Infected but cant get rid of rootkit



#1 Darkfoo


  • Members
  • 53 posts

Posted 09 June 2011 - 06:01 AM

Hi, I recently picked up a virus and now have no way I know of getting rid of it. I'm pretty sure it's the Google redirect virus. I ran a scan using Avira and also Search and Destroy, but they found nothing. So I used TDSSKiller and it found "Rootkit.Win32.TDSS.tdl3". I tried to cure it and it said processing error. I then tried running TDSSKiller in safe mode, but got the same results. I've had a look around, but most people say reinstall my OS, and I really don't want to do that. Also, I'm pretty sure the thing is messing with my registry, as I ran a free Windows registry repair several times in the space of 1 day, and each time I fix all of the problems about 100 more pop up. So can anybody help me rid my computer of this evil thing!

Any help you can give is greatly appreciated!

#2 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 51,758 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 June 2011 - 07:35 AM

TDSSKiller was updated yesterday to v2.5.4.0. Is that the version you used?

Can you post the log?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Darkfoo

  • Topic Starter

  • Members
  • 53 posts

Posted 09 June 2011 - 03:52 PM

Yes, that's the version I'm using, and it finds the virus and another suspicious file. I select cure and then it says processing error. Here's the log:

2011/06/09 21:48:56.0074 4700 TDSS rootkit removing tool 2.5.4.0 Jun 7 2011 17:31:48
2011/06/09 21:48:56.0254 4700 ================================================================================
2011/06/09 21:48:56.0254 4700 SystemInfo:
2011/06/09 21:48:56.0254 4700
2011/06/09 21:48:56.0254 4700 OS Version: 6.0.6000 ServicePack: 0.0
2011/06/09 21:48:56.0254 4700 Product type: Workstation
2011/06/09 21:48:56.0254 4700 ComputerName: edit to remove
2011/06/09 21:48:56.0255 4700 UserName: Administrator_
2011/06/09 21:48:56.0255 4700 Windows directory: C:\Windows
2011/06/09 21:48:56.0255 4700 System windows directory: C:\Windows
2011/06/09 21:48:56.0255 4700 Processor architecture: Intel x86
2011/06/09 21:48:56.0255 4700 Number of processors: 2
2011/06/09 21:48:56.0255 4700 Page size: 0x1000
2011/06/09 21:48:56.0255 4700 Boot type: Normal boot
2011/06/09 21:48:56.0255 4700 ================================================================================
2011/06/09 21:48:59.0636 4700 Initialize success
2011/06/09 21:49:08.0896 4292 ================================================================================
2011/06/09 21:49:08.0896 4292 Scan started
2011/06/09 21:49:08.0896 4292 Mode: Manual;
2011/06/09 21:49:08.0896 4292 ================================================================================
2011/06/09 21:49:21.0029 4292 NDIS (6c145071038db34df3c52b691724a70b) C:\Windows\system32\drivers\ndis.sys
2011/06/09 21:49:21.0034 4292 Suspicious file (Forged): C:\Windows\system32\drivers\ndis.sys. Real md5: 6c145071038db34df3c52b691724a70b, Fake md5: 227c11e1e7cf6ef8afb2a238d209760c
2011/06/09 21:49:21.0044 4292 NDIS - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/06/09 21:49:27.0169 4292 sptd (8ea0fd60a5b047e0c734d51aace531c9) C:\Windows\System32\Drivers\sptd.sys
2011/06/09 21:49:27.0170 4292 Suspicious file (NoAccess): C:\Windows\System32\Drivers\sptd.sys. md5: 8ea0fd60a5b047e0c734d51aace531c9
2011/06/09 21:49:27.0178 4292 sptd - detected LockedFile.Multi.Generic (1)
2011/06/09 21:49:35.0448 4292 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
2011/06/09 21:49:35.0531 4292 ================================================================================
2011/06/09 21:49:35.0531 4292 Scan finished
2011/06/09 21:49:35.0531 4292 ================================================================================
2011/06/09 21:49:35.0552 4192 Detected object count: 2
2011/06/09 21:49:35.0552 4192 Actual detected object count: 2
2011/06/09 21:49:49.0067 4192 C:\Windows\system32\drivers\ndis.sys - processing error
2011/06/09 21:49:49.0067 4192 Rootkit.Win32.TDSS.tdl3(NDIS) - User select action: Cure
2011/06/09 21:49:49.0071 4192 LockedFile.Multi.Generic(sptd) - User select action: Skip

Edited by quietman7, 22 June 2011 - 06:07 AM.


#4 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 09 June 2011 - 05:41 PM

Before doing anything, if you have not already done so, you should back up all your important documents, personal data files and photos to a CD or DVD as some infections may render your computer unbootable during or before the disinfection process. If that occurs there may be no option but to reformat and reinstall the OS or perform a full system recovery. The safest practice is not to back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.
Please download aswMBR.exe and save it to your Desktop.
  • Double click on aswMBR.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Scan button to start scan.
  • On completion of the scan, click the Save log button and save it to your Desktop.
  • Do not select any Fix options at this time.
  • Copy and paste the contents of that log in your next reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#5 Darkfoo (Topic Starter)

Posted 09 June 2011 - 05:56 PM

When I bought the computer it came pre-installed with Vista and no OS install disk or anything like that. If the computer does become unbootable, do I have to buy one? Any idea what the virus is or how to get rid of it?

Here's the log, thanks for your help, I really appreciate it!

aswMBR version 0.9.5.256 Copyright © 2011 AVAST Software
Run date: 2011-06-09 23:51:36
-----------------------------
23:51:36.968 OS Version: Windows 6.0.6000
23:51:36.968 Number of processors: 2 586 0xF0D
23:51:36.972 ComputerName: MYLOV UserName:
23:51:40.282 Initialize success
23:51:41.728 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort4
23:51:41.732 Disk 0 Vendor: ST9160821AS 3.ALC Size: 152627MB BusType: 3
23:51:41.736 Disk 1 \Device\Harddisk1\DR1 -> \Device\0000006e
23:51:41.739 Disk 1 Vendor: ( Size: 152627MB BusType: 0
23:51:41.743 Disk 2 \Device\Harddisk2\DR2 -> \Device\0000006f
23:51:41.748 Disk 2 Vendor: ( Size: 152627MB BusType: 0
23:51:41.752 Device \Device\Ide\IdeDeviceP4T0L0-8 -> \??\IDE#DiskST9160821AS_____________________________3.ALC___#5&104e72c1&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
23:51:41.757 Device \Driver\atapi -> DriverStartIo 850efaf1
23:51:43.818 Disk 0 MBR read successfully
23:51:43.823 Disk 0 MBR scan
23:51:43.836 Disk 0 unknown MBR code
23:51:45.853 Disk 0 scanning sectors +312579760
23:51:45.954 Disk 0 scanning C:\Windows\system32\drivers
23:51:58.689 File C:\Windows\system32\drivers\sptd.sys TDL3 **ROOTKIT**
23:51:58.692 Disk 0 trace - called modules:
23:51:58.708 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x850efecc]<<
23:51:58.709 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x857aaad8]
23:51:58.709 3 ntkrnlpa.exe[824b07e2] -> nt!IofCallDriver -> [0x85d81d20]
23:51:58.710 [0x85db6748] -> IRP_MJ_CREATE -> 0x850efecc
23:51:58.710 Scan finished successfully
23:52:32.736 Disk 0 MBR has been saved successfully to "C:\Users\Ali\Desktop\MBR.dat"
23:52:32.744 The log file has been saved successfully to "C:\Users\Ali\Desktop\aswMBR.txt"
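The two logs above describe the same compromise from different angles: TDSSKiller names an infected ndis.sys that it cannot cure, while aswMBR shows an IRP_MJ_CREATE dispatch on the disk stack landing at an address it cannot attribute to any loaded module, and the atapi driver object's DriverStartIo pointing into the same neighbourhood. The Python below is an added example, not part of this thread and not code from either tool: it parses the line formats both tools emit (the sample input is copied from the posts above and is labelled as constructed) and produces a triage summary. The "same 4 KiB page" correlation between DriverStartIo and the unattributed hook address is a heuristic introduced by this example; neither TDSSKiller nor aswMBR reports it.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the decisive lines copied from the two logs posted in this thread.
TDSSKILLER_LOG = r"""
2011/06/09 21:49:31.0178 4292 volsnap (80dc0c9bcb579ed9815001a4d37cbfd5) C:\Windows\system32\drivers\volsnap.sys
2011/06/09 21:49:35.0448 4292 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
2011/06/09 21:49:35.0552 4192 Detected object count: 2
2011/06/09 21:49:49.0067 4192 C:\Windows\system32\drivers\ndis.sys - processing error
2011/06/09 21:49:49.0067 4192 Rootkit.Win32.TDSS.tdl3(NDIS) - User select action: Cure
2011/06/09 21:49:49.0071 4192 LockedFile.Multi.Generic(sptd) - User select action: Skip
"""
ASWMBR_LOG = r"""
23:51:41.757 Device \Driver\atapi -> DriverStartIo 850efaf1
23:51:43.836 Disk 0 unknown MBR code
23:51:58.689 File C:\Windows\system32\drivers\sptd.sys TDL3 **ROOTKIT**
23:51:58.708 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x850efecc]<<
23:51:58.710 [0x85db6748] -> IRP_MJ_CREATE -> 0x850efecc
"""

_P = r"^\S+ \S+ \d+ "  # every TDSSKiller line starts "date time pid "
RE_DRIVER = re.compile(_P + r"(?P<name>\S+)(?: \(0x[0-9A-Fa-f]+\))? \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
RE_VERDICT = re.compile(_P + r"(?P<verdict>[\w.]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
RE_ERROR = re.compile(_P + r"(?P<path>.+) - processing error$")
# aswMBR lines start with a bare time stamp
RE_ROOTKIT = re.compile(r"^\S+ File (?P<path>.+) (?P<tag>\S+) \*\*ROOTKIT\*\*$")
RE_STARTIO = re.compile(r"^\S+ Device \\Driver\\(?P<drv>\w+) -> DriverStartIo (?P<addr>[0-9a-fA-F]+)$")
RE_UNKNOWN = re.compile(r">>UNKNOWN \[0x(?P<addr>[0-9a-fA-F]+)\]<<")
RE_IRP = re.compile(r"-> (?P<irp>IRP_MJ_\w+) -> 0x(?P<addr>[0-9a-fA-F]+)$")
RE_BADMBR = re.compile(r"^\S+ Disk (?P<disk>\d+) unknown MBR code$")


@dataclass
class Triage:
    drivers: dict = field(default_factory=dict)      # service name -> (md5, path), for hash comparison
    mbr_md5: str = ""
    detections: list = field(default_factory=list)   # (verdict, object, chosen action)
    cure_errors: list = field(default_factory=list)  # files TDSSKiller detected but could not cure
    rootkit_files: list = field(default_factory=list)
    start_io: dict = field(default_factory=dict)     # driver object -> DriverStartIo address
    hooks: dict = field(default_factory=dict)        # IRP major function -> dispatch target
    unknown_code: set = field(default_factory=set)   # addresses aswMBR could not map to a module
    bad_mbr_disks: list = field(default_factory=list)


def parse_tdsskiller(text, t):
    for line in filter(None, text.splitlines()):
        if m := RE_VERDICT.match(line):
            t.detections.append((m["verdict"], m["obj"], m["action"]))
        elif m := RE_ERROR.match(line):
            t.cure_errors.append(m["path"])
        elif m := RE_DRIVER.match(line):
            if m["name"] == "MBR":
                t.mbr_md5 = m["md5"]
            else:
                t.drivers[m["name"]] = (m["md5"], m["path"])
    return t


def parse_aswmbr(text, t):
    for line in filter(None, text.splitlines()):
        if m := RE_ROOTKIT.match(line):
            t.rootkit_files.append((m["path"], m["tag"]))
        elif m := RE_STARTIO.match(line):
            t.start_io[m["drv"]] = int(m["addr"], 16)
        elif m := RE_BADMBR.match(line):
            t.bad_mbr_disks.append(int(m["disk"]))
        elif m := RE_UNKNOWN.search(line):
            t.unknown_code.add(int(m["addr"], 16))
        elif m := RE_IRP.search(line):
            t.hooks[m["irp"]] = int(m["addr"], 16)
    return t


def findings(t):
    out = []
    for path in t.cure_errors:
        out.append(f"CRITICAL: TDSSKiller could not cure {path}; the infected driver is still active")
    for verdict, obj, action in t.detections:
        if verdict.startswith("LockedFile") and action == "Skip":
            out.append(f"INFO: {obj} is locked, not proven malicious; verify its signer before removing it")
    for path, tag in t.rootkit_files:
        out.append(f"ALERT: aswMBR tagged {path} as {tag}; corroborate, legitimate drivers also hide this way")
    for irp, addr in t.hooks.items():
        if addr in t.unknown_code:
            out.append(f"CRITICAL: {irp} on the disk stack dispatches to 0x{addr:08x}, inside no loaded module")
            for drv, sio in t.start_io.items():
                # Heuristic (this example's, not aswMBR's): two addresses in one 4 KiB page are one code blob.
                if sio >> 12 == addr >> 12:
                    out.append(f"CRITICAL: \\Driver\\{drv} DriverStartIo 0x{sio:08x} sits in that same page: miniport patched")
    for disk in t.bad_mbr_disks:
        out.append(f"WARN: disk {disk} MBR code is non-standard (MD5 {t.mbr_md5 or 'unknown'}); diff it against a known-good MBR")
    return out


def triage(tdss_text, asw_text):
    t = parse_aswmbr(asw_text, parse_tdsskiller(tdss_text, Triage()))
    return t, findings(t)


if __name__ == "__main__":
    print("\n".join(triage(TDSSKILLER_LOG, ASWMBR_LOG)[1]))
```

Run against the full logs rather than the excerpt, the `drivers` inventory gives you every loaded driver's MD5 and path to compare against a clean machine of the same build; the ndis.sys "processing error" on a live system is the reason the forum moves such cases to offline tooling, since the hooked miniport is still serving every read of the infected file.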

#6 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 09 June 2011 - 06:44 PM

Are you using Daemon Tools or another CD Emulator like Alcohol 120%, Astroburn, AnyDVD?

sptd.sys is a legitimate driver used by CD Emulator programs like Daemon Tools, Alcohol 120%, Astroburn, AnyDVD. The file is often detected as suspicious by security tools because CD Emulators use rootkit-like techniques to hide from other applications. Daemon Tools uses this technology to hide and to circumvent copy protection schemes. AnyDVD uses a driver that allows decryption of DVDs on-the-fly and targeted removal of copy preventions/user operation prohibitions. Alcohol uses a similar technology to hide its drivers on the system so that game copy protection schemes are unable to detect and blacklist Alcohol virtual drives.

There is discussion at the avast forums that a recent detection of sptd.sys is likely a false positive.

However, essexboy said in this discussion thread that it may not be a false alarm.

Go to one of the following online services that analyzes suspicious files:

In the "File to upload & scan" box, click the "browse" button and locate the following file:
C:\WINDOWS\System32\sptd.sys <- this file
Click "Open", then click the "Submit" button. If you get a message saying "File has already been analyzed", click Reanalyze file now.
-- Post back with the results of the file analysis in your next reply.


When I bought the computer it came pre installed with vista and no os install disk

By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead. If you lost or misplaced your recovery disks, again you can contact and advise the manufacturer. In many cases they will send replacements as part of their support.

#7 Darkfoo (Topic Starter)

Posted 09 June 2011 - 07:43 PM

Yes, I did use Daemon Tools before and left it on the computer, so that's most likely the sptd.sys file. I tried it on all three sites but they will not upload the file to be scanned.

Jotti's virus scan says: No file loaded
VirSCAN brings up the upload progress bar but doesn't load 1 KB
VirusTotal loaded and said nothing, just returned to the previous screen

#8 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 09 June 2011 - 08:18 PM

This is the pertinent part of the TDSSKiller log, but it's not able to deal with it.

2011/06/09 21:49:49.0067 4192 C:\Windows\system32\drivers\ndis.sys - processing error
2011/06/09 21:49:49.0067 4192 Rootkit.Win32.TDSS.tdl3(NDIS) - User select action: Cure

I'm not sure at this point why aswMBR did not pick it up so I recommend further investigation. Many of the tools we use in this forum are not capable of detecting (repairing/removing) all malware variants so more advanced tools are needed to investigate. Before that can be done you will need to create and post a DDS log for further investigation.

Please read the "Preparation Guide".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, please reply back here with a link to the new topic so we can close this one.

#9 Darkfoo (Topic Starter)

Posted 10 June 2011 - 12:01 PM

Ok thanks for your help here is the new topic:

http://www.bleepingcomputer.com/forums/topic402960.html

#10 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 10 June 2011 - 09:36 PM

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse, which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic until you are cleared by the Malware Response Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.
