
new virus? - cant find any info on this infection


This topic is locked. 25 replies to this topic.

#1 indymhr (Members, 31 posts)

Posted 22 August 2011 - 08:56 PM

Hi all

My son has a laptop computer (Toshiba) that I think has a virus of some sort. I am going to provide as much information about the problem as I can to try to help explain what is going on, but to be fair and honest, I think most of it may be irrelevant. I have run HijackThis and the log is posted below. The computer will start up, but shortly after Windows has started, the computer will crash. It goes to a blue screen with a bunch of info posted. It happens very quickly, but this is a paraphrase of what is printed on the screen:

<A problem has been detected and Windows has shut down to protect your computer. If this is the first time, restart your computer; if not, follow these steps:

Check to make sure there is adequate disk space. If a driver has a stop message, then disable the driver and check for updates; check video drivers.

Check with the manufacturer for a BIOS update. Disable BIOS shadowing and caching. If you need to use safe mode, restart and use F8.

STOP 0X0000007E (0C0000005 0X8B046B66 0X915F5170 0XBD02ED50)

Address 8B042B66 Base at 8B003000 datestamp 4A7c1638

Collecting data for crash dump
Initializing data for crash dump
Beginning dump of physical memory
Dumping physical memory to disk
Physical memory dump complete>

All these numbers change with each time.

When the computer starts, the following programs won't start: MyToshiba, Toshiba Service Station, Windows Live Messenger, and the avast shields. Also, the Realtek PCIe FE Family Controller is not connected.

Also, after the first crash, upon restart this error message is posted:

<P.E.N. Blue Screen

OS version 6.1.7600.2.0.0.768.3
Locale ID - 1033
BCCode: 1000007e
BCP1:C0000005
BCP2:82EF3419
BCP3:AE777B50
BCP4:AE777730
O.S.Version 6_1_7600
Service Pack: 0_0
Product:768_1

Files that describe the problem
C:\Windows\Minidump\051911-28672-01.dmp
C:\Users\Matt Raymond\Appdata\Local\Temp\WER-46550-0.sysdata.xml>

OK, here is where I think things get a little more important: with repeated restarts, my Ad-Aware program was gradually able to scan the system and eventually identified a couple of spyware programs, but they were low threats. This did, however, let me use the computer. I was able to run my virus scan (avast) and Spybot, and I was also able to surf the web to try to troubleshoot the problem. The only thing was that I kept getting a popup from my firewall telling me that a program was trying to access my computer; this was every five minutes or so.

As a result of all the scans, whenever I restart I get a new popup saying two program paths were missing:

C:\users\Matt Raymond\AppData\Local\opeluqizevaxikuf.dll

C:\users\Matt Raymond\AppData\Local\irvpils.dll

Here is what I consider strange: I believe both of these are some form of malware, and I have searched the net for a mention of them, but I can't find anything referring to them.

I attempted to run HijackThis, but I was never able to complete the scan (after I was able to run the virus scans, the restarts would still cause the computer to crash), so I went into safe mode, and I was able to run HijackThis and grab the log from there. My only concern is that running it in safe mode may have caused it to miss something; I don't know enough about the process to be sure of that.

Anyway, I found the term "cdehu" preceding the irvpils string in the log, and I found the term "Gkejoqevoyoxaji" preceding the opeluqizevaxikuf.dll string in the log.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:40:35 PM, on 7/30/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16766)
Boot mode: Safe mode

Running processes:
C:\windows\Explorer.EXE
C:\Windows\System32\WerFault.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe
O4 - HKLM\..\Run: [ToshibaServiceStation] "C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
O4 - HKLM\..\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
O4 - HKLM\..\Run: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
O4 - HKLM\..\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
O4 - HKLM\..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
O4 - HKLM\..\Run: [NortonOnlineBackupReminder] "C:\Program Files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" UNATTENDED
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MyTOSHIBA] "C:\Program Files\TOSHIBA\My Toshiba\MyToshiba.exe" /AUTO
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Speech Recognition] "C:\windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
O4 - HKCU\..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Cdehu] rundll32.exe "C:\Users\Matt Raymond\AppData\Local\irvpils.dll",Startup
O4 - HKCU\..\Run: [Gkejoqevoyoxaji] rundll32.exe "C:\Users\Matt Raymond\AppData\Local\opeluqizevaxikuf.dll",Startup
O4 - HKCU\..\RunOnce: [AutoLaunch] C:\Program Files\Lavasoft\Ad-Aware\AutoLaunch.exe monthly
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: KidzProtection.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIF5BA~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree WiMAX Service (cfWiMAXService) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA eco Utility Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TECO\TecoService.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
O23 - Service: TPCH Service (TPCHSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe

--
End of file - 9846 bytes


I realize this is far from an ideal post, but I have tried to give you all the info I have. I very much appreciate your time and consideration in this.

Let me know if you need anything else and I will try to provide it.

Many thanks

Mike

Edited by boopme, 22 August 2011 - 08:59 PM.


#2 HelpBot (Bleepin' Binary Bot, Bots, 12,697 posts)

Posted 27 August 2011 - 09:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/415691 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 indymhr (Topic Starter, Members, 31 posts)

Posted 29 August 2011 - 10:54 PM

Hi

This reply is in response to the autobot message. I did respond to it and state that I still needed help. I am adding the additional information that the message requested:

The computer is a Toshiba Satellite L505-S5990 laptop with the Windows 7 Home Premium 32-bit OS installed. This OS came installed on the computer; we do not have the original install CD/DVD.

Per the request, I also have a DDS log and a GMER log.

Here is the DDS.txt file:



.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 8.0.7600.16385
Run by Matt Raymond at 22:59:23 on 2011-08-29
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2940.2348 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Outdated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Outdated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
FW: PC Tools Firewall Plus *Enabled* {7352CBFB-3EEC-25C5-276E-DC9378FC688F}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWWSC.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MyTOSHIBA] "c:\program files\toshiba\my toshiba\MyToshiba.exe" /AUTO
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Speech Recognition] "c:\windows\speech\common\sapisvr.exe" -SpeechUX -Startup
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
uRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Cdehu] rundll32.exe "c:\users\matt raymond\appdata\local\irvpils.dll",Startup
uRun: [Gkejoqevoyoxaji] rundll32.exe "c:\users\matt raymond\appdata\local\opeluqizevaxikuf.dll",Startup
uRunOnce: [AutoLaunch] c:\program files\lavasoft\ad-aware\AutoLaunch.exe monthly
mRun: [<NO NAME>]
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe
mRun: [ToshibaServiceStation] "c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe" /hide:60
mRun: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
mRun: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe
mRun: [NortonOnlineBackupReminder] "c:\program files\toshiba\toshiba online backup\activation\TobuActivation.exe" UNATTENDED
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\mattra~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\KidzProtection.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mif5ba~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{DC38F1D9-54D3-4D58-9E5C-0E86AB36D37E} : DhcpNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {01250B8F-D947-4F8A-9408-FE8E3EE2EC92} - c:\program files\toshiba\my toshiba\MyToshiba.exe /SETUP
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\matt raymond\appdata\roaming\mozilla\firefox\profiles\ye2srnim.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: XULRunner: {F8FC32AF-EA72-4DDC-9A02-031274FBB0B5} - c:\users\matt raymond\appdata\local\{F8FC32AF-EA72-4DDC-9A02-031274FBB0B5}
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-31 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2009-6-19 12920]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2009-9-15 7680]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-31 165584]
S1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-1-31 159600]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-31 17744]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-1-31 50768]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-20 40384]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\toshiba\configfree\CFIWmxSvcs.exe [2009-8-10 185712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-10 46448]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-20 136176]
S2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2010-1-31 146800]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-31 1153368]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\toshiba\teco\TecoService.exe [2009-8-11 185712]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-20 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-20 40384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-20 136176]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2009-6-10 657408]
S3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2010-1-31 95640]
S3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2009-9-15 24064]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-12-19 249888]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2010-1-19 996896]
S3 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2009-9-15 51512]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-8-3 111960]
S3 TPCHSrv;TPCH Service;c:\program files\toshiba\tphm\TPCHSrv.exe [2009-8-6 685424]
S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-10 1343400]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
.
============= FINISH: 23:00:17.23 ===============




I have also attached the attach.txt file from DDS as a zip (per the autobot instructions).

I am also attaching the GMER log, ark.txt:




GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-29 23:43:22
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\iaStor0 Hitachi_ rev.PB3O
Running: gmer.exe; Driver: C:\Users\MATTRA~1\AppData\Local\Temp\pwlcrpog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 8224A569 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8226F092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8A941000, 0x3C849, 0xE8000020]
.dsrt C:\windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8A986000, 0x3DC, 0x48000040]
? C:\Users\MATTRA~1\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\windows\system32\svchost.exe[888] ntdll.dll!NtProtectVirtualMemory 77D851C0 5 Bytes JMP 0030000A
.text C:\windows\system32\svchost.exe[888] ntdll.dll!NtWriteVirtualMemory 77D85D40 5 Bytes JMP 0031000A
.text C:\windows\system32\svchost.exe[888] ntdll.dll!KiUserExceptionDispatcher 77D86298 5 Bytes JMP 002F000A
.text C:\windows\system32\svchost.exe[888] ole32.dll!CoCreateInstance 7772590C 5 Bytes JMP 0059000A
.text C:\windows\system32\svchost.exe[888] USER32.dll!GetCursorPos 761AC198 5 Bytes JMP 006C000A
.text C:\windows\system32\svchost.exe[888] USER32.dll!GetForegroundWindow 761B565D 5 Bytes JMP 006E000A
.text C:\windows\system32\svchost.exe[888] USER32.dll!WindowFromPoint 761D6D0C 5 Bytes JMP 006D000A
.text C:\windows\Explorer.EXE[1300] ntdll.dll!NtProtectVirtualMemory 77D851C0 5 Bytes JMP 0078000A
.text C:\windows\Explorer.EXE[1300] ntdll.dll!NtWriteVirtualMemory 77D85D40 5 Bytes JMP 0079000A
.text C:\windows\Explorer.EXE[1300] ntdll.dll!KiUserExceptionDispatcher 77D86298 5 Bytes JMP 0073000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000059 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----



I also got a warning at the end of the GMER scan that my computer had been altered by rootkits (I'm paraphrasing).

Also, due to the nature of the problem I have, I had to do all of this in safe mode, thus I could not turn on any firewalls as I did not have internet access on that computer.

Ok - I think that covers it, I appreciate any help you can offer

Mike

#4 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 30 August 2011 - 12:04 PM

Hello and welcome to Bleeping Computer.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Watch Topic near the top of the page, then select Immediate Notification. Click on Proceed.

Please be patient with me during this time.

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#5 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 31 August 2011 - 07:09 AM

Hello indymhr :),

Welcome to Bleeping Computer. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.
  • Please observe and follow these Board Rules and Terms of Use.
  • Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
  • Please read the instructions carefully and follow them closely, in the order they are presented to you.
  • If you have any doubts or problems during the fix, please stop and ask.
  • All the tools that I will ask you to download and use are safe. Please allow if prompted by any of your security software.
  • Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
  • Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
  • Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
  • If you do not reply within 5 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :). We may begin.

--------------------

Please download aswMBR and save it to your desktop. Click here.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. If you are asked to download an antivirus software, please allow.
  • Click on the Scan button to start. The program will launch a scan.
  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
  • Please post the contents of the log in your next reply.
--------------------

Please download TDSSKiller© from Kaspersky and save it to your desktop. Click here.
  • Alternatively, you may get the zip version and extract the file to the desktop.
  • Double click on TDSSKiller.exe to execute it.
  • Press Start scan to begin.
  • If anything is found, please change all the actions to Skip only. <-- Important, please select Skip only, DO NOT Cure yet.
  • Then click on Continue at the lower right corner.
  • You may be prompted to reboot your computer, please consent.
  • Once complete, a log will be produced at C:\. It will be named TDSSKiller.Version_Date_Time_log.txt, for example, C:\TDSSKiller.2.4.12.0_26.12.2010_23.12.11_log.txt.
  • Please post the contents of this log.
--------------------

Please post back:
1. aswMBR log
2. TDSSKiller log

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#6 indymhr

indymhr
  • Topic Starter

  • Members
  • 31 posts

Posted 04 September 2011 - 08:22 AM

Hi
Yes - I do agree with the rules and guidelines you have mentioned - I will follow the instructions you have left and post another reply, but I wanted to put this up to let you know that I agree and that I still need help. I also realize you are quite busy, so I appreciate the help you are offering when you have the time to

Thanks

Mike

#7 indymhr

indymhr
  • Topic Starter

  • Members
  • 31 posts

Posted 04 September 2011 - 09:04 AM

Ok

I ran those two programs:

Here is the aswMBR log:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-04 09:42:49
-----------------------------
09:42:49.132 OS Version: Windows 6.1.7600
09:42:49.132 Number of processors: 2 586 0x170A
09:42:49.148 ComputerName: MATTRAYMOND-PC UserName: Matt Raymond
09:42:50.021 Initialize success
09:42:51.004 AVAST engine defs: 11070202
09:42:54.498 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
09:42:54.498 Disk 0 Vendor: Hitachi_ PB3O Size: 305245MB BusType: 3
09:42:54.498 Disk 0 MBR read successfully
09:42:54.498 Disk 0 MBR scan
09:42:55.060 Disk 0 MBR:Alureon-G [Rtk]
09:42:55.076 Disk 0 TDL4@MBR code has been found
09:42:55.076 Disk 0 MBR hidden
09:42:55.076 Disk 0 MBR [TDL4] **ROOTKIT**
09:42:55.091 Disk 0 trace - called modules:
09:42:55.107 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8600a6f0]<<
09:42:55.122 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85ff0030]
09:42:55.138 3 CLASSPNP.SYS[8a9d559e] -> nt!IofCallDriver -> [0x863baf08]
09:42:55.138 \Driver\iaStor[0x85ff34e0] -> IRP_MJ_CREATE -> 0x8600a6f0
09:42:55.622 AVAST engine scan C:\windows
09:43:00.239 AVAST engine scan C:\windows\system32
09:44:05.167 AVAST engine scan C:\windows\system32\drivers
09:44:11.641 AVAST engine scan C:\Users\Matt Raymond
09:46:30.153 AVAST engine scan C:\ProgramData
09:51:31.203 Scan finished successfully
09:53:43.584 Disk 0 MBR has been saved successfully to "C:\Users\Matt Raymond\Desktop\MBR.dat"
09:53:43.600 The log file has been saved successfully to "C:\Users\Matt Raymond\Desktop\aswMBR.txt"



and here is the TDSSKiller log:

2011/09/04 09:54:45.0329 1992 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/09/04 09:54:45.0345 1992 ================================================================================
2011/09/04 09:54:45.0345 1992 SystemInfo:
2011/09/04 09:54:45.0345 1992
2011/09/04 09:54:45.0345 1992 OS Version: 6.1.7600 ServicePack: 0.0
2011/09/04 09:54:45.0345 1992 Product type: Workstation
2011/09/04 09:54:45.0345 1992 ComputerName: MATTRAYMOND-PC
2011/09/04 09:54:45.0345 1992 UserName: Matt Raymond
2011/09/04 09:54:45.0345 1992 Windows directory: C:\windows
2011/09/04 09:54:45.0345 1992 System windows directory: C:\windows
2011/09/04 09:54:45.0345 1992 Processor architecture: Intel x86
2011/09/04 09:54:45.0345 1992 Number of processors: 2
2011/09/04 09:54:45.0345 1992 Page size: 0x1000
2011/09/04 09:54:45.0345 1992 Boot type: Safe boot
2011/09/04 09:54:45.0345 1992 ================================================================================
2011/09/04 09:54:45.0766 1992 Initialize success
2011/09/04 09:54:47.0061 1720 ================================================================================
2011/09/04 09:54:47.0061 1720 Scan started
2011/09/04 09:54:47.0061 1720 Mode: Manual;
2011/09/04 09:54:47.0061 1720 ================================================================================
2011/09/04 09:55:04.0252 1720 tos_sps32 (969377943fe7284609babbab4e06b93c) C:\windows\system32\DRIVERS\tos_sps32.sys
2011/09/04 09:55:04.0315 1720 tssecsrv (98ae6fa07d12cb4ec5cf4a9bfa5f4242) C:\windows\system32\DRIVERS\tssecsrv.sys
2011/09/04 09:55:04.0424 1720 tunnel (3e461d890a97f9d4c168f5fda36e1d00) C:\windows\system32\DRIVERS\tunnel.sys
2011/09/04 09:55:04.0471 1720 TVALZ (fc24015b4052600c324c43e3a79c0664) C:\windows\system32\DRIVERS\TVALZ_O.SYS
2011/09/04 09:55:04.0580 1720 TVALZFL (866462f5ae3f375ef83ef9dce436031c) C:\windows\system32\DRIVERS\TVALZFL.sys
2011/09/04 09:55:04.0611 1720 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\windows\system32\DRIVERS\uagp35.sys
2011/09/04 09:55:04.0720 1720 udfs (09cc3e16f8e5ee7168e01cf8fcbe061a) C:\windows\system32\DRIVERS\udfs.sys
2011/09/04 09:55:04.0751 1720 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\windows\system32\DRIVERS\uliagpkx.sys
2011/09/04 09:55:04.0845 1720 umbus (049b3a50b3d646baeeee9eec9b0668dc) C:\windows\system32\DRIVERS\umbus.sys
2011/09/04 09:55:04.0876 1720 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\windows\system32\DRIVERS\umpass.sys
2011/09/04 09:55:04.0985 1720 usbaudio (2436a42aab4ad48a9b714e5b0f344627) C:\windows\system32\drivers\usbaudio.sys
2011/09/04 09:55:05.0032 1720 usbccgp (c31ae588e403042632dc796cf09e30b0) C:\windows\system32\DRIVERS\usbccgp.sys
2011/09/04 09:55:05.0141 1720 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\windows\system32\DRIVERS\usbcir.sys
2011/09/04 09:55:05.0173 1720 usbehci (e4c436d914768ce965d5e659ba7eebd8) C:\windows\system32\DRIVERS\usbehci.sys
2011/09/04 09:55:05.0282 1720 usbhub (bdcd7156ec37448f08633fd899823620) C:\windows\system32\DRIVERS\usbhub.sys
2011/09/04 09:55:05.0329 1720 usbohci (eb2d819a639015253c871cda09d91d58) C:\windows\system32\drivers\usbohci.sys
2011/09/04 09:55:05.0438 1720 USBPNPA (41b758cff0a3c10a69e088f440677399) C:\windows\system32\drivers\CM108.sys
2011/09/04 09:55:05.0563 1720 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\windows\system32\DRIVERS\usbprint.sys
2011/09/04 09:55:05.0594 1720 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\windows\system32\DRIVERS\usbscan.sys
2011/09/04 09:55:05.0641 1720 USBSTOR (1c4287739a93594e57e2a9e6a3ed7353) C:\windows\system32\DRIVERS\USBSTOR.SYS
2011/09/04 09:55:05.0750 1720 usbuhci (22480bf4e5a09192e5e30ba4dde79fa4) C:\windows\system32\DRIVERS\usbuhci.sys
2011/09/04 09:55:05.0859 1720 usbvideo (b5f6a992d996282b7fae7048e50af83a) C:\windows\System32\Drivers\usbvideo.sys
2011/09/04 09:55:05.0906 1720 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\windows\system32\DRIVERS\vdrvroot.sys
2011/09/04 09:55:05.0999 1720 vga (17c408214ea61696cec9c66e388b14f3) C:\windows\system32\DRIVERS\vgapnp.sys
2011/09/04 09:55:06.0015 1720 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\windows\System32\drivers\vga.sys
2011/09/04 09:55:06.0046 1720 vhdmp (3be6e1f3a4f1afec8cee0d7883f93583) C:\windows\system32\DRIVERS\vhdmp.sys
2011/09/04 09:55:06.0124 1720 viaagp (c829317a37b4bea8f39735d4b076e923) C:\windows\system32\DRIVERS\viaagp.sys
2011/09/04 09:55:06.0140 1720 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\windows\system32\DRIVERS\viac7.sys
2011/09/04 09:55:06.0155 1720 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\windows\system32\DRIVERS\viaide.sys
2011/09/04 09:55:06.0187 1720 volmgr (384e5a2aa49934295171e499f86ba6f3) C:\windows\system32\DRIVERS\volmgr.sys
2011/09/04 09:55:06.0218 1720 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\windows\system32\drivers\volmgrx.sys
2011/09/04 09:55:06.0249 1720 volsnap (58df9d2481a56edde167e51b334d44fd) C:\windows\system32\DRIVERS\volsnap.sys
2011/09/04 09:55:06.0358 1720 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\windows\system32\DRIVERS\vsmraid.sys
2011/09/04 09:55:06.0389 1720 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\windows\system32\DRIVERS\vwifibus.sys
2011/09/04 09:55:06.0483 1720 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\windows\system32\DRIVERS\vwififlt.sys
2011/09/04 09:55:06.0514 1720 vwifimp (a3f04cbea6c2a10e6cb01f8b47611882) C:\windows\system32\DRIVERS\vwifimp.sys
2011/09/04 09:55:06.0608 1720 WacomPen (de3721e89c653aa281428c8a69745d90) C:\windows\system32\DRIVERS\wacompen.sys
2011/09/04 09:55:06.0639 1720 WANARP (692a712062146e96d28ba0b7d75de31b) C:\windows\system32\DRIVERS\wanarp.sys
2011/09/04 09:55:06.0655 1720 Wanarpv6 (692a712062146e96d28ba0b7d75de31b) C:\windows\system32\DRIVERS\wanarp.sys
2011/09/04 09:55:06.0779 1720 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\windows\system32\DRIVERS\wd.sys
2011/09/04 09:55:06.0826 1720 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\windows\system32\drivers\Wdf01000.sys
2011/09/04 09:55:06.0951 1720 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\windows\system32\DRIVERS\wfplwf.sys
2011/09/04 09:55:06.0967 1720 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\windows\system32\drivers\wimmount.sys
2011/09/04 09:55:07.0138 1720 WinUsb (30fc6e5448d0cbaaa95280eeef7fedae) C:\windows\system32\DRIVERS\WinUsb.sys
2011/09/04 09:55:07.0185 1720 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\windows\system32\DRIVERS\wmiacpi.sys
2011/09/04 09:55:07.0310 1720 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\windows\system32\drivers\ws2ifsl.sys
2011/09/04 09:55:07.0357 1720 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\windows\system32\drivers\WudfPf.sys
2011/09/04 09:55:07.0466 1720 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\windows\system32\DRIVERS\WUDFRd.sys
2011/09/04 09:55:07.0559 1720 MBR (0x1B8) (ef1fb3fbba60e54cf5e5a0c96abf6c5b) \Device\Harddisk0\DR0
2011/09/04 09:55:07.0559 1720 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/09/04 09:55:07.0591 1720 Boot (0x1200) (d3edeee7ac5d6f517486663ae521eb90) \Device\Harddisk0\DR0\Partition0
2011/09/04 09:55:07.0591 1720 ================================================================================
2011/09/04 09:55:07.0591 1720 Scan finished
2011/09/04 09:55:07.0591 1720 ================================================================================
2011/09/04 09:55:07.0622 1716 Detected object count: 1
2011/09/04 09:55:07.0622 1716 Actual detected object count: 1
2011/09/04 09:55:45.0374 1716 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Skip
2011/09/04 09:56:45.0746 0336 Deinitialize success


Again

Thanks for any help you can offer as you can offer it

Mike
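
As an added illustration, not part of Mike's post and not code from TDSSKiller: the log above ends with a detection on the MBR (`Rootkit.Win32.TDSS.tdl4`) followed by `User select action: Skip`, meaning the object was found but not cured, which is why the next step in the thread moves to a dedicated MBR fix. The Python below parses TDSSKiller-style log lines (timestamp, thread id, then a scanned object, a `detected` line or a `User select action` line) and lists findings that were not cured. The sample log is constructed in the same layout, with placeholder hashes and a hypothetical second verdict name, so it runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt in the TDSSKiller 2.5.x log layout (placeholder hashes,
# "Trojan.Win32.Example" is a hypothetical verdict name, not a real one).
SAMPLE_LOG = r"""
2011/09/04 09:55:03.0581 1720 Tcpip (00000000000000000000000000000001) C:\windows\system32\drivers\tcpip.sys
2011/09/04 09:55:07.0559 1720 MBR (0x1B8) (00000000000000000000000000000002) \Device\Harddisk0\DR0
2011/09/04 09:55:07.0559 1720 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/09/04 09:55:07.0570 1720 C:\windows\system32\drivers\example.sys - detected Trojan.Win32.Example (1)
2011/09/04 09:55:07.0593 1720 Scan finished
2011/09/04 09:55:07.0622 1716 Detected object count: 2
2011/09/04 09:55:45.0374 1716 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Skip
2011/09/04 09:55:45.0380 1716 Trojan.Win32.Example(C:\windows\system32\drivers\example.sys) - User select action: Cure
"""

# Every line: timestamp, thread id, then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d+)\s+(?P<rest>.*)$")
# "<object> - detected <verdict> (<n>)"
DETECT_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<verdict>\S+) \((?P<n>\d+)\)$")
# "<verdict>(<object>) - User select action: <action>"
ACTION_RE = re.compile(
    r"^(?P<verdict>[^(]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
# "<name> (<md5>) <path>" for each scanned driver / boot sector
SCANNED_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")


@dataclass
class Finding:
    obj: str
    verdict: str
    action: Optional[str] = None  # stays None if no action line follows


@dataclass
class Report:
    scanned: int = 0
    finished: bool = False
    findings: List[Finding] = field(default_factory=list)


def parse_tdsskiller_log(text: str) -> Report:
    """Walk the log once, pairing 'detected' lines with their later action lines."""
    report = Report()
    by_obj = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        if rest == "Scan finished":
            report.finished = True
            continue
        d = DETECT_RE.match(rest)
        if d:
            f = Finding(d.group("obj"), d.group("verdict"))
            report.findings.append(f)
            by_obj[f.obj] = f
            continue
        a = ACTION_RE.match(rest)
        if a:
            f = by_obj.get(a.group("obj"))
            if f is None:  # action without a matching detection line: still record it
                f = Finding(a.group("obj"), a.group("verdict"))
                report.findings.append(f)
                by_obj[f.obj] = f
            f.action = a.group("action")
            continue
        if SCANNED_RE.match(rest):
            report.scanned += 1
    return report


def unresolved(report: Report) -> List[Finding]:
    """Detected objects that were neither cured nor deleted still need follow-up."""
    return [f for f in report.findings if f.action not in ("Cure", "Delete")]


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"scanned={rep.scanned} finished={rep.finished} findings={len(rep.findings)}")
    for f in unresolved(rep):
        print(f"UNRESOLVED: {f.verdict} on {f.obj} (action: {f.action})")
```

The useful signal is the pairing: a detection with action `Skip` (or no action at all) is the case a helper should read as "still infected", regardless of what the scan summary says.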

#8 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 04 September 2011 - 10:32 AM

Hello indymhr :),

Please uninstall these:
Ad-Aware
Spybot - Search & Destroy

You can install them back later as I do not want any interference to our fixes from their real time protection.

Please make a copy of this file to another location as a backup because it will be overwritten when the aswMBR tool is executed again:
C:\Users\Matt Raymond\Desktop\MBR.dat

--------------------

For Windows Vista or Seven, please use right click and select Run as administrator instead of double click to run all the tools I ask you to, or they may not work properly.

Fix with aswMBR
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Please rerun aswMBR.
  • Repeat the initial steps by clicking on Scan.
  • When the scan is finished, click Fix for TDL4. The other FixMBR button is greyed out or disabled. <-- Important, please do not proceed if it is other than what is described, and inform me immediately.
  • There may be a slight pause; please wait until the tool prompts Infection fixed successfully.
  • Then, reboot your computer. In case the computer becomes unresponsive after the fix, please do a hard reboot.
  • Save the log as before and post in your next reply.
--------------------

Please make sure you have rebooted the computer after aswMBR before proceeding below.

Please download ComboFix from one of the links below and save it to your desktop.

Link 1
Link 2

Do not mouse click on ComboFix while it is running. That may cause it to stall. ComboFix is a powerful tool and must not be used without supervision.

Run ComboFix
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click on ComboFix.exe and follow the prompts.
  • When finished, a log will be produced as C:\ComboFix.txt. Please post this log in your next reply.
  • If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
  • Re-enable your security software as soon as you have completed the ComboFix steps.
A detailed step by step tutorial to run ComboFix can be found here if you need help.

--------------------

Please post back:
1. aswMBR log
2. ComboFix log

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#9 indymhr

indymhr
  • Topic Starter

  • Members
  • 31 posts

Posted 04 September 2011 - 03:11 PM

Hi

I will do this, but I forgot to mention last time - Everything I'm doing is in safe mode, so I have no internet connection and those programs were not running, but I will take them off and post the logs once I have this done

Thanks

Mike

#10 indymhr

indymhr
  • Topic Starter

  • Members
  • 31 posts

Posted 04 September 2011 - 04:32 PM

Hi

ok - I have that done - I am attaching the logs as requested

For the aswMBR scan, it did not let me save a log before restarting the computer, and the program did not reopen when I restarted in safe mode - so I reran the aswMBR scan and just saved that file (I did not do anything with the second scan)

Otherwise, seemed to go as you said

Thanks again for your help

Mike



aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-04 16:54:54
-----------------------------
16:54:54.661 OS Version: Windows 6.1.7600
16:54:54.661 Number of processors: 2 586 0x170A
16:54:54.661 ComputerName: MATTRAYMOND-PC UserName: Matt Raymond
16:54:55.426 Initialize success
16:54:56.346 AVAST engine defs: 11070202
16:55:00.605 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:55:00.620 Disk 0 Vendor: Hitachi_ PB3O Size: 305245MB BusType: 3
16:55:00.636 Disk 0 MBR read successfully
16:55:00.636 Disk 0 MBR scan
16:55:01.151 Disk 0 Windows VISTA default MBR code
16:55:01.166 Disk 0 scanning sectors +625141760
16:55:01.946 Disk 0 scanning C:\windows\system32\drivers
16:55:14.224 Service scanning
16:55:16.189 Modules scanning
16:55:22.897 Disk 0 trace - called modules:
16:55:22.929 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll
16:55:22.944 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85fba030]
16:55:22.944 3 CLASSPNP.SYS[8a9dc59e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x848de028]
16:55:23.631 AVAST engine scan C:\windows
16:55:25.050 AVAST engine scan C:\windows\system32
16:56:28.807 AVAST engine scan C:\windows\system32\drivers
16:56:35.110 AVAST engine scan C:\Users\Matt Raymond
16:58:56.228 AVAST engine scan C:\ProgramData
17:07:52.993 Scan finished successfully
17:08:33.086 Disk 0 MBR has been saved successfully to "C:\Users\Matt Raymond\Desktop\MBR.dat"
17:08:33.086 The log file has been saved successfully to "C:\Users\Matt Raymond\Desktop\aswMBR_new.txt"



ComboFix 11-09-04.03 - Matt Raymond 09/04/2011 17:17:52.1.2 - x86 MINIMAL
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2940.2132 [GMT -4:00]
Running from: c:\users\Matt Raymond\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Outdated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
FW: PC Tools Firewall Plus *Disabled* {7352CBFB-3EEC-25C5-276E-DC9378FC688F}
SP: avast! Antivirus *Enabled/Outdated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Matt Raymond\AppData\Local\{F8FC32AF-EA72-4DDC-9A02-031274FBB0B5}
c:\users\Matt Raymond\AppData\Local\{F8FC32AF-EA72-4DDC-9A02-031274FBB0B5}\chrome.manifest
c:\users\Matt Raymond\AppData\Local\{F8FC32AF-EA72-4DDC-9A02-031274FBB0B5}\chrome\content\_cfg.js
c:\users\Matt Raymond\AppData\Local\{F8FC32AF-EA72-4DDC-9A02-031274FBB0B5}\chrome\content\overlay.xul
c:\users\Matt Raymond\AppData\Local\{F8FC32AF-EA72-4DDC-9A02-031274FBB0B5}\install.rdf
c:\users\Matt Raymond\AppData\Roaming\inst.exe
c:\windows\system32\msconfig.exe
c:\windows\system32\odbcad32.exe
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-08-04 to 2011-09-04 )))))))))))))))))))))))))))))))
.
.
2011-09-04 21:23 . 2011-09-04 21:24 -------- d-----w- c:\users\Matt Raymond\AppData\Local\temp
2011-09-04 21:23 . 2011-09-04 21:23 -------- d-----w- c:\users\Default\AppData\Local\temp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-31 00:33 . 2011-07-31 00:33 388096 ----a-r- c:\users\Matt Raymond\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-03 00:21 . 2011-07-03 00:21 0 ----a-w- c:\users\Matt Raymond\AppData\Local\Fzawiruha.bin
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyTOSHIBA"="c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe" [2009-08-06 264048]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-04 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2009-07-14 51712]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 151064]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-21 1545512]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-08-05 476512]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2009-03-09 55160]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-07-28 460088]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-08-05 738616]
"TosWaitSrv"="c:\program files\TOSHIBA\TPHM\TosWaitSrv.exe" [2009-08-07 611672]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-08-17 1294136]
"Teco"="c:\program files\TOSHIBA\TECO\Teco.exe" [2009-08-11 1324384]
"TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-08-11 2446648]
"SmartFaceVWatcher"="c:\program files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [2009-07-29 163840]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-08-04 611672]
"NortonOnlineBackupReminder"="c:\program files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" [2009-07-16 529256]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-02-23 2652056]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
.
c:\users\Matt Raymond\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
KidzProtection.exe [2006-3-30 5173319]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^Users^Matt Raymond^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=c:\users\Matt Raymond\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=c:\windows\pss\Microsoft Office Groove.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 23:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-02-20 00:14 1217872 ----a-w- c:\program files\Steam\Steam.exe
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]
2009-08-06 16:15 264048 ----a-w- c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-21 02:38]
.
2011-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-21 02:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Matt Raymond\AppData\Roaming\Mozilla\Firefox\Profiles\ye2srnim.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-ISUSPM Startup - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
HKCU-Run-Cdehu - c:\users\Matt Raymond\AppData\Local\irvpils.dll
HKCU-Run-Gkejoqevoyoxaji - c:\users\Matt Raymond\AppData\Local\opeluqizevaxikuf.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-09-04 17:25:21
ComboFix-quarantined-files.txt 2011-09-04 21:25
.
Pre-Run: 262,328,762,368 bytes free
Post-Run: 262,119,718,912 bytes free
.
- - End Of File - - 9FC71CC395FDDBE0A6A50CA0F74AE389



Edited by Jack&Jill, 04 September 2011 - 07:19 PM.
Copy paste logs
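
As an added illustration, not part of Mike's post and not ComboFix's own code: the report above lists autorun entries under "Reg Loading Points" and, under "ORPHANS REMOVED", Run values that pointed at randomly named DLLs in `AppData\Local`. The Python below parses those two parts of a ComboFix-style report and flags autorun targets that live in user-writable locations (`AppData`, `ProgramData`, `Temp`) or that are bare DLLs, which is the pattern a helper looks for first. The sample is a constructed excerpt in the same layout; the profile name `example` and the value name `Updater` are made up.

```python
import re
from typing import Dict, List

# Constructed excerpt in the ComboFix report layout (profile "example" and the
# "Updater" value are invented; the other names mirror the report's own style).
SAMPLE_REPORT = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"Updater"="c:\users\example\AppData\Roaming\inst.exe" [2011-07-03 51200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 141848]
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-Cdehu - c:\users\example\AppData\Local\irvpils.dll
HKCU-Run-ISUSPM Startup - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="path" [yyyy-mm-dd size]
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"(?: \[(?P<date>[\d-]+) (?P<size>\d+)\])?$')
# HKCU-Run-<name> - <path>   (orphan listing)
ORPHAN_RE = re.compile(r"^(?P<hive>HKCU|HKLM)-Run-(?P<name>.+?) - (?P<path>.+)$")


def classify(path: str) -> List[str]:
    """Reasons an autorun target deserves a second look (empty list = nothing odd)."""
    reasons = []
    p = path.lower()
    if re.search(r"\\appdata\\", p) or p.startswith("c:\\programdata\\") or "\\temp\\" in p:
        reasons.append("user-writable location")
    if p.endswith(".dll"):
        # Run values launch executables; a bare DLL as the target is unusual.
        reasons.append("dll as autorun target")
    return reasons


def parse_autoruns(text: str) -> List[Dict]:
    """Collect Run-key values and Run orphans from a ComboFix-style report."""
    entries = []
    key = None
    in_orphans = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if "ORPHANS REMOVED" in line:
            in_orphans, key = True, None
            continue
        m = SECTION_RE.match(line)
        if m:
            key, in_orphans = m.group("key"), False
            continue
        if key and key.lower().endswith("\\run"):
            v = VALUE_RE.match(line)
            if v:
                entries.append({"source": key, "name": v.group("name"),
                                "path": v.group("path"), "orphan": False})
            continue
        if in_orphans:
            o = ORPHAN_RE.match(line)
            if o:
                entries.append({"source": o.group("hive") + "\\Run", "name": o.group("name"),
                                "path": o.group("path"), "orphan": True})
    return entries


def flag_suspicious(entries: List[Dict]) -> List[Dict]:
    """Return only the entries that have at least one reason attached."""
    out = []
    for e in entries:
        reasons = classify(e["path"])
        if reasons:
            out.append({**e, "reasons": reasons})
    return out


if __name__ == "__main__":
    for e in flag_suspicious(parse_autoruns(SAMPLE_REPORT)):
        tag = "orphan" if e["orphan"] else "active"
        print(f"{tag:6} {e['source']} {e['name']!r} -> {e['path']}  [{', '.join(e['reasons'])}]")
```

The location heuristic is deliberately coarse: legitimate software does install into `AppData`, so a flag means "verify this one", not "malicious". On the report above it would single out exactly the `inst.exe` entry and the two DLL orphans.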


#11 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 04 September 2011 - 08:10 PM

Hello indymhr :),

I notice from the logs that the usual files appear to be missing. Do you find anything missing? Could you please take a look in a few folders and in C:\Windows?

Please delete this file:
c:\users\Matt Raymond\AppData\Local\Fzawiruha.bin

--------------------

Repeat TDSSKiller
  • Double click on TDSSKiller.exe to execute it.
  • Press Start scan to begin.
  • If any malicious objects are found, the default action will be Cure. If any suspicious objects are found, the default action will be Skip. In case Cure is not an option, please select Skip only.
  • Then click on Continue at the lower right corner.
  • You may be prompted to reboot your computer, please consent.
  • Once complete, a log will be produced at C:\. It will be named TDSSKiller.Version_Date_Time_log.txt, for example, C:\TDSSKiller.2.4.12.0_26.12.2010_23.12.11_log.txt.
  • Please post the contents of this log.
If there are any Cure actions, please reboot the computer after the scan is finished.

--------------------

Upload file(s) to VirusTotal (VT) for an online scan. Click here.
  • Click on the Browse button or the white box beside it. A File Upload prompt will open.
  • Copy and paste the following file and its path to upload:
    C:\Qoobox\Quarantine\C\WINDOWS\system32\msconfig.exe.vir
  • Press Open, then Send file. The file will be uploaded for testing.
  • If there is any indication or prompt that the file has been scanned before, please proceed to have the file rescanned or reanalyzed.
  • Please wait for all the scanners to finish, then copy and paste the result into Notepad and save it to a convenient place.
  • Repeat for
    C:\Qoobox\Quarantine\C\WINDOWS\system32\odbcad32.exe.vir
  • Post the results in your next response.
Alternatively, if VirusTotal is busy or inaccessible, you may try Jotti or VirScan (VS) with similar steps.

A result from either one of the above scanners would be sufficient.

--------------------

Please post back:
1. if anything is missing
2. TDSSKiller log
3. VT results

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#12 indymhr

indymhr
  • Topic Starter

  • Members
  • 31 posts

Posted 06 September 2011 - 08:43 PM

Hi again - sorry for the delay

I wasn't really sure what you meant by missing files, but I did look in C:\windows - it seems like all the files and folders are there (so far as I know) - I didn't open any of the folders up - also, the scans were done in safe mode, could that have been a reason these files didn't show up in the scan? Anyway, seems like they are there - Do you have any specific files you want me to look for?

I ran TDSSKiller - it did not find any problems - I have posted the log

I posted those two files to VirusTotal and scanned them - they came up as "goodware" - I copied a bunch of stuff and posted it on wordpad, one for each file - I may have copied more than I needed, but I wanted to be sure I got it all.

Finally, in order to use the internet, I had to boot in normal mode and the computer didn't crash - it also didn't pop up the warning message for the missing files for the two files I thought were viruses (irvpls.dll and opeluqizevaxikuf.dll) which I think is good - MyToshiba and Toshiba Service Station still don't work, but they may just be casualties (could that be caused by the files you think may be missing?)

Anyway - I think that is it

Thanks again

Mike

2011/09/06 21:16:26.0758 6020 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/09/06 21:16:28.0759 6020 ================================================================================
2011/09/06 21:16:28.0759 6020 SystemInfo:
2011/09/06 21:16:28.0759 6020
2011/09/06 21:16:28.0759 6020 OS Version: 6.1.7600 ServicePack: 0.0
2011/09/06 21:16:28.0759 6020 Product type: Workstation
2011/09/06 21:16:28.0760 6020 ComputerName: MATTRAYMOND-PC
2011/09/06 21:16:28.0760 6020 UserName: Matt Raymond
2011/09/06 21:16:28.0760 6020 Windows directory: C:\windows
2011/09/06 21:16:28.0760 6020 System windows directory: C:\windows
2011/09/06 21:16:28.0760 6020 Processor architecture: Intel x86
2011/09/06 21:16:28.0760 6020 Number of processors: 2
2011/09/06 21:16:28.0760 6020 Page size: 0x1000
2011/09/06 21:16:28.0760 6020 Boot type: Normal boot
2011/09/06 21:16:28.0760 6020 ================================================================================
2011/09/06 21:16:29.0389 6020 Initialize success
2011/09/06 21:16:36.0142 4784 ================================================================================
2011/09/06 21:16:36.0142 4784 Scan started
2011/09/06 21:16:36.0142 4784 Mode: Manual;
2011/09/06 21:16:36.0142 4784 ================================================================================
2011/09/06 21:16:37.0065 4784 1394ohci (6d2aca41739bfe8cb86ee8e85f29697d) C:\windows\system32\DRIVERS\1394ohci.sys
2011/09/06 21:16:37.0340 4784 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\windows\system32\DRIVERS\ACPI.sys
2011/09/06 21:16:37.0537 4784 AcpiPmi (98d81ca942d19f7d9153b095162ac013) C:\windows\system32\DRIVERS\acpipmi.sys
2011/09/06 21:16:37.0670 4784 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\windows\system32\DRIVERS\adp94xx.sys
2011/09/06 21:16:37.0818 4784 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\windows\system32\DRIVERS\adpahci.sys
2011/09/06 21:16:37.0880 4784 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\windows\system32\DRIVERS\adpu320.sys
2011/09/06 21:16:38.0031 4784 AFD (ddc040fdb01ef1712a6b13e52afb104c) C:\windows\system32\drivers\afd.sys
2011/09/06 21:16:38.0121 4784 AgereSoftModem (7e10e3bb9b258ad8a9300f91214d67b9) C:\windows\system32\DRIVERS\AGRSM.sys
2011/09/06 21:16:38.0245 4784 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\windows\system32\DRIVERS\agp440.sys
2011/09/06 21:16:38.0310 4784 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\windows\system32\DRIVERS\djsvs.sys
2011/09/06 21:16:38.0440 4784 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\windows\system32\DRIVERS\aliide.sys
2011/09/06 21:16:38.0466 4784 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\windows\system32\DRIVERS\amdagp.sys
2011/09/06 21:16:38.0502 4784 amdide (cd5914170297126b6266860198d1d4f0) C:\windows\system32\DRIVERS\amdide.sys
2011/09/06 21:16:38.0597 4784 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\windows\system32\DRIVERS\amdk8.sys
2011/09/06 21:16:38.0637 4784 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\windows\system32\DRIVERS\amdppm.sys
2011/09/06 21:16:38.0743 4784 amdsata (19ce906b4cdc11fc4fef5745f33a63b6) C:\windows\system32\drivers\amdsata.sys
2011/09/06 21:16:38.0783 4784 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\windows\system32\DRIVERS\amdsbs.sys
2011/09/06 21:16:38.0947 4784 amdxata (869e67d66be326a5a9159fba8746fa70) C:\windows\system32\drivers\amdxata.sys
2011/09/06 21:16:39.0069 4784 AppID (feb834c02ce1e84b6a38f953ca067706) C:\windows\system32\drivers\appid.sys
2011/09/06 21:16:39.0209 4784 arc (2932004f49677bd84dbc72edb754ffb3) C:\windows\system32\DRIVERS\arc.sys
2011/09/06 21:16:39.0239 4784 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\windows\system32\DRIVERS\arcsas.sys
2011/09/06 21:16:39.0361 4784 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\windows\system32\DRIVERS\asyncmac.sys
2011/09/06 21:16:39.0484 4784 atapi (338c86357871c167a96ab976519bf59e) C:\windows\system32\DRIVERS\atapi.sys
2011/09/06 21:16:39.0591 4784 atikmdag (712d8a95e45b070114c5309ada7358ff) C:\windows\system32\DRIVERS\atikmdag.sys
2011/09/06 21:16:39.0905 4784 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\windows\system32\DRIVERS\bxvbdx.sys
2011/09/06 21:16:40.0077 4784 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\windows\system32\DRIVERS\b57nd60x.sys
2011/09/06 21:16:40.0199 4784 Beep (505506526a9d467307b3c393dedaf858) C:\windows\system32\drivers\Beep.sys
2011/09/06 21:16:40.0341 4784 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\windows\system32\DRIVERS\blbdrive.sys
2011/09/06 21:16:40.0423 4784 bowser (9a5c671b7fbae4865149bb11f59b91b2) C:\windows\system32\DRIVERS\bowser.sys
2011/09/06 21:16:40.0523 4784 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\windows\system32\DRIVERS\BrFiltLo.sys
2011/09/06 21:16:40.0553 4784 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\windows\system32\DRIVERS\BrFiltUp.sys
2011/09/06 21:17:02.0680 4784 ================================================================================
2011/09/06 21:17:02.0680 4784 Scan finished
2011/09/06 21:17:02.0680 4784 ================================================================================
2011/09/06 21:17:02.0704 4468 Detected object count: 0
2011/09/06 21:17:02.0704 4468 Actual detected object count: 0
1 VT Community user(s) with a total of 679 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: msconfig.exe.vir
Submission date: 2011-09-07 01:20:19 (UTC)
Current status: finished
Result: 0/44 (0.0%)

VT Community: goodware
Safety score: 100.0%
Additional information
MD5 : 93ba58f2cfa194a23a72fe86eabd680d
SHA1 : a11af3d2731e035fb86835700bf0dfc1c0f53ea0
SHA256: 48c3a55ecb4f0319ae06d04b2beec4a1b942c45f527c26fd46ae9c35a8945945
ssdeep: 3072:2Fd7bV+aLWr1baULkdfONFyHNCXqX8wXuQJYfPj+7A0nFOjffUd0/HlGJRA1E6:2Df6kdmNFygXY8wKi7AkOjXUdSGJRWx
File size : 233984 bytes
First seen: 2009-07-19 03:00:07
Last seen : 2011-09-07 01:20:19
TrID:
Windows Screen Saver (39.4%)
Win32 Executable Generic (25.6%)
Win32 Dynamic Link Library (generic) (22.8%)
Generic Win/DOS Executable (6.0%)
DOS Executable Generic (6.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: System Configuration Utility
original name: msconfig.EXE
internal name: msconfig.EXE
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x134BB
timedatestamp....: 0x4A5BC11F (Mon Jul 13 23:19:59 2009)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x23A96, 0x23C00, 6.31, bfdf6fadfd6bd4ac2072776a3c615c7f
.data, 0x25000, 0xC28, 0x600, 4.59, 2e29634a2b82ffac3840a31d88a9e065
.rsrc, 0x26000, 0x12768, 0x12800, 7.19, 8fbc484ad8499cdc982336667f883891
.reloc, 0x39000, 0x23C4, 0x2400, 6.07, 719877be79540795c5be8dd7e30885e4

1 VT Community user(s) with a total of 679 reputation credit(s) say(s) this sample is goodware. 1 VT Community user(s) with a total of 1 reputation credit(s) say(s) this sample is malware.
File name:
odbcad32.exe.vir
Submission date:
2011-09-07 01:25:39 (UTC)
Current status:
finished
Result:
0/ 44 (0.0%)

VT Community

goodware
Safety score: 99.9%
Antivirus Version Last Update Result
AhnLab-V3 2011.09.07.00 2011.09.06 -
AntiVir 7.11.14.125 2011.09.06 -
Antiy-AVL 2.0.3.7 2011.09.06 -
Avast 4.8.1351.0 2011.09.07 -
Avast5 5.0.677.0 2011.09.07 -
AVG 10.0.0.1190 2011.09.06 -
BitDefender 7.2 2011.09.07 -
ByteHero None 2011.09.07 -
CAT-QuickHeal 11.00 2011.09.06 -
ClamAV 0.97.0.0 2011.09.07 -
Commtouch 5.3.2.6 2011.09.07 -
Comodo 10018 2011.09.07 -
DrWeb 5.0.2.03300 2011.09.07 -
Emsisoft 5.1.0.11 2011.09.07 -
eSafe 7.0.17.0 2011.09.06 -
eTrust-Vet 36.1.8543 2011.09.06 -
F-Prot 4.6.2.117 2011.09.07 -
F-Secure 9.0.16440.0 2011.09.07 -
Fortinet 4.3.370.0 2011.09.06 -
GData 22 2011.09.07 -
Ikarus T3.1.1.107.0 2011.09.07 -
Jiangmin 13.0.900 2011.09.06 -
K7AntiVirus 9.112.5096 2011.09.06 -
Kaspersky 9.0.0.837 2011.09.07 -
McAfee 5.400.0.1158 2011.09.06 -
McAfee-GW-Edition 2010.1D 2011.09.06 -
Microsoft 1.7604 2011.09.06 -
NOD32 6442 2011.09.07 -
Norman 6.07.11 2011.09.06 -
nProtect 2011-09-06.01 2011.09.06 -
Panda 10.0.3.5 2011.09.06 -
PCTools 8.0.0.5 2011.09.07 -
Prevx 3.0 2011.09.07 -
Rising 23.74.01.03 2011.09.06 -
Sophos 4.69.0 2011.09.07 -
SUPERAntiSpyware 4.40.0.1006 2011.09.07 -
Symantec 20111.2.0.82 2011.09.07 -
TheHacker 6.7.0.1.290 2011.09.03 -
TrendMicro 9.500.0.1008 2011.09.06 -
TrendMicro-HouseCall 9.500.0.1008 2011.09.07 -
VBA32 3.12.16.4 2011.09.05 -
VIPRE 10393 2011.09.07 -
ViRobot 2011.9.6.4659 2011.09.06 -
VirusBuster 14.0.202.1 2011.09.06 -
Additional information
MD5 : 76b5a48d429d29f69485bd314b9866a6
SHA1 : 9bbd0a11e2af4c81df70625f55bebb81256422fb
SHA256: 92a3e32b54aeac213db9d5d927113a500884fd45882f6cae79b151dcb68352c7
ssdeep: 1536:LuEN3Dytv3Jrz6q9EyYt9FlUIlbvBjIloW:yA3UUKI9jo
File size : 86016 bytes
First seen: 2010-06-14 14:43:27
Last seen : 2011-09-07 01:25:39
TrID:
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: ODBC Administrator
original name: odbcad32.exe
internal name: odbcad32.exe
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1950
timedatestamp....: 0x4A5BCD4C (Tue Jul 14 00:11:56 2009)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x16C4, 0x2000, 4.81, 668feca799680a93fc927e7f1957c663
.data, 0x3000, 0x37C, 0x1000, 0.06, ed6b27ff07af399f3d525c0a70e6808d
.rsrc, 0x4000, 0xF3B0, 0x10000, 7.09, ab52a29de35fd7462e3358c9c5e9eb9d
.reloc, 0x14000, 0x31C, 0x1000, 0.99, ee730724c6bfdb8e27092f248cc5ac7a

[[ 3 import(s) ]]
KERNEL32.dll: FreeLibrary, RegisterApplicationRestart, LoadLibraryW, HeapSetInformation, Sleep, InterlockedCompareExchange, GetStartupInfoA, SetUnhandledExceptionFilter, GetModuleHandleA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, LoadLibraryA, GetSystemDirectoryA, GetModuleFileNameA, GetProcAddress, InterlockedExchange
USER32.dll: MessageBoxA, GetLastActivePopup, IsIconic, OpenIcon, SetForegroundWindow, BringWindowToTop, MessageBoxW, LoadStringW, LoadStringA, LoadIconW, RegisterClassW, CreateWindowExW, ShowWindow, UpdateWindow, GetDesktopWindow, GetWindowRect, MoveWindow, DestroyWindow, DefWindowProcW, FindWindowW
msvcrt.dll: _controlfp, _except_handler4_common, _terminate@@YAXXZ, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _initterm, _acmdln, exit, _ismbblead, _XcptFilter, _exit, _cexit, __getmainargs, _amsg_exit, _vsnprintf, memset


Edited by Jack&Jill, 07 September 2011 - 12:00 AM.
Copy paste logs
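
As an added example (not code from this thread, nor from VirusTotal or ComboFix), here is the kind of check a responder applies to a pasted VirusTotal report before deciding whether a quarantined file can be restored, as is being decided for odbcad32.exe.vir above. The REPORT string is a constructed excerpt in the layout of the report pasted above; the field names, regexes and entropy threshold are this example's own assumptions.

```python
# Added example (not from the thread): triage a pasted VirusTotal text report
# before restoring a quarantined file. REPORT is a constructed excerpt in the
# same layout as the report pasted above; the checks below are assumptions.
import re

REPORT = """\
File name:
odbcad32.exe.vir
Result:
0/ 44 (0.0%)
sigcheck:
publisher....: Microsoft Corporation
original name: odbcad32.exe
verified.....: Unsigned
[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x16C4, 0x2000, 4.81, 668feca799680a93fc927e7f1957c663
.data, 0x3000, 0x37C, 0x1000, 0.06, ed6b27ff07af399f3d525c0a70e6808d
.rsrc, 0x4000, 0xF3B0, 0x10000, 7.09, ab52a29de35fd7462e3358c9c5e9eb9d
.reloc, 0x14000, 0x31C, 0x1000, 0.99, ee730724c6bfdb8e27092f248cc5ac7a
"""

FIELD = re.compile(r"^([a-z][a-z ]*?)\.*: (.+)$", re.M)     # "publisher....: X"
SECTION = re.compile(r"^(\.\w+), 0x\w+, 0x\w+, 0x\w+, ([\d.]+), ([0-9a-f]{32})$", re.M)

def parse_report(text):
    """Pull out the fields that matter for a restore decision."""
    name = re.search(r"^File name:\n(.+)$", text, re.M).group(1)
    hits, engines = map(int, re.search(r"^Result:\n(\d+)/ ?(\d+)", text, re.M).groups())
    sections = [(n, float(e), h) for n, e, h in SECTION.findall(text)]
    return {"file": name, "hits": hits, "engines": engines,
            "fields": dict(FIELD.findall(text)), "sections": sections}

def triage(text):
    r = parse_report(text)
    quarantined = r["file"][:-4] if r["file"].endswith(".vir") else r["file"]
    findings = {
        "detections": (r["hits"], r["engines"]),
        # ComboFix keeps the original name plus ".vir"; a mismatch with the
        # version resource's "original name" deserves a second look.
        "name_mismatch": quarantined.lower() != r["fields"].get("original name", "").lower(),
        # Entropy near 8 in a code/data section suggests packing; .rsrc is skipped
        # because compressed icons and bitmaps raise it legitimately.
        "packed_code": [n for n, e, _ in r["sections"] if e >= 7.0 and n != ".rsrc"],
        # "Unsigned" means no embedded Authenticode signature. Windows system
        # binaries are mostly catalog-signed, so this alone is not evidence of
        # tampering; compare the MD5/SHA256 against a known-good copy instead.
        "embedded_signature": r["fields"].get("verified") != "Unsigned",
    }
    findings["restore_candidate"] = (r["hits"] == 0 and not findings["name_mismatch"]
                                     and not findings["packed_code"])
    return findings

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```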


#13 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia
  • Local time:01:10 AM

Posted 07 September 2011 - 12:08 AM

Hello indymhr :),

Upload files
  • Open Notepad. Copy and paste the following text into it:
    @echo off
    rem Add each quarantined (.vir) file to Files_for_submission.zip using the zip command-line tool
    for %%g in (
    C:\Qoobox\Quarantine\C\WINDOWS\system32\msconfig.exe.vir
    C:\Qoobox\Quarantine\C\WINDOWS\system32\odbcad32.exe.vir
    ) do zip Files_for_submission %%g
    rem Delete this batch file once the zip has been created
    del %0
  • Save it as grab.bat at the desktop. Make sure the Save as type: is All Files (*.*).
  • Double click on grab.bat to run it. Allow if prompted by any security software.
  • A file Files_for_submission.zip will appear on your desktop.
  • Please upload the zip file to this upload channel and follow the steps accordingly.
--------------------

Do an online scan with ESET Online Scanner.
Please be patient as scanning will take quite some time. If you have problems running the scan, you might want to disable any real-time protection that you have.
  • Click here to go to ESET Online Scanner page.
  • Click on Run ESET Online Scanner. A new window will open.
    For Firefox users, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
  • After reading through the Terms of Use, check YES, I accept the Terms of Use and click Start to begin scan.
  • You will be prompted to install an ActiveX Control from ESET. Please install.
  • At the Computer scan settings section, uncheck (untick) Remove found threats. <-- Important, do not remove anything yet.
  • Then, check Scan archives.
  • Now, click on Advanced settings and make sure all these are checked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click on Scan to proceed.
  • When done, the scan result will be shown. Look for C:\Program Files\ESET\ESET Online Scanner\log.txt and open the file.
  • Post the contents in your reply.
If the contents of log.txt do not reflect what is shown in the result window, click on List of found threats, then Export to text file..., save a file and post that instead.

--------------------

Please post back:
1. if upload is successful
2. the ESET online scan result
3. how is the computer now?

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#14 indymhr

indymhr
  • Topic Starter

  • Members
  • 31 posts
  • Local time:12:10 PM

Posted 08 September 2011 - 01:39 PM

Hi

Ok - 1. - the upload was successful

2. - the ESET scan was clean - I have attached the log

3. - the computer seems to be running fine. The only thing I noticed was that MS Messenger failed to start this time. There had been issues with it, but it didn't try to start; it just said it wasn't found or that it couldn't open (I didn't notice which). I think this is a result of having had the rootkit, not a continuing issue, but I thought I would mention it.

Anyway Thanks as always


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=a2125dacc630534799e3aeb3bd1a93e3
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-09-08 06:31:42
# local_time=2011-09-08 02:31:42 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 2509295 2509295 0 0
# compatibility_mode=768 16777215 100 0 26694888 26694888 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776573 100 94 0 67048094 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=208964
# found=0
# cleaned=0
# scan_time=3400


Edited by Jack&Jill, 08 September 2011 - 06:31 PM.
Copy paste log


#15 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia
  • Local time:01:10 AM

Posted 09 September 2011 - 09:42 AM

Hello indymhr :),

Things are looking good and thanks for the upload. I will be giving you some security recommendations after this.

For any logs or results, please post them by copying and pasting the text. Please do not attach unless I specifically request it.

3. - the computer seems to be running fine. The only thing I noticed was that MS Messenger failed to start this time. There had been issues with it, but it didn't try to start; it just said it wasn't found or that it couldn't open (I didn't notice which). I think this is a result of having had the rootkit, not a continuing issue, but I thought I would mention it.

Uninstall / reinstall it. Should fix the problem.

--------------------

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use. Do not mouse click on ComboFix while it is running. That may cause it to stall.

Run ComboFix script
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Open Notepad. Copy and paste the following text into it:
    DeQuarantine::
    C:\Qoobox\Quarantine\C\WINDOWS\system32\msconfig.exe.vir
    C:\Qoobox\Quarantine\C\WINDOWS\system32\odbcad32.exe.vir
    Quit::
    
    
  • Save it as CFScript.txt at the desktop. Make sure the Save as type: is All Files (*.*).

    [Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update, please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, a log will be produced as C:\ComboFix.txt. Copy and paste the contents of the log in your next reply.
  • If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
  • Re-enable your security software as soon as you have completed the ComboFix steps.
--------------------

Your Adobe Reader is outdated. Older versions have security vulnerabilities that can be exploited.

Please update your Adobe Reader to the latest.
It is important that you uninstall any previous versions by using Add/Remove Programs in your Control Panel before installing a newer version. Please uninstall:

Adobe Reader 9.1

  • Go to the Adobe download page. Click here.
  • If your OS is not the same as stated, click on the Do you have a different language or operating system? link.
    • Under the Select an operating system title, choose the OS that you have.
    • Change the language at the Select a language title.
    • Next, select the version of the reader at the Select a Version title.
    • Uncheck (untick) to opt out of Google Chrome installation.
    • Click the Download now button to proceed. Allow if prompted and save the file to a convenient location.
    • Run the downloaded file to continue with the installation.
  • If your OS is the same, uncheck (untick) to opt out of McAfee Security Scan Plus installation.
  • Click Download to proceed. Allow if prompted and save the file to a convenient location.
  • Run the downloaded file to continue with the installation.
Alternatively, you can try Foxit Reader Portable or Nuance PDF Reader.

--------------------

Your Java Runtime Environment is outdated. Older versions have security vulnerabilities that can be exploited.

Please update JRE to the latest.
It is important that you uninstall any previous versions by using Add/Remove Programs in your Control Panel before installing a newer version. Please uninstall:

Java™ 6 Update 14

  • Go to the Java SE download page. Click here.
  • Under the Windows title, click on Windows 7, XP Offline (32-bit) or Windows 7, XP Offline (64-bit) and save the file to your desktop.
  • Close any programs you may have running, especially your web browser.
  • Then, from your desktop, double click on the download to install the newest version. Reboot your computer.
--------------------

Your Firefox browser is outdated. Older versions have security vulnerabilities that can be exploited.

Please update your Firefox browser to the latest. You may need to use Internet Explorer temporarily for this, or download the program first before continuing the uninstall step.
It is important that you uninstall any previous versions by using Add/Remove Programs in your Control Panel before installing a newer version. Please uninstall:

Mozilla Firefox (3.0.19)

  • Go to the Mozilla Firefox download page. Click here.
  • Click on the Free Download button and save the setup file to a convenient location.
  • Double click on the setup file and follow the steps accordingly.
--------------------

Please post back:
1. the ComboFix log
2. any more problems?

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.




