
First exe blocker, then Vista Security 2012, now redirects


  • This topic is locked
31 replies to this topic

#1 Acidline303

Acidline303

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 23 June 2011 - 04:55 PM

Hello everyone at bleepingcomputer. I've used your forums in the past to resolve some trojan issues. This one seems to go beyond simply using rkill and Malwarebytes.

I'm running Vista Home premium with Firefox 3.6.18

The issues started off this time with the system crashing into blue screen, or denying access to any executable file action. When run in safe mode, both Malwarebytes and SUPERAntiSpyware kept pointing to files called mqv.exe. After running what I thought was a fix to those, the computer was fine in regular Windows mode for about 20 minutes and then all the classic symptoms of VistaAntivirus 2012 started showing with tons of pop ups, taskbar warnings, and locked executables even in safe mode. I was using a combo of fixNCR and rkill to get around those temporarily, then running Malwarebytes, SUPERAntiSpyware, and Spybot S&D. They all seemed to find problems and erase them.

This time around, as soon as I boot, my Avira detector goes off, indicating the following files:

grpconv.exe
TR/dropperGen in temp\3E5.tmp

I can run executables until I go onto Firefox to look for guidance; then all requests for Task Manager, opening programs, etc. are just hung up. All Google searches are redirected to scour.com. Tabs in Firefox randomly open up to various merchandise sites.

Sometimes the system will recover long enough for me to get to a forum topic here. Other times I get the BSOD and have to reboot.

At this point I'm completely open to reformatting this laptop, though I'd rather not go through the process of reinstalling all of my audio programs again. I've dealt with the Vista Security 2010 issue in the past and my patience is wearing thin for what seems to be a "greatest hits" collection of malware. Any help is immeasurably appreciated.


All logs posted from Safe mode



Here's the DDS log:

.
DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_26
Run by Administrate at 16:19:55 on 2011-06-23
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.893.447 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [<NO NAME>]
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [Creative Detector U] "c:\program files\creative\mediasource5\CTDetctu.exe" /R
uRun: [Google Update] "c:\users\administrate\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Audio Kontrol 1] c:\program files\native instruments\audio kontrol 1\Audio Kontrol 1.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SetPanel]
mRun: [eRecoveryService]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [4ECYTQ9SIC] c:\windows\temp\Wqr.exe
dRunOnce: [bM28601GdCnM28601] c:\programdata\bm28601gdcnm28601\bM28601GdCnM28601.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{0DCE61E6-5F1F-464E-A203-0B7D4BB765E8} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{409639A6-FF0D-4EA3-87D9-5133D331A085} : DhcpNameServer = 192.168.1.1
mASetup: ccc-core-static - msiexec /fums {35BDA760-4905-19AA-54A0-C118ABB5BF0C} /qb
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\administrate\appdata\roaming\mozilla\firefox\profiles\sf2bkkyo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\administrate\appdata\local\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\users\administrate\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\administrate\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Aero Fox: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2011-6-19 57312]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-4 11608]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-11-26 21504]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-4 136360]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-4 269480]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-4 61960]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-21 136176]
S2 NIHardwareService;NIHardwareService;c:\program files\common files\native instruments\hardware\NIHardwareService.exe [2010-3-25 3622912]
S3 ak1avs;ak1avs;c:\windows\system32\drivers\ak1avs.sys [2010-7-26 25088]
S3 ak1usb;ak1usb;c:\windows\system32\drivers\ak1usb.sys [2010-7-26 84992]
S3 kore2avs;kore2avs;c:\windows\system32\drivers\kore2avs.sys [2009-10-8 35408]
S3 kore2usb;kore2usb;c:\windows\system32\drivers\kore2usb.sys [2009-10-8 276432]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-11-26 21504]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2011-6-19 16472]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2011-6-19 11104]
S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\drivers\smscirda.sys [2007-3-10 31232]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-06-23 18:57:28 -------- d-----w- c:\programdata\bM28601GdCnM28601
2011-06-22 04:01:39 -------- d-----w- C:\!KillBox
2011-06-21 23:57:02 -------- d-----w- c:\users\administrate\appdata\roaming\SUPERAntiSpyware.com
2011-06-21 23:57:02 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-06-21 23:56:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-21 10:43:26 -------- d--h--w- c:\windows\PIF
2011-06-21 06:55:47 -------- d-----w- c:\programdata\oK28601FfElP28601
2011-06-19 16:13:43 -------- d-----w- c:\program files\PowerDataRecovery
2011-06-19 15:56:05 747592 ----a-w- c:\windows\system32\pwNative.exe
2011-06-19 15:56:05 16472 ------w- c:\windows\system32\pwdrvio.sys
2011-06-19 15:56:02 11104 ------w- c:\windows\system32\pwdspio.sys
2011-06-19 15:55:50 -------- d-----w- c:\program files\MiniTool Partition Wizard Home Edition 6.0
2011-06-19 15:50:15 -------- d-----w- c:\programdata\createpart
2011-06-19 15:49:13 -------- d-----w- c:\programdata\deletepart
2011-06-19 15:48:59 -------- d-----w- c:\programdata\explauncher
2011-06-19 15:48:57 -------- d-----w- c:\programdata\launcher
2011-06-19 15:45:00 57312 ----a-w- c:\windows\system32\drivers\hotcore3.sys
2011-06-19 15:44:26 -------- d-----w- c:\program files\Paragon Software
2011-05-30 17:04:40 -------- d-----w- c:\program files\VideoLAN
2011-05-25 04:44:49 18690 ----a-w- c:\windows\system32\drivers\usbhsb.sys
2011-05-25 04:44:49 -------- d-----w- c:\program files\Genesys Logic
2011-05-25 04:44:41 306688 ----a-w- c:\windows\IsUninst.exe
.
==================== Find3M ====================
.
2011-05-29 14:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-18 00:03:48 249936 ----a-w- c:\windows\system32\prgiso.dll
2011-05-04 09:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 16:21:52.69 ===============



Edited by Acidline303, 23 June 2011 - 05:09 PM.
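The persistence in the DDS log above sits in the "Pseudo HJT Report" section: a dRun entry launching a randomly named executable from c:\windows\temp, a dRunOnce entry launching from a randomly named ProgramData folder, and policy values that disable UAC (EnableLUA = 0) and hide the Security Center icon (HideSCAHealth = 1). The script below is an added example, not part of this thread or of the DDS tool. It parses the uRun/mRun/dRun/dRunOnce and Policies lines and flags the ones a helper would look at first. The sample lines are copied from the log above; the hive mapping, the suspect-folder list, the "machine-generated name" heuristic and the weak-policy table are this example's own assumptions, not anything DDS itself reports.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log (added example)."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# DDS prefixes (assumed mapping): u = current user, m = machine, d = default user hive.
HIVES = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}

RUN_RE = re.compile(r"^(?P<hive>[umd])Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
POLICY_RE = re.compile(r"^(?P<hive>[umd])Policies-(?P<area>\w+):\s*(?P<key>\w+)\s*=\s*(?P<val>\d+)")

# Launch folders that installed software rarely uses for autoruns (example's own list).
SUSPECT_DIRS = re.compile(r"\\(temp|programdata)\\", re.IGNORECASE)
# One alphanumeric token of 8+ characters that mixes in digits, e.g. 4ECYTQ9SIC (heuristic).
GENERATED_NAME = re.compile(r"^(?=.*\d)[A-Za-z0-9]{8,}$")

# (policy area, value name) -> (value that weakens the user's security UI, meaning)
WEAK_POLICIES = {
    ("system", "EnableLUA"): ("0", "UAC disabled"),
    ("system", "DisableTaskMgr"): ("1", "Task Manager disabled"),
    ("explorer", "HideSCAHealth"): ("1", "Security Center health icon hidden"),
}


@dataclass
class Finding:
    hive: str
    entry: str
    detail: str
    reasons: List[str] = field(default_factory=list)


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return the autorun and policy entries that deserve a second look."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        run = RUN_RE.match(line)
        if run:
            reasons = []
            if SUSPECT_DIRS.search(run["cmd"]):
                reasons.append("launches from a temp/ProgramData folder")
            if GENERATED_NAME.match(run["name"]):
                reasons.append("autorun name looks machine-generated")
            if reasons:
                findings.append(Finding(HIVES[run["hive"]], run["name"], run["cmd"], reasons))
            continue
        pol = POLICY_RE.match(line)
        if pol:
            weak = WEAK_POLICIES.get((pol["area"].lower(), pol["key"]))
            if weak and pol["val"] == weak[0]:
                entry = f"Policies\\{pol['area']}\\{pol['key']}"
                findings.append(Finding(HIVES[pol["hive"]], entry, f"= {pol['val']}", [weak[1]]))
    return findings


# Sample lines copied from the DDS log posted in the thread.
SAMPLE_DDS = r"""
uRun: [<NO NAME>]
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [Google Update] "c:\users\administrate\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [eRecoveryService]
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [4ECYTQ9SIC] c:\windows\temp\Wqr.exe
dRunOnce: [bM28601GdCnM28601] c:\programdata\bm28601gdcnm28601\bM28601GdCnM28601.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS.splitlines()):
        print(f"{f.hive:<13} {f.entry:<32} {f.detail}")
        for r in f.reasons:
            print(f"{'':<13}   - {r}")
```

Run against the sample, the script reports the two temp/ProgramData autoruns (each also flagged for its generated-looking name) and the three weakened policy values, and stays silent on the vendor autoruns and on EnableUIADesktopToggle, which the table deliberately does not cover. The location test carries most of the weight; the name heuristic is only a tie-breaker, since plenty of legitimate entries have odd names.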




#2 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • OFFLINE
  • Gender:Male
  • Location:South East Asia
  • Local time:11:11 AM

Posted 06 July 2011 - 01:39 AM

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Watch Topic near the top of the page, then select Immediate Notification. Click on Proceed.

Please be patient with me during this time.

Meanwhile, please make a reply to this topic to acknowledge that you have read this and are still with me to tackle the problem until the end. If I do not get any response within 5 days, this topic will be closed. If you have since resolved the original problem you were having, we would appreciate you letting us know.

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#3 Acidline303

Acidline303
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 06 July 2011 - 05:24 PM


Hello. Thanks for the update. I would still greatly appreciate any help. Many of the exe blocker issues have disappeared using SUPERAntiSpyware and TDSSKiller, but there are still popup windows and Google search and other browser hijacks occurring. I can post new logs on request.

#4 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • OFFLINE
  • Gender:Male
  • Location:South East Asia
  • Local time:11:11 AM

Posted 06 July 2011 - 08:35 PM

Hello Acidline303 :),

Welcome to Bleeping Computer. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.
  • Please observe and follow these Board Rules and Terms of Use.
  • Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
  • Please read the instructions carefully and follow them closely, in the order they are presented to you.
  • If you have any doubts or problems during the fix, please stop and ask.
  • All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
  • Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
  • Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
  • Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
  • If you do not reply within 5 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :). We may begin.

--------------------

You have Malwarebytes' Anti-Malware (MBAM) on your machine. I wish to take a look at the most recent log file. Open MBAM and click on the Logs tab. Open the file at the bottom of the list and post the contents back here. If there is no log or you have yet to run MBAM, please let me know.

Since you have run TDSSKiller as well, please post the TDSSKiller log. It is located at C:\ as TDSSKiller.Version_Date_Time_log.txt, for example, C:\TDSSKiller.2.4.12.0_26.12.2010_23.12.11_log.txt.

--------------------

Please uninstall these security programs to prevent interference with the fixes that we are going to perform:
Spybot - Search & Destroy
SUPERAntiSpyware

--------------------

For Windows Vista or Windows 7, please use right click and select Run as administrator instead of double click to run all the tools I ask you to, or they may not work properly.

Please rerun DDS and post back DDS.txt. I would like to have a look at the latest situation as things may have changed after a while since the last log.

--------------------

Please download aswMBR and save it to your desktop. Click here.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it.
  • Click on the Scan button to start. The program will launch a scan.
  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
  • Please post the contents of the log in your next reply.
--------------------

Please post back:
1. previous MBAM result
2. TDSSKiller log
3. fresh DDS.txt
4. aswMBR result

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#5 Acidline303

Acidline303
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 07 July 2011 - 11:21 AM

OK, starting with the MBAM log from 6-30. It's been a while since I ran MBAM.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6990

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

6/30/2011 8:05:07 PM
mbam-log-2011-06-30 (20-05-07).txt

Scan type: Quick scan
Objects scanned: 165082
Time elapsed: 6 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

TDSS log

2011/06/26 13:59:08.0387 6360 TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15
2011/06/26 13:59:09.0011 6360 ================================================================================
2011/06/26 13:59:09.0011 6360 SystemInfo:
2011/06/26 13:59:09.0011 6360
2011/06/26 13:59:09.0011 6360 OS Version: 6.0.6001 ServicePack: 1.0
2011/06/26 13:59:09.0011 6360 Product type: Workstation
2011/06/26 13:59:09.0011 6360 ComputerName: KILLEVERYONE2
2011/06/26 13:59:09.0012 6360 UserName: Administrate
2011/06/26 13:59:09.0012 6360 Windows directory: C:\Windows
2011/06/26 13:59:09.0012 6360 System windows directory: C:\Windows
2011/06/26 13:59:09.0012 6360 Processor architecture: Intel x86
2011/06/26 13:59:09.0012 6360 Number of processors: 1
2011/06/26 13:59:09.0012 6360 Page size: 0x1000
2011/06/26 13:59:09.0012 6360 Boot type: Normal boot
2011/06/26 13:59:09.0012 6360 ================================================================================
2011/06/26 13:59:10.0358 6360 Initialize success
2011/06/26 13:59:17.0363 10756 ================================================================================
2011/06/26 13:59:17.0363 10756 Scan started
2011/06/26 13:59:17.0363 10756 Mode: Manual;
2011/06/26 13:59:17.0363 10756 ================================================================================
2011/06/26 13:59:18.0907 10756 ACPI (fcb8c7210f0135e24c6580f7f649c73c) C:\Windows\system32\drivers\acpi.sys
2011/06/26 13:59:19.0102 10756 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
2011/06/26 13:59:19.0248 10756 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
2011/06/26 13:59:19.0352 10756 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
2011/06/26 13:59:19.0495 10756 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
2011/06/26 13:59:19.0683 10756 AFD (48eb99503533c27ac6135648e5474457) C:\Windows\system32\drivers\afd.sys
2011/06/26 13:59:19.0860 10756 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
2011/06/26 13:59:19.0913 10756 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/06/26 13:59:19.0998 10756 ak1avs (99a047d6056f2dbab9a8d3673623d48c) C:\Windows\system32\Drivers\ak1avs.sys
2011/06/26 13:59:20.0175 10756 ak1usb (fbc0fa45dee3aa2dbfd13e3363785a20) C:\Windows\system32\Drivers\ak1usb.sys
2011/06/26 13:59:20.0414 10756 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
2011/06/26 13:59:20.0465 10756 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
2011/06/26 13:59:20.0515 10756 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
2011/06/26 13:59:20.0666 10756 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
2011/06/26 13:59:20.0743 10756 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys
2011/06/26 13:59:20.0981 10756 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
2011/06/26 13:59:21.0054 10756 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
2011/06/26 13:59:21.0245 10756 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/06/26 13:59:21.0307 10756 atapi (2d9c903dc76a66813d350a562de40ed9) C:\Windows\system32\drivers\atapi.sys
2011/06/26 13:59:21.0547 10756 athr (dcdfc3a5a8b239055aab6bd975ada889) C:\Windows\system32\DRIVERS\athr.sys
2011/06/26 13:59:21.0918 10756 atikmdag (3f785fe4b890ebc17e1f4df684da060d) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/06/26 13:59:23.0447 10756 avgio (6a646c46b9415e13095aa9b352040a7a) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/06/26 13:59:23.0619 10756 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\Windows\system32\DRIVERS\avgntflt.sys
2011/06/26 13:59:23.0702 10756 avipbb (5fedef54757b34fb611b9ec8fb399364) C:\Windows\system32\DRIVERS\avipbb.sys
2011/06/26 13:59:23.0876 10756 BCM43XV (cf6a67c90951e3e763d2135dede44b85) C:\Windows\system32\DRIVERS\bcmwl6.sys
2011/06/26 13:59:24.0061 10756 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/06/26 13:59:24.0202 10756 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2011/06/26 13:59:24.0354 10756 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/06/26 13:59:24.0411 10756 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/06/26 13:59:24.0481 10756 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/06/26 13:59:24.0640 10756 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/06/26 13:59:24.0682 10756 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/06/26 13:59:24.0720 10756 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/06/26 13:59:24.0770 10756 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/06/26 13:59:24.0992 10756 Cam5603D (d55f57bf8717c0c0870c771d6e921af8) C:\Windows\system32\Drivers\BisonCam.sys
2011/06/26 13:59:25.0192 10756 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/06/26 13:59:25.0275 10756 cdrom (1ec25cea0de6ac4718bf89f9e1778b57) C:\Windows\system32\DRIVERS\cdrom.sys
2011/06/26 13:59:25.0463 10756 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
2011/06/26 13:59:25.0528 10756 CLFS (465745561c832b29f7c48b488aab3842) C:\Windows\system32\CLFS.sys
2011/06/26 13:59:25.0751 10756 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/06/26 13:59:25.0805 10756 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
2011/06/26 13:59:25.0848 10756 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2011/06/26 13:59:25.0898 10756 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
2011/06/26 13:59:25.0959 10756 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
2011/06/26 13:59:26.0196 10756 DfsC (9e635ae5e8ad93e2b5989e2e23679f97) C:\Windows\system32\Drivers\dfsc.sys
2011/06/26 13:59:26.0432 10756 disk (64109e623abd6955c8fb110b592e68b7) C:\Windows\system32\drivers\disk.sys
2011/06/26 13:59:26.0493 10756 DKbFltr (73baf270d24fe726b9cd7f80bb17a23d) C:\Windows\system32\DRIVERS\DKbFltr.sys
2011/06/26 13:59:26.0632 10756 DritekPortIO (5c918d413f5837e67a85775c9873775e) C:\PROGRA~1\LAUNCH~1\DPortIO.sys
2011/06/26 13:59:26.0784 10756 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/06/26 13:59:26.0870 10756 DXGKrnl (85f33880b8cfb554bd3d9ccdb486845a) C:\Windows\System32\drivers\dxgkrnl.sys
2011/06/26 13:59:27.0102 10756 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/06/26 13:59:27.0232 10756 Ecache (dd2cd259d83d8b72c02c5f2331ff9d68) C:\Windows\system32\drivers\ecache.sys
2011/06/26 13:59:27.0437 10756 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2011/06/26 13:59:27.0632 10756 EMSCR (1fa3f9df8983873746fa6b72dd7e3c2c) C:\Windows\system32\DRIVERS\EMS7SK.sys
2011/06/26 13:59:27.0702 10756 ESDCR (9c7487253aad6bf61f9bc83d50e32ccc) C:\Windows\system32\DRIVERS\ESD7SK.sys
2011/06/26 13:59:27.0754 10756 ESMCR (99589d975da04f8bd31f124428fcc797) C:\Windows\system32\DRIVERS\ESM7SK.sys
2011/06/26 13:59:27.0971 10756 exfat (0d858eb20589a34efb25695acaa6aa2d) C:\Windows\system32\drivers\exfat.sys
2011/06/26 13:59:28.0026 10756 fastfat (3c489390c2e2064563727752af8eab9e) C:\Windows\system32\drivers\fastfat.sys
2011/06/26 13:59:28.0097 10756 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
2011/06/26 13:59:28.0283 10756 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/06/26 13:59:28.0355 10756 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/06/26 13:59:28.0541 10756 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/06/26 13:59:28.0605 10756 FltMgr (05ea53afe985443011e36dab07343b46) C:\Windows\system32\drivers\fltmgr.sys
2011/06/26 13:59:28.0680 10756 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/06/26 13:59:28.0837 10756 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2011/06/26 13:59:29.0074 10756 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2011/06/26 13:59:29.0160 10756 HDAudBus (c87b1ee051c0464491c1a7b03fa0bc99) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/06/26 13:59:29.0303 10756 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/06/26 13:59:29.0350 10756 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/06/26 13:59:29.0438 10756 HidUsb (854ca287ab7faf949617a788306d967e) C:\Windows\system32\DRIVERS\hidusb.sys
2011/06/26 13:59:29.0615 10756 hotcore3 (1bdaa8baf47f4cd68f4ee65f49302db8) C:\Windows\system32\DRIVERS\hotcore3.sys
2011/06/26 13:59:29.0676 10756 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2011/06/26 13:59:29.0830 10756 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
2011/06/26 13:59:29.0936 10756 HSF_DPV (53229dcf431d76434816cd29251168a0) C:\Windows\system32\DRIVERS\HSX_DPV.sys
2011/06/26 13:59:30.0107 10756 HSXHWAZL (31f949d452201f2f0af0c88d7db512cd) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
2011/06/26 13:59:30.0192 10756 HTTP (96e241624c71211a79c84f50a8e71cab) C:\Windows\system32\drivers\HTTP.sys
2011/06/26 13:59:30.0341 10756 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2011/06/26 13:59:30.0477 10756 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/06/26 13:59:30.0626 10756 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2011/06/26 13:59:30.0711 10756 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/06/26 13:59:30.0833 10756 int15 (9d64201c9e5ac8d1f088762ba00ff3ab) C:\Acer\Empowering Technology\eRecovery\int15.sys
2011/06/26 13:59:31.0053 10756 IntcAzAudAddService (04bef1c4aa990e0d5851c7532fc8642c) C:\Windows\system32\drivers\RTKVHDA.sys
2011/06/26 13:59:31.0238 10756 intelide (97469037714070e45194ed318d636401) C:\Windows\system32\drivers\intelide.sys
2011/06/26 13:59:31.0316 10756 intelppm (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys
2011/06/26 13:59:31.0505 10756 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/06/26 13:59:31.0616 10756 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2011/06/26 13:59:31.0679 10756 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/06/26 13:59:31.0873 10756 irda (e50a95179211b12946f7e035d60af560) C:\Windows\system32\DRIVERS\irda.sys
2011/06/26 13:59:31.0931 10756 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/06/26 13:59:31.0996 10756 irsir (d04da73127ffed720dfc4eb673a23e04) C:\Windows\system32\DRIVERS\irsir.sys
2011/06/26 13:59:32.0160 10756 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
2011/06/26 13:59:32.0229 10756 iScsiPrt (f247eec28317f6c739c16de420097301) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/06/26 13:59:32.0281 10756 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/06/26 13:59:32.0663 10756 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/06/26 13:59:33.0026 10756 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/06/26 13:59:33.0361 10756 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/06/26 13:59:33.0808 10756 kore2avs (f4113231a526f7f7a3242048c3c2a67c) C:\Windows\system32\Drivers\kore2avs.sys
2011/06/26 13:59:34.0281 10756 kore2usb (8481f266d67ce78e130ef63d29ab6e95) C:\Windows\system32\Drivers\kore2usb.sys
2011/06/26 13:59:34.0810 10756 KSecDD (7a0cf7908b6824d6a2a1d313e5ae3dca) C:\Windows\system32\Drivers\ksecdd.sys
2011/06/26 13:59:35.0352 10756 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/06/26 13:59:35.0553 10756 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2011/06/26 13:59:35.0604 10756 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2011/06/26 13:59:35.0659 10756 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2011/06/26 13:59:35.0729 10756 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/06/26 13:59:35.0918 10756 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
2011/06/26 13:59:36.0004 10756 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2011/06/26 13:59:36.0204 10756 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/06/26 13:59:36.0271 10756 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/06/26 13:59:36.0308 10756 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/06/26 13:59:36.0482 10756 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2011/06/26 13:59:36.0540 10756 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/06/26 13:59:36.0599 10756 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2011/06/26 13:59:36.0769 10756 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/06/26 13:59:36.0849 10756 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/06/26 13:59:36.0998 10756 MRxDAV (ae3de84536b6799d2267443cec8edbb9) C:\Windows\system32\drivers\mrxdav.sys
2011/06/26 13:59:37.0066 10756 mrxsmb (5734a0f2be7e495f7d3ed6efd4b9f5a1) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/06/26 13:59:37.0125 10756 mrxsmb10 (cf6e972f8e0d0f2970360a17572b366b) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/06/26 13:59:37.0209 10756 mrxsmb20 (5c80d8159181c7abf1b14ba703b01e0b) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/06/26 13:59:37.0338 10756 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
2011/06/26 13:59:37.0418 10756 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2011/06/26 13:59:37.0598 10756 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/06/26 13:59:37.0672 10756 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/06/26 13:59:37.0767 10756 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/06/26 13:59:37.0913 10756 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/06/26 13:59:38.0042 10756 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/06/26 13:59:38.0178 10756 MsRPC (b5614aecb05a9340aa0fb55bf561cc63) C:\Windows\system32\drivers\MsRPC.sys
2011/06/26 13:59:38.0313 10756 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/06/26 13:59:38.0372 10756 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/06/26 13:59:38.0552 10756 Mup (6dfd1d322de55b0b7db7d21b90bec49c) C:\Windows\system32\Drivers\mup.sys
2011/06/26 13:59:38.0665 10756 NativeWifiP (3c21ce48ff529bb73dadb98770b54025) C:\Windows\system32\DRIVERS\nwifi.sys
2011/06/26 13:59:38.0835 10756 NDIS (9bdc71790fa08f0a0b5f10462b1bd0b1) C:\Windows\system32\drivers\ndis.sys
2011/06/26 13:59:39.0019 10756 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/06/26 13:59:39.0085 10756 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/06/26 13:59:39.0288 10756 NdisWan (3d14c3b3496f88890d431e8aa022a411) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/06/26 13:59:39.0348 10756 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/06/26 13:59:39.0411 10756 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/06/26 13:59:39.0618 10756 netbt (7c5fee5b1c5728507cd96fb4a13e7a02) C:\Windows\system32\DRIVERS\netbt.sys
2011/06/26 13:59:39.0715 10756 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/06/26 13:59:39.0937 10756 Npfs (ecb5003f484f9ed6c608d6d6c7886cbb) C:\Windows\system32\drivers\Npfs.sys
2011/06/26 13:59:40.0050 10756 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/06/26 13:59:40.0307 10756 Ntfs (b4effe29eb4f15538fd8a9681108492d) C:\Windows\system32\drivers\Ntfs.sys
2011/06/26 13:59:40.0506 10756 NTIDrvr (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\Windows\system32\DRIVERS\NTIDrvr.sys
2011/06/26 13:59:40.0599 10756 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/06/26 13:59:40.0848 10756 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/06/26 13:59:41.0229 10756 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
2011/06/26 13:59:41.0628 10756 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
2011/06/26 13:59:41.0700 10756 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
2011/06/26 13:59:42.0390 10756 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/06/26 13:59:42.0769 10756 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2011/06/26 13:59:43.0093 10756 partmgr (3b38467e7c3daed009dfe359e17f139f) C:\Windows\system32\drivers\partmgr.sys
2011/06/26 13:59:43.0353 10756 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2011/06/26 13:59:43.0693 10756 pci (01b94418deb235dff777cc80076354b4) C:\Windows\system32\drivers\pci.sys
2011/06/26 13:59:44.0081 10756 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
2011/06/26 13:59:44.0419 10756 pcmcia (b7c5a8769541900f6dfa6fe0c5e4d513) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/06/26 13:59:44.0856 10756 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/06/26 13:59:45.0285 10756 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/06/26 13:59:45.0598 10756 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2011/06/26 13:59:45.0882 10756 PSched (bfef604508a0ed1eae2a73e872555ffb) C:\Windows\system32\DRIVERS\pacer.sys
2011/06/26 13:59:46.0139 10756 pwdrvio (31c396331f61990ce235b046a03be0a1) C:\Windows\system32\pwdrvio.sys
2011/06/26 13:59:46.0425 10756 pwdspio (cee974ef297015b9600dcd16a82821b4) C:\Windows\system32\pwdspio.sys
2011/06/26 13:59:46.0867 10756 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2011/06/26 13:59:47.0231 10756 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/06/26 13:59:47.0511 10756 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/06/26 13:59:48.0318 10756 R300 (3f785fe4b890ebc17e1f4df684da060d) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/06/26 13:59:48.0695 10756 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/06/26 13:59:48.0874 10756 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/06/26 13:59:49.0237 10756 RasPppoe (3e9d9b048107b40d87b97df2e48e0744) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/06/26 13:59:49.0544 10756 RasSstp (a7d141684e9500ac928a772ed8e6b671) C:\Windows\system32\DRIVERS\rassstp.sys
2011/06/26 13:59:49.0874 10756 rdbss (6e1c5d0457622f9ee35f683110e93d14) C:\Windows\system32\DRIVERS\rdbss.sys
2011/06/26 13:59:50.0243 10756 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/06/26 13:59:50.0567 10756 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
2011/06/26 13:59:50.0883 10756 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/06/26 13:59:51.0208 10756 RDPWD (e1c18f4097a5abcec941dc4b2f99db7e) C:\Windows\system32\drivers\RDPWD.sys
2011/06/26 13:59:51.0572 10756 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/06/26 13:59:51.0768 10756 RTL8023xp (166911eada13cd34dd8f8c667707be94) C:\Windows\system32\DRIVERS\Rtnicxp.sys
2011/06/26 13:59:51.0829 10756 RTL8169 (ec8bd9a495dd4231553b8f9258ca3b2a) C:\Windows\system32\DRIVERS\Rtlh86.sys
2011/06/26 13:59:51.0938 10756 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/06/26 13:59:52.0020 10756 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/06/26 13:59:52.0198 10756 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/06/26 13:59:52.0295 10756 sdbus (126ea89bcc413ee45e3004fb0764888f) C:\Windows\system32\DRIVERS\sdbus.sys
2011/06/26 13:59:52.0358 10756 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/06/26 13:59:52.0537 10756 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2011/06/26 13:59:52.0748 10756 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2011/06/26 13:59:52.0935 10756 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/06/26 13:59:53.0048 10756 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
2011/06/26 13:59:53.0100 10756 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
2011/06/26 13:59:53.0282 10756 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
2011/06/26 13:59:53.0346 10756 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/06/26 13:59:53.0441 10756 SI3112 (f459dd5ee69d4b68cb6767c9731b5faf) C:\Windows\system32\DRIVERS\SI3112.sys
2011/06/26 13:59:53.0619 10756 SiFilter (96b43459e9bd1dad1873a47ddde9bdf4) C:\Windows\system32\DRIVERS\SiWinAcc.sys
2011/06/26 13:59:53.0685 10756 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
2011/06/26 13:59:53.0733 10756 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2011/06/26 13:59:53.0781 10756 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2011/06/26 13:59:54.0101 10756 Smb (031e6bcd53c9b2b9ace111eafec347b6) C:\Windows\system32\DRIVERS\smb.sys
2011/06/26 13:59:54.0686 10756 SMSCIRDA (ced16c76469ba00e2ab310857cd4c767) C:\Windows\system32\DRIVERS\SMSCirda.sys
2011/06/26 13:59:55.0072 10756 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/06/26 13:59:55.0427 10756 srv (8e5fc19b3b38364c5f44ccecec5248e9) C:\Windows\system32\DRIVERS\srv.sys
2011/06/26 13:59:55.0900 10756 srv2 (4ceeb95e0b79e48b81f2da0a6c24c64b) C:\Windows\system32\DRIVERS\srv2.sys
2011/06/26 13:59:56.0205 10756 srvnet (f9c65e1e00a6bbf7c57d9b8ea068c525) C:\Windows\system32\DRIVERS\srvnet.sys
2011/06/26 13:59:56.0642 10756 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\Windows\system32\DRIVERS\ssmdrv.sys
2011/06/26 13:59:57.0029 10756 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/06/26 13:59:57.0570 10756 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/06/26 13:59:57.0878 10756 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/06/26 13:59:58.0029 10756 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/06/26 13:59:58.0265 10756 SynTP (f7a4250bb3e3afcd4af100e551509352) C:\Windows\system32\DRIVERS\SynTP.sys
2011/06/26 13:59:58.0982 10756 Tcpip (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\drivers\tcpip.sys
2011/06/26 13:59:59.0749 10756 Tcpip6 (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\DRIVERS\tcpip.sys
2011/06/26 14:00:00.0181 10756 tcpipreg (d4a2e4a4b011f3a883af77315a5ae76b) C:\Windows\system32\drivers\tcpipreg.sys
2011/06/26 14:00:00.0570 10756 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/06/26 14:00:00.0946 10756 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/06/26 14:00:01.0332 10756 tdx (d09276b1fab033ce1d40dcbdf303d10f) C:\Windows\system32\DRIVERS\tdx.sys
2011/06/26 14:00:01.0886 10756 TermDD (a048056f5e1a96a9bf3071b91741a5aa) C:\Windows\system32\DRIVERS\termdd.sys
2011/06/26 14:00:02.0246 10756 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/06/26 14:00:02.0843 10756 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/06/26 14:00:03.0315 10756 tunnel (6042505ff6fa9ac1ef7684d0e03b6940) C:\Windows\system32\DRIVERS\tunnel.sys
2011/06/26 14:00:03.0819 10756 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
2011/06/26 14:00:04.0148 10756 udfs (8b5088058fa1d1cd897a2113ccff6c58) C:\Windows\system32\DRIVERS\udfs.sys
2011/06/26 14:00:04.0322 10756 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
2011/06/26 14:00:04.0457 10756 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2011/06/26 14:00:04.0569 10756 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/06/26 14:00:04.0682 10756 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/06/26 14:00:04.0752 10756 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/06/26 14:00:04.0910 10756 usbaudio (292a25bb75a568ae2c67169ba2c6365a) C:\Windows\system32\drivers\usbaudio.sys
2011/06/26 14:00:05.0038 10756 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/06/26 14:00:05.0107 10756 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/06/26 14:00:05.0255 10756 usbehci (cebe90821810e76320155beba722fcf9) C:\Windows\system32\DRIVERS\usbehci.sys
2011/06/26 14:00:05.0324 10756 usbhub (cc6b28e4ce39951357963119ce47b143) C:\Windows\system32\DRIVERS\usbhub.sys
2011/06/26 14:00:05.0441 10756 usbohci (7bdb7b0e7d45ac0402d78b90789ef47c) C:\Windows\system32\DRIVERS\usbohci.sys
2011/06/26 14:00:05.0668 10756 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys
2011/06/26 14:00:05.0779 10756 USBSTOR (87ba6b83c5d19b69160968d07d6e2982) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/06/26 14:00:05.0962 10756 usbuhci (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/06/26 14:00:06.0054 10756 usb_rndisx (ee181a08e09db23cf4a49b46a1e66bb8) C:\Windows\system32\DRIVERS\usb8023x.sys
2011/06/26 14:00:06.0366 10756 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/06/26 14:00:06.0768 10756 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/06/26 14:00:06.0929 10756 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
2011/06/26 14:00:06.0988 10756 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2011/06/26 14:00:07.0064 10756 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
2011/06/26 14:00:07.0222 10756 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/06/26 14:00:07.0508 10756 volmgrx (98f5ffe6316bd74e9e2c97206c190196) C:\Windows\system32\drivers\volmgrx.sys
2011/06/26 14:00:07.0636 10756 volsnap (d8b4a53dd2769f226b3eb374374987c9) C:\Windows\system32\drivers\volsnap.sys
2011/06/26 14:00:07.0728 10756 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2011/06/26 14:00:07.0840 10756 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/06/26 14:00:08.0140 10756 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/06/26 14:00:08.0231 10756 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/06/26 14:00:08.0529 10756 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2011/06/26 14:00:08.0663 10756 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2011/06/26 14:00:09.0019 10756 winachsf (6d2350bb6e77e800fc4be4e5b7a2e89a) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
2011/06/26 14:00:09.0584 10756 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/06/26 14:00:10.0105 10756 WpdUsb (0cec23084b51b8288099eb710224e955) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/06/26 14:00:10.0321 10756 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/06/26 14:00:10.0445 10756 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/06/26 14:00:10.0611 10756 XAudio (5a7ff9a18ff6d7e0527fe3abf9204ef8) C:\Windows\system32\DRIVERS\xaudio.sys
2011/06/26 14:00:10.0744 10756 MBR (0x1B8) (9a60a21600304533d523088c7b447e29) \Device\Harddisk0\DR0
2011/06/26 14:00:10.0759 10756 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/06/26 14:00:10.0774 10756 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk1\DR1
2011/06/26 14:00:10.0794 10756 ================================================================================
2011/06/26 14:00:10.0794 10756 Scan finished
2011/06/26 14:00:10.0794 10756 ================================================================================
2011/06/26 14:00:10.0808 12872 Detected object count: 1
2011/06/26 14:00:10.0808 12872 Actual detected object count: 1
2011/06/26 14:00:23.0576 12872 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/06/26 14:00:23.0576 12872 \Device\Harddisk0\DR0 - ok
2011/06/26 14:00:23.0631 12872 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/06/26 14:00:50.0387 9024 Deinitialize success



DDS Log

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_26
Run by Administrate at 10:46:08 on 2011-07-07
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.893.170 [GMT -5:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Secunia\PSI\sua.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Creative\MediaSource5\CTDetctu.exe
C:\Program Files\Native Instruments\Audio Kontrol 1\Audio Kontrol 1.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Creative\Software Update 3\SoftAuto.exe
C:\ProgramData\U3\U3Launcher\LaunchU3.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Windows\system32\REGSVR32.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://en.us.acer.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [Creative Detector U] "c:\program files\creative\mediasource5\CTDetctu.exe" /R
uRun: [Audio Kontrol 1] c:\program files\native instruments\audio kontrol 1\Audio Kontrol 1.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SoftAuto.exe] "c:\program files\creative\software update 3\SoftAuto.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\launch~1.lnk - c:\windows\installer\{d8e363a7-88b7-446d-b2c0-e26ce4dc8e54}\_294823.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{0DCE61E6-5F1F-464E-A203-0B7D4BB765E8} : DhcpNameServer = 192.168.1.1
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\administrate\appdata\roaming\mozilla\firefox\profiles\sf2bkkyo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\administrate\appdata\local\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\users\administrate\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\administrate\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Aero Fox: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2011-6-19 57312]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-11-26 21504]
R2 NIHardwareService;NIHardwareService;c:\program files\common files\native instruments\hardware\NIHardwareService.exe [2010-3-25 3622912]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-19 399416]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-21 136176]
S3 ak1avs;ak1avs;c:\windows\system32\drivers\ak1avs.sys [2010-7-26 25088]
S3 ak1usb;ak1usb;c:\windows\system32\drivers\ak1usb.sys [2010-7-26 84992]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
S3 kore2avs;kore2avs;c:\windows\system32\drivers\kore2avs.sys [2009-10-8 35408]
S3 kore2usb;kore2usb;c:\windows\system32\drivers\kore2usb.sys [2009-10-8 276432]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-11-26 21504]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2011-6-19 16472]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2011-6-19 11104]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]
S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\drivers\smscirda.sys [2007-3-10 31232]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-07-04 14:12:15 -------- d-----w- c:\program files\UltraISO
2011-07-04 14:12:15 -------- d-----w- c:\program files\common files\EZB Systems
2011-07-04 13:48:56 -------- d-----w- C:\pebuilder3110a
2011-07-03 22:02:59 -------- d-----w- c:\programdata\U3
2011-07-02 22:25:01 -------- d-----w- c:\users\administrate\appdata\roaming\NetMedia Providers
2011-07-02 22:20:24 -------- d-----w- c:\program files\Sony
2011-07-02 22:18:51 -------- d-----w- c:\program files\Sony Setup
2011-07-02 22:01:00 -------- d-----w- c:\users\administrate\appdata\local\Sony
2011-07-02 16:43:17 -------- d-sh--w- C:\$RECYCLE.BIN
2011-07-02 16:43:01 -------- d-----w- c:\users\administrate\appdata\local\temp
2011-07-02 15:47:02 98816 ----a-w- c:\windows\sed.exe
2011-07-02 15:47:02 518144 ----a-w- c:\windows\SWREG.exe
2011-07-02 15:47:02 256000 ----a-w- c:\windows\PEV.exe
2011-07-02 15:47:02 208896 ----a-w- c:\windows\MBR.exe
2011-07-02 15:45:50 -------- d-----w- C:\ComboFix
2011-07-01 04:51:17 -------- d-----w- c:\program files\ESET
2011-07-01 01:40:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-01 01:19:08 -------- d-----w- c:\users\administrate\appdata\local\Secunia PSI
2011-07-01 01:18:59 -------- d-----w- c:\program files\Secunia
2011-07-01 00:57:25 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-27 03:53:31 -------- d-----w- c:\programdata\PMS
2011-06-27 03:53:11 -------- d-----w- c:\program files\PS3 Media Server
2011-06-26 19:34:48 -------- dc----w- c:\programdata\{4A818508-3355-4FBC-B302-D53B599DD9D5}
2011-06-24 04:58:36 -------- d-----w- c:\programdata\{26D901A1-2540-4430-81DC-0317F01BD7BE}
2011-06-24 04:56:46 -------- d-----w- c:\programdata\{C17AF831-2435-4E42-AE5D-EF8ACAC1285F}
2011-06-24 04:34:13 231936 ----a-w- c:\windows\system32\msshsq.dll
2011-06-24 04:13:13 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-06-24 04:11:39 40448 ----a-w- c:\windows\system32\winrs.exe
2011-06-24 04:11:39 20480 ----a-w- c:\windows\system32\winrshost.exe
2011-06-24 04:11:39 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2011-06-24 04:11:32 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
2011-06-24 04:11:32 10240 ----a-w- c:\windows\system32\winrssrv.dll
2011-06-24 04:11:11 81408 ----a-w- c:\windows\system32\wevtfwd.dll
2011-06-24 04:11:11 79872 ----a-w- c:\windows\system32\wecutil.exe
2011-06-24 04:11:11 56320 ----a-w- c:\windows\system32\wecapi.dll
2011-06-24 04:11:10 146944 ----a-w- c:\windows\system32\wecsvc.dll
2011-06-24 04:11:09 54272 ----a-w- c:\windows\system32\WsmRes.dll
2011-06-24 04:11:08 41472 ----a-w- c:\windows\system32\pwrshplugin.dll
2011-06-24 04:10:24 201184 ----a-w- c:\windows\system32\winrm.vbs
2011-06-24 04:10:16 145408 ----a-w- c:\windows\system32\WsmAuto.dll
2011-06-24 04:10:15 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
2011-06-24 04:10:14 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2011-06-24 04:10:14 241152 ----a-w- c:\windows\system32\winrscmd.dll
2011-06-24 04:10:13 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2011-06-24 04:10:12 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2011-06-24 04:05:33 10926592 ----a-w- c:\program files\movie maker\MOVIEMK.dll
2011-06-24 04:05:31 150016 ----a-w- c:\program files\movie maker\MOVIEMK.exe
2011-06-24 04:02:03 1257472 ----a-w- c:\windows\system32\msxml3.dll
2011-06-24 04:00:35 157184 ----a-w- c:\windows\system32\t2embed.dll
2011-06-24 04:00:31 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-24 04:00:27 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-06-24 04:00:26 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-06-24 03:59:55 81920 ----a-w- c:\windows\system32\consent.exe
2011-06-24 03:59:39 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-06-24 03:59:38 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-06-24 03:59:27 430080 ----a-w- c:\windows\system32\vbscript.dll
2011-06-24 03:59:22 563200 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-24 03:57:26 738816 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-24 03:57:12 345088 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-06-24 03:57:11 603648 ----a-w- c:\windows\system32\schedsvc.dll
2011-06-24 03:57:11 171520 ----a-w- c:\windows\system32\taskeng.exe
2011-06-24 03:57:10 357376 ----a-w- c:\windows\system32\taskschd.dll
2011-06-24 03:57:10 270336 ----a-w- c:\windows\system32\taskcomp.dll
2011-06-24 03:54:33 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-24 03:54:33 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-24 03:54:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-24 03:54:30 954752 ----a-w- c:\windows\system32\mfc40.dll
2011-06-24 03:54:30 954288 ----a-w- c:\windows\system32\mfc40u.dll
2011-06-24 03:54:25 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-23 19:33:34 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-06-23 19:15:36 531968 ----a-w- c:\windows\system32\comctl32.dll
2011-06-23 18:57:28 -------- d-----w- c:\programdata\bM28601GdCnM28601
2011-06-22 04:01:39 -------- d-----w- C:\!KillBox
2011-06-21 23:57:02 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-06-21 10:43:26 -------- d-----w- c:\windows\PIF
2011-06-21 06:55:47 -------- d-----w- c:\programdata\oK28601FfElP28601
2011-06-19 16:13:43 -------- d-----w- c:\program files\PowerDataRecovery
2011-06-19 15:56:05 747592 ----a-w- c:\windows\system32\pwNative.exe
2011-06-19 15:56:05 16472 ------w- c:\windows\system32\pwdrvio.sys
2011-06-19 15:56:02 11104 ------w- c:\windows\system32\pwdspio.sys
2011-06-19 15:55:50 -------- d-----w- c:\program files\MiniTool Partition Wizard Home Edition 6.0
2011-06-19 15:50:15 -------- d-----w- c:\programdata\createpart
2011-06-19 15:49:13 -------- d-----w- c:\programdata\deletepart
2011-06-19 15:48:59 -------- d-----w- c:\programdata\explauncher
2011-06-19 15:48:57 -------- d-----w- c:\programdata\launcher
2011-06-19 15:45:00 57312 ----a-w- c:\windows\system32\drivers\hotcore3.sys
2011-06-19 15:44:26 -------- d-----w- c:\program files\Paragon Software
.
==================== Find3M ====================
.
2011-05-18 00:03:48 249936 ----a-w- c:\windows\system32\prgiso.dll
2011-05-04 09:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 10:52:33.85 ===============



aswMBR log to follow



Edited by Acidline303, 07 July 2011 - 11:24 AM.


#6 Acidline303

Acidline303
  • Topic Starter

  • Members
  • 16 posts

Posted 07 July 2011 - 12:56 PM

aswMBR log

aswMBR version 0.9.7.705 Copyright© 2011 AVAST Software
Run date: 2011-07-07 10:59:23
-----------------------------
10:59:23.404 OS Version: Windows 6.0.6001 Service Pack 1
10:59:23.404 Number of processors: 1 586 0x4C02
10:59:23.405 ComputerName: KILLEVERYONE2 UserName: Administrate
10:59:24.999 Initialize success
11:00:39.251 AVAST engine defs: 11070700
11:00:54.110 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\SI31121Port2Path0Target0Lun0
11:00:54.113 Disk 0 Vendor: Hitachi_ SBDO Size: 114473MB BusType: 11
11:00:54.116 Device \Driver\SI3112 -> DriverStartIo SCSIPORT.SYS 8258f931
11:00:54.134 Disk 0 MBR read successfully
11:00:54.137 Disk 0 MBR scan
11:00:54.143 Disk 0 unknown MBR code
11:00:54.146 Disk 0 MBR hidden
11:00:54.152 Disk 0 scanning sectors +234436545
11:00:54.209 Disk 0 scanning C:\Windows\system32\drivers
11:01:11.979 Service scanning
11:01:14.522 Disk 0 trace - called modules:
11:01:14.543 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x847cdf16]<<
11:01:14.548 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x847b2030]
11:01:14.571 3 CLASSPNP.SYS[863a5745] -> nt!IofCallDriver -> [0x83a75830]
11:01:14.576 5 acpi.sys[824116a0] -> nt!IofCallDriver -> \Device\Scsi\SI31121Port2Path0Target0Lun0[0x84418030]
11:01:14.582 \Driver\SI3112[0x83a75f38] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x847cdf16
11:01:15.834 AVAST engine scan C:\Windows
12:31:44.300 AVAST engine scan C:\Users\Administrate
12:50:31.226 AVAST engine scan C:\ProgramData
12:54:21.253 Scan finished successfully
12:55:19.874 Disk 0 MBR has been saved successfully to "C:\Users\Administrate\Desktop\MBR.dat"
12:55:19.896 The log file has been saved successfully to "C:\Users\Administrate\Desktop\aswMBR.txt"

#7 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 07 July 2011 - 06:52 PM

Hello Acidline303 :),

I see signs of Combofix on your computer.

While you may see ComboFix being used quite often and without incident, the tool should not be run unsupervised (as stated in the Disclaimer that is first displayed by ComboFix when you run the tool).

Going forward, I highly recommend you heed such instructions.

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there are any rootkits present and how they could affect our tools. Thus, we use preliminary scans like DDS and GMER and their logs to map our strategy for attack.

With these logs, we can determine the infections present and decide whether to deploy ComboFix.


That said, the log it produced contains valuable information. Kindly post the ComboFix log, C:\ComboFix.txt.

--------------------

Delete the TDSSKiller copy that you have and download a new copy. Please save it to your desktop. Click here.
  • Alternatively, you may get the zip version and extract the file to the desktop.
  • Double click on TDSSKiller.exe to execute it.
  • Press Start scan to begin.
  • If anything is found, please change all the actions to Skip only. <-- Important, please select Skip only, DO NOT Cure yet.
  • Then click on Continue at the lower right corner.
  • You may be prompted to reboot your computer, please consent.
  • Once complete, a log will be produced at C:\. It will be named TDSSKiller.Version_Date_Time_log.txt, for example, C:\TDSSKiller.2.4.12.0_26.12.2010_23.12.11_log.txt.
  • Please post the contents of this log.
--------------------

Please post back:
1. ComboFix log
2. fresh TDSSKiller log

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#8 Acidline303

Acidline303
  • Topic Starter

  • Members
  • 16 posts

Posted 07 July 2011 - 08:52 PM

Understood. Unfortunately, I have not been able to run TDSSKiller since the very first time. I have deleted all previous copies and extracted from the zip to the desktop. There is simply no response after clicking on the icon or selecting "run as admin".

The newer symptom of the problem is that now IExplorer will open hidden in the task manager, eventually give a crash notice, but remain active using up CPU cycles.




Combofix log

ComboFix 11-07-01.02 - Administrate 07/02/2011 10:55:54.1.1 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.893.420 [GMT -5:00]
Running from: c:\users\Administrate\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
.
----- BITS: Possible infected sites -----
.
hxxp://apnmedia.ask.com
.
((((((((((((((((((((((((( Files Created from 2011-06-02 to 2011-07-02 )))))))))))))))))))))))))))))))
.
.
2011-07-02 16:24 . 2011-07-02 16:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-02 16:24 . 2011-07-02 16:25 -------- d-----w- c:\users\Administrate\AppData\Local\temp
2011-07-02 16:24 . 2011-07-02 16:24 -------- d-----w- c:\users\DJ\AppData\Local\temp
2011-07-02 15:41 . 2011-07-02 15:45 -------- d-----w- C:\32788R22FWJFW
2011-07-01 04:51 . 2011-07-01 04:51 -------- d-----w- c:\program files\ESET
2011-07-01 02:16 . 2011-07-01 02:16 -------- d-----w- c:\users\DJ\AppData\Local\Secunia PSI
2011-07-01 01:40 . 2011-07-01 01:40 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-01 01:19 . 2011-07-01 01:19 -------- d-----w- c:\users\Administrate\AppData\Local\Secunia PSI
2011-07-01 01:18 . 2011-07-01 01:18 -------- d-----w- c:\program files\Secunia
2011-07-01 01:00 . 2011-07-01 01:00 -------- d-----w- c:\programdata\WindowsSearch
2011-07-01 00:57 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-01 00:32 . 2011-07-01 00:32 -------- d-----w- c:\users\Administrate\AppData\Roaming\SUPERAntiSpyware.com
2011-07-01 00:32 . 2011-07-01 00:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-27 03:53 . 2011-06-27 03:54 -------- d-----w- c:\programdata\PMS
2011-06-27 03:53 . 2011-06-29 04:00 -------- d-----w- c:\program files\PS3 Media Server
2011-06-26 19:34 . 2011-06-26 19:34 -------- dc----w- c:\programdata\{4A818508-3355-4FBC-B302-D53B599DD9D5}
2011-06-24 04:58 . 2011-06-24 04:58 -------- d-----w- c:\programdata\{26D901A1-2540-4430-81DC-0317F01BD7BE}
2011-06-24 04:56 . 2011-06-24 06:15 -------- d-----w- c:\programdata\{C17AF831-2435-4E42-AE5D-EF8ACAC1285F}
2011-06-24 04:34 . 2010-09-20 09:25 231936 ----a-w- c:\windows\system32\msshsq.dll
2011-06-24 04:13 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-06-24 04:11 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2011-06-24 04:11 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
2011-06-24 04:11 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
2011-06-24 04:11 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
2011-06-24 04:11 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\winrssrv.dll
2011-06-24 04:11 . 2009-10-09 21:55 79872 ----a-w- c:\windows\system32\wecutil.exe
2011-06-24 04:11 . 2009-10-09 21:55 81408 ----a-w- c:\windows\system32\wevtfwd.dll
2011-06-24 04:11 . 2009-10-09 21:55 56320 ----a-w- c:\windows\system32\wecapi.dll
2011-06-24 04:11 . 2009-10-09 21:55 146944 ----a-w- c:\windows\system32\wecsvc.dll
2011-06-24 04:11 . 2009-10-09 21:55 54272 ----a-w- c:\windows\system32\WsmRes.dll
2011-06-24 04:11 . 2009-10-09 21:56 41472 ----a-w- c:\windows\system32\pwrshplugin.dll
2011-06-24 04:10 . 2009-08-01 06:27 201184 ----a-w- c:\windows\system32\winrm.vbs
2011-06-24 04:10 . 2009-10-09 21:56 145408 ----a-w- c:\windows\system32\WsmAuto.dll
2011-06-24 04:10 . 2009-10-09 21:56 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
2011-06-24 04:10 . 2009-10-09 21:56 241152 ----a-w- c:\windows\system32\winrscmd.dll
2011-06-24 04:10 . 2009-10-09 21:55 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2011-06-24 04:10 . 2009-10-09 21:56 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2011-06-24 04:10 . 2009-10-09 21:56 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2011-06-24 04:05 . 2010-06-17 17:15 10926592 ----a-w- c:\program files\Movie Maker\MOVIEMK.dll
2011-06-24 04:05 . 2010-06-17 15:49 150016 ----a-w- c:\program files\Movie Maker\MOVIEMK.exe
2011-06-24 04:02 . 2010-06-11 15:30 1257472 ----a-w- c:\windows\system32\msxml3.dll
2011-06-24 04:00 . 2010-08-26 16:07 157184 ----a-w- c:\windows\system32\t2embed.dll
2011-06-24 04:00 . 2011-04-21 13:16 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-24 04:00 . 2010-12-17 16:43 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-06-24 04:00 . 2010-12-17 15:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-06-24 03:59 . 2010-10-18 14:01 81920 ----a-w- c:\windows\system32\consent.exe
2011-06-24 03:59 . 2010-08-26 16:01 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-06-24 03:59 . 2010-08-26 14:11 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-06-24 03:59 . 2011-02-16 15:35 430080 ----a-w- c:\windows\system32\vbscript.dll
2011-06-24 03:59 . 2010-12-20 15:39 563200 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-24 03:57 . 2011-05-02 15:58 738816 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-24 03:57 . 2010-11-06 11:10 345088 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-06-24 03:57 . 2010-11-06 11:09 603648 ----a-w- c:\windows\system32\schedsvc.dll
2011-06-24 03:57 . 2010-11-05 00:53 171520 ----a-w- c:\windows\system32\taskeng.exe
2011-06-24 03:57 . 2010-11-06 11:10 357376 ----a-w- c:\windows\system32\taskschd.dll
2011-06-24 03:57 . 2010-11-06 11:10 270336 ----a-w- c:\windows\system32\taskcomp.dll
2011-06-24 03:54 . 2011-04-29 12:49 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-24 03:54 . 2011-04-29 12:49 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-24 03:54 . 2011-04-29 12:49 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-24 03:54 . 2010-08-31 15:41 954752 ----a-w- c:\windows\system32\mfc40.dll
2011-06-24 03:54 . 2010-08-31 15:41 954288 ----a-w- c:\windows\system32\mfc40u.dll
2011-06-24 03:54 . 2010-06-16 15:59 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-23 19:33 . 2011-05-02 12:00 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-06-23 19:15 . 2010-08-31 15:40 531968 ----a-w- c:\windows\system32\comctl32.dll
2011-06-23 18:57 . 2011-06-23 20:55 -------- d-----w- c:\programdata\bM28601GdCnM28601
2011-06-22 04:01 . 2011-06-22 04:08 -------- d-----w- C:\!KillBox
2011-06-22 02:37 . 2011-06-22 02:38 -------- d-----w- c:\program files\Google
2011-06-21 23:57 . 2011-06-21 23:57 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-06-21 10:43 . 2011-06-21 10:43 -------- d-----w- c:\windows\PIF
2011-06-21 06:55 . 2011-06-22 02:31 -------- d-----w- c:\programdata\oK28601FfElP28601
2011-06-19 16:13 . 2011-06-19 16:14 -------- d-----w- c:\program files\PowerDataRecovery
2011-06-19 15:56 . 2011-05-06 19:30 747592 ----a-w- c:\windows\system32\pwNative.exe
2011-06-19 15:56 . 2011-05-06 19:30 16472 ------w- c:\windows\system32\pwdrvio.sys
2011-06-19 15:56 . 2011-05-06 19:29 11104 ------w- c:\windows\system32\pwdspio.sys
2011-06-19 15:55 . 2011-06-19 15:55 -------- d-----w- c:\program files\MiniTool Partition Wizard Home Edition 6.0
2011-06-19 15:50 . 2011-06-19 15:50 -------- d-----w- c:\programdata\createpart
2011-06-19 15:49 . 2011-06-19 15:49 -------- d-----w- c:\programdata\deletepart
2011-06-19 15:48 . 2011-06-19 15:48 -------- d-----w- c:\programdata\explauncher
2011-06-19 15:48 . 2011-06-19 15:48 -------- d-----w- c:\programdata\launcher
2011-06-19 15:45 . 2011-06-19 15:45 -------- dc----w- c:\windows\system32\DRVSTORE
2011-06-19 15:45 . 2011-05-18 00:03 57312 ----a-w- c:\windows\system32\drivers\hotcore3.sys
2011-06-19 15:44 . 2011-06-19 15:44 -------- d-----w- c:\program files\Paragon Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-18 00:03 . 2011-05-18 00:03 249936 ----a-w- c:\windows\system32\prgiso.dll
2011-05-04 09:52 . 2010-07-30 01:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Creative Detector U"="c:\program files\Creative\MediaSource5\CTDetctu.exe" [2006-06-27 110592]
"Audio Kontrol 1"="c:\program files\Native Instruments\Audio Kontrol 1\Audio Kontrol 1.exe" [2006-11-30 7008256]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe" [2008-08-13 405504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-01 4186112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 08:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2006-12-08 08:24 614400 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MtdAcqu]
2006-03-08 13:56 278528 ------w- c:\program files\Creative\MediaSource5\MtdAcqu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-19 07:33 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-06-22 136176]
R2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [2010-03-25 3622912]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2011-04-19 399416]
R3 ak1avs;ak1avs;c:\windows\system32\Drivers\ak1avs.sys [2006-09-20 25088]
R3 ak1usb;ak1usb;c:\windows\system32\Drivers\ak1usb.sys [2006-09-20 84992]
R3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [2008-05-21 64000]
R3 kore2avs;kore2avs;c:\windows\system32\Drivers\kore2avs.sys [2009-10-08 35408]
R3 kore2usb;kore2usb;c:\windows\system32\Drivers\kore2usb.sys [2009-10-08 276432]
R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2008-01-19 21504]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2011-05-06 16472]
R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2011-05-06 11104]
R3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2011-04-19 993848]
R3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\DRIVERS\SMSCirda.sys [2006-10-18 31232]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 hotcore3;hc3ServiceName;c:\windows\system32\DRIVERS\hotcore3.sys [2011-05-18 57312]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-22 02:37]
.
2011-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-22 02:37]
.
2011-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-421102275-2993789643-2027994333-1001Core.job
- c:\users\Administrate\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-08 16:21]
.
2011-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-421102275-2993789643-2027994333-1001UA.job
- c:\users\Administrate\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-08 16:21]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://en.us.acer.yahoo.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Administrate\AppData\Roaming\Mozilla\Firefox\Profiles\sf2bkkyo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Aero Fox: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SetPanel - (no file)
HKLM-Run-eRecoveryService - (no file)
HKU-Default-RunOnce-bM28601GdCnM28601 - c:\programdata\bM28601GdCnM28601\bM28601GdCnM28601.exe
MSConfigStartUp-AdobeBridge - c:\program files\Adobe\Adobe Bridge CS5\Bridge.exe
HKLM_ActiveSetup-ccc-core-static - msiexec
AddRemove-Native Instruments - Audio Kontrol 1 Driver - c:\program files\Native Instruments\Audio Kontrol 1 Driver\uninst.exe Software\Native Instruments\Audio Kontrol 1 Driver\Setup
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-02 11:25
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-07-02 11:42:27
ComboFix-quarantined-files.txt 2011-07-02 16:42
.
Pre-Run: 17,701,769,216 bytes free
Post-Run: 17,716,879,360 bytes free
.
- - End Of File - - F7AB9CCD0E9FEF1F5C89CD8B6AF77E64
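As an added example (not from this thread, and not part of ComboFix or any other tool mentioned here), a small Python script that reads a ComboFix log and flags the settings a malware responder would look at first in the log above: UAC switched off (EnableLUA = 0), Security Center monitoring disabled and its tray icon hidden (HideSCAHealth), URLs listed under "BITS: Possible infected sites", and an autostart whose target is a ProgramData folder named after its own executable, as in the orphaned RunOnce entry. The embedded excerpt is a constructed subset of the posted log, and the rule names are my own.

```python
import re
import sys
from typing import Dict, List

# Constructed excerpt of the ComboFix log posted above: only the lines the
# checks below care about, so the script runs offline without the full log.
SAMPLE_LOG = r"""
----- BITS: Possible infected sites -----
.
hxxp://apnmedia.ask.com
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SetPanel - (no file)
HKU-Default-RunOnce-bM28601GdCnM28601 - c:\programdata\bM28601GdCnM28601\bM28601GdCnM28601.exe
"""

# "Name"=value lines inside a registry key block (ComboFix prints them REGEDIT4-style).
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')

# An executable in a ProgramData folder that carries the same name as the file,
# i.e. c:\programdata\<x>\<x>.exe, the shape of the orphaned RunOnce target above.
SELF_NAMED_RE = re.compile(r'(?i)c:\\programdata\\([^\\\s]+)\\\1\.exe')


def triage(log_text: str) -> List[Dict[str, str]]:
    """Scan ComboFix log text and return findings as dicts with a short
    'rule' identifier (my own naming) and the 'detail' line that triggered it."""
    findings: List[Dict[str, str]] = []
    current_key = ""   # registry key of the block we are currently inside
    in_bits = False    # inside the 'BITS: Possible infected sites' list

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix pads sections with '.' lines
            continue
        if line.startswith("----- BITS"):
            in_bits = True
            continue
        if line.startswith("(((") or line.startswith("- - - -"):
            in_bits = False                  # a new section header resets state
            current_key = ""
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            in_bits = False
            continue
        if in_bits and line.lower().startswith(("hxxp://", "http://")):
            # ComboFix defangs http as hxxp. A BITS download job from an
            # unexpected site is worth a look, not proof of infection on its own.
            findings.append({"rule": "bits-job-url", "detail": line})
            continue

        m = VALUE_RE.match(line)
        if m:
            name, value = m.group(1).lower(), m.group(2).strip().lower()
            if current_key.endswith(r"policies\system") and name == "enablelua" \
                    and value.startswith("0"):
                findings.append({"rule": "uac-disabled", "detail": line})
            elif r"security center\monitoring" in current_key \
                    and name == "disablemonitoring" and value.endswith("00000001"):
                findings.append({"rule": "security-center-monitoring-off",
                                 "detail": f"{current_key}: {line}"})
            elif name == "hidescahealth" and value.startswith("1"):
                findings.append({"rule": "security-center-icon-hidden", "detail": line})

        if SELF_NAMED_RE.search(line):
            findings.append({"rule": "self-named-programdata-autorun", "detail": line})
    return findings


if __name__ == "__main__":
    # Pass a path to a real ComboFix.txt, or run without arguments to use the excerpt.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for f in triage(text):
        print(f"{f['rule']:32} {f['detail']}")
```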

#9 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 08 July 2011 - 01:14 AM

Hello Acidline303 :),

Did you uninstall the Antivirus (AV)? It appears to be no longer present. Can you get into Normal mode?

Do you have the Windows CD or do you know how to get into the Recovery Environment? I am asking because I need to be sure we have another way out, just in case.

Does renaming TDSSKiller work?

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#10 Acidline303

Acidline303
  • Topic Starter

  • Members
  • 16 posts

Posted 08 July 2011 - 08:23 PM

I have uninstalled both Spybot and SUPERAntiSpyware. Renaming TDSSKiller does not work, unfortunately. I am able to boot Windows into normal mode.

I don't have a Windows CD for this laptop. Is recovery attainable through the boot options?

#11 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 09 July 2011 - 01:35 PM

Hello Acidline303 :),

Yes, the Windows Recovery Environment is accessible via the Advanced Boot Options. You can get there by pressing F8 repeatedly while the computer is booting up. There is a repair option that gives entry to the Recovery Environment. Could you please confirm that you have this access to the Recovery Environment? Continue below if you have this access.

--------------------

Fix with aswMBR
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Please rerun aswMBR.
  • Repeat the initial steps by clicking on Scan.
  • When the scan is finished, click Fix. The other fix button is greyed out or disabled. <-- Important, please do not proceed if it is other than what is described, and inform me immediately.
  • There may be a slight pause; please wait until the tool prompts "Infection fixed successfully".
  • Then, reboot your computer. In case the computer becomes unresponsive after the fix, please do a hard reboot.
  • Save the log as before and post in your next reply.
--------------------

Please post back:
1. if you can get to the Recovery Environment
2. the aswMBR log, only if the Recovery Environment is accessible and the fix option is as described

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#12 Acidline303

Acidline303
  • Topic Starter

  • Members
  • 16 posts

Posted 09 July 2011 - 08:51 PM

I'm not able to get into recovery options. After going into the repair section from Advanced Boot Options, I get to a Vista logon screen that does not allow me to enter either user profile. I get a message saying "can't connect to XX domain or profile" or something to that effect.

#13 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 10 July 2011 - 06:00 AM

Hello Acidline303 :),

If that is the case, let's prepare a boot CD first, and only then proceed with the fix with aswMBR.

Please download GETxPUD and save it to your desktop. Click here.
  • Double click on GETxPUD.exe to execute it. A new folder GETxPUD will be created on the desktop.
  • Go into the folder and run get&burn.bat. xpud_0.9.2.iso will be downloaded.
  • Upon completion of download, BurnCDCC will be initiated, ready for burning of image.
  • Click on Start and follow the prompts to burn the image to a CD.
--------------------

Fix with aswMBR
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Please rerun aswMBR.
  • Repeat the initial steps by clicking on Scan.
  • When the scan is finished, click Fix. The other fix button is greyed out or disabled. <-- Important, please do not proceed if it is other than what is described, and inform me immediately.
  • There may be a slight pause; please wait until the tool prompts "Infection fixed successfully".
  • Then, reboot your computer. In case the computer becomes unresponsive after the fix, please do a hard reboot.
  • Save the log as before and post in your next reply.
--------------------

Please post back:
1. the aswMBR log, only if the fix option is as described

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#14 Acidline303

Acidline303
  • Topic Starter

  • Members
  • 16 posts

Posted 10 July 2011 - 04:30 PM

I was a little confused by the directions, so I hope I didn't mess up.

After the scan the "FixMBR" tab was clickable, but "fix" tab was still greyed out. I hit the first one and it just said Disk 0 Windows 600 MBR fixed successfully.

The computer seems to boot 10x faster now, but there are still browser hijacks, and Internet Explorer is still running in ghost mode hogging resources.




aswMBR version 0.9.7.705 Copyright© 2011 AVAST Software
Run date: 2011-07-10 14:29:10
-----------------------------
14:29:10.111 OS Version: Windows 6.0.6001 Service Pack 1
14:29:10.111 Number of processors: 1 586 0x4C02
14:29:10.112 ComputerName: KILLEVERYONE2 UserName: Administrate
14:29:11.266 Initialize success
14:31:53.609 AVAST engine defs: 11071000
14:32:49.315 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\SI31121Port2Path0Target0Lun0
14:32:49.318 Disk 0 Vendor: Hitachi_ SBDO Size: 114473MB BusType: 11
14:32:49.321 Device \Driver\SI3112 -> DriverStartIo SCSIPORT.SYS 82593931
14:32:49.344 Disk 0 MBR read successfully
14:32:49.349 Disk 0 MBR scan
14:32:49.353 Disk 0 unknown MBR code
14:32:49.356 Disk 0 MBR hidden
14:32:49.362 Disk 0 scanning sectors +234436545
14:32:49.396 Disk 0 scanning C:\Windows\system32\drivers
14:33:06.545 Service scanning
14:33:09.991 Disk 0 trace - called modules:
14:33:10.065 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x847cdf16]<<
14:33:10.069 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x847b2030]
14:33:10.426 3 CLASSPNP.SYS[863a8745] -> nt!IofCallDriver -> [0x843e2f08]
14:33:10.434 5 acpi.sys[824156a0] -> nt!IofCallDriver -> \Device\Scsi\SI31121Port2Path0Target0Lun0[0x8441c030]
14:33:10.440 \Driver\SI3112[0x83a73f38] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x847cdf16
14:33:10.783 AVAST engine scan C:\Windows
15:49:17.535 AVAST engine scan C:\Users\Administrate
16:01:17.048 AVAST engine scan C:\ProgramData
16:04:14.307 Scan finished successfully
16:16:38.592 Disk 0 Windows 600 MBR fixed successfully
16:19:53.972 Disk 0 MBR has been saved successfully to "C:\Users\Administrate\Desktop\MBR.dat"
16:19:54.031 The log file has been saved successfully to "C:\Users\Administrate\Desktop\aswMBR.txt"

#15 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 10 July 2011 - 10:26 PM

Hello Acidline303 :),

"I was a little confused by the directions, so I hope I didn't mess up."

You should ask if there are any doubts. Fortunately, nothing went wrong.

After the below steps, we may need to use the boot CD to retrieve some information outside of the Windows Operating System.

--------------------

Rerun TDSSKiller
  • Double click on TDSSKiller.exe to execute it.
  • Press Start scan to begin.
  • If anything is found, please change all the actions to Skip only. <-- Important, please select Skip only, DO NOT Cure yet.
  • Then click on Continue at the lower right corner.
  • You may be prompted to reboot your computer, please consent.
  • Once complete, a log will be produced at C:\. It will be named TDSSKiller.Version_Date_Time_log.txt, for example, C:\TDSSKiller.2.4.12.0_26.12.2010_23.12.11_log.txt.
  • Please post the contents of this log.
--------------------

Rerun GMER
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running GMER. They may cause the computer to freeze.
  • If you need help to disable your protection programs see here and here.
  • Double click on gmer.exe to run it.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, click on No.
  • In the right panel, you will see several boxes that have been checked (ticked).
    • Uncheck IAT/EAT
    • Uncheck All other Drives/Partitions except C:\ (leave C:\ checked)
    • Uncheck Show All (don't miss this one)
  • Then click the Scan button and wait for it to finish.
  • Once done, click on the Save... button and save it as "Gmer.txt" at a convenient location. Post the contents of that report.
  • Re-enable your security software as soon as you have completed the GMER steps.
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
--------------------

Please post back:
1. TDSSKiller log
2. GMER log

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.




