswMon2 (c2181ef6b54752273a0759a968c59279) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/06/02 18:37:36.0468 3948 aswRdr (ac48bdd4cd5d44af33087c06d6e9511c) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/06/02 18:37:36.0593 3948 aswSnx (b64134316fcd1f20e0f10ef3e65bd522) C:\WINDOWS\system32\drivers\aswSnx.sys
2011/06/02 18:37:36.0796 3948 aswSP (d6788e3211afa9951ed7a4d617f68a4f) C:\WINDOWS\system32\drivers\aswSP.sys
2011/06/02 18:37:36.0968 3948 aswTdi (4d100c45517809439c7b6dd98997fa00) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/06/02 18:37:37.0125 3948 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/06/02 18:37:37.0171 3948 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/06/02 18:37:37.0328 3948 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/06/02 18:37:37.0437 3948 ATSWPDRV (f70d2392158cb68e775f8c4cd3d12fbb) C:\WINDOWS\system32\DRIVERS\ATSwpDrv.sys
2011/06/02 18:37:37.0562 3948 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/06/02 18:37:37.0625 3948 b57w2k (f96038aa1ec4013a93d2420fc689d1e9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/06/02 18:37:37.0765 3948 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/06/02 18:37:37.0843 3948 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/06/02 18:37:37.0937 3948 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/06/02 18:37:37.0984 3948 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/06/02 18:37:38.0109 3948 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/06/02 18:37:38.0171 3948 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/06/02 18:37:38.0234 3948 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/06/02 18:37:38.0328 3948 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/06/02 18:37:38.0421 3948 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/06/02 18:37:38.0531 3948 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/06/02 18:37:38.0593 3948 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/06/02 18:37:38.0671 3948 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/06/02 18:37:38.0703 3948 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/06/02 18:37:38.0796 3948 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/06/02 18:37:38.0843 3948 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/06/02 18:37:39.0000 3948 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/06/02 18:37:39.0046 3948 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/06/02 18:37:39.0109 3948 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/06/02 18:37:39.0140 3948 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/06/02 18:37:39.0203 3948 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/06/02 18:37:39.0296 3948 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/06/02 18:37:39.0437 3948 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/06/02 18:37:39.0500 3948 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/06/02 18:37:39.0562 3948 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/06/02 18:37:39.0671 3948 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/06/02 18:37:39.0703 3948 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/06/02 18:37:39.0812 3948 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/06/02 18:37:39.0859 3948 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/06/02 18:37:39.0984 3948 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/06/02 18:37:40.0093 3948 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/06/02 18:37:40.0156 3948 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/06/02 18:37:40.0250 3948 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/06/02 18:37:40.0390 3948 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/06/02 18:37:40.0468 3948 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/06/02 18:37:40.0546 3948 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/06/02 18:37:40.0625 3948 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/06/02 18:37:40.0875 3948 ialm (28423512370705aeda6a652fedb25468) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/06/02 18:37:41.0062 3948 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2011/06/02 18:37:41.0109 3948 IBMTPCHK (3a7dbe81ec5edb96a0a61c7d4af3198d) C:\WINDOWS\system32\Drivers\IBMBLDID.sys
2011/06/02 18:37:41.0250 3948 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/06/02 18:37:41.0312 3948 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/06/02 18:37:41.0656 3948 IntcAzAudAddService (8f924588c272fdaa28cf31a9bbc21a72) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/06/02 18:37:41.0875 3948 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/06/02 18:37:41.0937 3948 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/06/02 18:37:41.0984 3948 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/06/02 18:37:42.0031 3948 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/06/02 18:37:42.0062 3948 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/06/02 18:37:42.0125 3948 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/06/02 18:37:42.0250 3948 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/06/02 18:37:42.0343 3948 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/06/02 18:37:42.0421 3948 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys
2011/06/02 18:37:42.0546 3948 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/06/02 18:37:42.0640 3948 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/06/02 18:37:42.0734 3948 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/06/02 18:37:42.0937 3948 mfeapfk (11115e2281dd9b885b038abb11dd8a75) C:\WINDOWS\system32\drivers\mfeapfk.sys
2011/06/02 18:37:43.0078 3948 mfeavfk (a14941aea876c395214f918b011a1371) C:\WINDOWS\system32\drivers\mfeavfk.sys
2011/06/02 18:37:43.0125 3948 mfebopk (59b8443b78c46d2ac4767938e778f043) C:\WINDOWS\system32\drivers\mfebopk.sys
2011/06/02 18:37:43.0187 3948 mfehidk (116689b95a37efca0acc2ac421795e60) C:\WINDOWS\system32\drivers\mfehidk.sys
2011/06/02 18:37:43.0359 3948 mferkdk (6e1e4bb2866260f2949a3b7a0759e3c6) C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
2011/06/02 18:37:43.0500 3948 mfetdik (8468969c92d1dd1fa872cc6c936e4d60) C:\WINDOWS\system32\drivers\mfetdik.sys
2011/06/02 18:37:43.0593 3948 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/06/02 18:37:43.0640 3948 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/06/02 18:37:43.0687 3948 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/06/02 18:37:43.0781 3948 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/06/02 18:37:43.0859 3948 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/06/02 18:37:43.0953 3948 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/06/02 18:37:44.0078 3948 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/06/02 18:37:44.0171 3948 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/06/02 18:37:44.0312 3948 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/06/02 18:37:44.0359 3948 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/06/02 18:37:44.0437 3948 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/06/02 18:37:44.0484 3948 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/06/02 18:37:44.0515 3948 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/06/02 18:37:44.0578 3948 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/06/02 18:37:44.0640 3948 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/06/02 18:37:44.0718 3948 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/06/02 18:37:44.0781 3948 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/06/02 18:37:44.0843 3948 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/06/02 18:37:44.0875 3948 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/06/02 18:37:44.0968 3948 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/06/02 18:37:45.0078 3948 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/06/02 18:37:45.0265 3948 NETw4x32 (18b2d3e11ed7a3c898ade6a6692b6929) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
2011/06/02 18:37:45.0437 3948 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/06/02 18:37:45.0531 3948 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/06/02 18:37:45.0578 3948 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/06/02 18:37:45.0687 3948 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/06/02 18:37:45.0812 3948 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/06/02 18:37:45.0953 3948 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/06/02 18:37:46.0000 3948 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/06/02 18:37:46.0109 3948 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/06/02 18:37:46.0140 3948 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/06/02 18:37:46.0171 3948 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/06/02 18:37:46.0218 3948 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/06/02 18:37:46.0328 3948 PCD5SRVC{DF187064-5DA14001-05040000} (0aad6f0a129ddf453b2f99ee0a495923) C:\PROGRA~1\PCDR5\PCD5SRVC.pkms
2011/06/02 18:37:46.0515 3948 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/06/02 18:37:46.0578 3948 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/06/02 18:37:46.0640 3948 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/06/02 18:37:46.0781 3948 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/06/02 18:37:46.0984 3948 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/06/02 18:37:47.0109 3948 pmem (dedef40e1d05842639491365cb2c069e) C:\WINDOWS\System32\drivers\pmemnt.sys
2011/06/02 18:37:47.0218 3948 PMHler (c6114ccd63db3925a0450b1089ece503) C:\WINDOWS\system32\drivers\PMHler.sys
2011/06/02 18:37:47.0328 3948 pnarp (dea06627596015263360097c2608384e) C:\WINDOWS\system32\DRIVERS\pnarp.sys
2011/06/02 18:37:47.0500 3948 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/06/02 18:37:47.0593 3948 PROCDD (c9ca089787aa4ca892f2173a8e15c1b0) C:\WINDOWS\system32\DRIVERS\PROCDD.SYS
2011/06/02 18:37:47.0750 3948 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/06/02 18:37:47.0796 3948 psadd (aac08defb15aaab00b30341c716efa35) C:\WINDOWS\system32\DRIVERS\psadd.sys
2011/06/02 18:37:47.0953 3948 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/06/02 18:37:48.0015 3948 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/06/02 18:37:48.0109 3948 purendis (c0cdb9f7ce42c3487f0bea409bf5d153) C:\WINDOWS\system32\DRIVERS\purendis.sys
2011/06/02 18:37:48.0203 3948 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/06/02 18:37:48.0328 3948 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/06/02 18:37:48.0390 3948 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/06/02 18:37:48.0484 3948 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/06/02 18:37:48.0515 3948 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/06/02 18:37:48.0531 3948 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/06/02 18:37:48.0578 3948 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/06/02 18:37:48.0640 3948 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/06/02 18:37:48.0687 3948 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/06/02 18:37:48.0734 3948 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/06/02 18:37:48.0828 3948 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/06/02 18:37:48.0890 3948 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/06/02 18:37:48.0953 3948 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/06/02 18:37:49.0031 3948 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/06/02 18:37:49.0140 3948 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/06/02 18:37:49.0296 3948 rimmptsk (355aac141b214bef1dbc1483afd9bd50) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
2011/06/02 18:37:49.0390 3948 rimsptsk (a4216c71dd4f60b26418ccfd99cd0815) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
2011/06/02 18:37:49.0453 3948 rismxdp (c663af77e2f4eabf8eb08b388d2f1f36) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
2011/06/02 18:37:49.0609 3948 s24trans (2220783b32a9f91df87f3e8315f091e7) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/06/02 18:37:49.0718 3948 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/06/02 18:37:49.0765 3948 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/06/02 18:37:49.0875 3948 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/06/02 18:37:49.0906 3948 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/06/02 18:37:50.0000 3948 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/06/02 18:37:50.0062 3948 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/06/02 18:37:50.0140 3948 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/06/02 18:37:50.0250 3948 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/06/02 18:37:50.0328 3948 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/06/02 18:37:50.0453 3948 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/06/02 18:37:50.0578 3948 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/06/02 18:37:50.0671 3948 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/06/02 18:37:50.0828 3948 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/06/02 18:37:50.0921 3948 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/06/02 18:37:51.0031 3948 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/06/02 18:37:51.0125 3948 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/06/02 18:37:51.0281 3948 SynTP (ae4052fc36bd4c390cee45a38ec1199a) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/06/02 18:37:51.0406 3948 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/06/02 18:37:51.0562 3948 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/06/02 18:37:51.0656 3948 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/06/02 18:37:51.0703 3948 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/06/02 18:37:51.0750 3948 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/06/02 18:37:51.0906 3948 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/06/02 18:37:51.0953 3948 TPPWRIF (44672de6cea9569c21c4b7a8d2560750) C:\WINDOWS\_tpb0000.tmp\TPPWRIF.sys
2011/06/02 18:37:52.0062 3948 TSMAPIP (f10f36e20448a5500a5f83f67ee4aad4) C:\WINDOWS\system32\drivers\TSMAPIP.SYS
2011/06/02 18:37:52.0156 3948 tvtfilter (49258a02a1e8d304ed88b0f1c56b1738) C:\WINDOWS\system32\DRIVERS\tvtfilter.sys
2011/06/02 18:37:52.0234 3948 TVTI2C (8ab24d4b7da715c2c80455137910e792) C:\WINDOWS\system32\DRIVERS\Tvti2c.sys
2011/06/02 18:37:52.0500 3948 TVTPktFilter (0727cce3ff1a4446f4a1d507361567ab) C:\WINDOWS\system32\DRIVERS\tvtpktfilter.sys
2011/06/02 18:37:52.0656 3948 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/06/02 18:37:52.0781 3948 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/06/02 18:37:53.0000 3948 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/06/02 18:37:53.0046 3948 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/06/02 18:37:53.0093 3948 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/06/02 18:37:53.0234 3948 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/06/02 18:37:53.0281 3948 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/06/02 18:37:53.0328 3948 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/06/02 18:37:53.0375 3948 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/06/02 18:37:53.0437 3948 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/06/02 18:37:53.0593 3948 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/06/02 18:37:53.0671 3948 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/06/02 18:37:53.0843 3948 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/06/02 18:37:53.0953 3948 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/06/02 18:37:54.0062 3948 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/06/02 18:37:54.0812 3948 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk1\DR7
2011/06/02 18:37:54.0890 3948 ================================================================================
2011/06/02 18:37:54.0890 3948 Scan finished
2011/06/02 18:37:54.0890 3948 ================================================================================
2011/06/02 18:37:54.0906 1840 Detected object count: 0
2011/06/02 18:37:54.0906 1840 Actual detected object count: 0

Downloaded ComboFix.
Wondering about opening up connection to internet because of virus issue!
Decided to connect to internet because Windows Recovery Console installation requires active internet connection. Was this a good idea?
Disabled all Avast shields for 1 hour.
Tried to execute ComboFix.
This brought up a warning message that McAfee VirusScan Enterprise + AntiSpyware Enterprise is still active.
Did not realize this product was running because I was never notified of any viruses by McAfee.
ComboFix wants to me to disable and then click OK to its message.

Here are the details:
McAfee AutoUpdate ver. 3.6.0.569
Product Coverage Report ver. 3.6.0.569
McAfee VirusScan Enterprise Workstation ver. 8.5.0.781
virus def ver 6363.0000 install 6/1/2011 created 5/31/2011
scan engine ver. 5400.1158 install 11/19/2009
McAfee AntiSpyware Enterprise Module ver. 8.5.0.163

I brought up the VirusScan Console and right clicked Access Protection to disable it.
The disable option is not available for selection.

This pc is on loan from a friend and I or he do not have the password to unlock the user interface to make disable possible.

I tried to cancel the execution of ComboFix by exiting the popup message.
This did not have the intended result. ComboFix is still trying to execute and provided an additional popup message:
'Warning!! antivirus VirusScan Enterprise + AntiSpyware Enterprise
The above real time scanner(s) are still active but ComboFix shall continue to run. Kindly note that this is at your own risk - click OK'

I have let the message remain and wait on how to proceed. I didn't click OK and risk further possible damage to the pc.

What are the next steps? How do I disable McAfee? How to stop ComboFix until McAfee get disabled? Should I connect to internet if I need to install Windows Recovery Console?

By the way, just to be complete, since TDSSKiller found nothing system status is the same - no change, CPU at 100% as expected.

Cheers!

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:14 AM

Posted 03 June 2011 - 03:58 PM

Hello,


Combofix is picking up that Mcafee is on your system even though it may not be active. We will run Combofix in Safemode with Networking and you can ignore any warnings about McAfee or Avast and just let it run.

Now reboot into Safe Mode with Networking.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option with networking support.
Please see here for additional details.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 FerrisBueller

FerrisBueller
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:14 AM

Posted 04 June 2011 - 08:27 AM

Hello fireman4it,

Tried proceeding with next step - Boot into safe mode w/networking
Not completely successful.

I have used safe mode before but not with networking so this is a first.
After booting, I wanted to check the internet connection before executing ComboFix.

I can't get an ip address.
To double check, the modem, router & pc have been rebooted. (multiple attempts)
A 2nd pc using a wireles connection is able to access the router and the internet (that's why I can post).
The 2nd pc is the only client listed by the router as a host that has been assigned an ip address by dchp and is using the 1st available address.
Now I checked the infected pc which is connected by ethernet cable to the router because of booting into safe mode w/networking.
I went into network connections and looked at the local area connection.
status: connected but no activity, packets sent & received is 0.
There is no ip address listed. It is blank not even set to 0.0.0.0.
Tried to repair the connection but received the following message:
'Windows could not finish repairing the problem because the following action cannot be completed: Failed to query TCP/IP settings of the connection, cannot proceed.'

I'm not sure what I did incorrectly when booting up? Where there additional steps required to make the internet connection?
The Broadcom ethernet adapter is working correctly and TCP/IP is checked under the listed connection items being used. I don't know what to check next.

Do you need any other info to diagnose the lack of internet connection by ethernet? I need that to continue with the ComboFix process.

Cheers!

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:14 AM

Posted 04 June 2011 - 09:23 PM

Hello,

Go ahead and boot just into Safemode without the Networking support and run Combofix. Remember to ignore any Warnigs about Avast or Mcafee.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:14 AM

Posted 08 June 2011 - 04:20 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#8 FerrisBueller

FerrisBueller
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:14 AM

Posted 08 June 2011 - 05:50 PM

I am still here. (even though many think Ferris just took the day off)
I have run into a time constraint because of an emergency and haven't been able to mess with the pc. I think I will be able to do the posted instructions in the next couple of days. Thanks for the attentiveness and I hope to post positive results soon.

Cheers!

#9 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:14 AM

Posted 13 June 2011 - 05:20 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users