Small blue window appears and computer shuts down automatically


  • This topic is locked
10 replies to this topic

#1 James2001

  • Members
  • 6 posts

Posted 03 August 2011 - 06:55 AM

Hi, a small blue window appears quickly only when the computer is connected to the internet, and then the computer shuts down. The window appears too quickly to read it thoroughly, but it may say something about dumpreg. I've attached the logs, editing the name of one of my friend's folders to "...," as the folder name is my friend's real name. The viruses appear to be in the startup folder, but when I go there I can't find them. Thanks. P.S. I like the caveat that appears in the DDS download about the volunteers at Bleeping Computer not being paid staff, so common courtesy is appreciated. Must have gotten a lot of disgruntled responses (and maybe still do :) before from people who want you to "hurry up and fix my bleeping computer!" :)

Attached Files




#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,207 posts
  • Gender:Female
  • Location:Romania

Posted 10 August 2011 - 04:22 AM

Hello,
And welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' button and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 James2001

  • Topic Starter
  • Members
  • 6 posts

Posted 11 August 2011 - 02:25 PM

Hi, if you can look at this in the next two days, that would be great. It's my friend's computer, and I'm leaving on a long trip soon. Also, I didn't rerun the DDS scan b/c I haven't touched the computer since the first one. I've posted the results of the original scan. Also, as I mentioned, the viruses appear to be in the Startup Folder, but nothing I do seems to remove them. Thanks.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by ... at 16:21:46 on 2011-08-03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.73 [GMT 5.5:30]
.
AV: avast! Antivirus *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\RamBooster 2.0\Rambooster.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
E:\Defogger.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.gmail.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [c:\program files\netmeter\netmeter.exe] c:\program files\netmeter\NetMeter.exe
uRun: [RamBooster] c:\program files\rambooster 2.0\Rambooster.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [MotiveReportAgent] "c:\program files\common files\motive\mccibootstrapper.exe" /url="-appkey=motive -windowcontext=reportagent -url=file://c:\program files\common files\motive\reportagent.html" /browsertype=custommsie /browserpath="c:\program files\common files\motive\MotiveBrowser.exe" /hidden
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\...\start menu\programs\startup\0zhoobf.exe
StartupFolder: c:\documents and settings\...\start menu\programs\startup\lgycxfas.exe
StartupFolder: c:\documents and settings\...\start menu\programs\startup\wypakv5cw.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{08D6264C-5D21-4C17-9F42-34287E543155} : NameServer = 218.240.248.208,218.240.248.24
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-20 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-6-20 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-6-20 19544]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-6-20 42184]
S2 rorizlvz;rorizlvz;c:\windows\system32\drivers\rorizlvz.sys [2011-6-18 103936]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-31 41272]
.
=============== Created Last 30 ================
.
2011-07-31 07:01:06 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-07-31 07:00:37 -------- d-----w- c:\documents and settings\...\application data\Malwarebytes
2011-07-31 06:59:54 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-31 06:59:51 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-31 06:59:47 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-31 06:59:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-31 06:56:59 -------- d-----w- c:\documents and settings\all users\application data\MFAData
.
==================== Find3M ====================
.
2011-06-20 13:33:24 90112 ----a-w- c:\windows\DUMP747e.tmp
2011-06-19 17:28:34 90112 ----a-w- c:\windows\DUMP6d74.tmp
2011-06-18 13:14:11 0 ----a-w- c:\windows\06BC5C62.exe
2011-06-18 13:13:29 103936 ----a-w- c:\windows\system32\drivers\rorizlvz.sys
2011-06-10 17:17:56 1033728 ----a-w- c:\windows\explorer.exe
2011-05-10 12:10:59 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:03:54 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
.
============= FINISH: 16:23:26.22 ===============

#4 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,207 posts
  • Gender:Female
  • Location:Romania

Posted 11 August 2011 - 02:51 PM

Hi again, first let's do a rootkit scan.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise




#5 James2001

  • Topic Starter
  • Members
  • 6 posts

Posted 12 August 2011 - 06:20 AM

Hi, I did as instructed and then found what looked like the viruses in Startup in msconfig afterwards. Next step? Thanks.

2011/08/12 08:43:32.0425 1352 TDSS rootkit removing tool 2.5.15.0 Aug 11 2011 16:32:13
2011/08/12 08:43:32.0565 1352 ================================================================================
2011/08/12 08:43:32.0565 1352 SystemInfo:
2011/08/12 08:43:32.0565 1352
2011/08/12 08:43:32.0565 1352 OS Version: 5.1.2600 ServicePack: 3.0
2011/08/12 08:43:32.0565 1352 Product type: Workstation
2011/08/12 08:43:32.0565 1352 ComputerName: BABA
2011/08/12 08:43:32.0565 1352 UserName: Gokaran Shrivastava
2011/08/12 08:43:32.0565 1352 Windows directory: C:\WINDOWS
2011/08/12 08:43:32.0565 1352 System windows directory: C:\WINDOWS
2011/08/12 08:43:32.0565 1352 Processor architecture: Intel x86
2011/08/12 08:43:32.0565 1352 Number of processors: 1
2011/08/12 08:43:32.0565 1352 Page size: 0x1000
2011/08/12 08:43:32.0565 1352 Boot type: Safe boot
2011/08/12 08:43:32.0565 1352 ================================================================================
2011/08/12 08:43:37.0742 1352 Initialize success
2011/08/12 08:44:58.0719 1392 ================================================================================
2011/08/12 08:44:58.0719 1392 Scan started
2011/08/12 08:44:58.0719 1392 Mode: Manual;
2011/08/12 08:44:58.0719 1392 ================================================================================
2011/08/12 08:45:10.0516 1392 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\AtapiDrv.sys. md5: 98a5eb35e495ad38cb657e137e48e7cf
2011/08/12 08:45:10.0516 1392 Suspicious file (Hidden): C:\WINDOWS\system32\drivers\AtapiDrv.sys. md5: 98a5eb35e495ad38cb657e137e48e7cf
2011/08/12 08:45:10.0556 1392 AtapiDrv - detected LockedFile.Multi.Generic (1)
2011/08/12 08:45:58.0875 1392 rorizlvz (6dd921ab5e0164cb0ea639fa59799804) C:\WINDOWS\system32\drivers\rorizlvz.sys
2011/08/12 08:45:58.0875 1392 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\rorizlvz.sys. md5: 6dd921ab5e0164cb0ea639fa59799804
2011/08/12 08:45:58.0915 1392 rorizlvz - detected LockedFile.Multi.Generic (1)
2011/08/12 08:46:16.0741 1392 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/08/12 08:46:17.0161 1392 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR2
2011/08/12 08:46:17.0322 1392 Boot (0x1200) (156c41d77b1aaac1c96118c73c3dbfb5) \Device\Harddisk0\DR0\Partition0
2011/08/12 08:46:17.0432 1392 Boot (0x1200) (8073ca70387423636efd8ab3e6573aac) \Device\Harddisk1\DR2\Partition0
2011/08/12 08:46:17.0502 1392 ================================================================================
2011/08/12 08:46:17.0502 1392 Scan finished
2011/08/12 08:46:17.0502 1392 ================================================================================
2011/08/12 08:46:17.0622 1384 Detected object count: 2
2011/08/12 08:46:17.0622 1384 Actual detected object count: 2
2011/08/12 08:47:59.0999 1384 AtapiDrv (98a5eb35e495ad38cb657e137e48e7cf) C:\WINDOWS\system32\drivers\AtapiDrv.sys
2011/08/12 08:47:59.0999 1384 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\AtapiDrv.sys. md5: 98a5eb35e495ad38cb657e137e48e7cf
2011/08/12 08:47:59.0999 1384 Suspicious file (Hidden): C:\WINDOWS\system32\drivers\AtapiDrv.sys. md5: 98a5eb35e495ad38cb657e137e48e7cf
2011/08/12 08:48:00.0029 1384 C:\WINDOWS\system32\drivers\AtapiDrv.sys - copied to quarantine
2011/08/12 08:48:00.0029 1384 LockedFile.Multi.Generic(AtapiDrv) - User select action: Quarantine
2011/08/12 08:48:00.0390 1384 rorizlvz (6dd921ab5e0164cb0ea639fa59799804) C:\WINDOWS\system32\drivers\rorizlvz.sys
2011/08/12 08:48:00.0390 1384 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\rorizlvz.sys. md5: 6dd921ab5e0164cb0ea639fa59799804
2011/08/12 08:48:00.0400 1384 C:\WINDOWS\system32\drivers\rorizlvz.sys - copied to quarantine
2011/08/12 08:48:00.0400 1384 LockedFile.Multi.Generic(rorizlvz) - User select action: Quarantine
2011/08/12 08:48:38.0825 1432 ================================================================================
2011/08/12 08:48:38.0825 1432 Scan started
2011/08/12 08:48:38.0825 1432 Mode: Manual;
2011/08/12 08:48:38.0825 1432 ================================================================================
2011/08/12 08:48:39.0556 1432 Aavmker4 (3f6884eff406238d39aaa892218f1df7) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/08/12 08:48:40.0468 1432 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/12 08:48:40.0848 1432 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/08/12 08:48:41.0589 1432 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/08/12 08:48:41.0990 1432 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/08/12 08:48:42.0350 1432 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/08/12 08:48:43.0922 1432 allegro (bc129f409af5fcf46e978c1c144e31be) C:\WINDOWS\system32\drivers\es198x.sys
2011/08/12 08:48:45.0505 1432 aswFsBlk (7f08d9c504b015d81a8abd75c80028c5) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/08/12 08:48:45.0885 1432 aswMon2 (c2181ef6b54752273a0759a968c59279) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/08/12 08:48:46.0266 1432 aswRdr (ac48bdd4cd5d44af33087c06d6e9511c) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/08/12 08:48:46.0727 1432 aswSnx (b64134316fcd1f20e0f10ef3e65bd522) C:\WINDOWS\system32\drivers\aswSnx.sys
2011/08/12 08:48:47.0157 1432 aswSP (d6788e3211afa9951ed7a4d617f68a4f) C:\WINDOWS\system32\drivers\aswSP.sys
2011/08/12 08:48:47.0568 1432 aswTdi (4d100c45517809439c7b6dd98997fa00) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/08/12 08:48:47.0928 1432 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/08/12 08:48:48.0349 1432 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/08/12 08:48:48.0789 1432 AtapiDrv (98a5eb35e495ad38cb657e137e48e7cf) C:\WINDOWS\system32\drivers\AtapiDrv.sys
2011/08/12 08:48:48.0789 1432 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\AtapiDrv.sys. md5: 98a5eb35e495ad38cb657e137e48e7cf
2011/08/12 08:48:48.0799 1432 Suspicious file (Hidden): C:\WINDOWS\system32\drivers\AtapiDrv.sys. md5: 98a5eb35e495ad38cb657e137e48e7cf
2011/08/12 08:48:48.0870 1432 AtapiDrv - detected LockedFile.Multi.Generic (1)
2011/08/12 08:48:49.0541 1432 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/08/12 08:48:49.0921 1432 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/08/12 08:48:50.0342 1432 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/08/12 08:48:50.0762 1432 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/08/12 08:48:51.0113 1432 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/08/12 08:48:51.0784 1432 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/08/12 08:48:52.0134 1432 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/08/12 08:48:52.0525 1432 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/08/12 08:48:53.0156 1432 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/08/12 08:48:53.0847 1432 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/08/12 08:48:55.0279 1432 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/08/12 08:48:55.0890 1432 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/08/12 08:48:56.0280 1432 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/08/12 08:48:56.0651 1432 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/08/12 08:48:57.0011 1432 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/08/12 08:48:57.0752 1432 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/08/12 08:48:58.0283 1432 Edspport (643b3b3d9addffc1aa7606cb80a104ac) C:\WINDOWS\system32\DRIVERS\es56cvmp.sys
2011/08/12 08:48:58.0814 1432 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/08/12 08:48:59.0224 1432 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/08/12 08:48:59.0655 1432 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/08/12 08:48:59.0996 1432 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/08/12 08:49:00.0416 1432 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/08/12 08:49:00.0767 1432 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/08/12 08:49:01.0157 1432 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/08/12 08:49:01.0538 1432 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/08/12 08:49:02.0389 1432 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/08/12 08:49:03.0350 1432 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/08/12 08:49:03.0721 1432 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/08/12 08:49:04.0492 1432 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/08/12 08:49:04.0883 1432 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/08/12 08:49:05.0233 1432 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/08/12 08:49:05.0644 1432 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/08/12 08:49:06.0014 1432 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/08/12 08:49:06.0445 1432 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/08/12 08:49:06.0785 1432 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/08/12 08:49:07.0206 1432 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/08/12 08:49:07.0617 1432 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/08/12 08:49:08.0007 1432 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/08/12 08:49:08.0378 1432 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/08/12 08:49:09.0189 1432 MBAMSwissArmy (b18225739ed9caa83ba2df966e9f43e8) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011/08/12 08:49:09.0659 1432 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/08/12 08:49:10.0050 1432 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/08/12 08:49:10.0421 1432 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/08/12 08:49:10.0791 1432 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/08/12 08:49:11.0292 1432 MREMPR5 (2bc9e43f55de8c30fc817ed56d0ee907) C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS
2011/08/12 08:49:11.0542 1432 MRENDIS5 (594b9d8194e3f4ecbf0325bd10bbeb05) C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
2011/08/12 08:49:11.0943 1432 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/08/12 08:49:12.0453 1432 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/08/12 08:49:12.0874 1432 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/08/12 08:49:13.0245 1432 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/08/12 08:49:13.0635 1432 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/08/12 08:49:13.0976 1432 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/08/12 08:49:14.0326 1432 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/08/12 08:49:14.0697 1432 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/08/12 08:49:15.0097 1432 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/08/12 08:49:15.0478 1432 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/08/12 08:49:15.0928 1432 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/08/12 08:49:16.0279 1432 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/08/12 08:49:16.0640 1432 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/08/12 08:49:17.0010 1432 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/08/12 08:49:17.0411 1432 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/08/12 08:49:17.0811 1432 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/08/12 08:49:18.0192 1432 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/08/12 08:49:18.0592 1432 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/08/12 08:49:19.0133 1432 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/08/12 08:49:19.0704 1432 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/08/12 08:49:20.0155 1432 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/08/12 08:49:20.0555 1432 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/08/12 08:49:20.0906 1432 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/08/12 08:49:21.0306 1432 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2011/08/12 08:49:21.0767 1432 PAC7302 (81a0921e2a3fdcf840e43af64bf96ea2) C:\WINDOWS\system32\DRIVERS\PAC7302.SYS
2011/08/12 08:49:22.0147 1432 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/08/12 08:49:22.0538 1432 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/08/12 08:49:22.0899 1432 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/08/12 08:49:23.0249 1432 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/08/12 08:49:24.0170 1432 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/08/12 08:49:26.0554 1432 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/08/12 08:49:26.0954 1432 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/08/12 08:49:27.0315 1432 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/08/12 08:49:29.0168 1432 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/08/12 08:49:29.0628 1432 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/08/12 08:49:30.0079 1432 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/08/12 08:49:30.0439 1432 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/08/12 08:49:30.0810 1432 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/08/12 08:49:31.0180 1432 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/08/12 08:49:31.0681 1432 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/08/12 08:49:32.0192 1432 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/08/12 08:49:32.0663 1432 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/08/12 08:49:33.0123 1432 rorizlvz (6dd921ab5e0164cb0ea639fa59799804) C:\WINDOWS\system32\drivers\rorizlvz.sys
2011/08/12 08:49:33.0123 1432 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\rorizlvz.sys. md5: 6dd921ab5e0164cb0ea639fa59799804
2011/08/12 08:49:33.0163 1432 rorizlvz - detected LockedFile.Multi.Generic (1)
2011/08/12 08:49:33.0654 1432 S3SavageMX (9deda55453d355c5a0f285e80dbbb341) C:\WINDOWS\system32\DRIVERS\s3savmxm.sys
2011/08/12 08:49:34.0105 1432 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/08/12 08:49:34.0685 1432 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/08/12 08:49:35.0086 1432 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/08/12 08:49:35.0527 1432 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/08/12 08:49:36.0228 1432 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/08/12 08:49:36.0849 1432 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/08/12 08:49:37.0279 1432 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\drivers\sr.sys
2011/08/12 08:49:37.0770 1432 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/08/12 08:49:38.0251 1432 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/08/12 08:49:38.0621 1432 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/08/12 08:49:38.0972 1432 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/08/12 08:49:40.0594 1432 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/08/12 08:49:41.0115 1432 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/08/12 08:49:41.0485 1432 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/08/12 08:49:41.0776 1432 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/08/12 08:49:42.0136 1432 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/08/12 08:49:42.0997 1432 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/08/12 08:49:43.0829 1432 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/08/12 08:49:44.0309 1432 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/08/12 08:49:44.0710 1432 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/08/12 08:49:45.0130 1432 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/08/12 08:49:45.0531 1432 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/08/12 08:49:45.0852 1432 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/08/12 08:49:46.0262 1432 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/08/12 08:49:46.0653 1432 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/08/12 08:49:47.0003 1432 usb_rndis (bee793d4a059caea55d6ac20e19b3a8f) C:\WINDOWS\system32\DRIVERS\usb8023.sys
2011/08/12 08:49:47.0394 1432 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/08/12 08:49:48.0035 1432 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/08/12 08:49:48.0636 1432 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/08/12 08:49:49.0296 1432 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/08/12 08:49:50.0028 1432 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/08/12 08:49:50.0308 1432 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/08/12 08:49:50.0789 1432 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR2
2011/08/12 08:49:50.0999 1432 Boot (0x1200) (156c41d77b1aaac1c96118c73c3dbfb5) \Device\Harddisk0\DR0\Partition0
2011/08/12 08:49:51.0089 1432 Boot (0x1200) (8073ca70387423636efd8ab3e6573aac) \Device\Harddisk1\DR2\Partition0
2011/08/12 08:49:51.0149 1432 ================================================================================
2011/08/12 08:49:51.0149 1432 Scan finished
2011/08/12 08:49:51.0149 1432 ================================================================================
2011/08/12 08:49:51.0239 1424 Detected object count: 2
2011/08/12 08:49:51.0239 1424 Actual detected object count: 2
2011/08/12 08:50:49.0183 1424 HKLM\SYSTEM\ControlSet001\services\AtapiDrv - will be deleted after reboot
2011/08/12 08:50:49.0243 1424 HKLM\SYSTEM\ControlSet002\services\AtapiDrv - will be deleted after reboot
2011/08/12 08:50:49.0263 1424 HKLM\SYSTEM\ControlSet003\services\AtapiDrv - will be deleted after reboot
2011/08/12 08:50:49.0293 1424 C:\WINDOWS\system32\drivers\AtapiDrv.sys - will be deleted after reboot
2011/08/12 08:50:49.0293 1424 LockedFile.Multi.Generic(AtapiDrv) - User select action: Delete
2011/08/12 08:50:49.0333 1424 HKLM\SYSTEM\ControlSet001\services\rorizlvz - will be deleted after reboot
2011/08/12 08:50:49.0333 1424 HKLM\SYSTEM\ControlSet001\control\safeboot\Minimal\rorizlvz - will be deleted after reboot
2011/08/12 08:50:49.0343 1424 HKLM\SYSTEM\ControlSet001\control\safeboot\Network\rorizlvz - will be deleted after reboot
2011/08/12 08:50:49.0353 1424 HKLM\SYSTEM\ControlSet002\services\rorizlvz - will be deleted after reboot
2011/08/12 08:50:49.0363 1424 HKLM\SYSTEM\ControlSet002\control\safeboot\Minimal\rorizlvz - will be deleted after reboot
2011/08/12 08:50:49.0363 1424 HKLM\SYSTEM\ControlSet002\control\safeboot\Network\rorizlvz - will be deleted after reboot
2011/08/12 08:50:49.0363 1424 HKLM\SYSTEM\ControlSet003\services\rorizlvz - will be deleted after reboot
2011/08/12 08:50:49.0363 1424 HKLM\SYSTEM\ControlSet003\control\safeboot\Minimal\rorizlvz - will be deleted after reboot
2011/08/12 08:50:49.0363 1424 HKLM\SYSTEM\ControlSet003\control\safeboot\Network\rorizlvz - will be deleted after reboot
2011/08/12 08:50:49.0393 1424 C:\WINDOWS\system32\drivers\rorizlvz.sys - will be deleted after reboot
2011/08/12 08:50:49.0393 1424 LockedFile.Multi.Generic(rorizlvz) - User select action: Delete
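The TDSSKiller log above is long because it enumerates every loaded driver; the lines that carry the verdict are the `Suspicious file` flags, the `detected` line, the `User select action` line and the registry keys scheduled for deletion. The Python below is an added example, not part of the original post and not a tool shipped with TDSSKiller, that reduces such a log to one record per flagged service and reports whether the service had also registered itself under `control\safeboot\Minimal` and `\Network`, which is what let rorizlvz load even in Safe Mode. The regular expressions are my reading of the log format shown here, not a published specification; the sample log is excerpted from the run above with the ControlSet002/003 entries trimmed.

```python
"""Reduce a TDSSKiller text log to the detections that matter.

Added example; the regexes are my reading of the log format shown in the
post, not a specification published by Kaspersky."""
import re
from dataclasses import dataclass, field

# Each line is "<yyyy/mm/dd hh:mm:ss.ffff> <pid> <message>".
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")   # "<service> (<md5>) <path>"
SUSPICIOUS_RE = re.compile(r"^Suspicious file \((\w+)\): (.+?)\. md5: ([0-9a-f]{32})$")
VERDICT_RE = re.compile(r"^(\S+) - detected (\S+) \((\d+)\)$")
ACTION_RE = re.compile(r"^(\S+)\(([^)]+)\) - User select action: (\w+)$")
PENDING_RE = re.compile(r"^(.+?) - will be deleted after reboot$")
QUARANTINE_RE = re.compile(r"^(.+?) - copied to quarantine$")


@dataclass
class Detection:
    name: str                                  # service name as TDSSKiller printed it
    path: str = ""
    md5: str = ""
    flags: set = field(default_factory=set)    # e.g. {"NoAccess", "Hidden"}
    verdict: str = ""                          # e.g. "LockedFile.Multi.Generic"
    action: str = ""                           # Quarantine / Delete / Skip
    quarantined: bool = False
    pending_deletions: list = field(default_factory=list)

    @property
    def persists_in_safe_mode(self) -> bool:
        """True when the service also registered under control\\safeboot\\Minimal
        or \\Network, i.e. the driver was set to load in Safe Mode as well."""
        return any("\\safeboot\\" in p.lower() for p in self.pending_deletions)


def _service_key(path: str) -> str:
    """Registry key or driver file path -> lower-case service name."""
    leaf = path.rstrip("\\").rsplit("\\", 1)[-1]
    return leaf[:-4].lower() if leaf.lower().endswith(".sys") else leaf.lower()


def parse_tdsskiller_log(text: str) -> dict:
    """Return {lower-case service name: Detection} for every flagged object."""
    dets = {}
    last_driver = None   # service named by the most recent enumeration line

    def rec(name: str) -> Detection:
        return dets.setdefault(name.lower(), Detection(name=name))

    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3).strip()
        if (d := DRIVER_RE.match(msg)):
            last_driver = d.group(1)
        elif (s := SUSPICIOUS_RE.match(msg)):
            key = _service_key(s.group(2))
            # Keep TDSSKiller's own spelling of the name only if it matches the file.
            det = rec(last_driver if last_driver and last_driver.lower() == key else key)
            det.flags.add(s.group(1))
            det.path, det.md5 = s.group(2), s.group(3)
        elif (v := VERDICT_RE.match(msg)):
            rec(v.group(1)).verdict = v.group(2)
        elif (a := ACTION_RE.match(msg)):
            det = rec(a.group(2))
            det.verdict, det.action = det.verdict or a.group(1), a.group(3)
        elif (p := PENDING_RE.match(msg)):
            rec(_service_key(p.group(1))).pending_deletions.append(p.group(1))
        elif (q := QUARANTINE_RE.match(msg)):
            rec(_service_key(q.group(1))).quarantined = True
    return dets


# Excerpt of the log posted above (ControlSet002/003 entries trimmed).
SAMPLE_LOG = r"""
2011/08/12 08:48:48.0349 1432 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/08/12 08:48:48.0789 1432 AtapiDrv (98a5eb35e495ad38cb657e137e48e7cf) C:\WINDOWS\system32\drivers\AtapiDrv.sys
2011/08/12 08:48:48.0789 1432 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\AtapiDrv.sys. md5: 98a5eb35e495ad38cb657e137e48e7cf
2011/08/12 08:48:48.0799 1432 Suspicious file (Hidden): C:\WINDOWS\system32\drivers\AtapiDrv.sys. md5: 98a5eb35e495ad38cb657e137e48e7cf
2011/08/12 08:48:48.0870 1432 AtapiDrv - detected LockedFile.Multi.Generic (1)
2011/08/12 08:49:33.0123 1432 rorizlvz (6dd921ab5e0164cb0ea639fa59799804) C:\WINDOWS\system32\drivers\rorizlvz.sys
2011/08/12 08:49:33.0123 1432 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\rorizlvz.sys. md5: 6dd921ab5e0164cb0ea639fa59799804
2011/08/12 08:49:33.0163 1432 rorizlvz - detected LockedFile.Multi.Generic (1)
2011/08/12 08:49:50.0308 1432 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/08/12 08:50:49.0183 1424 HKLM\SYSTEM\ControlSet001\services\AtapiDrv - will be deleted after reboot
2011/08/12 08:50:49.0293 1424 C:\WINDOWS\system32\drivers\AtapiDrv.sys - will be deleted after reboot
2011/08/12 08:50:49.0293 1424 LockedFile.Multi.Generic(AtapiDrv) - User select action: Delete
2011/08/12 08:50:49.0333 1424 HKLM\SYSTEM\ControlSet001\services\rorizlvz - will be deleted after reboot
2011/08/12 08:50:49.0333 1424 HKLM\SYSTEM\ControlSet001\control\safeboot\Minimal\rorizlvz - will be deleted after reboot
2011/08/12 08:50:49.0343 1424 HKLM\SYSTEM\ControlSet001\control\safeboot\Network\rorizlvz - will be deleted after reboot
2011/08/12 08:50:49.0393 1424 C:\WINDOWS\system32\drivers\rorizlvz.sys - will be deleted after reboot
2011/08/12 08:50:49.0393 1424 LockedFile.Multi.Generic(rorizlvz) - User select action: Delete
"""


def parse_sample() -> dict:
    return parse_tdsskiller_log(SAMPLE_LOG)
```

Note that the legitimate `atapi` (Microsoft's atapi.sys) enumerated just before the lookalike `AtapiDrv` produces no record: the parser keys only on detection lines, so a near-identical service name is not by itself enough to get flagged, and the two `Suspicious file` lines for the same path collapse into one record with both flags.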

#6 Elise

Posted 12 August 2011 - 06:28 AM

Let's see what else needs to be done. :)

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 James2001


Posted 13 August 2011 - 05:44 AM

Hi, unfortunately it would not produce the log, so I created another DDS log, which is down below. I'm afraid I have to leave on my trip tomorrow, so is there any way that you could provide links to all the tools in the anti-malware toolbox, so to speak, and I can try them all in order? Thanks for all your help! That's cool that you're in Romania.


.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by Gokaran Shrivastava at 16:03:38 on 2011-08-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.105 [GMT 5.5:30]
.
AV: avast! Antivirus *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.gmail.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [c:\program files\netmeter\netmeter.exe] c:\program files\netmeter\NetMeter.exe
uRun: [RamBooster] c:\program files\rambooster 2.0\Rambooster.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [MotiveReportAgent] "c:\program files\common files\motive\mccibootstrapper.exe" /url="-appkey=motive -windowcontext=reportagent -url=file://c:\program files\common files\motive\reportagent.html" /browsertype=custommsie /browserpath="c:\program files\common files\motive\MotiveBrowser.exe" /hidden
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\gokaran shrivastava\start menu\programs\startup\0zhoobf.exe
StartupFolder: c:\documents and settings\gokaran shrivastava\start menu\programs\startup\lgycxfas.exe
StartupFolder: c:\documents and settings\gokaran shrivastava\start menu\programs\startup\wypakv5cw.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{08D6264C-5D21-4C17-9F42-34287E543155} : NameServer = 218.240.248.208,218.240.248.24
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-20 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-6-20 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-6-20 19544]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-6-20 42184]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-31 41272]
.
=============== Created Last 30 ================
.
2011-08-12 20:16:25 98816 ----a-w- c:\windows\sed.exe
2011-08-12 20:16:25 518144 ----a-w- c:\windows\SWREG.exe
2011-08-12 20:16:25 256000 ----a-w- c:\windows\PEV.exe
2011-08-12 20:16:25 208896 ----a-w- c:\windows\MBR.exe
2011-08-12 20:16:07 -------- d-----w- C:\ComboFix
2011-08-12 03:17:59 -------- d-----w- C:\TDSSKiller_Quarantine
2011-07-31 07:01:06 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-07-31 07:00:37 -------- d-----w- c:\documents and settings\gokaran shrivastava\application data\Malwarebytes
2011-07-31 06:59:54 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-31 06:59:51 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-31 06:59:47 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-31 06:59:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-31 06:56:59 -------- d-----w- c:\documents and settings\all users\application data\MFAData
.
==================== Find3M ====================
.
2011-06-20 13:33:24 90112 ----a-w- c:\windows\DUMP747e.tmp
2011-06-19 17:28:34 90112 ----a-w- c:\windows\DUMP6d74.tmp
2011-06-10 17:17:56 1033728 ----a-w- c:\windows\explorer.exe
.
============= FINISH: 16:05:17.73 ===============

Edited by James2001, 13 August 2011 - 05:50 AM.
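In the DDS `Pseudo HJT Report` above, the persistence that survives a reboot is in two kinds of line: the `uRun`/`mRun`/`dRun` registry values (HKCU, HKLM and HKU\.DEFAULT `Run` keys respectively) and the `StartupFolder` entries. The Python below is an added example, not part of the original post and not part of DDS, that parses those entries plus the `NameServer` line and flags Startup-folder items that are bare executables rather than `.lnk` shortcuts. The flagging rule is my heuristic (installers create shortcuts; droppers copy binaries into the folder), and the sample lines are copied from the report above.

```python
"""Triage the autostart entries of a DDS 'Pseudo HJT Report'.

Added example, not part of the original post or of DDS. The flagging rule
(a bare executable sitting in the Startup folder) is my heuristic."""
import re
from dataclasses import dataclass, field

RUN_RE = re.compile(r"^([umd]Run): \[(.+?)\] (.+)$")      # "uRun: [name] command"
STARTUP_RE = re.compile(r"^StartupFolder: (.+)$")
DNS_RE = re.compile(r"^TCP: Interfaces\\\{[0-9A-Fa-f-]+\} : NameServer = (.+)$")
EXEC_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js")


@dataclass
class Autostart:
    kind: str        # uRun (HKCU), mRun (HKLM), dRun (HKU\.DEFAULT), StartupFolder
    name: str
    target: str
    flag: str = ""   # empty when nothing looked wrong


@dataclass
class HjtSummary:
    autostarts: list = field(default_factory=list)
    name_servers: list = field(default_factory=list)

    def flagged(self) -> list:
        return [a for a in self.autostarts if a.flag]


def parse_pseudo_hjt(text: str) -> HjtSummary:
    out = HjtSummary()
    for line in text.splitlines():
        line = line.strip()
        if (m := RUN_RE.match(line)):
            out.autostarts.append(Autostart(m.group(1), m.group(2), m.group(3)))
        elif (m := STARTUP_RE.match(line)):
            path = m.group(1)
            leaf = path.rsplit("\\", 1)[-1]
            flag = ""
            if leaf.lower().endswith(EXEC_EXT):
                # Heuristic: installers drop .lnk shortcuts here; droppers copy binaries.
                flag = "bare executable in Startup folder"
            out.autostarts.append(Autostart("StartupFolder", leaf, path, flag))
        elif (m := DNS_RE.match(line)):
            # Resolver addresses; check them against what the ISP or router should hand out.
            out.name_servers.extend(s.strip() for s in m.group(1).split(","))
    return out


# Lines copied from the Pseudo HJT Report posted above.
SAMPLE_REPORT = r"""
uRun: [c:\program files\netmeter\netmeter.exe] c:\program files\netmeter\NetMeter.exe
uRun: [RamBooster] c:\program files\rambooster 2.0\Rambooster.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [MotiveReportAgent] "c:\program files\common files\motive\mccibootstrapper.exe" /hidden
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\gokaran shrivastava\start menu\programs\startup\0zhoobf.exe
StartupFolder: c:\documents and settings\gokaran shrivastava\start menu\programs\startup\lgycxfas.exe
StartupFolder: c:\documents and settings\gokaran shrivastava\start menu\programs\startup\wypakv5cw.exe
TCP: Interfaces\{08D6264C-5D21-4C17-9F42-34287E543155} : NameServer = 218.240.248.208,218.240.248.24
"""


def parse_sample() -> HjtSummary:
    return parse_pseudo_hjt(SAMPLE_REPORT)
```

The three randomly named `.exe` files are the only entries flagged; the `Run` values all point at installed programs and are left for the analyst to judge by path, which is how the poster's own observation ("the viruses appear to be in the startup folder") lines up with the log.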


#8 Elise


Posted 13 August 2011 - 05:50 AM

Sorry, there's no "standard set of tools". If combofix did not create a log, try running it again from safe mode.

Also rerun TDSSKiller and post the new log.

regards, Elise



#9 James2001


Posted 13 August 2011 - 08:11 AM

Hi, here are the logs for the Combofix and DDS. Thanks.

ComboFix 11-08-12.01 - Gokaran Shrivastava 13/08/2011 17:09:32.2.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.43 [GMT 5.5:30]
Running from: E:\ComboFix.exe
AV: avast! Antivirus *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\...\My Documents\~WRL0001.tmp
c:\documents and settings\...\My Documents\~WRL0002.tmp
c:\documents and settings\...\My Documents\~WRL0004.tmp
c:\documents and settings\Gokaran Shrivastava\My Documents\~WRL0160.tmp
c:\documents and settings\Gokaran Shrivastava\My Documents\~WRL0418.tmp
c:\documents and settings\Gokaran Shrivastava\My Documents\~WRL0710.tmp
c:\documents and settings\Gokaran Shrivastava\My Documents\~WRL1332.tmp
c:\documents and settings\Gokaran Shrivastava\My Documents\~WRL1585.tmp
c:\documents and settings\Gokaran Shrivastava\My Documents\~WRL1998.tmp
c:\documents and settings\Gokaran Shrivastava\My Documents\~WRL2001.tmp
c:\documents and settings\Gokaran Shrivastava\My Documents\~WRL2413.tmp
c:\documents and settings\Gokaran Shrivastava\My Documents\~WRL2574.tmp
c:\documents and settings\Gokaran Shrivastava\My Documents\~WRL2802.tmp
c:\documents and settings\Gokaran Shrivastava\My Documents\~WRL3076.tmp
c:\documents and settings\Gokaran Shrivastava\My Documents\~WRL3121.tmp
c:\documents and settings\Gokaran Shrivastava\My Documents\~WRL3301.tmp
c:\documents and settings\Gokaran Shrivastava\My Documents\~WRL3416.tmp
c:\documents and settings\Gokaran Shrivastava\My Documents\~WRL3666.tmp
c:\documents and settings\Gokaran Shrivastava\My Documents\~WRL3901.tmp
c:\windows\06BC5C62.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ATAPIDRV
.
.
((((((((((((((((((((((((( Files Created from 2011-07-13 to 2011-08-13 )))))))))))))))))))))))))))))))
.
.
2011-08-12 03:17 . 2011-08-12 03:17 -------- d-----w- C:\TDSSKiller_Quarantine
2011-07-31 07:01 . 2011-07-31 07:01 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-07-31 07:00 . 2011-07-31 07:00 -------- d-----w- c:\documents and settings\Gokaran Shrivastava\Application Data\Malwarebytes
2011-07-31 06:59 . 2011-07-06 14:22 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-31 06:59 . 2011-07-31 06:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-31 06:59 . 2011-07-31 06:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-31 06:59 . 2011-07-06 14:22 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-31 06:56 . 2011-07-31 07:01 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-20 13:33 . 2009-05-18 16:58 90112 ----a-w- c:\windows\DUMP747e.tmp
2011-06-19 17:28 . 2009-05-18 16:58 90112 ----a-w- c:\windows\DUMP6d74.tmp
2011-06-10 17:17 . 2004-08-04 01:07 1033728 ----a-w- c:\windows\explorer.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-01-28 11:24 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-01-28 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-01-28 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\program files\NetMeter\NetMeter.exe"="c:\program files\NetMeter\NetMeter.exe" [2007-08-11 331264]
"RamBooster"="c:\program files\RamBooster 2.0\Rambooster.exe" [2005-11-17 561664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-23 176128]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"MotiveReportAgent"="c:\program files\Common Files\Motive\McciBootStrapper.exe" [2007-09-13 202240]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\
0zhoobf.exe [2011-7-26 43008]
lgycxfas.exe [2011-7-26 43008]
wypakv5cw.exe [2011-6-20 42496]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:5e99a98b1b
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^00jnkav.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\00jnkav.exe
backup=c:\windows\pss\00jnkav.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^00ltwop.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\00ltwop.exe
backup=c:\windows\pss\00ltwop.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^00xdkub.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\00xdkub.exe
backup=c:\windows\pss\00xdkub.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^00zhqwh.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\00zhqwh.exe
backup=c:\windows\pss\00zhqwh.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^01busff.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\01busff.exe
backup=c:\windows\pss\01busff.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^01buspr.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\01buspr.exe
backup=c:\windows\pss\01buspr.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^01duipc.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\01duipc.exe
backup=c:\windows\pss\01duipc.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^01juijh.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\01juijh.exe
backup=c:\windows\pss\01juijh.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^0bwyvxu.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\0bwyvxu.exe
backup=c:\windows\pss\0bwyvxu.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^0jsijhu.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\0jsijhu.exe
backup=c:\windows\pss\0jsijhu.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^0lbuspr.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\0lbuspr.exe
backup=c:\windows\pss\0lbuspr.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^0ltwopc.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\0ltwopc.exe
backup=c:\windows\pss\0ltwopc.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^0nmiazv.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\0nmiazv.exe
backup=c:\windows\pss\0nmiazv.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^0xluahp.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\0xluahp.exe
backup=c:\windows\pss\0xluahp.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^1hzyavt.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\1hzyavt.exe
backup=c:\windows\pss\1hzyavt.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^1lwopcs.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\1lwopcs.exe
backup=c:\windows\pss\1lwopcs.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^1tveizh.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\1tveizh.exe
backup=c:\windows\pss\1tveizh.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^1vigpfo.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\1vigpfo.exe
backup=c:\windows\pss\1vigpfo.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^1vkymrx.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\1vkymrx.exe
backup=c:\windows\pss\1vkymrx.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^a01bjuvruak.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\a01bjuvruak.exe
backup=c:\windows\pss\a01bjuvruak.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^acfzi00zn.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\acfzi00zn.exe
backup=c:\windows\pss\acfzi00zn.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^aczby01xw.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\aczby01xw.exe
backup=c:\windows\pss\aczby01xw.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^bwyvxugx.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\bwyvxugx.exe
backup=c:\windows\pss\bwyvxugx.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^cfl00nbkgt.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\cfl00nbkgt.exe
backup=c:\windows\pss\cfl00nbkgt.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^cwjxacvx.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\cwjxacvx.exe
backup=c:\windows\pss\cwjxacvx.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^d55sqtpyite.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\d55sqtpyite.exe
backup=c:\windows\pss\d55sqtpyite.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^daczlq00z.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\daczlq00z.exe
backup=c:\windows\pss\daczlq00z.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^dmgjlc01n.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\dmgjlc01n.exe
backup=c:\windows\pss\dmgjlc01n.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^g01jgifhegd.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\g01jgifhegd.exe
backup=c:\windows\pss\g01jgifhegd.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^hc01hegtxra.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\hc01hegtxra.exe
backup=c:\windows\pss\hc01hegtxra.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^i55ozdaczlq.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\i55ozdaczlq.exe
backup=c:\windows\pss\i55ozdaczlq.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^ix55wnpmewf.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\ix55wnpmewf.exe
backup=c:\windows\pss\ix55wnpmewf.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^j00hhuyzveo.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\j00hhuyzveo.exe
backup=c:\windows\pss\j00hhuyzveo.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^kbtmopru.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\kbtmopru.exe
backup=c:\windows\pss\kbtmopru.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^kemhpu00n.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\kemhpu00n.exe
backup=c:\windows\pss\kemhpu00n.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^ljikfdvi.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\ljikfdvi.exe
backup=c:\windows\pss\ljikfdvi.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^loabh001b.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\loabh001b.exe
backup=c:\windows\pss\loabh001b.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^m55uhvpajdl.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\m55uhvpajdl.exe
backup=c:\windows\pss\m55uhvpajdl.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^mvfikntu.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\mvfikntu.exe
backup=c:\windows\pss\mvfikntu.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^nvitjm01t.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\nvitjm01t.exe
backup=c:\windows\pss\nvitjm01t.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^odlg00rfac.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\odlg00rfac.exe
backup=c:\windows\pss\odlg00rfac.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^ozdaczlq.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\ozdaczlq.exe
backup=c:\windows\pss\ozdaczlq.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^pbikntu0.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\pbikntu0.exe
backup=c:\windows\pss\pbikntu0.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^reifbeqf.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\reifbeqf.exe
backup=c:\windows\pss\reifbeqf.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^rq01luidfce.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\rq01luidfce.exe
backup=c:\windows\pss\rq01luidfce.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^sltowrzt.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\sltowrzt.exe
backup=c:\windows\pss\sltowrzt.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^tjiadpuy.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\tjiadpuy.exe
backup=c:\windows\pss\tjiadpuy.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^tq01bjgdfsq.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\tq01bjgdfsq.exe
backup=c:\windows\pss\tq01bjgdfsq.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^u01xsaudxga.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\u01xsaudxga.exe
backup=c:\windows\pss\u01xsaudxga.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^ui556gpznsu.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\ui556gpznsu.exe
backup=c:\windows\pss\ui556gpznsu.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^usoxr001l.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\usoxr001l.exe
backup=c:\windows\pss\usoxr001l.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^veyhbk00d.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\veyhbk00d.exe
backup=c:\windows\pss\veyhbk00d.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^vigpfoe5.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\vigpfoe5.exe
backup=c:\windows\pss\vigpfoe5.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^vkibjqq5.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\vkibjqq5.exe
backup=c:\windows\pss\vkibjqq5.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^wdfcebd0.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\wdfcebd0.exe
backup=c:\windows\pss\wdfcebd0.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^xucghjas.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\xucghjas.exe
backup=c:\windows\pss\xucghjas.exeStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tooquabou
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-05-19 11:34 133104 ----atw- c:\documents and settings\Gokaran Shrivastava\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-10-23 14:21 233472 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 05:54 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PAC7302_Monitor]
2006-11-03 05:31 319488 -c--a-w- c:\windows\PixArt\PAC7302\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCBoost]
2010-12-05 07:56 1722616 ----a-w- c:\program files\PGWARE\PCBoost\PCBoostTray.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [20/06/2011 18:43 441176]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [20/06/2011 18:43 307928]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [20/06/2011 18:43 19544]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [31/07/2011 12:29 41272]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-21 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-04-21 07:33]
.
2011-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-842925246-2146754083-1003Core.job
- c:\documents and settings\Gokaran Shrivastava\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-19 11:34]
.
2011-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-842925246-2146754083-1003UA.job
- c:\documents and settings\Gokaran Shrivastava\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-19 11:34]
.
2011-08-12 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-01-28 11:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gmail.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{08D6264C-5D21-4C17-9F42-34287E543155}: NameServer = 218.240.248.208,218.240.248.24
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-84303845.sys
MSConfigStartUp-faruj - c:\windows\system32\douhooze.exe
MSConfigStartUp-Fredg Application - c:\recycler\S-1-5-21-0243556031-888888379-781863308-1455\fresd.exe
MSConfigStartUp-userini - c:\windows\system32\userini.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-13 17:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-08-13 17:25:18
ComboFix-quarantined-files.txt 2011-08-13 11:55
.
Pre-Run: 1,811,152,896 bytes free
Post-Run: 1,795,530,752 bytes free
.
- - End Of File - - CA40D6B4920FB31DF2767D1E3DABB19F


.
DDS (Ver_2011-06-23.01) - NTFSx86 MINIMAL
Internet Explorer: 6.0.2900.5512
Run by ... at 17:57:38 on 2011-08-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.127 [GMT 5.5:30]
.
AV: avast! Antivirus *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\explorer.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.gmail.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [c:\program files\netmeter\netmeter.exe] c:\program files\netmeter\NetMeter.exe
uRun: [RamBooster] c:\program files\rambooster 2.0\Rambooster.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [MotiveReportAgent] "c:\program files\common files\motive\mccibootstrapper.exe" /url="-appkey=motive -windowcontext=reportagent -url=file://c:\program files\common files\motive\reportagent.html" /browsertype=custommsie /browserpath="c:\program files\common files\motive\MotiveBrowser.exe" /hidden
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\...\start menu\programs\startup\0zhoobf.exe
StartupFolder: c:\documents and settings\...\start menu\programs\startup\lgycxfas.exe
StartupFolder: c:\documents and settings\... shrivastava\start menu\programs\startup\wypakv5cw.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{08D6264C-5D21-4C17-9F42-34287E543155} : NameServer = 218.240.248.208,218.240.248.24
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
============= SERVICES / DRIVERS ===============
.
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-20 441176]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-6-20 307928]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-6-20 19544]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-6-20 42184]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-31 41272]
.
=============== Created Last 30 ================
.
2011-08-12 20:16:25 98816 ----a-w- c:\windows\sed.exe
2011-08-12 20:16:25 518144 ----a-w- c:\windows\SWREG.exe
2011-08-12 20:16:25 256000 ----a-w- c:\windows\PEV.exe
2011-08-12 20:16:25 208896 ----a-w- c:\windows\MBR.exe
2011-08-12 03:17:59 -------- d-----w- C:\TDSSKiller_Quarantine
2011-07-31 07:01:06 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-07-31 07:00:37 -------- d-----w- c:\documents and settings\... \application data\Malwarebytes
2011-07-31 06:59:54 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-31 06:59:51 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-31 06:59:47 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-31 06:59:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-31 06:56:59 -------- d-----w- c:\documents and settings\all users\application data\MFAData
.
==================== Find3M ====================
.
2011-06-20 13:33:24 90112 ----a-w- c:\windows\DUMP747e.tmp
2011-06-19 17:28:34 90112 ----a-w- c:\windows\DUMP6d74.tmp
2011-06-10 17:17:56 1033728 ----a-w- c:\windows\explorer.exe
.
============= FINISH: 17:58:15.83 ===============

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,207 posts
  • Gender:Female
  • Location:Romania

Posted 13 August 2011 - 09:00 AM

Hi again, still some work to do here. :)

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00

File::
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\0zhoobf.exe
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\lgycxfas.exe
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\wypakv5cw.exe
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\00jnkav.exe
c:\windows\pss\00jnkav.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\00ltwop.exe
c:\windows\pss\00ltwop.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\00xdkub.exe
c:\windows\pss\00xdkub.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\00zhqwh.exe
c:\windows\pss\00zhqwh.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\01busff.exe
c:\windows\pss\01busff.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\01buspr.exe
c:\windows\pss\01buspr.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\01duipc.exe
c:\windows\pss\01duipc.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\01juijh.exe
c:\windows\pss\01juijh.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\0bwyvxu.exe
c:\windows\pss\0bwyvxu.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\0jsijhu.exe
c:\windows\pss\0jsijhu.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\0lbuspr.exe
c:\windows\pss\0lbuspr.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\0ltwopc.exe
c:\windows\pss\0ltwopc.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\0nmiazv.exe
c:\windows\pss\0nmiazv.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\0xluahp.exe
c:\windows\pss\0xluahp.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\1hzyavt.exe
c:\windows\pss\1hzyavt.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\1lwopcs.exe
c:\windows\pss\1lwopcs.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\1tveizh.exe
c:\windows\pss\1tveizh.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\1vigpfo.exe
c:\windows\pss\1vigpfo.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\1vkymrx.exe
c:\windows\pss\1vkymrx.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\a01bjuvruak.exe
c:\windows\pss\a01bjuvruak.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\acfzi00zn.exe
c:\windows\pss\acfzi00zn.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\aczby01xw.exe
c:\windows\pss\aczby01xw.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\bwyvxugx.exe
c:\windows\pss\bwyvxugx.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\cfl00nbkgt.exe
c:\windows\pss\cfl00nbkgt.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\cwjxacvx.exe
c:\windows\pss\cwjxacvx.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\d55sqtpyite.exe
c:\windows\pss\d55sqtpyite.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\daczlq00z.exe
c:\windows\pss\daczlq00z.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\dmgjlc01n.exe
c:\windows\pss\dmgjlc01n.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\g01jgifhegd.exe
c:\windows\pss\g01jgifhegd.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\hc01hegtxra.exe
c:\windows\pss\hc01hegtxra.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\i55ozdaczlq.exe
c:\windows\pss\i55ozdaczlq.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\ix55wnpmewf.exe
c:\windows\pss\ix55wnpmewf.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\j00hhuyzveo.exe
c:\windows\pss\j00hhuyzveo.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\kbtmopru.exe
c:\windows\pss\kbtmopru.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\kemhpu00n.exe
c:\windows\pss\kemhpu00n.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\ljikfdvi.exe
c:\windows\pss\ljikfdvi.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\loabh001b.exe
c:\windows\pss\loabh001b.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\m55uhvpajdl.exe
c:\windows\pss\m55uhvpajdl.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\mvfikntu.exe
c:\windows\pss\mvfikntu.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\nvitjm01t.exe
c:\windows\pss\nvitjm01t.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\odlg00rfac.exe
c:\windows\pss\odlg00rfac.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\ozdaczlq.exe
c:\windows\pss\ozdaczlq.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\pbikntu0.exe
c:\windows\pss\pbikntu0.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\reifbeqf.exe
c:\windows\pss\reifbeqf.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\rq01luidfce.exe
c:\windows\pss\rq01luidfce.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\sltowrzt.exe
c:\windows\pss\sltowrzt.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\tjiadpuy.exe
c:\windows\pss\tjiadpuy.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\tq01bjgdfsq.exe
c:\windows\pss\tq01bjgdfsq.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\u01xsaudxga.exe
c:\windows\pss\u01xsaudxga.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\ui556gpznsu.exe
c:\windows\pss\ui556gpznsu.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\usoxr001l.exe
c:\windows\pss\usoxr001l.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\veyhbk00d.exe
c:\windows\pss\veyhbk00d.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\vigpfoe5.exe
c:\windows\pss\vigpfoe5.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\vkibjqq5.exe
c:\windows\pss\vkibjqq5.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\wdfcebd0.exe
c:\windows\pss\wdfcebd0.exeStartup
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\xucghjas.exe
c:\windows\pss\xucghjas.exeStartup

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
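Before dragging a CFScript onto ComboFix it is worth checking, offline, exactly what it will do. The following Python is an added example written for this thread; it is not Elise's script and not part of ComboFix or DDS, and the helper names (decode_multi_sz, bootexecute_diff, file_list_from_log) are this example's own. It decodes the hex(7) REG_MULTI_SZ literal from the Registry:: section and compares it with the BootExecute value ComboFix logged earlier in the thread, and it rebuilds the File:: list from an excerpt of the log's "Reg Loading Points" section (the startup-folder listing plus the path=/backup= pairs of the msconfig-disabled entries). The hex bytes are decoded as single-byte characters, which is how the script lays them out; the sample log text is a constructed excerpt of the log posted above.

```python
"""Decode the Registry:: fix and derive the File:: list from ComboFix output.

Added example for this thread; helper names are this example's own and
the sample log below is a constructed excerpt of the posted ComboFix log.
"""
import re

# The REG_MULTI_SZ literal from the CFScript: single-byte characters, each
# string NUL-terminated, and the whole list closed by one more NUL.
SCRIPT_BOOTEXECUTE = (
    'hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00'
)

# BootExecute as ComboFix logged it; "\0" is how ComboFix renders the NUL
# between the strings of a REG_MULTI_SZ.
LOGGED_BOOTEXECUTE = r'autocheck autochk *\0aswBoot.exe /M:5e99a98b1b'

# Constructed excerpt of the "Reg Loading Points" section of the log.
SAMPLE_LOG = r"""
c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\
0zhoobf.exe [2011-7-26 43008]
lgycxfas.exe [2011-7-26 43008]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^00jnkav.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\00jnkav.exe
backup=c:\windows\pss\00jnkav.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gokaran Shrivastava^Start Menu^Programs^Startup^00ltwop.exe]
path=c:\documents and settings\Gokaran Shrivastava\Start Menu\Programs\Startup\00ltwop.exe
backup=c:\windows\pss\00ltwop.exeStartup
"""


def decode_multi_sz(value: str) -> list[str]:
    """Turn a 'hex(7):..' literal into the list of strings it encodes."""
    if not value.startswith('hex(7):'):
        raise ValueError('not a REG_MULTI_SZ literal')
    raw = bytes(int(b, 16) for b in value[len('hex(7):'):].split(','))
    # Each string ends in NUL; the trailing empty strings are the list end.
    return [p for p in raw.decode('latin-1').split('\0') if p]


def encode_multi_sz(strings: list[str]) -> str:
    """Inverse of decode_multi_sz, producing the same comma-separated form."""
    raw = ''.join(s + '\0' for s in strings) + '\0'
    return 'hex(7):' + ','.join(f'{b:02x}' for b in raw.encode('latin-1'))


def logged_multi_sz(value: str) -> list[str]:
    r"""Split ComboFix's rendering, where a literal '\0' separates strings."""
    return value.split(r'\0')


def bootexecute_diff(logged: str, script: str) -> dict:
    """Show which BootExecute entries the script keeps, drops and adds."""
    before = logged_multi_sz(logged)
    after = decode_multi_sz(script)
    return {'before': before, 'after': after,
            'removed': [s for s in before if s not in after],
            'added': [s for s in after if s not in before]}


def file_list_from_log(log: str) -> list[str]:
    """Collect startup-folder items and the path=/backup= pairs of the
    msconfig-disabled startup entries, in the order the File:: section uses."""
    files = []
    folder = None
    for line in log.splitlines():
        line = line.strip()
        if not line or line == '.':
            continue
        if line.lower().endswith('\\startup\\'):
            folder = line            # listing of the Startup folder follows
            continue
        m = re.match(r'^(\S+\.exe) \[\d{4}-\d{1,2}-\d{1,2} \d+\]$', line, re.I)
        if m and folder:
            files.append(folder + m.group(1))
            continue
        if line.startswith('['):     # a registry key header ends the listing
            folder = None
            continue
        m = re.match(r'^(?:path|backup)=(.+)$', line, re.I)
        if m:
            files.append(m.group(1))
    return files


if __name__ == '__main__':
    diff = bootexecute_diff(LOGGED_BOOTEXECUTE, SCRIPT_BOOTEXECUTE)
    print('BootExecute before:', diff['before'])
    print('BootExecute after: ', diff['after'])
    print('entries removed:   ', diff['removed'])
    print('File:: section:')
    for f in file_list_from_log(SAMPLE_LOG):
        print(' ', f)
```

Run as-is, the diff shows that the Registry:: line restores the Windows default `autocheck autochk *` and drops the `aswBoot.exe /M:...` entry that avast's boot-time scan had appended, without adding anything else; the File:: list it rebuilds matches the paths Elise listed, which is the kind of cross-check to do on any fix script that touches BootExecute or deletes files by path.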


#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,207 posts
  • Gender:Female
  • Location:Romania

Posted 28 August 2011 - 04:27 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise






