
Infected with trojan agent_r AOB


23 replies to this topic

#1 IMDuru

IMDuru

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:33 PM

Posted 02 September 2011 - 09:03 AM

Hi,

My AVG Antivirus 2011 alerts are saying it identifies the trojan horse agent_r AOB. A file called conhost.exe is identified in the Windows temp file. This is happening every few min.
Computer freezes, start button freezes and I have a weird Windows installer for scandisk auto-starting at start-up wanting me to install. The only way to get out when the PC freezes is to force the computer to shut down via the PC.

Computer is XP 2000
Malwarebytes and SUPERAntiSpyware are installed and do not detect the problem.

Please help me out!

Many thanks,
Duru

Edited by IMDuru, 02 September 2011 - 09:10 AM.

Have a great day!


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 70,887 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:33 PM

Posted 02 September 2011 - 02:15 PM

Hello, I suspect a Rootkit. Let's look at these logs please.

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

>>>>
Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


>>>
Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

>>>
Lastly
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

#3 IMDuru

IMDuru
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:33 PM

Posted 02 September 2011 - 04:15 PM

Hi,

Thanks for your help!

I already have MBAM installed, so I updated the DBs and scanned again as instructed; it found nothing.

Here are the log contents:

Security Check log:

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
AVG 2011
AVG PC Tuneup 2011
AVG 2011
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
AVG PC Tuneup 2011
CCleaner
Java™ 6 Update 20
Out of date Java installed!
Adobe Flash Player 10.3.183.5
Adobe Reader 8.3.0
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
MiniToolBox log

MiniToolBox by Farbar
Ran by Shira (administrator) on 02-09-2011 at 23:52:28
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= Flush DNS: ===================================
Windows IP Configuration

Successfully flushed the DNS Resolver Cache.
========================= IE Proxy Settings: ==============================

Proxy is enabled.
ProxyServer: socks=localhost:1234

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"network.proxy.socks", "localhost"
"network.proxy.socks_port", 1234
"network.proxy.type", 1

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================


127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com

There are 14238 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp

# Interface IP Configuration for "{036DAF14-B645-4025-A6C0-332A62B2E2B2}"

set address name="{036DAF14-B645-4025-A6C0-332A62B2E2B2}" source=dhcp
set dns name="{036DAF14-B645-4025-A6C0-332A62B2E2B2}" source=dhcp register=NONE
set wins name="{036DAF14-B645-4025-A6C0-332A62B2E2B2}" source=dhcp


popd
# End of interface IP configuration


Windows IP Configuration

Host Name . . . . . . . . . . . . : Shira
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VIA Rhine II Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-1A-4D-71-F9-31
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.0.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.138
DHCP Server . . . . . . . . . . . : 10.0.0.138
DNS Servers . . . . . . . . . . . : 10.0.0.138
Lease Obtained. . . . . . . . . . : 02 September 2011 23:54:48
Lease Expires . . . . . . . . . . : 03 September 2011 00:54:48

Ethernet adapter {036DAF14-B645-4025-A6C0-332A62B2E2B2}:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Check Point Virtual Network Adapter For SSL Network Extender - Packet Scheduler Miniport
Physical Address. . . . . . . . . : 54-1F-B6-79-48-0C

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 10.0.0.138

Name: google.com
Addresses: 74.125.39.147, 74.125.39.99, 74.125.39.106, 74.125.39.105
74.125.39.103, 74.125.39.104

Pinging google.com [209.85.148.99] with 32 bytes of data:

Reply from 209.85.148.99: bytes=32 time=98ms TTL=54
Reply from 209.85.148.99: bytes=32 time=85ms TTL=54

Ping statistics for 209.85.148.99:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 85ms, Maximum = 98ms, Average = 91ms

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 10.0.0.138

Name: yahoo.com
Addresses: 98.137.149.56, 209.191.122.70, 67.195.160.76, 69.147.125.65
72.30.2.43

Pinging yahoo.com [72.30.2.43] with 32 bytes of data:

Reply from 72.30.2.43: bytes=32 time=267ms TTL=42
Reply from 72.30.2.43: bytes=32 time=252ms TTL=42

Ping statistics for 72.30.2.43:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 252ms, Maximum = 267ms, Average = 259ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1a 4d 71 f9 31 ...... VIA Compatable Fast Ethernet Adapter - Packet Scheduler Miniport
0x3 ...54 1f b6 79 48 0c ...... Check Point Virtual Network Adapter For SSL Network Extender - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.138 10.0.0.2 20
10.0.0.0 255.255.255.0 10.0.0.2 10.0.0.2 20
10.0.0.2 255.255.255.255 127.0.0.1 127.0.0.1 20
10.255.255.255 255.255.255.255 10.0.0.2 10.0.0.2 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.0.0.2 10.0.0.2 20
255.255.255.255 255.255.255.255 10.0.0.2 10.0.0.2 1
255.255.255.255 255.255.255.255 10.0.0.2 3 1
Default Gateway: 10.0.0.138
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (09/02/2011 02:28:03 AM) (Source: MsiInstaller) (User: Shira)Shira
Description: Product: ScanSoft PaperPort 10 -- Error 1712.One or more of the files required to restore your computer to its previous state could not be found. Restoration will not be possible.

Error: (09/02/2011 02:27:38 AM) (Source: MsiInstaller) (User: Shira)Shira
Description: Product: ScanSoft PaperPort 10 -- Error 1706.No valid source could be found for product ScanSoft PaperPort 10. The Windows Installer cannot continue.

Error: (08/27/2011 09:07:51 PM) (Source: MsiInstaller) (User: Shira)Shira
Description: Product: ScanSoft PaperPort 10 -- Error 1706.No valid source could be found for product ScanSoft PaperPort 10. The Windows Installer cannot continue.

Error: (08/26/2011 06:13:30 PM) (Source: MsiInstaller) (User: Shira)Shira
Description: Product: ScanSoft PaperPort 10 -- Error 1706.No valid source could be found for product ScanSoft PaperPort 10. The Windows Installer cannot continue.

Error: (08/26/2011 06:13:18 PM) (Source: MsiInstaller) (User: Shira)Shira
Description: Product: ScanSoft PaperPort 10 -- Error 1706.No valid source could be found for product ScanSoft PaperPort 10. The Windows Installer cannot continue.

Error: (08/26/2011 06:13:12 PM) (Source: MsiInstaller) (User: Shira)Shira
Description: Product: ScanSoft PaperPort 10 -- Error 1706.No valid source could be found for product ScanSoft PaperPort 10. The Windows Installer cannot continue.


System errors:
=============
Error: (09/02/2011 02:26:19 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Lbd

Error: (09/02/2011 02:21:47 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Lbd

Error: (08/26/2011 08:51:22 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Lbd

Error: (08/26/2011 06:14:00 PM) (Source: DCOM) (User: Shira)
Description: The server {FFF2D28F-E4EE-44D9-8104-8E71556757F6} did not register with DCOM within the required timeout.

Error: (08/26/2011 06:12:19 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Lbd

Error: (08/25/2011 05:15:23 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Lbd

Error: (08/25/2011 02:45:38 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Lbd

Error: (08/23/2011 02:40:43 PM) (Source: DCOM) (User: Shira)
Description: The server {FFF2D28F-E4EE-44D9-8104-8E71556757F6} did not register with DCOM within the required timeout.

Error: (08/23/2011 02:38:23 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Lbd

Error: (08/22/2011 05:06:56 AM) (Source: DCOM) (User: Shira)
Description: The server {FFF2D28F-E4EE-44D9-8104-8E71556757F6} did not register with DCOM within the required timeout.


Microsoft Office Sessions:
=========================
Error: (09/22/2010 07:24:29 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6535.5002, Microsoft Office Version: 12.0.6425.1000. This session lasted 9 seconds with 0 seconds of active time. This session ended with a crash.

Error: (07/19/2010 05:33:12 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6535.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 26 seconds with 0 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================


ACDSee 5.0 PowerPack (Version: 5.0.0)
Adobe Acrobat 5.0 (Version: 5.1)
Adobe AIR (Version: 2.0.2.12610)
Adobe Flash Player 10 ActiveX (Version: 10.1.102.64)
Adobe Flash Player 10 Plugin (Version: 10.3.183.5)
Adobe Media Player (Version: 1.8)
Adobe Reader 8.3.0 (Version: 8.3.0)
Alamoon Watermark v1.4
Amazon Kindle For PC v1.1
Apple Application Support (Version: 1.2.1)
Apple Software Update (Version: 2.1.1.116)
AudibleManager (Version: 2089882838.2089882900.2090328352.2089882858)
AVG 2011 (Version: 10.0.1392)
AVG 2011 (Version: 10.0.1520)
AVG PC Tuneup 2011
Camtasia Studio 6 (Version: 6.0.3)
CCleaner (Version: 3.08)
Check Point SSL Network Extender (Version: 7.01.0000)
Choice Guard (Version: 1.2.87.0)
Compatibility Pack for the 2007 Office system (Version: 12.0.6425.1000)
Content Bully (Version: 1.0.17)
Digital Photo Navigator 1.5
Document Poster (Version: 1.0.0)
EVO2 (Version: 7.39)
Foxit Creator (Version: 3,0,2,0506)
Foxit PDF Editor (Version: 2.2.0.0205)
Foxit Reader
Foxit Toolbar (Version: 4.1.0.5)
GoodSync
Google Goggles (Version: 72)
InstantLP (Version: 2.1)
Java Auto Updater (Version: 2.0.2.1)
Java™ 6 Update 20 (Version: 6.0.200)
Junk Mail filter update (Version: 14.0.8064.206)
Malwarebytes' Anti-Malware version 1.51.1.1800 (Version: 1.51.1.1800)
Market Samurai (Version: 0.86.18)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 English User Interface Pack (Version: 11.0.8173.0)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Access MUI (Hebrew) 2007 (Version: 12.0.6425.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Enterprise 2007 (Version: 12.0.6425.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Excel MUI (Hebrew) 2007 (Version: 12.0.6425.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Groove MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Groove Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Groove Setup Metadata MUI (Hebrew) 2007 (Version: 12.0.6425.1000)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office InfoPath MUI (Hebrew) 2007 (Version: 12.0.6425.1000)
Microsoft Office Live Add-in 1.3 (Version: 2.0.2313.0)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office OneNote MUI (Hebrew) 2007 (Version: 12.0.6425.1000)
Microsoft Office Outlook Connector (Version: 12.0.6414.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Outlook MUI (Hebrew) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (Hebrew) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Arabic) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Hebrew) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Russian) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing (Hebrew) 2007 (Version: 12.0.4518.1016)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Publisher MUI (Hebrew) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared MUI (Hebrew) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Small Business Connectivity Components (Version: 2.0.7024.0)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (Hebrew) 2007 (Version: 12.0.6425.1000)
Microsoft Save as PDF Add-in for 2007 Microsoft Office programs (Version: 12.0.4518.1014)
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ) (Version: 9.4.5000.00)
Microsoft SQL Server 2005 Tools Express Edition (Version: 9.4.5000.00)
Microsoft SQL Server Native Client (Version: 9.00.5000.00)
Microsoft SQL Server Setup Support Files (English) (Version: 9.00.5000.00)
Microsoft SQL Server VSS Writer (Version: 9.00.5000.00)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Mozilla Firefox 6.0 (x86 en-GB) (Version: 6.0)
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB925672) (Version: 4.20.9839.0)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6 Service Pack 2 (KB973686) (Version: 6.20.2003.0)
Nero 7 Premium (Version: 7.00.0087)
NOD32 FiX v1.9
Nvu 1.0PR (Version: 1.0PR)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
Paint.NET v3.5.8 (Version: 3.58.0)
PDF-XChange 3
Platform (Version: 1.21)
PowerCinema NE for Everio
PowerDirector Express
PowerProducer
Private Proxy (Version: 1.0.0)
QuickTime (Version: 7.66.71.0)
RoboForm 7-2-9 (All Users) (Version: 7-2-9)
ScanSoft PaperPort 10 (Version: 10.2.0000)
ScanSoft PDF Professional 4 (Version: 4.00.0000)
Screencast.com Desktop Uploader (Version: 1.3.11)
Segoe UI (Version: 14.0.4327.805)
Skype Toolbars (Version: 1.0.4051)
Skype™ 4.2 (Version: 4.2.169)
SONAR 6 LE (Version: 15.0)
SUPERAntiSpyware (Version: 4.53.1000)
Traffic Travis 3.1.12
VIA Platform Device Manager (Version: 1.21)
VIA Rhine-Family Fast-Ethernet Adapter
VIA/S3G Display Driver 6.14.10.0330
Virtools 3D Life Player (Version: 4.0.0.x)
Visual C++ 2008 x86 Runtime - (v9.0.30729) (Version: 9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (Version: 9.0.30729.01)
WebEx
WebFldrs XP (Version: 9.50.7523)
Winamp (remove only)
Windows Imaging Component (Version: 3.0.0.0)
Windows Internet Explorer 7 (Version: 20061107.210142)
Windows Live Call (Version: 14.0.8064.0206)
Windows Live Communications Platform (Version: 14.0.8064.206)
Windows Live Essentials (Version: 14.0.8064.0206)
Windows Live Essentials (Version: 14.0.8064.206)
Windows Live Mail (Version: 14.0.8064.0206)
Windows Live Messenger (Version: 14.0.8064.0206)
Windows Live Sign-in Assistant (Version: 5.000.818.6)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Live Writer (Version: 14.0.8064.0206)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin (Version: 1.0.0.8)
Windows Rights Management Client Backwards Compatibility SP2 (Version: 5.2.70)
Windows Rights Management Client with Service Pack 2 (Version: 5.2.70)
Windows XP Service Pack 3 (Version: 20080414.031525)
WinRAR archiver
WinZip (Version: 8.1 SR-1 (5266))
Xerox WorkCentre PE220 Series Driver Uninstall
Yahoo! Install Manager
YouSendIt Express (Version: 2.10.2)

========================= Memory info: ===================================

Percentage of memory in use: 45%
Total physical RAM: 1471.48 MB
Available physical RAM: 805.39 MB
Total Pagefile: 2792.64 MB
Available Pagefile: 1964.46 MB
Total Virtual: 2047.88 MB
Available Virtual: 1992.28 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:29.3 GB) (Free:8.4 GB) NTFS
2 Drive d: (DATA_SHIRA) (Fixed) (Total:119.75 GB) (Free:19.34 GB) NTFS

========================= Users: ========================================

User accounts for \\SHIRA

Administrator Guest HelpAssistant
Shira SUPPORT_388945a0

========================= Minidump Files ==================================

No minidump file found

**** End of log ****
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

MBAM log

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7639

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

03/09/2011 00:01:20
mbam-log-2011-09-03 (00-01-20).txt

Scan type: Quick scan
Objects scanned: 165368
Time elapsed: 3 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Gmer log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-03 00:18:35
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 SAMSUNG_HD161HJ rev.JF100-15
Running: 33lx3cii.exe; Driver: C:\DOCUME~1\Shira\LOCALS~1\Temp\uxtdypog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB8A3C738]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB76B5640]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB8A3C878]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB8A3C914]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[616] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BA000A
.text C:\WINDOWS\Explorer.EXE[616] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BB000A
.text C:\WINDOWS\Explorer.EXE[616] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C
.text C:\WINDOWS\System32\svchost.exe[1484] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1484] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006F000A
.text C:\WINDOWS\System32\svchost.exe[1484] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006D000C
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3620] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B5000A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3620] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B6000A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3620] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B4000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A1C227F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A1C227F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A1C227F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A1C227F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-12 8A1C227F

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_HD161HJ_________________________JF100-15#30533356314a504e303534353239202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\BabyGloss\shell\open
Reg HKLM\SOFTWARE\Classes\BabyGloss\shell\open\command
Reg HKLM\SOFTWARE\Classes\BabyGloss\shell\open\command@ "C:\Program Files\Babylon\Babylon.exe" %1
Reg HKLM\SOFTWARE\Classes\BabyOptFile\shell\open
Reg HKLM\SOFTWARE\Classes\BabyOptFile\shell\open\command
Reg HKLM\SOFTWARE\Classes\BabyOptFile\shell\open\command@ "C:\Program Files\Babylon\Babylon.exe" %1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

Edited by IMDuru, 02 September 2011 - 04:32 PM.

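A way to triage a GMER log like the one above, as an added example (not GMER's or BleepingComputer's code, and not part of the original post). The addresses are the clue: ntdll.dll sits at 0x7C90xxxx, yet each hooked function jumps to 0x00BA000A / 0x006E000A, below any loaded image, and the same three functions are hooked identically in Explorer.EXE, svchost.exe and sqlbrowser.exe, while the SSDT hooks resolve to the AVG and SUPERAntiSpyware drivers that are expected on this box. The image-base floor, the vendor allowlist and the excerpt are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Heuristic (assumption): on Windows XP the system EXEs map at 0x01000000 and
# system DLLs such as ntdll (0x7C900000 in the log) sit far above that, so a
# JMP whose target is below 0x01000000 lands in anonymous memory, not an image.
IMAGE_FLOOR = 0x01000000

# Vendors whose kernel (SSDT) hooks are expected on this machine (assumption
# taken from the products named in the log).
KNOWN_HOOKERS = ("AVG Technologies", "SUPERAntiSpyware")

# Constructed excerpt of the GMER 1.0.15 output posted above.
GMER_EXCERPT = r"""
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB76B5640]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB8A3C878]
.text C:\WINDOWS\Explorer.EXE[616] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BA000A
.text C:\WINDOWS\Explorer.EXE[616] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BB000A
.text C:\WINDOWS\Explorer.EXE[616] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C
.text C:\WINDOWS\System32\svchost.exe[1484] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1484] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006F000A
.text C:\WINDOWS\System32\svchost.exe[1484] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006D000C
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
"""

SSDT_RE = re.compile(r"^SSDT\s+(?P<driver>.+?)\s+\((?P<desc>[^)]*)\)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
HOOK_RE = re.compile(r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>[\w.]+)!(?P<func>\w+)\s+"
                     r"(?P<at>[0-9A-Fa-f]+)\s+\d+ Bytes JMP (?P<to>[0-9A-Fa-f]+)")
DISK_RE = re.compile(r"^Disk\s+(?P<dev>\S+)\s+(?P<msg>.+)$")


def parse_gmer(text):
    """Split a GMER report into SSDT hooks, user-mode inline hooks and disk findings."""
    out = {"ssdt": [], "hooks": [], "disk": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := SSDT_RE.match(line)):
            d = m.groupdict()
            d["vendor"] = d["desc"].rsplit("/", 1)[-1].strip()  # text after the slash names the vendor
            out["ssdt"].append(d)
        elif (m := HOOK_RE.match(line)):
            out["hooks"].append(m.groupdict())
        elif (m := DISK_RE.match(line)):
            out["disk"].append(m.groupdict())
    return out


def triage(parsed):
    """Turn parsed lines into severity-tagged findings."""
    findings = []
    for h in parsed["ssdt"]:
        known = any(v in h["vendor"] for v in KNOWN_HOOKERS)
        findings.append({"severity": "info" if known else "high",
                         "detail": f"SSDT {h['func']} hooked by {h['driver']} ({h['vendor']})"})
    # Inline hooks whose JMP target lies below every loaded image: injected code.
    per_proc = defaultdict(list)
    for h in parsed["hooks"]:
        if int(h["to"], 16) < IMAGE_FLOOR:
            per_proc[f"{h['proc']}[{h['pid']}]"].append(h["func"])
    for proc, funcs in per_proc.items():
        findings.append({"severity": "high",
                         "detail": f"{proc}: {', '.join(funcs)} jump into low anonymous memory"})
    # The same hook set in several processes points at one injected component.
    by_set = defaultdict(list)
    for proc, funcs in per_proc.items():
        by_set[frozenset(funcs)].append(proc)
    for funcs, procs in by_set.items():
        if len(procs) >= 2:
            findings.append({"severity": "high",
                             "detail": f"identical hook set {sorted(funcs)} in {len(procs)} processes"})
    for d in parsed["disk"]:
        if "rootkit" in d["msg"].lower():
            findings.append({"severity": "critical", "detail": f"{d['dev']}: {d['msg']}"})
    return findings


if __name__ == "__main__":
    for f in triage(parse_gmer(GMER_EXCERPT)):
        print(f"[{f['severity']:8}] {f['detail']}")
```

The vendor allowlist only downgrades SSDT hooks to informational; it does not make them safe by itself, since a dropper can hook through a legitimately named path, so confirm the file hashes (the TDSSKiller log later in the thread lists them) before trusting the attribution.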

#4 boopme

Posted 02 September 2011 - 06:37 PM

Hello. I see a couple of things to fix and I feel we will have this.

First get the TDL4 rootkit from the last scan.

But I see Spybot's TeaTimer is running.
We need to disable Spybot S&D's "TeaTimer".
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open Spybot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Mode > Advanced Mode.
  • You may be presented with a warning dialog. If so, click Yes.
  • Click on Tools and then Resident.
  • Uncheck this checkbox: "Resident TeaTimer (protection of over-all system settings) active"
  • Close/Exit Spybot Search and Destroy



>>>
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.9.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.


Now I see too much in the Hosts file....

Your HOSTS file may be infected.
Reset the HOSTS file
As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system.
Some types of malware will alter the HOSTS file as part of its infection. Please follow the instructions provided in How do I reset the hosts file back to the default?

To reset the hosts file automatically, go HERE and click the [image] button. Then just follow the prompts in the Fix it wizard.

OR

Click Run in the File Download dialog box, or save MicrosoftFixit50267.msi to your Desktop and double-click on it to run. Then just follow the prompts in the Fix it wizard.

>>
Now for any leftovers

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

NOTE: In some instances if no malware is found there will be no log produced.

Let me know how it is now.
Next we'll update those Java and Adobe's...

Edited by boopme, 02 September 2011 - 06:38 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
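What TDSSKiller's `MBR (0x1B8) (...)` line in the log later in this thread is reporting reads as an MD5 of the first 0x1B8 bytes of sector 0: the bootstrap code that precedes the disk signature and the partition table, which is the code TDL4 replaces. The following added example (not Kaspersky's code and not from the original post) builds two constructed 512-byte MBRs, hashes that region against a baseline, parses the partition table and measures the unpartitioned tail of the disk, where TDL4 keeps its hidden file system. The disk size, partition layout, bootstrap bytes, "tampered" bytes and the tail threshold are all assumptions made up for the example.

```python
import hashlib
import struct

SECTOR = 512
CODE_LEN = 0x1B8      # bootstrap code region; the "MBR (0x1B8)" hash line covers these bytes
PT_OFF = 0x1BE        # four 16-byte partition entries
SIG_OFF = 0x1FE       # 0x55AA boot signature
ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
TAIL_LIMIT = 8 * 1024 * 1024 // SECTOR   # assumption: more than 8 MiB of unallocated tail is odd


def build_mbr(code, partitions):
    """Assemble a 512-byte MBR from bootstrap bytes and (status, type, lba, count) tuples."""
    sec = bytearray(SECTOR)
    sec[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        # CHS fields are left zero; the LBA fields are what modern tools read
        struct.pack_into(ENTRY, sec, PT_OFF + 16 * i, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sec[SIG_OFF:] = b"\x55\xAA"
    return bytes(sec)


def parse_mbr(sector):
    """Return the non-empty partition entries; reject anything without the boot signature."""
    if len(sector) != SECTOR or sector[SIG_OFF:] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY, sector, PT_OFF + 16 * i)
        if ptype and count:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts


def inspect_mbr(sector, disk_sectors, baseline_md5):
    """Hash the code region the way the TDSSKiller line does, compare it with a
    known-good hash, and size the unpartitioned space after the last partition."""
    code_md5 = hashlib.md5(sector[:CODE_LEN]).hexdigest()
    parts = parse_mbr(sector)
    last_end = max((p["lba_start"] + p["sectors"] for p in parts), default=1)
    tail = disk_sectors - last_end
    return {
        "code_md5": code_md5,
        "matches_baseline": code_md5 == baseline_md5,
        "partitions": parts,
        "tail_sectors": tail,
        "suspicious_tail": tail > TAIL_LIMIT,
    }


# Constructed data: the opening bytes of a stock Windows MBR (xor ax,ax / mov ss,ax /
# mov sp,7C00h) zero-padded, a roughly 160 GB disk, one bootable NTFS partition at LBA 63.
CLEAN_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C".ljust(CODE_LEN, b"\0")
TAMPERED_CODE = b"\xEB\x1E" + CLEAN_CODE[2:]   # constructed patched entry point, not real TDL4 bytes
DISK_SECTORS = 312_581_808
LAYOUT = [(0x80, 0x07, 63, 312_576_642)]
CLEAN_MBR = build_mbr(CLEAN_CODE, LAYOUT)
TAMPERED_MBR = build_mbr(TAMPERED_CODE, LAYOUT)
# In practice the baseline comes from a known-clean image of the same Windows version.
BASELINE_MD5 = hashlib.md5(CLEAN_CODE).hexdigest()

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        r = inspect_mbr(mbr, DISK_SECTORS, BASELINE_MD5)
        state = "baseline ok" if r["matches_baseline"] else "CODE DIFFERS"
        print(f"{name}: md5={r['code_md5']} {state}, tail={r['tail_sectors']} sectors")
```

Caveat for a live box: reading `\\.\PhysicalDrive0` through the normal driver stack on an infected system returns whatever the rootkit wants you to see; the `\Driver\atapi -> DriverStartIo ... 8A1C227F` entries in the GMER output above, pointing outside atapi.sys, are the kind of hook that does this. Take the sector from a boot CD or with the drive attached to a clean machine, or trust the hash only after TDSSKiller's reboot cure.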

#5 IMDuru (Topic Starter)

Posted 02 September 2011 - 07:28 PM

Hello,
Thanks for your reply.

I don't have Spybot installed. It does not appear in my programs menu or in the control panel - add/remove programs. The only thing I see is in the Program Files folder: /Spybot - Search & Destroy /advcheck.dll 1.6.5.20. It seems to have some German text - Dateuberprufungs-Bibliothek (German for "file-verification library").

Please let me know how I can disable this from another interface.
Should I continue to step 2 aka run TDSS Rootkit Removing Tool ?

Thanks in advance,
I appreciate your assistance!

D

Edited by IMDuru, 02 September 2011 - 07:40 PM.


#6 boopme

Posted 02 September 2011 - 07:39 PM

OK, all this indicates it is or was, and it is German.
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com



So let's do the rest and rerun MiniToolBox after.

EDIT: Spybot has identified 1000gratisproben.com as a "malicious" site
So we need to dump the Hosts file

Edited by boopme, 02 September 2011 - 07:42 PM.

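The entries quoted above all map to 127.0.0.1, which is the style a blocklist-based immunization writes: on their own they only sinkhole ad and tracking domains. The damaging kind of hosts entry is the opposite, a real domain pointed at a foreign address, or an antivirus update host pinned to loopback so the product can no longer update. The following added example (not BleepingComputer's or Spybot's code, and not from the original post) separates the two before deciding whether a reset is warranted. The sample hosts text, the vendor-host list and the two hijack-style lines are constructed for the example.

```python
import ipaddress

DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}
# assumption: substrings of the update/definition hosts of products on this machine
SECURITY_VENDOR_HINTS = ("avg.com", "superantispyware.com", "malwarebytes.org",
                         "windowsupdate.com", "microsoft.com")

# Constructed sample: the first lines quoted above plus two made-up entries of the
# kind a hijacking infection adds (they were NOT in the poster's file).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
203.0.113.5 www.example-bank.com   # constructed: real-looking name sent to a foreign address
127.0.0.1 update.avg.com           # constructed: vendor update host pinned to loopback
"""


def parse_hosts(text):
    """Yield one record per hostname, with comments stripped and bad IPs skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed line; Windows ignores it as well
        local = ip.is_loopback or ip.is_unspecified   # 127.x or 0.0.0.0: sinkhole style
        for name in fields[1:]:
            entries.append({"line": lineno, "ip": str(ip), "name": name.lower(), "local": local})
    return entries


def audit_hosts(text):
    """Classify every entry: stock default, harmless sinkhole, redirect, or blocked vendor host."""
    report = {"default": 0, "sinkhole": 0, "redirect": [], "blocked_vendor": []}
    for e in parse_hosts(text):
        if (e["ip"], e["name"]) in DEFAULT_ENTRIES:
            report["default"] += 1
        elif not e["local"]:
            report["redirect"].append(e)      # a name steered to a non-local address
        elif any(h in e["name"] for h in SECURITY_VENDOR_HINTS):
            report["blocked_vendor"].append(e)  # loopback entry that blocks security updates
        else:
            report["sinkhole"] += 1
    return report


def verdict(report):
    """Redirects or blocked vendor hosts justify a reset; sinkhole entries alone do not."""
    return "reset" if report["redirect"] or report["blocked_vendor"] else "keep"


if __name__ == "__main__":
    rep = audit_hosts(SAMPLE_HOSTS)
    print(f"default={rep['default']} sinkhole={rep['sinkhole']} "
          f"redirects={len(rep['redirect'])} blocked_vendor={len(rep['blocked_vendor'])}")
    for e in rep["redirect"] + rep["blocked_vendor"]:
        print(f"  line {e['line']}: {e['ip']} {e['name']}")
    print("verdict:", verdict(rep))
```

Resetting to the stock file, as advised above, is still the simplest fix on a compromised machine; the audit is for deciding afterwards whether a long list of 127.0.0.1 lines on a clean machine is worth keeping.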

#7 IMDuru (Topic Starter)

Posted 02 September 2011 - 08:17 PM

Hello,
quick update:

I ran the TDSS Rootkit Removing Tool (log below).

After the reboot, the Windows installer for ScanSoft PDF PaperPort 10 still popped up and my Firefox proxy settings were changed to manual (this has been happening frequently). I fixed it and connected to Microsoft to fix the hosts file. I downloaded the installer but it failed to install, giving the error message: "Another installation is in progress. You must complete that installation before continuing this one". So I went through their manual instructions - I copied their hosts file to my new one (is this correct???). After that I had to fix the proxy settings in Firefox again to connect to the Internet.

I downloaded the ESET online scanner installation but it is failing to install - "cannot get update. Is proxy configured?" message - what should I do??? Moment of clarity - installing through Internet Explorer - received error message: "Unexpected Error 2002".
Here is the killer log :)


2011/09/03 03:45:11.0566 3500 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/09/03 03:45:13.0569 3500 ================================================================================
2011/09/03 03:45:13.0569 3500 SystemInfo:
2011/09/03 03:45:13.0569 3500
2011/09/03 03:45:13.0569 3500 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/03 03:45:13.0569 3500 Product type: Workstation
2011/09/03 03:45:13.0569 3500 ComputerName: SHIRA
2011/09/03 03:45:13.0569 3500 UserName: Shira
2011/09/03 03:45:13.0569 3500 Windows directory: C:\WINDOWS
2011/09/03 03:45:13.0569 3500 System windows directory: C:\WINDOWS
2011/09/03 03:45:13.0569 3500 Processor architecture: Intel x86
2011/09/03 03:45:13.0569 3500 Number of processors: 1
2011/09/03 03:45:13.0569 3500 Page size: 0x1000
2011/09/03 03:45:13.0569 3500 Boot type: Normal boot
2011/09/03 03:45:13.0569 3500 ================================================================================
2011/09/03 03:45:14.0320 3500 Initialize success
2011/09/03 03:45:38.0615 0452 ================================================================================
2011/09/03 03:45:38.0615 0452 Scan started
2011/09/03 03:45:38.0615 0452 Mode: Manual;
2011/09/03 03:45:38.0615 0452 ================================================================================
2011/09/03 03:45:39.0356 0452 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/09/03 03:45:39.0446 0452 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2011/09/03 03:45:39.0526 0452 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/03 03:45:39.0616 0452 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/03 03:45:39.0667 0452 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/09/03 03:45:39.0727 0452 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/03 03:45:39.0817 0452 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/09/03 03:45:39.0907 0452 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/09/03 03:45:39.0967 0452 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/09/03 03:45:40.0027 0452 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/09/03 03:45:40.0087 0452 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/09/03 03:45:40.0157 0452 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/09/03 03:45:40.0207 0452 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/09/03 03:45:40.0247 0452 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/09/03 03:45:40.0287 0452 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/09/03 03:45:40.0317 0452 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/09/03 03:45:40.0358 0452 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/09/03 03:45:40.0398 0452 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/09/03 03:45:40.0478 0452 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/03 03:45:40.0528 0452 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/03 03:45:40.0648 0452 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/03 03:45:40.0748 0452 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/03 03:45:40.0858 0452 Avgfwdx (0c5941af0b6bf2fdf378937392865217) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
2011/09/03 03:45:40.0908 0452 Avgfwfd (0c5941af0b6bf2fdf378937392865217) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
2011/09/03 03:45:40.0978 0452 AVGIDSDriver (c403e7f715bb0a851a9dfae16ec4ae42) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
2011/09/03 03:45:41.0059 0452 AVGIDSEH (1af676db3f3d4cc709cfab2571cf5fc3) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
2011/09/03 03:45:41.0129 0452 AVGIDSFilter (4c51e233c87f9ec7598551de554bc99d) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
2011/09/03 03:45:41.0179 0452 AVGIDSShim (c3fc426e54f55c1cc3219e415b88e10c) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
2011/09/03 03:45:41.0249 0452 Avgldx86 (4e796d3d2c3182b13b3e3b5a2ad4ef0a) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
2011/09/03 03:45:41.0309 0452 Avgmfx86 (5639de66b37d02bd22df4cf3155fba60) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
2011/09/03 03:45:41.0369 0452 Avgrkx86 (d1baf652eda0ae70896276a1fb32c2d4) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
2011/09/03 03:45:41.0429 0452 Avgtdix (aaf0ebcad95f2164cffb544e00392498) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
2011/09/03 03:45:41.0549 0452 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/03 03:45:41.0649 0452 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/09/03 03:45:41.0689 0452 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/03 03:45:41.0739 0452 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/09/03 03:45:41.0810 0452 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/03 03:45:41.0870 0452 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/03 03:45:41.0950 0452 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/03 03:45:42.0100 0452 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/09/03 03:45:42.0200 0452 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/09/03 03:45:42.0250 0452 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/09/03 03:45:42.0320 0452 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/09/03 03:45:42.0420 0452 DgivEcp (a5034f77b278f07e224fe07cf98a8b76) C:\WINDOWS\system32\Drivers\DgivEcp.Sys
2011/09/03 03:45:42.0491 0452 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/03 03:45:42.0591 0452 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/03 03:45:42.0651 0452 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/03 03:45:42.0721 0452 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/03 03:45:42.0811 0452 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/03 03:45:42.0881 0452 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/09/03 03:45:42.0921 0452 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/03 03:45:43.0031 0452 EL90X (653394706ff5634f4b5180b8294badb1) C:\WINDOWS\system32\DRIVERS\el90xnd5.sys
2011/09/03 03:45:43.0172 0452 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/03 03:45:43.0242 0452 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/09/03 03:45:43.0312 0452 FET5X86V (263f2507788917ab54c4ab8bc740f290) C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
2011/09/03 03:45:43.0372 0452 FETND5BV (263f2507788917ab54c4ab8bc740f290) C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
2011/09/03 03:45:43.0452 0452 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys
2011/09/03 03:45:43.0542 0452 FETNDISB (a583bc166495b07f704533754ce29cbd) C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
2011/09/03 03:45:43.0612 0452 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/03 03:45:43.0672 0452 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/09/03 03:45:43.0762 0452 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/09/03 03:45:43.0843 0452 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/03 03:45:43.0923 0452 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/03 03:45:44.0013 0452 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2011/09/03 03:45:44.0093 0452 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/03 03:45:44.0213 0452 HCF_MSFT (4236e014632f4163f53ebb717f41594c) C:\WINDOWS\system32\DRIVERS\HCF_MSFT.sys
2011/09/03 03:45:44.0323 0452 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/03 03:45:44.0383 0452 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/09/03 03:45:44.0473 0452 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/03 03:45:44.0544 0452 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/09/03 03:45:44.0614 0452 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/09/03 03:45:44.0684 0452 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/03 03:45:44.0774 0452 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2011/09/03 03:45:44.0844 0452 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
2011/09/03 03:45:44.0894 0452 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
2011/09/03 03:45:44.0974 0452 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
2011/09/03 03:45:45.0034 0452 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
2011/09/03 03:45:45.0094 0452 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
2011/09/03 03:45:45.0144 0452 iAimFP5 (0308aef61941e4af478fa1a0f83812f5) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
2011/09/03 03:45:45.0214 0452 iAimFP6 (714038a8aa5de08e12062202cd7eaeb5) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
2011/09/03 03:45:45.0275 0452 iAimFP7 (7bb3aa595e4507a788de1cdc63f4c8c4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
2011/09/03 03:45:45.0335 0452 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
2011/09/03 03:45:45.0405 0452 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
2011/09/03 03:45:45.0485 0452 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
2011/09/03 03:45:45.0545 0452 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
2011/09/03 03:45:45.0605 0452 iAimTV5 (791cc45de6e50445be72e8ad6401ff45) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
2011/09/03 03:45:45.0675 0452 iAimTV6 (352fa0e98bc461ce1ce5d41f64db558d) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
2011/09/03 03:45:45.0765 0452 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/03 03:45:46.0016 0452 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/09/03 03:45:46.0096 0452 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/09/03 03:45:46.0176 0452 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/03 03:45:46.0246 0452 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/09/03 03:45:46.0316 0452 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/03 03:45:46.0396 0452 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/03 03:45:46.0476 0452 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/03 03:45:46.0546 0452 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/03 03:45:46.0606 0452 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/03 03:45:46.0677 0452 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/03 03:45:46.0757 0452 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/03 03:45:46.0807 0452 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/03 03:45:46.0867 0452 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/03 03:45:47.0137 0452 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/03 03:45:47.0237 0452 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/03 03:45:47.0297 0452 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/03 03:45:47.0358 0452 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/03 03:45:47.0428 0452 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/09/03 03:45:47.0518 0452 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/03 03:45:47.0608 0452 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/03 03:45:47.0738 0452 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/03 03:45:47.0798 0452 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/03 03:45:47.0868 0452 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/03 03:45:47.0938 0452 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/03 03:45:47.0998 0452 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/03 03:45:48.0119 0452 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys
2011/09/03 03:45:48.0179 0452 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/03 03:45:48.0289 0452 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/03 03:45:48.0359 0452 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/03 03:45:48.0439 0452 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/03 03:45:48.0509 0452 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/03 03:45:48.0599 0452 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/03 03:45:48.0669 0452 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/03 03:45:48.0740 0452 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/03 03:45:48.0880 0452 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/03 03:45:48.0960 0452 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/03 03:45:49.0050 0452 NTSIM (a568b9a9ffe2d9387222a5c90f86d731) C:\WINDOWS\system32\ntsim.sys
2011/09/03 03:45:49.0160 0452 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/03 03:45:49.0240 0452 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/03 03:45:49.0310 0452 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/03 03:45:49.0421 0452 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2011/09/03 03:45:49.0491 0452 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/03 03:45:49.0561 0452 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/03 03:45:49.0621 0452 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/03 03:45:49.0681 0452 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/03 03:45:49.0781 0452 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/03 03:45:49.0831 0452 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/03 03:45:50.0061 0452 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/09/03 03:45:50.0112 0452 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/09/03 03:45:50.0262 0452 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/03 03:45:50.0342 0452 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/03 03:45:50.0402 0452 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/03 03:45:50.0452 0452 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/09/03 03:45:50.0512 0452 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/09/03 03:45:50.0572 0452 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/09/03 03:45:50.0632 0452 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/09/03 03:45:50.0692 0452 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/09/03 03:45:50.0762 0452 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/03 03:45:50.0823 0452 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/03 03:45:50.0893 0452 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/03 03:45:50.0943 0452 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/03 03:45:51.0013 0452 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/03 03:45:51.0053 0452 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/03 03:45:51.0133 0452 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/03 03:45:51.0223 0452 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/03 03:45:51.0323 0452 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/03 03:45:51.0494 0452 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/09/03 03:45:51.0624 0452 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/09/03 03:45:51.0684 0452 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/09/03 03:45:51.0814 0452 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/03 03:45:51.0924 0452 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/03 03:45:51.0994 0452 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/03 03:45:52.0124 0452 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/03 03:45:52.0275 0452 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/09/03 03:45:52.0345 0452 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/03 03:45:52.0475 0452 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/03 03:45:52.0585 0452 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/03 03:45:52.0745 0452 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/03 03:45:52.0865 0452 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/03 03:45:53.0206 0452 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/09/03 03:45:53.0346 0452 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/09/03 03:45:56.0511 0452 MBR (0x1B8) (d0fa4a6f9d91bf5254bf3f16031b8303) \Device\Harddisk0\DR0
2011/09/03 03:45:56.0541 0452 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/09/03 03:45:56.0561 0452 Boot (0x1200) (b085365b8ca6e556dc6d4c098a1c5f86) \Device\Harddisk0\DR0\Partition0
2011/09/03 03:45:56.0621 0452 Boot (0x1200) (782f4d1832b27b6cc48ffa82d9372bf6) \Device\Harddisk0\DR0\Partition1
2011/09/03 03:45:56.0631 0452 ================================================================================
2011/09/03 03:45:56.0631 0452 Scan finished
2011/09/03 03:45:56.0631 0452 ================================================================================
2011/09/03 03:45:56.0681 5212 Detected object count: 1
2011/09/03 03:45:56.0681 5212 Actual detected object count: 1
2011/09/03 03:46:28.0236 5212 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/09/03 03:46:28.0236 5212 \Device\Harddisk0\DR0 - ok
2011/09/03 03:46:28.0236 5212 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/09/03 03:46:43.0268 0372 Deinitialize success

Edited by IMDuru, 02 September 2011 - 08:25 PM.

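To make a log like the one above easier to read at a glance, here is an added parser for the TDSSKiller line format (this is not BleepingComputer's or Kaspersky's code): it pulls out the detections, whether a cure is still pending a reboot, and whether the tool's own "Detected object count" agrees with the lines parsed. The sample log is constructed and its hash is a placeholder.

```python
"""Parse a TDSSKiller scan log in the format posted above: pull out the detections,
whether a cure is still pending a reboot, and whether the tool's own "Detected object
count" agrees with what was parsed. Added example, not BleepingComputer's or Kaspersky's."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
_PFX = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+"  # "date time PID "
# "<name> (<md5>) <path>"; the name may carry a size, e.g. "MBR (0x1B8)"
OBJECT_RE = re.compile(_PFX + r"(?P<name>\S+(?: \(0x[0-9A-Fa-f]+\))?) "
                       r"\((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
DETECT_RE = re.compile(_PFX + r"(?P<obj>.+?) - detected (?P<verdict>\S+) \(\d+\)$")
CURE_RE = re.compile(_PFX + r"(?P<obj>.+?) \((?P<verdict>[^)]+)\) - will be cured after reboot$")
COUNT_RE = re.compile(_PFX + r"Detected object count: (?P<n>\d+)$")
@dataclass
class ScanResult:
    objects: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (md5, path)
    detections: List[Tuple[str, str]] = field(default_factory=list)     # (object, verdict)
    cures_pending: List[str] = field(default_factory=list)
    reported_count: Optional[int] = None

def parse_tdsskiller(text: str) -> ScanResult:
    r = ScanResult()
    for line in text.splitlines():
        if m := DETECT_RE.match(line):
            r.detections.append((m["obj"], m["verdict"]))
        elif m := CURE_RE.match(line):
            r.cures_pending.append(m["obj"])
        elif m := COUNT_RE.match(line):
            r.reported_count = int(m["n"])
        elif m := OBJECT_RE.match(line):
            r.objects[m["name"]] = (m["md5"], m["path"])
    return r

def summarize(r: ScanResult) -> str:
    """One-line verdict a helper could paste back; flags a count mismatch."""
    if not r.detections:
        return "clean: no detections"
    names = ", ".join(f"{v} on {o}" for o, v in r.detections)
    note = " (REBOOT REQUIRED to finish cure)" if r.cures_pending else ""
    if r.reported_count is not None and r.reported_count != len(r.detections):
        note += f" (count mismatch: tool reports {r.reported_count})"
    return f"infected: {names}{note}"

# Constructed sample in the thread's line format; the hash is a placeholder, not real.
SAMPLE_LOG = """\
2011/09/03 03:45:56.0511 0452 MBR (0x1B8) (00000000000000000000000000000000) \\Device\\Harddisk0\\DR0
2011/09/03 03:45:56.0541 0452 \\Device\\Harddisk0\\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/09/03 03:45:56.0681 5212 Detected object count: 1
2011/09/03 03:46:28.0236 5212 \\Device\\Harddisk0\\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
"""
```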

#8 IMDuru


Posted 02 September 2011 - 08:52 PM

Got ESET to scan - still going
It identifies a trojan:
"a variant of Java/Exploit.CVE-2010-4452.A trojan"

and a bunch of Adware, will post the log results when it's done.

Edited by IMDuru, 02 September 2011 - 08:53 PM.


#9 boopme


Posted 02 September 2011 - 09:02 PM

I was writing as you posted.. we'll see how it is after ESET.

OK, you did OK. Reboot to finish the TDSS cure if you have not. Now let's see if there is a different one.

To check for and confirm the MBR (Master Boot Record) rootkit.


Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.

Edited by boopme, 02 September 2011 - 09:04 PM.


#10 IMDuru


Posted 02 September 2011 - 09:57 PM

Hi,

Here are the results...

ESET scan:

C:\Documents and Settings\All Users\Start Menu\Programs\eBay.url Win32/Adware.ADON application cleaned by deleting - quarantined
C:\Documents and Settings\Shira\Application Data\Microsoft\Internet Explorer\Quick Launch\eBay.url Win32/Adware.ADON application cleaned by deleting - quarantined
C:\Documents and Settings\Shira\Application Data\Sun\Java\Deployment\cache\6.0\39\58ec35a7-7d1c60df a variant of Java/Exploit.CVE-2010-4452.A trojan cleaned by deleting - quarantined
C:\Documents and Settings\Shira\Desktop\shortcuts\eBay (2).url Win32/Adware.ADON application cleaned by deleting - quarantined
C:\Documents and Settings\Shira\Desktop\shortcuts\eBay.url Win32/Adware.ADON application cleaned by deleting - quarantined
D:\Transfer\my business\IMReMarkable\Mafia site flipping\RegistryEasy.exe a variant of Win32/Adware.RegistryEasy application deleted - quarantined


mbr log -

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_HD161HJ rev.JF100-15 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#11 IMDuru


Posted 03 September 2011 - 10:16 PM

Hi,

Please let me know how to continue cleaning my PC :)

#12 boopme


Posted 04 September 2011 - 01:22 PM

Hello. Sorry; with Hurricane Irene I have been helping people get around or out of the floods, and fell asleep when I got in.

So you did change the hosts file?
The exploit is from the outdated Java. We'll fix that next.

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


Similarly Update to Adobe Reader X (10.1.0)
Note: uncheck the box so you do not install the toolbar, unless you really want it.

Free! Google Toolbar search Google from any web page, block pop-ups

Yes, install Google Toolbar - optional


>>>
Reboot into Safe Mode with Networking
How to enter safe mode(XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Run TFC by OT (Temp File Cleaner)
Please download TFC by Old Timer and save it to your desktop.
alternate download link

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.


Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

#13 IMDuru


Posted 05 September 2011 - 06:59 PM

HI,
Thanks for getting back to me.

I uninstalled Java and installed the new version, updated Adobe and rebooted into safe mode.

I ran TFC and after that SUPERAntiSpyware wouldn't run, so I uninstalled it and now it will not install. I went back to regular mode and reinstalled, but the minute I try to run a scan it disappears and I get the error message: "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item"

Help!

D

Edited by IMDuru, 05 September 2011 - 07:20 PM.


#14 boopme


Posted 05 September 2011 - 07:14 PM

You're welcome, have you tried the Portable SAS at the bottom?

OR
Download and run the SUPERAntiSpyware Uninstaller Assistant:

SUPERAntiSpyware Uninstaller Assistant (32-Bit)

Reboot

Install SAS L@@K

#15 IMDuru


Posted 05 September 2011 - 07:58 PM

Will try the SAS uninstaller assistant, though the same thing is happening with AVG and Malwarebytes - I think this is deeper than the installation.



