Computer keeps freezing; directed here after test in 'Am I infected?' forum


  • This topic is locked
21 replies to this topic

#1 st.michael2011

st.michael2011

  • Members
  • 23 posts
  • OFFLINE
  • Local time:04:52 AM

Posted 29 September 2011 - 07:30 AM

Referred from here: http://www.bleepingcomputer.com/forums/topic420634.html ~ OB

Hello, Thank you again for all your hard work.
My computer's been extremely slow/freezing periodically and I believe it's due to a virus. Here are the logs.

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 10.0.0
Run by Wonkyo Jung at 14:49:53 on 2011-09-29
Microsoft Windows XP Professional 5.1.2600.3.949.82.1033.18.1014.606 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\conime.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
mStart Page = hxxp://sharebox.co.kr/?ptn=startpage&inty=main
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi371a~1\toolbar\searchqudtx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi371a~1\toolbar\searchqudtx.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [Google Update] "c:\documents and settings\wonkyo jung\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NATEON] c:\program files\nateon\bin\NATEON.exe -as
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [SonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
mRun: [SkyTel] SkyTel.EXE
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ntasvr] "c:\program files\nate\addresssearch\ntasvr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\wonkyo~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\wonkyo~1\startm~1\programs\startup\virtua~1.lnk - c:\windows\system32\virtualexpander\VirtualExpander.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lcdpla~1.lnk - c:\program files\space international\cdspace 5\LCDPlyer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\trendm~1.lnk - c:\program files\trend micro\tmas\Tmas.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{d25122bc-a60e-4663-b602-b01718f12044}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 Plus - c:\program files\sony\image converter 2\menu.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: GPplayerActiveXCAB - hxxp://music.godpeople.com/gpplayer/GPplayerActiveXCAB.CAB
DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} - hxxp://cyimg8.cyworld.com/ImageUpload/CyImageUpload_10217.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1A35058C-ED39-483D-BB57-305DB9ABAAF4} - hxxp://www.shoprich.co.kr/update/EHostAgentX.cab
DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} - hxxp://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
DPF: {2029F1D2-90E4-49EF-9824-F666D238BFF6} - hxxp://jr.naver.com/comic/book/viewer_new/NHNComicViewer.cab
DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} - hxxps://mpi.dacom.net/XMPI/js/xmpi2007.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {31547BE4-40A1-4F53-8DC6-40553BBEAA44} - hxxp://www.clubhard.co.kr/append/application/ClubHardCtrl.CAB
DPF: {386EDCD0-72B4-42F4-9942-049B8A92FC48} - hxxp://down.fileguri.com/FgAddOn.cab
DPF: {39461460-2552-4D51-A062-3AB6A7B902E9} - hxxp://www.hanabank.com/shttp/install/down/INIS70.cab
DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} - hxxp://download.kbstar.com/security/SCSK/scsk4.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5888E710-0C1D-4CC8-BCBF-3971B959BB5C} - hxxp://www.iple.com/cache/ActiveX/axau.cab
DPF: {5B28FBF2-8EA7-4EEE-BA15-BFD1608C783B} - hxxp://goodfile.net/downloder/GoodFileDownLoadProj.cab
DPF: {6CE20149-ABE3-462E-A1B4-5B549971AA38} - hxxps://npg.tgcorp.com/dlp/js/CKKeyPro/CKKeyPro.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246467851234
DPF: {7513B187-5954-4C64-ABF4-E652FE899F24} - hxxp://www.wedisk.co.kr/app/WeDisk.cab
DPF: {7A9935D3-9B3C-4382-B62A-45CF92B18D74} - hxxp://cyimg8.cyworld.com/storyRoom/CyImgResize.cab
DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxp://download.kbstar.com/security/XecureWeb/xw_install_v7225.cab
DPF: {81DC74C9-7B3E-4708-849A-1745754666BA} - hxxp://music.freechal.com/player/MUPY.cab
DPF: {8218BB3D-2D62-4719-B6EC-FEBE7A079CBD} - hxxp://imgcdn.pandora.tv/pan_img/app/FirstLoad1.0.0.3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} - hxxp://cyimg7.cyworld.com/ImageUpload/CyPictureU1233.cab?20081124
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9103166D-A34B-45A2-91F5-73D508C7A650} - hxxp://imusicsoft.co.kr/develop/nateviewer/NateComicViewer.cab
DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} - hxxp://cafeimg.hanmail.net/activex/dmcc2.cab?Version=1,0,0,10
DPF: {9CDD57AC-CA86-464C-B920-3228A388CC78} - hxxp://file.naver.com/activex/NaverFile.cab
DPF: {9DEFEDFC-8193-4BE6-AA60-B6375AB7C8BE} - hxxp://patch.mnet.com/NaverMusic/ActiveX/naverx.cab
DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} - hxxp://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
DPF: {B0846BBB-A5C3-45BF-A9B9-A6837A8C6A9B} - hxxp://pds.hanafos.com/Include/component/PDSControl.cab
DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} - hxxp://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,3
DPF: {BE81B237-0EE9-40F6-BABB-0CE2C1DA7832} - hxxp://activexdown.paran.com/paranactivex/data/ImPlayer.cab
DPF: {BF6F8114-5DC3-4515-9BC6-16342AE7FDCE} - hxxp://www.chamdisk.com/fs_prg/XFShowClient.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CCD4D366-51C3-4D2E-BA25-262C45F104F5} - hxxp://imusicsoft.co.kr/develop/nateviewer/NateComicViewer.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} - hxxp://plugin.inicis.com/wallet60/INIwallet60.cab
DPF: {D9EF4DC2-D250-486F-88A0-516DC35AB59E} - hxxp://app.jjangfile.net/JJangFile.CAB
DPF: {DA54C9C1-8109-43C9-9C80-E4210CEDF147} - hxxp://wedisk.co.kr/app/EzwonSessionCtl.cab
DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} - hxxp://pay.kcp.co.kr/plugin/file/payplus.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxps://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
DPF: {E9E5E440-45DE-4D5B-8F8E-54212D160106} - hxxp://afocx.afreeca.com:9091/AFC/OpenTV.cab
DPF: {F4A1D5E2-AF49-47A7-A945-23038106F3A4} - hxxp://imgcdn.pandora.tv/pan_img/launcher/codebase/Pandora_SetUpAX.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F68CACCC-C9A4-4A51-8EE9-694FF8A29248} - hxxp://qbic.hanafos.com/component/HDUpload.cab
DPF: {F7530E43-3359-42D0-B8DC-843A45028584} - hxxp://manager.ongamenet.com/common/control/hitelontop.cab
DPF: {FFD77E35-1C34-4EAC-B5A7-414CC5D007DA} - hxxps://www.isaackorea.net/update/ansim/ilkactx.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9D4926EE-324C-4D4A-897A-3770D7CA6B46} : DhcpNameServer = 192.168.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - c:\program files\initech\shttp\InitechSHTTPInterface.10111.dll
Name-Space Handler: http\s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - c:\program files\initech\shttp\InitechSHTTPInterface.10111.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\wonkyo jung\application data\mozilla\firefox\profiles\lsfwt95y.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=406&q=
FF - component: c:\documents and settings\wonkyo jung\application data\mozilla\firefox\profiles\lsfwt95y.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}\components\dtTransparency.dll
FF - component: c:\documents and settings\wonkyo jung\application data\mozilla\firefox\profiles\lsfwt95y.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}\components\dtTransparency3.5.dll
FF - component: c:\documents and settings\wonkyo jung\application data\mozilla\firefox\profiles\lsfwt95y.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}\components\dtTransparency3.6.dll
FF - component: c:\program files\windows ilivid toolbar\datamngr\firefoxextension\components\DataMngrHlp.dll
FF - plugin: c:\documents and settings\wonkyo jung\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\wonkyo jung\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\wonkyo jung\local settings\application data\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npNateComicPlugin32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-17 11608]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-17 108289]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-17 185089]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-17 56816]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-16 136176]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-5-17 366152]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
S2 PEVSystemStart;PEVSystemStart;"c:\combofix\pev.cfxxe" exec /i "c:\combofix\regt.cfxxe" /s "c:\combofix\cregb.dat" --> c:\combofix\PEV.cfxxe [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 cdspacex;cdspacex;c:\windows\system32\drivers\cdspacex.sys --> c:\windows\system32\drivers\CDSPACEX.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-16 136176]
S3 JRSKD24;JRSKD24;c:\windows\system32\JRSKD24.sys [2007-10-28 9216]
S3 JRSUKD24;JRSUKD24;c:\windows\system32\JRSUKD24.sys [2007-10-28 6784]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-5-17 22216]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 NPFWFLT;NPFWFLT;c:\windows\system32\npfwflt.sys [2009-1-29 31488]
S3 scsk5;SCSK5 Driver Service;c:\windows\system32\drivers\scsk5.sys --> c:\windows\system32\drivers\scsk5.sys [?]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-9-1 226304]
S3 TwoRabts;Two Rabbits Live Bus;c:\windows\system32\drivers\tworabts.sys --> c:\windows\system32\drivers\TwoRabts.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
.
=============== Created Last 30 ================
.
2011-09-29 03:47:16 -------- d-----w- c:\documents and settings\wonkyo jung\application data\SUPERAntiSpyware.com
2011-09-29 03:39:25 -------- d-----w- c:\documents and settings\wonkyo jung\local settings\application data\Sun
2011-09-29 02:37:54 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 02:34:49 -------- d-----w- c:\program files\ESET
2011-09-28 01:40:04 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-09-28 01:40:02 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-09-27 04:21:15 -------- d-sh--w- C:\found.000
2011-09-05 17:04:56 183696 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-09-05 17:04:56 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
.
==================== Find3M ====================
.
2011-09-29 02:37:27 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-03 05:50:09 0 ---ha-w- c:\documents and settings\wonkyo jung\noghvvngld.tmp
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK8032GSX rev.AS111G -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86AC34C0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [0x86aca8a4]; PUSH ESI; MOV ESI, [ESP+0xc]; PUSH EDI; MOV EDI, [ESI+0x60]; CMP EAX, [0x86aca730]; JNZ 0x1f; MOV [ESP+0xc], ECX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86F491F0]
3 CLASSPNP[0xF756CFD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000008c[0x86FC3F18]
5 ACPI[0xF74C3620] -> nt!IofCallDriver[0x804E13B9] -> [0x86F94030]
\Driver\atapi[0x86DFFCC0] -> IRP_MJ_CREATE -> 0x86AC34C0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86AC32E0
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 14:52:02.50 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-30 07:07:46
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\0000009b TOSHIBA_MK8032GSX rev.AS111G
Running: gmer.exe; Driver: C:\DOCUME~1\WONKYO~1\LOCALS~1\Temp\fxtdqpoc.sys


---- System - GMER 1.0.15 ----

SSDT F7B07676 ZwCreateKey
SSDT F7B0766C ZwCreateThread
SSDT F7B0767B ZwDeleteKey
SSDT F7B07685 ZwDeleteValueKey
SSDT F7B0768A ZwLoadKey
SSDT F7B07658 ZwOpenProcess
SSDT F7B0765D ZwOpenThread
SSDT F7B07694 ZwReplaceKey
SSDT F7B0768F ZwRestoreKey
SSDT F7B07680 ZwSetValueKey
SSDT F7B07667 ZwTerminateProcess

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 001A000C
.text C:\WINDOWS\system32\svchost.exe[548] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 001A000C
.text C:\WINDOWS\System32\svchost.exe[600] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 001A000C
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 001A000C
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 001A000C
.text ...
.text C:\WINDOWS\System32\svchost.exe[1692] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 02E9000A
.text C:\WINDOWS\System32\svchost.exe[1692] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 02EA000A
.text C:\WINDOWS\System32\svchost.exe[1692] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 02EB000A
.text C:\WINDOWS\System32\svchost.exe[1692] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00EB000A
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 001A000C
.text C:\WINDOWS\system32\svchost.exe[2908] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 001A000C
.text C:\WINDOWS\system32\svchost.exe[2980] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 0075000C

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 868222E0
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 868222E0
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 868222E0
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 868222E0

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xAE 0x74 0xD7 0x2C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xAE 0x74 0xD7 0x2C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xAE 0x74 0xD7 0x2C ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FriendlyName Indeo? video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FilterData 0x02 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@EncoderType 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 MBR read error
Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0

---- EOF - GMER 1.0.15 ----

Edited by Orange Blossom, 04 October 2011 - 12:37 AM.
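The DDS and GMER output above is long, and most of it is ordinary startup, BHO, DPF and service inventory. As an added example (this is not code from the thread, from DDS, or from GMER), the script below runs a few triage heuristics over lines in the same shape as those logs: autostart entries that name a bare executable with no directory, services whose binary DDS could not resolve on disk (the `--> ... [?]` form), browser start page and `keyword.URL` settings pointing somewhere other than an allow-list, and rootkit-detector lines reporting unknown modules, driver hooks or warnings. The sample lines, the allow-list and the heuristics themselves are assumptions constructed for the example; a hit means "look at this entry", not "this is malware".

```python
"""Triage helper for DDS / GMER-style logs (added example, not part of the thread).

Heuristics (assumptions chosen for this example, not rules stated by the helpers):
  * uRun/mRun entries whose target is a bare file name with no path
  * services/drivers DDS could not resolve on disk (the '--> ... [?]' form)
  * start page / keyword.URL whose host is not on a small allow-list
  * rootkit-detector lines reporting unknown modules, DriverStartIo hooks or warnings
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines in the same shape as the logs above.
SAMPLE_LOG = """\
uStart Page = hxxp://google.com/
mStart Page = hxxp://sharebox.co.kr/?ptn=startpage&inty=main
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\\progra~1\\wi371a~1\\toolbar\\searchqudtx.dll
mRun: [avgnt] "c:\\program files\\avira\\antivir desktop\\avgnt.exe" /min
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=406&q=
S3 scsk5;SCSK5 Driver Service;c:\\windows\\system32\\drivers\\scsk5.sys --> c:\\windows\\system32\\drivers\\scsk5.sys [?]
S2 MBAMService;MBAMService;c:\\program files\\malwarebytes' anti-malware\\mbamservice.exe [2009-5-17 366152]
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86AC34C0]<<
\\Driver\\atapi DriverStartIo -> 0x86AC32E0
Warning: possible TDL3 rootkit infection !
"""

# Assumed allow-list; extend it with whatever the owner actually configured.
KNOWN_GOOD_HOSTS = {"google.com", "www.google.com", "about:home"}

RUN_RE = re.compile(r'^[um]Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$')
SVC_RE = re.compile(r'^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>.+?) --> .+\[\?\]$')
URL_RE = re.compile(r'h(?:xx|tt)ps?://([^/?\s]+)', re.IGNORECASE)   # DDS writes hxxp for http
START_RE = re.compile(r'^[um]Start Page = (?P<url>.+)$')
KEYWORD_RE = re.compile(r'^FF - prefs\.js: keyword\.URL - (?P<url>.+)$')
HOOK_RE = re.compile(r'^\\Driver\\\S+ DriverStartIo -> 0x[0-9A-Fa-f]+$')


def host_of(url):
    """Host part of a (defanged) URL, lower-cased; the raw string if it has no scheme."""
    m = URL_RE.search(url)
    return m.group(1).lower() if m else url.strip().lower()


def triage(text):
    """Return {category: [lines]} for every log line that trips a heuristic."""
    findings = defaultdict(list)
    for line in text.splitlines():
        line = line.rstrip()
        m = RUN_RE.match(line)
        if m:
            # Take the executable (quoted or not) and drop any arguments after it.
            target = m.group('target').strip('"').split('"')[0]
            # A bare file name is resolved via the PATH search order; no directory is pinned.
            if '\\' not in target and '%' not in target:
                findings['autostart_without_path'].append(line)
            continue
        if SVC_RE.match(line):
            findings['unresolved_service_binary'].append(line)
            continue
        m = START_RE.match(line) or KEYWORD_RE.match(line)
        if m and host_of(m.group('url')) not in KNOWN_GOOD_HOSTS:
            findings['browser_setting_redirected'].append(line)
            continue
        if '>>UNKNOWN' in line or HOOK_RE.match(line) or line.startswith('Warning:'):
            findings['rootkit_indicator'].append(line)
    return dict(findings)


if __name__ == '__main__':
    for category, lines in sorted(triage(SAMPLE_LOG).items()):
        print(f'[{category}]')
        for entry in lines:
            print('   ', entry)
```

On the constructed sample this reports two path-less autostart entries, one unresolved driver, two redirected browser settings and three rootkit-detector lines; the `BHO:` and the fully-pathed Malwarebytes service line pass through untouched, which is the point of keeping the heuristics narrow.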


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,730 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:52 AM

Posted 04 October 2011 - 07:35 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/421045 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 st.michael2011

st.michael2011
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:04:52 AM

Posted 04 October 2011 - 11:35 PM

Hello, my computer's been turned off, so I have done nothing since the referral to this forum.
I ran DDS again, but with GMER the computer just suddenly rebooted in the middle of it and went into a rebooting loop: it would reboot, go to the loading screen and reboot again, then again, until I manually shut it down.
So I'm on Safe Mode with Networking. I will post the new DDS and the old GMER log.
Thank you.

Attached Files



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:52 AM

Posted 05 October 2011 - 12:06 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button and select Immediate Notification, then click on Proceed. This will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 st.michael2011 (Topic Starter)

Posted 05 October 2011 - 07:22 PM

I did run ComboFix, after the computer somehow miraculously loaded.
Now I cannot load normally at all. It's in an endless reboot loop.

Attached Files

#6 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 05 October 2011 - 08:10 PM

What is it doing, and when is it doing it?



gringo

#7 st.michael2011 (Topic Starter)

Posted 05 October 2011 - 09:09 PM

When I turn the computer on, it gets to the Windows logo and loading sign; after a while the screen turns blue for a split second, then it reboots again. The same thing happens over and over, except that after the first reboot it asks whether I want to load in normal or safe mode. The only way for me to get on at this point is through safe mode. For some reason, if I restart normally from safe mode, once or twice it loads in normal mode fine.

#8 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 05 October 2011 - 09:27 PM

Hello

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#9 st.michael2011 (Topic Starter)

Posted 06 October 2011 - 12:01 AM

The computer is booting fine now. TDSSKiller found one threat.
Thank you, but I'm still not sure if I'm free of the virus.
The computer seems to have picked up a little speed too.

23:51:32.0250 0492 TDSS rootkit removing tool 2.6.5.0 Oct 5 2011 20:52:46
23:51:33.0796 0492 ============================================================
23:51:33.0796 0492 Current date / time: 2011/10/06 23:51:33.0796
23:51:33.0796 0492 SystemInfo:
23:51:33.0796 0492
23:51:33.0796 0492 OS Version: 5.1.2600 ServicePack: 3.0
23:51:33.0796 0492 Product type: Workstation
23:51:33.0796 0492 ComputerName: WONKYO
23:51:33.0859 0492 UserName: Wonkyo Jung
23:51:33.0859 0492 Windows directory: C:\WINDOWS
23:51:33.0859 0492 System windows directory: C:\WINDOWS
23:51:33.0859 0492 Processor architecture: Intel x86
23:51:33.0859 0492 Number of processors: 2
23:51:33.0859 0492 Page size: 0x1000
23:51:33.0859 0492 Boot type: Normal boot
23:51:33.0875 0492 ============================================================
23:52:39.0234 0492 Initialize success
23:53:31.0562 3728 ============================================================
23:53:31.0562 3728 Scan started
23:53:31.0562 3728 Mode: Manual;
23:53:31.0562 3728 ============================================================
23:54:37.0781 0564 ============================================================
23:54:37.0781 0564 Scan started
23:54:37.0781 0564 Mode: Manual;
23:54:37.0781 0564 ============================================================
23:54:41.0890 0564 Abiosdsk - ok
23:54:42.0453 0564 abp480n5 - ok
23:54:43.0109 0564 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
23:55:08.0218 0564 ACPI - ok
23:55:10.0578 0564 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
23:55:10.0578 0564 ACPIEC - ok
23:55:12.0640 0564 adpu160m - ok
23:55:15.0078 0564 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
23:55:40.0171 0564 aec - ok
23:55:40.0859 0564 AegisP (15e655baa989444f56787ef558823643) C:\WINDOWS\system32\DRIVERS\AegisP.sys
23:55:40.0875 0564 AegisP - ok
23:55:41.0531 0564 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
23:56:06.0625 0564 AFD - ok
23:56:17.0546 0564 Aha154x - ok
23:56:19.0656 0564 aic78u2 - ok
23:56:21.0796 0564 aic78xx - ok
23:56:25.0406 0564 AliIde - ok
23:56:51.0687 0564 amsint - ok
23:56:56.0500 0564 ApfiltrService (b21fcbc58cb13bac70f74b5ac5da7409) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
23:57:21.0578 0564 ApfiltrService - ok
23:57:36.0250 0564 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
23:58:01.0312 0564 Arp1394 - ok
23:58:01.0937 0564 asc - ok
23:58:02.0546 0564 asc3350p - ok
23:58:03.0140 0564 asc3550 - ok
23:58:03.0796 0564 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
23:58:03.0812 0564 AsyncMac - ok
23:58:04.0453 0564 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
23:58:04.0453 0564 atapi - ok
23:58:04.0953 0564 Atdisk - ok
23:58:05.0625 0564 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
23:58:05.0656 0564 Atmarpc - ok
23:58:06.0343 0564 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
23:58:06.0343 0564 audstub - ok
23:58:06.0593 0564 avgio (6a646c46b9415e13095aa9b352040a7a) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
23:58:06.0593 0564 avgio - ok
23:58:07.0203 0564 avgntflt (14fe36d8f2c6a2435275338d061a0b66) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
23:58:32.0250 0564 avgntflt - ok
23:58:33.0000 0564 avipbb (452e382340bb0c5e694ed9d3625356d0) C:\WINDOWS\system32\DRIVERS\avipbb.sys
23:58:33.0046 0564 avipbb - ok
23:58:33.0765 0564 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
23:58:33.0765 0564 Beep - ok
23:58:34.0421 0564 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
23:58:34.0468 0564 Bridge - ok
23:58:34.0546 0564 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
23:58:34.0562 0564 BridgeMP - ok
23:58:34.0843 0564 catchme - ok
23:58:48.0000 0564 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
23:58:48.0031 0564 cbidf2k - ok
23:58:51.0156 0564 cd20xrnt - ok
23:58:53.0890 0564 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
23:59:18.0953 0564 Cdaudio - ok
23:59:20.0812 0564 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
23:59:20.0843 0564 Cdfs - ok
23:59:22.0656 0564 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
23:59:47.0703 0564 Cdrom - ok
23:59:48.0453 0564 cdspacex - ok
23:59:48.0984 0564 Changer - ok
23:59:49.0718 0564 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
23:59:49.0734 0564 CmBatt - ok
23:59:50.0328 0564 CmdIde - ok
23:59:50.0937 0564 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
23:59:50.0953 0564 Compbatt - ok
23:59:51.0515 0564 Cpqarray - ok
23:59:52.0109 0564 CVirtA (5c706c06c1279952d2cc1a609ca948bf) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
00:00:17.0140 0564 CVirtA - ok
00:00:45.0593 0564 CVPNDRVA (5ba042bcab6246c6bba51606afd7b488) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
00:00:45.0765 0564 CVPNDRVA - ok
00:00:48.0109 0564 dac2w2k - ok
00:00:50.0578 0564 dac960nt - ok
00:00:54.0531 0564 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
00:01:19.0578 0564 Disk - ok
00:01:20.0703 0564 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
00:01:21.0093 0564 dmboot - ok
00:01:21.0828 0564 DMICall (526192bf7696f72e29777bf4a180513a) C:\WINDOWS\system32\DRIVERS\DMICall.sys
00:01:46.0859 0564 DMICall - ok
00:01:58.0031 0564 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
00:02:23.0125 0564 dmio - ok
00:02:25.0609 0564 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
00:02:25.0609 0564 dmload - ok
00:02:28.0671 0564 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
00:02:53.0734 0564 DMusic - ok
00:02:54.0484 0564 DNE (2eddbb3ef1dd5a28cb07c149d36e7286) C:\WINDOWS\system32\DRIVERS\dne2000.sys
00:02:54.0546 0564 DNE - ok
00:02:55.0203 0564 dpti2o - ok
00:02:55.0781 0564 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
00:02:55.0781 0564 drmkaud - ok
00:02:56.0515 0564 dtscsi (6461e57bb51a848aae26f52427b7cf9e) C:\WINDOWS\System32\Drivers\dtscsi.sys
00:02:56.0640 0564 dtscsi - ok
00:02:57.0640 0564 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
00:03:22.0718 0564 Fastfat - ok
00:03:23.0500 0564 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
00:03:23.0515 0564 Fdc - ok
00:03:24.0203 0564 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
00:03:24.0218 0564 Fips - ok
00:03:24.0890 0564 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
00:03:24.0906 0564 Flpydisk - ok
00:03:25.0609 0564 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
00:03:25.0687 0564 FltMgr - ok
00:03:26.0375 0564 FsVga (455f778ee14368468560bd7cb8c854d0) C:\WINDOWS\system32\DRIVERS\fsvga.sys
00:03:26.0390 0564 FsVga - ok
00:03:26.0953 0564 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
00:03:51.0968 0564 Fs_Rec - ok
00:03:54.0968 0564 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
00:03:55.0046 0564 Ftdisk - ok
00:03:58.0234 0564 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
00:04:23.0265 0564 GEARAspiWDM - ok
00:04:24.0078 0564 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
00:04:24.0093 0564 Gpc - ok
00:04:24.0812 0564 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
00:04:24.0875 0564 HDAudBus - ok
00:04:25.0937 0564 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
00:04:25.0953 0564 hidusb - ok
00:04:27.0218 0564 hpn - ok
00:04:28.0140 0564 HSFHWAZL (be0a81f4337367ce94bb20e65b3d57c8) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
00:04:53.0265 0564 HSFHWAZL - ok
00:04:56.0390 0564 HSF_DPV (b46aa158f25ccbf03b12971b4c7f4723) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
00:04:57.0125 0564 HSF_DPV - ok
00:04:59.0437 0564 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
00:05:24.0593 0564 HTTP - ok
00:05:33.0421 0564 i2omgmt - ok
00:05:36.0296 0564 i2omp - ok
00:05:39.0296 0564 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
00:06:04.0406 0564 i8042prt - ok
00:06:05.0937 0564 ialm (0f0194c4b635c10c3f785e4fee52d641) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
00:06:06.0750 0564 ialm - ok
00:06:07.0906 0564 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
00:06:32.0984 0564 Imapi - ok
00:06:34.0000 0564 ini910u - ok
00:06:48.0781 0564 IntcAzAudAddService (ab2fe0faa519880bd16e4a0792d633d2) C:\WINDOWS\system32\drivers\RtkHDAud.sys
00:07:16.0890 0564 IntcAzAudAddService - ok
00:07:32.0406 0564 IntelIde - ok
00:07:35.0468 0564 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
00:07:35.0562 0564 intelppm - ok
00:07:38.0187 0564 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
00:08:03.0250 0564 Ip6Fw - ok
00:08:05.0281 0564 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
00:08:05.0296 0564 IpFilterDriver - ok
00:08:07.0953 0564 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
00:08:32.0984 0564 IpInIp - ok
00:08:34.0015 0564 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
00:08:34.0093 0564 IpNat - ok
00:08:35.0031 0564 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
00:08:35.0093 0564 IPSec - ok
00:08:35.0968 0564 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
00:08:35.0984 0564 IRENUM - ok
00:08:36.0625 0564 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
00:08:36.0656 0564 isapnp - ok
00:08:37.0437 0564 JRSKD24 (dcc77cd51c8a9ba6a14b979fe5442c7e) C:\WINDOWS\system32\JRSKD24.SYS
00:08:37.0468 0564 JRSKD24 - ok
00:08:38.0203 0564 JRSUKD24 (9cc88aecca3a98abe936929570141d8a) C:\WINDOWS\system32\JRSUKD24.SYS
00:09:03.0234 0564 JRSUKD24 - ok
00:09:04.0000 0564 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
00:09:04.0015 0564 Kbdclass - ok
00:09:04.0609 0564 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
00:09:04.0625 0564 kbdhid - ok
00:09:05.0593 0564 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
00:09:05.0687 0564 kmixer - ok
00:09:06.0609 0564 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
00:09:06.0656 0564 KSecDD - ok
00:09:07.0609 0564 lbrtfdc - ok
00:09:08.0546 0564 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
00:09:33.0625 0564 MBAMProtector - ok
00:09:34.0578 0564 MBAMSwissArmy - ok
00:09:35.0531 0564 mdmxsdk (74f4372af97a587ecec527ec34955712) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
00:09:35.0531 0564 mdmxsdk - ok
00:09:36.0718 0564 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
00:09:36.0718 0564 MHNDRV - ok
00:09:37.0515 0564 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
00:09:37.0531 0564 mnmdd - ok
00:09:38.0531 0564 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
00:10:03.0562 0564 Modem - ok
00:10:04.0515 0564 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
00:10:04.0515 0564 Mouclass - ok
00:10:05.0078 0564 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
00:10:05.0156 0564 mouhid - ok
00:10:05.0890 0564 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
00:10:05.0921 0564 MountMgr - ok
00:10:06.0734 0564 mraid35x - ok
00:10:07.0578 0564 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
00:10:07.0656 0564 MRxDAV - ok
00:10:08.0781 0564 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
00:10:34.0031 0564 MRxSmb - ok
00:10:40.0312 0564 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
00:11:05.0453 0564 Msfs - ok
00:11:16.0656 0564 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
00:11:41.0718 0564 MSKSSRV - ok
00:11:45.0125 0564 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
00:12:10.0296 0564 MSPCLOCK - ok
00:12:19.0765 0564 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
00:12:44.0781 0564 MSPQM - ok
00:12:46.0546 0564 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
00:12:46.0562 0564 mssmbios - ok
00:12:47.0906 0564 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
00:12:47.0968 0564 Mup - ok
00:12:48.0781 0564 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
00:13:13.0921 0564 NDIS - ok
00:13:14.0796 0564 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
00:13:14.0828 0564 NdisTapi - ok
00:13:15.0625 0564 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
00:13:15.0625 0564 Ndisuio - ok
00:13:16.0390 0564 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
00:13:16.0546 0564 NdisWan - ok
00:13:17.0390 0564 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
00:13:17.0468 0564 NDProxy - ok
00:13:18.0187 0564 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
00:13:43.0218 0564 NetBIOS - ok
00:13:45.0984 0564 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
00:13:46.0078 0564 NetBT - ok
00:14:01.0375 0564 NETw3x32 (f886500c285af271fdd33bf8ba7b32ef) C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
00:14:27.0328 0564 NETw3x32 - ok
00:14:28.0000 0564 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
00:14:28.0031 0564 NIC1394 - ok
00:14:29.0062 0564 NOWMEMDF (22eddbd0b31562a7633c370013471774) C:\WINDOWS\system32\NOWMEMDF.sys
00:14:29.0078 0564 NOWMEMDF - ok
00:14:29.0750 0564 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
00:14:29.0765 0564 Npfs - ok
00:14:30.0500 0564 NPFWFLT (470d7898c46a3a25f8f1308597dc4cba) C:\WINDOWS\system32\NPFWFLT.SYS
00:14:30.0515 0564 NPFWFLT - ok
00:14:31.0546 0564 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
00:14:31.0843 0564 Ntfs - ok
00:14:32.0750 0564 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
00:14:32.0750 0564 Null - ok
00:14:34.0953 0564 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
00:14:34.0968 0564 NwlnkFlt - ok
00:14:37.0968 0564 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
00:14:37.0984 0564 NwlnkFwd - ok
00:14:42.0125 0564 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
00:15:07.0218 0564 ohci1394 - ok
00:15:16.0750 0564 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
00:15:41.0890 0564 Parport - ok
00:15:47.0375 0564 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
00:15:47.0421 0564 PartMgr - ok
00:15:50.0421 0564 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
00:16:15.0453 0564 ParVdm - ok
00:16:19.0953 0564 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
00:16:19.0984 0564 PCI - ok
00:16:22.0796 0564 PCIDump - ok
00:16:25.0890 0564 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
00:16:50.0937 0564 PCIIde - ok
00:16:53.0593 0564 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
00:17:18.0671 0564 Pcmcia - ok
00:17:29.0687 0564 PDCOMP - ok
00:17:57.0234 0564 PDFRAME - ok
00:18:00.0453 0564 PDRELI - ok
00:18:03.0593 0564 PDRFRAME - ok
00:18:06.0921 0564 perc2 - ok
00:18:10.0437 0564 perc2hib - ok
00:18:42.0593 0564 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
00:19:07.0640 0564 PptpMiniport - ok
00:19:12.0343 0564 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
00:19:12.0375 0564 PSched - ok
00:19:15.0125 0564 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
00:19:40.0156 0564 Ptilink - ok
00:19:40.0937 0564 PxHelp20 (1ffd5f718638fbea6c1eaad3349d479e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
00:19:40.0984 0564 PxHelp20 - ok
00:19:41.0703 0564 ql1080 - ok
00:19:42.0359 0564 Ql10wnt - ok
00:19:42.0843 0564 ql12160 - ok
00:19:45.0125 0564 ql1240 - ok
00:19:48.0171 0564 ql1280 - ok
00:19:51.0062 0564 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
00:20:16.0109 0564 RasAcd - ok
00:20:16.0890 0564 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
00:20:16.0906 0564 Rasl2tp - ok
00:20:17.0593 0564 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
00:20:17.0609 0564 RasPppoe - ok
00:20:18.0359 0564 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
00:20:18.0375 0564 Raspti - ok
00:20:19.0187 0564 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
00:20:44.0328 0564 Rdbss - ok
00:20:45.0218 0564 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
00:20:45.0250 0564 RDPCDD - ok
00:20:46.0234 0564 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
00:20:46.0359 0564 rdpdr - ok
00:20:47.0328 0564 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
00:20:47.0406 0564 RDPWD - ok
00:20:48.0609 0564 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
00:21:13.0656 0564 redbook - ok
00:21:14.0578 0564 s24trans (d4661148e44816b6501be8f4466d65b0) C:\WINDOWS\system32\DRIVERS\s24trans.sys
00:21:14.0593 0564 s24trans - ok
00:21:14.0781 0564 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
00:21:14.0781 0564 SASDIFSV - ok
00:21:14.0984 0564 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
00:21:15.0015 0564 SASKUTIL - ok
00:21:15.0781 0564 scsk4 - ok
00:21:16.0375 0564 scsk5 - ok
00:21:17.0093 0564 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
00:21:17.0109 0564 Secdrv - ok
00:21:17.0828 0564 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
00:21:17.0859 0564 Serial - ok
00:21:18.0609 0564 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
00:21:43.0640 0564 Sfloppy - ok
00:21:49.0187 0564 Simbad - ok
00:21:53.0500 0564 SNC (be6038e0a7d2e2fe69107e41a0265831) C:\WINDOWS\system32\Drivers\SonyNC.sys
00:22:18.0562 0564 SNC - ok
00:22:21.0234 0564 Sparrow - ok
00:22:22.0265 0564 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
00:22:22.0265 0564 splitter - ok
00:22:23.0609 0564 sptd (fbf265d1a4dda0cf81ec4a8af3fa3b6a) C:\WINDOWS\System32\Drivers\sptd.sys
00:22:49.0015 0564 sptd - ok
00:22:54.0687 0564 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
00:23:19.0765 0564 sr - ok
00:23:20.0828 0564 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
00:23:21.0015 0564 Srv - ok
00:23:21.0859 0564 ssmdrv (654dfea96bc82b4acda4f37e5e4a3bbf) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
00:23:21.0875 0564 ssmdrv - ok
00:23:22.0625 0564 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
00:23:22.0625 0564 swenum - ok
00:23:23.0437 0564 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
00:23:23.0468 0564 swmidi - ok
00:23:24.0343 0564 symc810 - ok
00:23:25.0031 0564 symc8xx - ok
00:23:25.0734 0564 sym_hi - ok
00:23:26.0312 0564 sym_u3 - ok
00:23:26.0984 0564 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
00:23:52.0046 0564 sysaudio - ok
00:23:53.0062 0564 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
00:23:53.0250 0564 Tcpip - ok
00:23:53.0921 0564 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
00:24:18.0984 0564 TDPIPE - ok
00:24:25.0109 0564 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
00:24:50.0140 0564 TDTCP - ok
00:24:50.0906 0564 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
00:24:50.0937 0564 TermDD - ok
00:24:52.0000 0564 ti21sony (26587ce8e6c6f16b8b4e7e2c16fa00bf) C:\WINDOWS\system32\drivers\ti21sony.sys
00:24:52.0109 0564 ti21sony - ok
00:24:52.0937 0564 TosIde - ok
00:24:53.0625 0564 TwoRabts - ok
00:24:54.0281 0564 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
00:25:19.0328 0564 Udfs - ok
00:25:20.0046 0564 ultra - ok
00:25:20.0828 0564 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
00:25:21.0031 0564 Update - ok
00:25:22.0031 0564 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
00:25:22.0062 0564 USBAAPL - ok
00:25:22.0859 0564 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
00:25:22.0890 0564 usbaudio - ok
00:25:23.0609 0564 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
00:25:23.0625 0564 usbccgp - ok
00:25:24.0421 0564 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
00:25:24.0437 0564 usbehci - ok
00:25:37.0796 0564 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
00:25:37.0828 0564 usbhub - ok
00:25:41.0156 0564 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
00:26:06.0203 0564 usbscan - ok
00:26:06.0937 0564 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
00:26:06.0953 0564 usbstor - ok
00:26:07.0671 0564 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
00:26:07.0687 0564 usbuhci - ok
00:26:08.0703 0564 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
00:26:08.0718 0564 VgaSave - ok
00:26:11.0062 0564 ViaIde - ok
00:26:14.0203 0564 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
00:26:39.0265 0564 VolSnap - ok
00:26:42.0406 0564 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys
00:26:42.0609 0564 vsdatant - ok
00:27:20.0218 0564 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
00:27:45.0281 0564 Wanarp - ok
00:27:45.0984 0564 WDICA - ok
00:27:48.0890 0564 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
00:27:48.0937 0564 wdmaud - ok
00:27:53.0937 0564 winachsf (317dc24899ad7a06e3430bf45f292989) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
00:27:54.0312 0564 winachsf - ok
00:29:05.0437 0564 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
00:29:30.0484 0564 WpdUsb - ok
00:29:44.0812 0564 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
00:30:09.0906 0564 WudfPf - ok
00:30:23.0062 0564 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
00:30:23.0125 0564 WudfRd - ok
00:30:30.0312 0564 yukonwxp (228d0403f0210d6d67a9acf907597efe) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
00:30:55.0468 0564 yukonwxp - ok
00:30:55.0781 0564 MBR (0x1B8) (cdac57608c39097805c8c958f1f73d97) \Device\Harddisk0\DR0
00:30:55.0781 0564 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - infected
00:30:55.0781 0564 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.a (0)
00:30:55.0906 0564 Boot (0x1200) (f064df48d62a4187ee0782ea0d94474c) \Device\Harddisk0\DR0\Partition0
00:30:55.0906 0564 \Device\Harddisk0\DR0\Partition0 - ok
00:31:03.0062 0564 ============================================================
00:31:03.0062 0564 Scan finished
00:31:03.0062 0564 ============================================================
00:31:09.0031 3856 Detected object count: 1
00:31:09.0031 3856 Actual detected object count: 1
00:33:01.0343 3856 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - will be cured on reboot
00:33:01.0359 3856 \Device\Harddisk0\DR0 - ok
00:33:01.0359 3856 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - User select action: Cure
00:34:17.0156 2864 Deinitialize success
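
The TDSSKiller log above reports a single detection, and it is in the master boot record rather than in any driver file: every driver entry is "ok", while "\Device\Harddisk0\DR0" is flagged and cured on reboot. What follows is an added example, not code from the thread, from TDSSKiller or from Kaspersky. It parses a 512-byte MBR, hashes the bootstrap code and compares it with a known-good baseline, which is the kind of check a boot-sector scanner performs. Reading "MBR (0x1B8)" as an MD5 over the first 0x1B8 = 440 bytes of sector 0 (the bootstrap code that precedes the disk signature and partition table) is my interpretation of the log format, and the two sample MBRs are constructed for the example.

```python
"""Parse a 512-byte MBR and check whether its bootstrap code was rewritten.

Added example, not code from the thread or from TDSSKiller. The log line
"MBR (0x1B8) (<md5>) \\Device\\Harddisk0\\DR0" is read here as an MD5 over
the first 0x1B8 = 440 bytes of sector 0 (assumption about the tool's format).
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 0x1B8          # 440 bytes of bootstrap (loader) code
DISK_SIG_OFF = 0x1B8           # 4-byte NT disk signature
PART_TABLE_OFF = 0x1BE         # 4 entries x 16 bytes
BOOT_SIG_OFF = 0x1FE           # 0x55 0xAA
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(bootstrap: bytes, disk_sig: int, partitions: list) -> bytes:
    """Assemble a sample MBR (constructed test data, not a real disk image)."""
    if len(bootstrap) > BOOTSTRAP_LEN:
        raise ValueError("bootstrap code must fit in 0x1B8 bytes")
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(bootstrap)] = bootstrap
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff",
                         lba_start, sectors)
    mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(mbr)


def read_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk (Windows device path shown; needs admin rights)."""
    with open(path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def bootstrap_md5(mbr: bytes) -> str:
    """MD5 of the first 0x1B8 bytes, the span the log line appears to report."""
    return hashlib.md5(mbr[:BOOTSTRAP_LEN]).hexdigest()


def parse_partition_table(mbr: bytes) -> list:
    """Return the four partition entries as dicts (unused entries have type 0)."""
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        entries.append({"bootable": bool(status & 0x80), "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def has_boot_signature(mbr: bytes) -> bool:
    return mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa"


def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Compare the current MBR against a known-good image of the same disk.

    An MBR bootkit has to keep the partition table and the 0x55AA signature
    intact so the machine still boots, so its usual fingerprint is: same
    partition table, same disk signature, different bootstrap hash.
    """
    sig = slice(DISK_SIG_OFF, DISK_SIG_OFF + 4)
    return {
        "boot_signature_ok": has_boot_signature(current),
        "bootstrap_modified": bootstrap_md5(baseline) != bootstrap_md5(current),
        "partition_table_modified": parse_partition_table(baseline) != parse_partition_table(current),
        "disk_signature_modified": baseline[sig] != current[sig],
    }


# Constructed samples: a "clean" MBR and a copy whose bootstrap code was
# replaced while the partition table was left alone (the shape of a bootkit).
CLEAN_BOOTSTRAP = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100   # stand-in for the loader stub
PARTITIONS = [(0x80, 0x07, 63, 156296322)]                          # one bootable NTFS partition
CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, 0xA1B2C3D4, PARTITIONS)
HOOKED_BOOTSTRAP = b"\xea\x00\x7c\x00\x00" + b"\xcc" * 200          # stand-in for bootkit loader code
INFECTED_MBR = build_mbr(HOOKED_BOOTSTRAP, 0xA1B2C3D4, PARTITIONS)

if __name__ == "__main__":
    print("baseline MBR (0x1B8):", bootstrap_md5(CLEAN_MBR))
    print("current  MBR (0x1B8):", bootstrap_md5(INFECTED_MBR))
    for key, flagged in compare_mbr(CLEAN_MBR, INFECTED_MBR).items():
        print(f"{key:26} {flagged}")
```

To run this against a real disk on Windows, read the first 512 bytes of \\.\PhysicalDrive0 from an elevated prompt and compare them with an MBR image captured while the machine was known to be clean. The bootstrap code differs between Windows versions and OEM images, so a baseline taken from a different machine produces false positives; a hash that differs from your own baseline, with an unchanged partition table, is the pattern worth investigating.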

#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 06 October 2011 - 08:55 AM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Firefox::
FF - ProfilePath - c:\documents and settings\Wonkyo Jung\Application Data\Mozilla\Firefox\Profiles\lsfwt95y.default\
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=406&q=


Save it to your desktop as CFScript.txt

Referring to the picture below, drag CFScript.txt onto ComboFix.exe.
[image: CFScript.txt being dragged onto ComboFix.exe]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following:

  • Report from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


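The CFScript above tells ComboFix to clear a hijacked keyword.URL entry from the Firefox profile's prefs.js, redirecting address-bar searches to searchqu.com instead of the default engine. As an added example (not code from the thread, from ComboFix or from Mozilla), the script below does the equivalent check by hand: it parses user_pref lines, flags URL-valued search and homepage preferences whose host is not on an allowlist, and strips the flagged entries so Firefox recreates its defaults. The preference names, the allowlist and the sample prefs.js are assumptions constructed for the example; only the searchqu.com entry is taken from the thread.

```python
"""Scan a Firefox prefs.js for hijacked search/homepage preferences.

Added example, not code from the thread, ComboFix or Mozilla. The preference
names, the allowlist and the sample prefs.js below are assumptions
constructed for the example; only the searchqu.com value comes from the thread.
"""
import json
import re
from urllib.parse import urlparse

# Preferences a browser hijacker of the 2011 era commonly rewrote
# (keyword.URL was the address-bar search URL in Firefox of that time).
URL_PREFS = (
    "keyword.URL",
    "browser.startup.homepage",
    "browser.search.defaulturl",
    "browser.newtab.url",
)

# Hosts this example treats as legitimate for those prefs (assumption).
ALLOWED_HOSTS = {"google.com", "www.google.com", "www.mozilla.org", "www.mozilla.com"}

# user_pref("name", value);  -- name may contain escaped quotes, value is a JS literal
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.*?)\);\s*$')


def parse_prefs(text: str) -> dict:
    """Parse user_pref lines into a dict. String, number and boolean literals
    in prefs.js are close enough to JSON to decode with json.loads."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        try:
            prefs[name] = json.loads(raw)
        except ValueError:
            prefs[name] = raw          # keep anything unparsable verbatim
    return prefs


def host_of(value: str) -> str:
    """Host part of a URL; also accepts the defanged hxxp:// form used in forum logs."""
    return urlparse(value).netloc.lower()


def find_hijacked_prefs(text: str) -> dict:
    """Return {pref: {"value", "host"}} for URL prefs pointing at non-allowlisted hosts."""
    hijacked = {}
    for name, value in parse_prefs(text).items():
        if name not in URL_PREFS or not isinstance(value, str):
            continue
        host = host_of(value)
        if host and host not in ALLOWED_HOSTS:
            hijacked[name] = {"value": value, "host": host}
    return hijacked


def strip_prefs(text: str, names) -> str:
    """Return prefs.js content with the named prefs removed; Firefox then
    falls back to its built-in defaults for them."""
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) in names:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


# Constructed sample prefs.js containing the hijacked entry quoted in the thread.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://google.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:7.0.1");
user_pref("keyword.URL", "hxxp://www.searchqu.com/web?src=ffb&systemid=406&q=");
user_pref("keyword.enabled", true);
user_pref("network.cookie.prefsMigrated", true);
"""

if __name__ == "__main__":
    found = find_hijacked_prefs(SAMPLE_PREFS_JS)
    for name, info in found.items():
        print(f"hijacked: {name} -> {info['host']} ({info['value']})")
    print(strip_prefs(SAMPLE_PREFS_JS, set(found)))
```

Firefox rewrites prefs.js on exit, so edit the file only while the browser is closed, and adjust ALLOWED_HOSTS to whatever the user actually chose as homepage and search engine before trusting the verdict. Clearing the preference alone does not remove whatever wrote it; in this thread that side is handled by the ComboFix run.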
#11 st.michael2011 (Topic Starter)

Posted 06 October 2011 - 09:24 PM

Here's the report. The computer seems to be working much more smoothly. It still takes a lot of time to boot up, but once it has booted it's running pretty fast. Thank you.

ComboFix 11-10-06.04 - Wonkyo Jung 10/07/2011 21:34:47.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.431 [GMT -4:00]
Running from: c:\documents and settings\Wonkyo Jung\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Wonkyo Jung\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2011-09-08 to 2011-10-08 )))))))))))))))))))))))))))))))
.
.
2011-10-08 01:17 . 2011-10-08 01:17 -------- d-----w- c:\windows\LastGood
2011-10-07 04:46 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-10-06 03:02 . 2011-10-06 03:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-29 20:59 . 2011-09-29 20:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Sun
2011-09-29 03:47 . 2011-09-29 03:47 -------- d-----w- c:\documents and settings\Wonkyo Jung\Application Data\SUPERAntiSpyware.com
2011-09-29 03:39 . 2011-09-29 03:39 -------- d-----w- c:\documents and settings\Wonkyo Jung\Local Settings\Application Data\Sun
2011-09-29 03:35 . 2011-09-29 03:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Sun
2011-09-29 02:37 . 2011-09-29 02:37 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 02:34 . 2011-09-28 02:34 -------- d-----w- c:\program files\ESET
2011-09-28 01:40 . 2011-09-28 01:40 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-09-28 01:40 . 2011-09-28 01:40 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-09-27 04:21 . 2011-09-27 04:21 -------- d-----w- C:\found.000
2011-09-19 03:06 . 2011-09-19 03:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-29 02:37 . 2010-11-05 04:34 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-03 10:17 . 2006-09-01 21:55 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00 . 2009-05-17 19:48 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-15 13:29 . 2006-09-01 21:55 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-10-06 04:30 . 2011-05-09 01:49 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@="{E4000AC4-5E5F-4956-807A-C5854405D64F}"
[HKEY_CLASSES_ROOT\CLSID\{E4000AC4-5E5F-4956-807A-C5854405D64F}]
2008-09-28 01:11 73728 ------w- c:\windows\system32\VirtualExpander\VEShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"NATEON"="c:\program files\NATEON\BIN\NATEON.exe" [2011-09-05 964504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-04-05 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-04-05 118784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-08-10 217088]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-04-05 94208]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 53248]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\Wonkyo Jung\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
VirtualExpander.lnk - c:\windows\system32\VirtualExpander\VirtualExpander.exe [2008-9-27 474808]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
LCDPlayer.lnk - c:\program files\SPACE INTERNATIONAL\CDSpace 5\LCDPlyer.exe [N/A]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
Trend Micro Anti-Spyware.lnk - c:\program files\Trend Micro\Tmas\Tmas.exe [N/A]
VPN Client.lnk - c:\windows\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2006-10-25 6144]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 23:11 73728 ----a-w- c:\windows\system32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\pdrtvsvr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\WeDiskDownLoad.exe"=
"c:\\WINDOWS\\system32\\skcbgm.exe"=
"c:\\WINDOWS\\system32\\fscagent.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Wonkyo Jung\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\NATEON\\BIN\\NateOnMain.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/17/2009 4:02 PM 108289]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/17/2009 3:48 PM 366152]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/17/2009 3:48 PM 22216]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [9/1/2006 5:56 PM 226304]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/16/2010 9:22 AM 136176]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S3 cdspacex;cdspacex;c:\windows\system32\DRIVERS\CDSPACEX.sys --> c:\windows\system32\DRIVERS\CDSPACEX.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/16/2010 9:22 AM 136176]
S3 JRSKD24;JRSKD24;c:\windows\system32\JRSKD24.sys [10/28/2007 9:31 PM 9216]
S3 JRSUKD24;JRSUKD24;c:\windows\system32\JRSUKD24.sys [10/28/2007 9:31 PM 6784]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 NPFWFLT;NPFWFLT;c:\windows\system32\npfwflt.sys [1/29/2009 1:09 AM 31488]
S3 scsk5;SCSK5 Driver Service;c:\windows\system32\drivers\scsk5.sys --> c:\windows\system32\drivers\scsk5.sys [?]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 TwoRabts;Two Rabbits Live Bus;c:\windows\system32\DRIVERS\TwoRabts.sys --> c:\windows\system32\DRIVERS\TwoRabts.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/27/2006 11:20 PM 664064]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-16 20:20]
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-16 20:20]
.
2011-10-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2105575518-719462570-4119484782-1005Core.job
- c:\documents and settings\Wonkyo Jung\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-08 05:52]
.
2011-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2105575518-719462570-4119484782-1005UA.job
- c:\documents and settings\Wonkyo Jung\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-08 05:52]
.
2011-10-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
mStart Page = hxxp://sharebox.co.kr/?ptn=startpage&inty=main
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 Plus - c:\program files\Sony\Image Converter 2\menu.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: GPplayerActiveXCAB - hxxp://music.godpeople.com/gpplayer/GPplayerActiveXCAB.CAB
DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} - hxxp://cyimg8.cyworld.com/ImageUpload/CyImageUpload_10217.cab
DPF: {1A35058C-ED39-483D-BB57-305DB9ABAAF4} - hxxp://www.shoprich.co.kr/update/EHostAgentX.cab
DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} - hxxp://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
DPF: {2029F1D2-90E4-49EF-9824-F666D238BFF6} - hxxp://jr.naver.com/comic/book/viewer_new/NHNComicViewer.cab
DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} - hxxps://mpi.dacom.net/XMPI/js/xmpi2007.cab
DPF: {31547BE4-40A1-4F53-8DC6-40553BBEAA44} - hxxp://www.clubhard.co.kr/append/application/ClubHardCtrl.CAB
DPF: {386EDCD0-72B4-42F4-9942-049B8A92FC48} - hxxp://down.fileguri.com/FgAddOn.cab
DPF: {5888E710-0C1D-4CC8-BCBF-3971B959BB5C} - hxxp://www.iple.com/cache/ActiveX/axau.cab
DPF: {5B28FBF2-8EA7-4EEE-BA15-BFD1608C783B} - hxxp://goodfile.net/downloder/GoodFileDownLoadProj.cab
DPF: {7513B187-5954-4C64-ABF4-E652FE899F24} - hxxp://www.wedisk.co.kr/app/WeDisk.cab
DPF: {7A9935D3-9B3C-4382-B62A-45CF92B18D74} - hxxp://cyimg8.cyworld.com/storyRoom/CyImgResize.cab
DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxp://download.kbstar.com/security/XecureWeb/xw_install_v7225.cab
DPF: {81DC74C9-7B3E-4708-849A-1745754666BA} - hxxp://music.freechal.com/player/MUPY.cab
DPF: {8218BB3D-2D62-4719-B6EC-FEBE7A079CBD} - hxxp://imgcdn.pandora.tv/pan_img/app/FirstLoad1.0.0.3.cab
DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} - hxxp://cyimg7.cyworld.com/ImageUpload/CyPictureU1233.cab?20081124
DPF: {9103166D-A34B-45A2-91F5-73D508C7A650} - hxxp://imusicsoft.co.kr/develop/nateviewer/NateComicViewer.cab
DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} - hxxp://cafeimg.hanmail.net/activex/dmcc2.cab?Version=1,0,0,10
DPF: {9CDD57AC-CA86-464C-B920-3228A388CC78} - hxxp://file.naver.com/activex/NaverFile.cab
DPF: {9DEFEDFC-8193-4BE6-AA60-B6375AB7C8BE} - hxxp://patch.mnet.com/NaverMusic/ActiveX/naverx.cab
DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} - hxxp://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
DPF: {B0846BBB-A5C3-45BF-A9B9-A6837A8C6A9B} - hxxp://pds.hanafos.com/Include/component/PDSControl.cab
DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} - hxxp://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,3
DPF: {BE81B237-0EE9-40F6-BABB-0CE2C1DA7832} - hxxp://activexdown.paran.com/paranactivex/data/ImPlayer.cab
DPF: {BF6F8114-5DC3-4515-9BC6-16342AE7FDCE} - hxxp://www.chamdisk.com/fs_prg/XFShowClient.cab
DPF: {CCD4D366-51C3-4D2E-BA25-262C45F104F5} - hxxp://imusicsoft.co.kr/develop/nateviewer/NateComicViewer.cab
DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} - hxxp://plugin.inicis.com/wallet60/INIwallet60.cab
DPF: {D9EF4DC2-D250-486F-88A0-516DC35AB59E} - hxxp://app.jjangfile.net/JJangFile.CAB
DPF: {DA54C9C1-8109-43C9-9C80-E4210CEDF147} - hxxp://wedisk.co.kr/app/EzwonSessionCtl.cab
DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} - hxxp://pay.kcp.co.kr/plugin/file/payplus.cab
DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxps://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
DPF: {E9E5E440-45DE-4D5B-8F8E-54212D160106} - hxxp://afocx.afreeca.com:9091/AFC/OpenTV.cab
DPF: {F4A1D5E2-AF49-47A7-A945-23038106F3A4} - hxxp://imgcdn.pandora.tv/pan_img/launcher/codebase/Pandora_SetUpAX.cab
DPF: {F68CACCC-C9A4-4A51-8EE9-694FF8A29248} - hxxp://qbic.hanafos.com/component/HDUpload.cab
DPF: {F7530E43-3359-42D0-B8DC-843A45028584} - hxxp://manager.ongamenet.com/common/control/hitelontop.cab
FF - ProfilePath - c:\documents and settings\Wonkyo Jung\Application Data\Mozilla\Firefox\Profiles\lsfwt95y.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - about:home
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-07 21:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1248)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\VESWinlogon.dll
.
- - - - - - - > 'explorer.exe'(2484)
c:\windows\system32\WININET.dll
c:\windows\system32\VirtualExpander\VEShellExt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-10-07 22:05:02
ComboFix-quarantined-files.txt 2011-10-08 02:04
ComboFix2.txt 2011-10-06 21:51
ComboFix3.txt 2010-11-05 22:30
.
Pre-Run: 20,516,528,128 bytes free
Post-Run: 20,583,092,224 bytes free
.
Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - F77BD178453FB3520DD14AB5F11DE919
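
The ComboFix report above lists the records a responder normally triages by hand: Run-key values and startup shortcuts with the file's date and size in brackets, firewall exceptions (printed with doubled backslashes), and services with a state letter and start-type digit (ComboFix's convention, as I read it: R running, S stopped, digit 0-4 for the start type). Where ComboFix could not find a referenced file it prints [N/A] or [?] instead, as it does above for LCDPlyer.exe, Tmas.exe, cdspacex, scsk5 and TwoRabts. The Python below is an added example, not ComboFix's code and not anything posted in this thread: it parses those line formats from a constructed sample in the same layout and flags three things: entries whose file ComboFix could not find, Run values that are a bare filename (like SkyTel.EXE above) and so resolve through the search path, and firewall exceptions for executables sitting directly in system32 (several appear in the list above). The last two checks are my own heuristics, not ComboFix output; a flagged item is something to verify, not a verdict.

```python
"""Triage helper for the autostart, service and firewall sections of a
ComboFix log.

Added example, not ComboFix's or the forum's code.  SAMPLE_LOG below is
constructed from the line formats ComboFix prints; the bracketed "[N/A]" and
"[?]" markers are the ones ComboFix writes when it cannot find or stat the
referenced file.  The two extra review heuristics are mine, not ComboFix's.
"""
import re
from dataclasses import dataclass

# Constructed sample in ComboFix's log format, one block per entry type.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
.
LCDPlayer.lnk - c:\program files\SPACE INTERNATIONAL\CDSpace 5\LCDPlyer.exe [N/A]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\WeDiskDownLoad.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/17/2009 3:48 PM 366152]
S3 cdspacex;cdspacex;c:\windows\system32\DRIVERS\CDSPACEX.sys --> c:\windows\system32\DRIVERS\CDSPACEX.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/27/2006 11:20 PM 664064]
'''

# Line formats.  Run-key values: "name"="path" [date size].  Startup-folder
# shortcuts: X.lnk - path [date size].  Firewall exceptions: "path"= with
# doubled backslashes.  Services: <R|S><start type> name;display;path [info].
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<meta>[^\]]*)\]$')
LNK_RE = re.compile(r'^(?P<name>.+?\.lnk) - (?P<path>.+?) \[(?P<meta>[^\]]*)\]$')
FW_RE = re.compile(r'^"(?P<path>[^"]+)"=$')
SVC_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?) \[(?P<meta>[^\]]*)\]$')

MISSING_MARKERS = {"N/A", "?"}   # ComboFix: file not found / not stat-able
# Heuristic (mine): an .exe sitting directly in system32 with a firewall
# exception deserves a look; the default XP exceptions use %windir% variables.
SYSTEM32_EXE_RE = re.compile(r'^c:\\windows\\system32\\[^\\]+\.exe$', re.IGNORECASE)


@dataclass
class Entry:
    kind: str   # "run", "startup", "firewall" or "service"
    name: str   # registry value / shortcut / service name ("" for firewall)
    path: str   # file path as ComboFix printed it (backslashes normalised)
    meta: str   # ComboFix's bracketed file info ("" for firewall lines)


def parse_log(text):
    """Extract autostart, startup-folder, firewall and service entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SVC_RE.match(line):
            # "a --> b" is ComboFix showing the resolved image path; keep the first.
            path = m["path"].split(" --> ")[0]
            if path.startswith("\\??\\"):     # NT object-manager prefix
                path = path[4:]
            entries.append(Entry("service", f"{m['state']}{m['start']} {m['name']}",
                                 path, m["meta"]))
        elif m := RUN_RE.match(line):
            entries.append(Entry("run", m["name"], m["path"], m["meta"]))
        elif m := LNK_RE.match(line):
            entries.append(Entry("startup", m["name"], m["path"], m["meta"]))
        elif m := FW_RE.match(line):
            entries.append(Entry("firewall", "", m["path"].replace("\\\\", "\\"), ""))
    return entries


def triage(text):
    """Return (entry, reason) pairs that a responder should look at."""
    findings = []
    for e in parse_log(text):
        if e.meta in MISSING_MARKERS:
            findings.append((e, "ComboFix could not find the file: orphaned entry"))
        elif e.kind == "run" and "\\" not in e.path:
            findings.append((e, "bare filename, resolved through the search path"))
        elif e.kind == "firewall" and SYSTEM32_EXE_RE.match(e.path):
            findings.append((e, "firewall exception for an .exe directly in system32"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{entry.kind:8} {entry.name or entry.path}: {reason}")
```

Run against the sample it reports four items: the bare SkyTel.EXE Run value, the LCDPlayer.lnk shortcut whose target ComboFix marked [N/A], the WeDiskDownLoad.exe firewall exception, and the cdspacex driver marked [?]. To use it on a real report, read the ComboFix .txt into a string and pass it to triage(); the DPF (ActiveX) and Winlogon Notify sections use different line shapes and are not parsed here.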

#12 gringo_pr

Malware Response Team

Posted 06 October 2011 - 09:36 PM

Hello


Please run this tool and see if it helps any.

TFC (Temp File Cleaner):

  • Please download TFC to your desktop.
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (On Vista and Windows 7, right-click and run as administrator.)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running HijackThis:

Sometimes we have to run it as an administrator. Right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) and select Run as administrator.

"information and logs"

  • In your next post I need the following:

  • Log from MBAM
  • Report from HijackThis
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#13 st.michael2011

Posted 06 October 2011 - 09:55 PM

I'm not sure how to run that first tool... I am about to run MBAM.

#14 gringo_pr

Malware Response Team

Posted 06 October 2011 - 09:59 PM

Just click on the link and open it. If that does not work, then right-click on the link, choose Save Target As, and save it to your desktop.

Right-click on the file and select Run.


Gringo

#15 st.michael2011

Posted 06 October 2011 - 10:05 PM

There's no option to run... it's a text document?



