
rootkit.zeroaccess


  • This topic is locked
4 replies to this topic

#1 lilgeezy24

lilgeezy24

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:11 AM

Posted 12 September 2011 - 07:42 PM

Hey Everyone!

I seem to have a bad case of the ZeroAccess rootkit. My comp is Windows XP Pro Media Center Edition SP3.
This rootkit is not letting me run a virus scan with Malwarebytes, Symantec or SUPERAntiSpyware. They all get about 20 seconds into the scan and just close automatically. I get a bunch of fake alerts on my desktop, and regular programs won't work either, like Task Manager; it closes itself as soon as I open it also.

Internet Explorer is about the only thing that will work in Safe Mode w/ Networking.

A friend of mine told me to download and run ComboFix and left me hanging, and I won't see him again till next week.

But anyway, I ran ComboFix and it says it deleted and cured the infected files, but the computer hasn't got any better or worse; everything is still the same.

My comp has been driving me nuts trying to figure out what is wrong and how to fix it. I'm usually the go-to guy on issues like this, but I'm stumped on this one. :angry:

Anyone's help would be really, really appreciated.

Thanks In Advance!


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,947 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:11 AM

Posted 13 September 2011 - 12:07 AM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button. Since you have run ComboFix, please include the ComboFix log in the new topic.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, include the information that you were unable to produce the other logs, include the ComboFix log, and describe what happens when you try to create the other logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 lilgeezy24

lilgeezy24
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:11 AM

Posted 13 September 2011 - 12:45 PM

Hey Again Everyone.

I was told by the moderator to do a few more steps and post another topic, so here it is.

I have some malware infections that are stopping almost all my .exe files from opening, including Malwarebytes, Symantec, etc., which is preventing me from doing a virus scan and removal.

The only logs I was able to obtain were a ComboFix log and a TDSSKiller log.

The dds.scr is saying "Windows cannot open this file" "Use web service to find the appropriate program OR select the program from a list" (so I skipped this step).

GMER scanned for about 20 seconds and then closed like MBAM and Symantec, and when I try to reopen it, it says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access this item".

And here are my ComboFix and TDSSKiller logs:


ComboFix 11-09-12.03 - Owner 09/12/2011 18:42:16.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.819 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Bleeping computer downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
((((((((((((((((((((((((( Files Created from 2011-08-12 to 2011-09-12 )))))))))))))))))))))))))))))))
.
.
2011-09-12 18:16 . 2011-09-12 18:18 48016 --sha-w- c:\windows\system32\c_56610.nl_
2011-09-12 03:52 . 2011-09-12 03:56 -------- dc----w- C:\MGtools
2011-09-12 03:49 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-12 03:48 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-12 03:22 . 2011-09-12 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-09-12 00:57 . 2011-09-12 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-09-12 00:32 . 2011-09-12 03:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-11 22:41 . 2011-09-11 22:41 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Symantec
2011-09-11 22:41 . 2011-09-11 22:40 83208 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-09-11 22:41 . 2011-09-11 22:40 73624 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-09-11 22:41 . 2011-09-11 22:40 124167 ----a-w- c:\windows\system32\SYMEVNT.386
2011-09-11 22:41 . 2011-09-11 22:41 -------- d-----w- c:\program files\Symantec
2011-09-11 22:41 . 2011-09-11 22:41 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-09-11 18:50 . 2011-09-11 18:50 -------- d-----w- c:\program files\Trend Micro
2011-09-05 21:46 . 2011-09-05 21:46 -------- d-----w- c:\documents and settings\Owner\Application Data\RegGenie
2011-09-05 18:41 . 2011-09-12 00:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2011-09-05 11:34 . 2011-09-05 11:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2011-09-05 02:03 . 2011-09-05 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-09-05 02:03 . 2011-09-05 02:03 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2011-09-04 20:09 . 2011-09-04 20:09 239104 ----a-w- c:\windows\system32\wscui32.dll
2011-09-03 10:17 . 2011-09-03 10:17 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-09-03 02:20 . 2011-09-03 02:20 -------- d--h--w- c:\windows\msdownld.tmp
2011-09-02 20:44 . 2011-09-02 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-09-02 20:42 . 2011-09-02 21:27 -------- d-----w- c:\documents and settings\Owner\Application Data\IObit
2011-09-02 20:16 . 2011-09-02 20:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Registry Cleaner
2011-09-02 19:54 . 2011-09-02 19:54 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AMUST
2011-09-02 19:48 . 2011-09-02 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\!SASCORE
2011-09-02 19:48 . 2011-09-12 21:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-02 17:18 . 2011-09-02 17:18 4194304 ----a-w- c:\windows\system32\maaamtym.dll
2011-09-02 17:17 . 2011-09-02 17:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-09-02 15:30 . 2011-09-02 15:30 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PackageAware
2011-09-02 05:40 . 2011-09-02 05:40 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\2K Games
2011-08-31 22:04 . 2011-08-31 22:04 -------- d-----w- c:\program files\Common Files\Steam
2011-08-31 20:43 . 2011-08-31 20:43 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Activision
2011-08-31 20:41 . 2010-06-02 08:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2011-08-31 20:41 . 2010-06-02 08:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2011-08-31 20:41 . 2010-06-02 08:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2011-08-31 20:41 . 2010-05-26 15:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2011-08-31 20:41 . 2010-05-26 15:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2011-08-31 20:41 . 2010-05-26 15:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2011-08-31 20:41 . 2010-05-26 15:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2011-08-31 20:41 . 2010-05-26 15:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2011-08-31 20:41 . 2010-02-04 14:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2011-08-31 20:41 . 2010-02-04 14:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2011-08-31 20:41 . 2010-02-04 14:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2011-08-31 20:41 . 2010-02-04 14:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2011-08-31 20:29 . 2011-08-31 20:29 -------- d-----w- c:\program files\Activision
2011-08-27 01:06 . 2011-08-27 01:06 -------- d-----w- c:\program files\Apple Software Update
2011-08-25 21:10 . 2011-08-25 21:10 -------- d-----w- c:\program files\EA GAMES
2011-08-25 21:04 . 2011-08-25 21:04 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
2011-08-25 21:04 . 2011-08-25 21:04 -------- d-----w- c:\program files\W3i
2011-08-25 21:04 . 2011-08-25 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\W3i
2011-08-25 21:04 . 2011-08-25 21:04 -------- d-----w- c:\documents and settings\Owner\Application Data\NetAssistant
2011-08-19 01:23 . 2011-08-19 01:23 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2011-08-19 01:15 . 2011-08-19 01:23 -------- d-----w- c:\documents and settings\Owner\Application Data\uPlayer
2011-08-19 01:15 . 2011-08-19 01:15 -------- d-----w- c:\program files\uPlayer
2011-08-19 01:14 . 2011-08-19 01:35 -------- d-----w- c:\program files\Common Files\FreeCause
2011-08-15 18:11 . 2011-08-15 18:11 -------- d-----w- c:\program files\Common Files\Adobe
2011-08-14 17:47 . 2011-08-14 17:47 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-14 02:12 . 2011-08-14 02:12 -------- d-----w- c:\windows\Temp301C9D70-ACA1-50E5-859B-41624187A40B-Signatures
2011-08-14 01:48 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-08-14 01:45 . 2011-08-14 01:45 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-08-14 01:45 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-14 01:42 . 2011-03-29 15:22 1034240 ----a-r- c:\windows\system32\drivers\AE2500xp.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-12 18:15 . 2005-04-13 16:55 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-09-12 03:56 . 2011-09-12 03:52 146025 -c--a-w- C:\MGlogs.zip
2011-09-03 10:17 . 2005-04-13 16:55 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2005-04-13 16:55 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2005-04-13 16:55 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2005-04-13 17:12 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2005-04-13 16:56 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2005-04-13 16:55 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2005-04-13 16:55 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2005-04-13 16:55 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2005-04-13 16:56 293376 ----a-w- c:\windows\system32\winsrv.dll
2001-09-28 22:00 . 2006-12-29 21:52 164864 -c--a-w- c:\program files\UNWISE.EXE
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{132A3557-F4F3-4BCC-9648-8346A82E74Cf}]
2011-09-04 20:09 239104 ----a-w- c:\windows\system32\wscui32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUMUpdate"="c:\documents and settings\Owner\Application Data\AdobeUM\AdobeUMUpdate\AdobeUMupdt32.exe" [2011-09-04 56832]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-12 483422]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-04-26 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"AdobeUMUpdate"="c:\documents and settings\Owner\Application Data\AdobeUM\AdobeUMUpdate\AdobeUMupdt32.exe" [2011-09-04 56832]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK
backup=c:\windows\pss\Install Pending Files.LNKCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
backupExtension=Common Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2005-05-03 21:02 543232 -c--a-w- c:\windows\zHotkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 17:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-04-25 17:29 77824 -c--a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-04-25 17:32 94208 -c--a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstallIQUpdater]
2011-08-09 21:02 1176064 ----a-w- c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-06-02 23:03 1957888 -c----w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2005-04-25 17:32 114688 -c--a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 06:42 212992 -c--a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-03-09 15:49 966656 -c--a-w- c:\windows\creator\remind_xp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2009-03-12 17:53 483422 ----a-w- c:\windows\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
2004-11-15 22:04 135168 -c--a-w- c:\program files\Digital Media Reader\shwiconEM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PrismXL"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\1144556525\\ee\\aim6.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1144556525\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\W3i\\InstallIQUpdater\\InstallIQUpdater.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\AdobeUM\\AdobeUMUpdate\\AdobeUMupdt32.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\Bleeping computer downloads\\SUPERAntiSpyware.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"81:TCP"= 81:TCP:*:Disabled:www.fileporn.org
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"15072:TCP"= 15072:TCP:*:Disabled:BitComet 15072 TCP
"15072:UDP"= 15072:UDP:*:Disabled:BitComet 15072 UDP
"27097:TCP"= 27097:TCP:*:Disabled:BitComet 27097 TCP
"27097:UDP"= 27097:UDP:*:Disabled:BitComet 27097 UDP
"49154:TCP"= 49154:TCP:*:Disabled:BitComet 49154 TCP
"49154:UDP"= 49154:UDP:*:Disabled:BitComet 49154 UDP
"53580:TCP"= 53580:TCP:*:Disabled:BitComet 53580 TCP
"53580:UDP"= 53580:UDP:*:Disabled:BitComet 53580 UDP
"6839:TCP"= 6839:TCP:*:Disabled:BitComet 6839 TCP
"6839:UDP"= 6839:UDP:*:Disabled:BitComet 6839 UDP
"52890:TCP"= 52890:TCP:*:Disabled:BitComet 52890 TCP
"52890:UDP"= 52890:UDP:*:Disabled:BitComet 52890 UDP
"62890:TCP"= 62890:TCP:*:Disabled:BitComet 62890 TCP
"62890:UDP"= 62890:UDP:*:Disabled:BitComet 62890 UDP
"38839:TCP"= 38839:TCP:*:Disabled:BitCometBeta 38839 TCP
"38839:UDP"= 38839:UDP:*:Disabled:BitCometBeta 38839 UDP
"9383:TCP"= 9383:TCP:*:Disabled:BitComet 9383 TCP
"9383:UDP"= 9383:UDP:*:Disabled:BitComet 9383 UDP
"9879:TCP"= 9879:TCP:*:Disabled:BitComet 9879 TCP
"9879:UDP"= 9879:UDP:*:Disabled:BitComet 9879 UDP
"6346:TCP"= 6346:TCP:BitComet 6346 TCP
"6346:UDP"= 6346:UDP:BitComet 6346 UDP
"43823:TCP"= 43823:TCP:BitComet 43823 TCP
"43823:UDP"= 43823:UDP:BitComet 43823 UDP
"31853:TCP"= 31853:TCP:BitComet 31853 TCP
"31853:UDP"= 31853:UDP:BitComet 31853 UDP
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"23301:TCP"= 23301:TCP:BitComet 23301 TCP
"23301:UDP"= 23301:UDP:BitComet 23301 UDP
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/10/2006 10:36 PM 691696]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [9/12/2011 5:33 PM 116608]
R3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows\system32\drivers\AE2500xp.sys [8/13/2011 9:42 PM 1034240]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S1 cqknmdjg;cqknmdjg; [x]
S1 MpKsl1b68c793;MpKsl1b68c793; [x]
S1 MpKsl3c4a2abb;MpKsl3c4a2abb; [x]
S1 MpKsld7d2ad1c;MpKsld7d2ad1c; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/20/2010 9:39 PM 135664]
S2 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/20/2010 9:39 PM 135664]
S2 RPCQT;Remote Procedure Call (CQTPM);c:\windows\System32\svchost.exe -k netsvcs [4/13/2005 12:56 PM 14336]
S3 ATMFBUS;A600 USB Composite Device Driver;c:\windows\system32\DRIVERS\ATMFBUS.sys --> c:\windows\system32\DRIVERS\ATMFBUS.sys [?]
S3 ATMFCVsp;A600 Cricket CM Port;c:\windows\system32\DRIVERS\ATMFCVsp.sys --> c:\windows\system32\DRIVERS\ATMFCVsp.sys [?]
S3 ATMFFLT;A600 USB Modem Installation CD;c:\windows\system32\DRIVERS\ATMFFLT.sys --> c:\windows\system32\DRIVERS\ATMFFLT.sys [?]
S3 ATMFMdm;A600 Cricket EVDO Modem;c:\windows\system32\DRIVERS\ATMFMdm.sys --> c:\windows\system32\DRIVERS\ATMFMdm.sys [?]
S3 ATMFNET;A600 Cricket EVDO Network Adapter;c:\windows\system32\DRIVERS\ATMFNET.sys --> c:\windows\system32\DRIVERS\ATMFNET.sys [?]
S3 ATMFNVsp;A600 Cricket NMEA Port Serial Port;c:\windows\system32\DRIVERS\ATMFNVsp.sys --> c:\windows\system32\DRIVERS\ATMFNVsp.sys [?]
S3 ATMFVsp;A600 Cricket Diagnostics Port;c:\windows\system32\DRIVERS\ATMFVsp.sys --> c:\windows\system32\DRIVERS\ATMFVsp.sys [?]
S3 DPCNET5U;Satellite USB Driver;c:\windows\system32\DRIVERS\dpcnet5u.sys --> c:\windows\system32\DRIVERS\dpcnet5u.sys [?]
S3 gAGP440p;gAGP440p; [x]
S3 TfNetMon;TfNetMon; [x]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
RPCQT
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2007-10-30 c:\windows\Tasks\BitComet.job
- c:\progra~1\BitComet\BitComet.exe [2009-07-31 09:05]
.
2011-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-21 01:38]
.
2011-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-21 01:38]
.
2011-09-12 c:\windows\Tasks\User_Feed_Synchronization-{7B8B7F67-DA93-447D-83C7-A6BD434B3F4A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = <local>
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-12 18:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\.cdrom]
"ImagePath"="\*"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3411350672-2408072866-3857614147-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(600)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1608)
c:\windows\system32\WININET.dll
.
Completion time: 2011-09-12 18:54:55
ComboFix-quarantined-files.txt 2011-09-12 22:54
ComboFix2.txt 2011-09-12 21:50
.
Pre-Run: 59,844,632,576 bytes free
Post-Run: 59,857,158,144 bytes free
.
Current=9 Default=9 Failed=8 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
- - End Of File - - 028E4C22695B41F7E8C5F0B6A421A978




2011/09/12 23:21:18.0770 0776 TDSS rootkit removing tool 2.5.21.0 Sep 10 2011 21:07:05
2011/09/12 23:21:19.0207 0776 ================================================================================
2011/09/12 23:21:19.0207 0776 SystemInfo:
2011/09/12 23:21:19.0207 0776
2011/09/12 23:21:19.0207 0776 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/12 23:21:19.0207 0776 Product type: Workstation
2011/09/12 23:21:19.0207 0776 ComputerName: YOUR-4CFD40D048
2011/09/12 23:21:19.0207 0776 UserName: Owner
2011/09/12 23:21:19.0207 0776 Windows directory: C:\WINDOWS
2011/09/12 23:21:19.0207 0776 System windows directory: C:\WINDOWS
2011/09/12 23:21:19.0207 0776 Processor architecture: Intel x86
2011/09/12 23:21:19.0207 0776 Number of processors: 2
2011/09/12 23:21:19.0207 0776 Page size: 0x1000
2011/09/12 23:21:19.0207 0776 Boot type: Normal boot
2011/09/12 23:21:19.0207 0776 ================================================================================
2011/09/12 23:21:21.0129 0776 Initialize success
2011/09/12 23:21:27.0863 2808 ================================================================================
2011/09/12 23:21:27.0863 2808 Scan started
2011/09/12 23:21:27.0863 2808 Mode: Manual;
2011/09/12 23:21:27.0863 2808 ================================================================================
2011/09/12 23:21:28.0988 2808 7848373e (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\1043810424:2276968641.exe
2011/09/12 23:21:31.0223 2808 Suspicious file (Hidden): C:\WINDOWS\1043810424:2276968641.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
2011/09/12 23:21:31.0238 2808 7848373e - detected HiddenFile.Multi.Generic (1)
2011/09/12 23:21:33.0520 2808 dtscsi (12aca694b50ea53563c1e7c99e7bb27d) C:\WINDOWS\System32\Drivers\dtscsi.sys
2011/09/12 23:21:33.0520 2808 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\dtscsi.sys. md5: 12aca694b50ea53563c1e7c99e7bb27d
2011/09/12 23:21:33.0535 2808 dtscsi - detected LockedFile.Multi.Generic (1)
2011/09/12 23:21:35.0191 2808 intelppm (8bcdcdc99c2a7d37306c0b64a77a48f3) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/12 23:21:35.0191 2808 intelppm - detected Rootkit.Win32.ZAccess.e (0)
2011/09/12 23:21:39.0785 2808 Serial (bae8d82da3e64d0c83e606b35c385f4d) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/12 23:21:39.0801 2808 Serial - detected Rootkit.Win32.ZAccess.e (0)
2011/09/12 23:21:40.0113 2808 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/09/12 23:21:40.0113 2808 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/09/12 23:21:40.0129 2808 sptd - detected LockedFile.Multi.Generic (1)
2011/09/12 23:21:42.0598 2808 MBR (0x1B8) (b20939cd98b7710036274839082ae757) \Device\Harddisk0\DR0
2011/09/12 23:21:42.0613 2808 Boot (0x1200) (127e1b3642c10dc89539400a3bc1bb83) \Device\Harddisk0\DR0\Partition0
2011/09/12 23:21:42.0629 2808 Boot (0x1200) (269486c08c34db434c807fc5661d8c81) \Device\Harddisk0\DR0\Partition1
2011/09/12 23:21:42.0645 2808 ================================================================================
2011/09/12 23:21:42.0645 2808 Scan finished
2011/09/12 23:21:42.0645 2808 ================================================================================
2011/09/12 23:21:42.0660 0428 Detected object count: 5
2011/09/12 23:21:42.0660 0428 Actual detected object count: 5
2011/09/12 23:22:49.0675 0428 HKLM\SYSTEM\ControlSet009\services\7848373e - will be deleted after reboot
2011/09/12 23:22:49.0691 0428 C:\WINDOWS\1043810424:2276968641.exe - will be deleted after reboot
2011/09/12 23:22:49.0691 0428 HiddenFile.Multi.Generic(7848373e) - User select action: Delete
2011/09/12 23:22:49.0707 0428 HKLM\SYSTEM\ControlSet008\services\dtscsi - will be deleted after reboot
2011/09/12 23:22:49.0707 0428 HKLM\SYSTEM\ControlSet009\services\dtscsi - will be deleted after reboot
2011/09/12 23:22:49.0707 0428 HKLM\SYSTEM\ControlSet010\services\dtscsi - will be deleted after reboot
2011/09/12 23:22:49.0722 0428 C:\WINDOWS\System32\Drivers\dtscsi.sys - will be deleted after reboot
2011/09/12 23:22:49.0722 0428 LockedFile.Multi.Generic(dtscsi) - User select action: Delete
2011/09/12 23:22:49.0879 0428 intelppm (8bcdcdc99c2a7d37306c0b64a77a48f3) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/12 23:22:49.0894 0428 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\intelppm.sys) error 1813
2011/09/12 23:22:53.0253 0428 Backup copy found, using it..
2011/09/12 23:22:53.0300 0428 C:\WINDOWS\system32\DRIVERS\intelppm.sys - will be cured after reboot
2011/09/12 23:22:53.0300 0428 Rootkit.Win32.ZAccess.e(intelppm) - User select action: Cure
2011/09/12 23:22:53.0472 0428 Serial (bae8d82da3e64d0c83e606b35c385f4d) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/12 23:22:53.0472 0428 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\serial.sys) error 1813
2011/09/12 23:22:55.0691 0428 Backup copy found, using it..
2011/09/12 23:22:55.0738 0428 C:\WINDOWS\system32\DRIVERS\serial.sys - will be cured after reboot
2011/09/12 23:22:55.0738 0428 Rootkit.Win32.ZAccess.e(Serial) - User select action: Cure
2011/09/12 23:22:55.0738 0428 HKLM\SYSTEM\ControlSet001\services\sptd - will be deleted after reboot
2011/09/12 23:22:55.0738 0428 HKLM\SYSTEM\ControlSet002\services\sptd - will be deleted after reboot
2011/09/12 23:22:55.0753 0428 HKLM\SYSTEM\ControlSet003\services\sptd - will be deleted after reboot
2011/09/12 23:22:55.0753 0428 HKLM\SYSTEM\ControlSet004\services\sptd - will be deleted after reboot
2011/09/12 23:22:55.0753 0428 HKLM\SYSTEM\ControlSet005\services\sptd - will be deleted after reboot
2011/09/12 23:22:55.0753 0428 HKLM\SYSTEM\ControlSet006\services\sptd - will be deleted after reboot
2011/09/12 23:22:55.0753 0428 HKLM\SYSTEM\ControlSet007\services\sptd - will be deleted after reboot
2011/09/12 23:22:55.0753 0428 HKLM\SYSTEM\ControlSet008\services\sptd - will be deleted after reboot
2011/09/12 23:22:55.0753 0428 HKLM\SYSTEM\ControlSet009\services\sptd - will be deleted after reboot
2011/09/12 23:22:55.0769 0428 HKLM\SYSTEM\ControlSet010\services\sptd - will be deleted after reboot
2011/09/12 23:22:55.0769 0428 C:\WINDOWS\system32\Drivers\sptd.sys - will be deleted after reboot
2011/09/12 23:22:55.0769 0428 LockedFile.Multi.Generic(sptd) - User select action: Delete
2011/09/12 23:23:29.0191 2680 Deinitialize success

Edited by Orange Blossom, 13 September 2011 - 01:25 PM.
Merged topics. ~ OB


#4 CatByte

  • Malware Response Team

Posted 15 September 2011 - 08:29 PM

Hi

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic418730.html

KillAll::

Collect::
c:\windows\system32\c_56610.nl_
c:\windows\system32\maaamtym.dll
c:\windows\system32\wscui32.dll


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{132A3557-F4F3-4BCC-9648-8346A82E74Cf}]

Driver::
cqknmdjg
gAGP440p
7848373e

NetSvc::
RPCQT

ADS::
C:\WINDOWS\1043810424

RootKit::
C:\WINDOWS\1043810424
C:\WINDOWS\1043810424:2276968641.exe

FixCSet::


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

(screenshot: CFScript.txt being dragged onto ComboFix.exe)
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 CatByte

  • Malware Response Team

Posted 21 September 2011 - 07:44 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
