Suspect rootkit infection


This topic is locked
65 replies to this topic

#1 adaniel
  • Members
  • 206 posts

Posted 30 September 2011 - 12:59 AM

I have been tasked with cleaning a machine whose antivirus expired. I was called in after someone else attempted to "clean" the infection. Both Avast and AVG Internet Security 2012 were installed during that process, but I do not think simultaneously. When I got there Avast was gone, AVG was installed. I tried to uninstall AVG to install ESET and was left with a partial install. I have tried their Special Uninstaller, but elements of AVG remain. It shows up in the tray, but no elements are running.

The machine is a Dell desktop, Celeron 1.70GHz, 1.25 GB RAM, running XP Home ver 2002 SP2.

The complaint was that the machine was very slow and would lock up after just a few minutes following a hard reboot.

The first thing I did was update IE from 6 to 8 and update Firefox from 3.xx to 7. I tried to update XP to SP3, but it fails. The machine now stays running and does not seem to be all that slow, but it has symptoms of infection.

When I tried to run MalwareBytes, it would start, then abort. Subsequent attempts to run resulted in the following message:

"windows cannot access the specified device, path or file. You may not have appropriate permission to access the item."

I am logged in using the administrator account.

I tried SuperAntiSpyware with the same results.

I even tried renaming the executables to 'my initials'.exe, but they still failed to run.

I then booted in safe mode and was able to run both, along with dds. Those logs are included/attached.

When I tried to run gmer, it started, then aborted. Subsequently, the system hangs trying to boot in safe mode, but will boot normally.

When I try to run chkdsk on reboot, I get:
"Cannot open volume for direct access."
Chkdsk finishes without doing anything and system boots up.

Thanks very much for your assistance.

adaniel

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Staff at 0:52:41 on 2011-09-30
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.826 [GMT -4:00]
.
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\58706254:2973139196.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DynDNS Updater\DynTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://home.bellsouth.net/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HPWNTOOLBOX] c:\program files\hewlett-packard\hp business inkjet 1200 series\toolbox\HPWNTBX.exe "-i"
mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRunOnce: [AvgRemover] c:\download\avg_remover_stf_x86_2012_1796.exe /run_number=2 /avgdir="c:\program files\avg\avg2012\" /avgdatadir="c:\documents and settings\all users\application data\avg2012\" /ndis_nextstep=1
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dyndns~1.lnk - c:\program files\dyndns updater\DynTray.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://office.webmd.com/HOME/ScriptX/smsx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} - hxxp://games.king.com/ctl/kingcomie.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://games.bellsouth.net/Gh/Tumblebugs/axhost.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://games.bellsouth.net/Gh/DeliciousWeb/zylomplayer.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://games.bellsouth.net/Gh/FeedingFrenzy/SproutLauncher.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{314CEAFF-C6A2-4275-BBC9-95489124D329} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{314CEAFF-C6A2-4275-BBC9-95489124D329} : DhcpNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\staff\application data\mozilla\firefox\profiles\30w84xpm.default\
FF - prefs.js: browser.search.selectedEngine - Google
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-6-18 565248]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-3-3 47640]
S2 5632;5632; [x]
S2 DynDNS Updater;DynDNS Updater;c:\program files\dyndns updater\DynUpSvc.exe [2010-1-20 99704]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-21 136176]
S3 cpuz132;cpuz132;\??\c:\docume~1\staff\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\staff\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-21 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-09-30 04:45:17 -------- d-----w- c:\documents and settings\staff\application data\SUPERAntiSpyware.com
2011-09-30 04:32:47 -------- d-----w- c:\documents and settings\staff\application data\AVG2012
2011-09-29 18:28:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-29 15:45:10 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-09-28 16:06:25 62 ----a-w- C:\vnc.bat
2011-09-28 14:04:45 -------- dc-h--w- c:\windows\ie8
2011-09-28 13:58:21 -------- d-----w- C:\1e91cf2dce91e27bafdb48096cb5d7
2011-09-23 16:04:58 -------- d--h--w- C:\$AVG
2011-09-23 14:57:31 -------- d-----w- c:\windows\system32\drivers\AVG
2011-09-22 17:03:31 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-09-22 17:01:46 -------- d-----w- c:\program files\AVG
2011-09-22 15:40:37 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-09-22 15:40:10 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-09-21 18:37:09 -------- d-----w- c:\program files\AVAST Software
2011-09-21 18:37:09 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
.
==================== Find3M ====================
.
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 0:54:07.26 ===============

Attached Files


Edited by adaniel, 30 September 2011 - 01:13 AM.


#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,760 posts
  • Gender:Male

Posted 05 October 2011 - 01:00 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/421221 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 adaniel
  • Topic Starter
  • Members
  • 206 posts

Posted 05 October 2011 - 01:34 PM

Here are the requested logs. The GMER log may be incomplete. When I run GMER, it gets to a certain point, then just closes with no opportunity to save the log. I then have to re-copy it to the desktop to re-run, otherwise I get the
"windows cannot access the specified device, path or file. You may not have appropriate permission to access the item." error. I got as much of the log as I could by clicking the copy button repeatedly, then pasted the last one.

The machine is a Dell desktop, Celeron 1.70GHz, 1.25 GB RAM, running XP Home ver 2002 SP2.

Thank you in advance for your assistance.
adaniel



.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Staff at 12:24:02 on 2011-10-05
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.863 [GMT -4:00]
.
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\58706254:2973139196.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\DynDNS Updater\DynUpSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DynDNS Updater\DynTray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://home.bellsouth.net/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HPWNTOOLBOX] c:\program files\hewlett-packard\hp business inkjet 1200 series\toolbox\HPWNTBX.exe "-i"
mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dyndns~1.lnk - c:\program files\dyndns updater\DynTray.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://office.webmd.com/HOME/ScriptX/smsx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} - hxxp://games.king.com/ctl/kingcomie.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://games.bellsouth.net/Gh/Tumblebugs/axhost.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://games.bellsouth.net/Gh/DeliciousWeb/zylomplayer.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://games.bellsouth.net/Gh/FeedingFrenzy/SproutLauncher.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{314CEAFF-C6A2-4275-BBC9-95489124D329} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{314CEAFF-C6A2-4275-BBC9-95489124D329} : DhcpNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\staff\application data\mozilla\firefox\profiles\30w84xpm.default\
FF - prefs.js: browser.search.selectedEngine - Google
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-6-18 565248]
R2 DynDNS Updater;DynDNS Updater;c:\program files\dyndns updater\DynUpSvc.exe [2010-1-20 99704]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-3-3 47640]
S2 5632;5632; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-21 136176]
S3 cpuz132;cpuz132;\??\c:\docume~1\staff\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\staff\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-21 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-09-30 05:03:15 -------- d-----w- c:\program files\Special Uninstaller
2011-09-30 04:45:17 -------- d-----w- c:\documents and settings\staff\application data\SUPERAntiSpyware.com
2011-09-30 04:32:47 -------- d-----w- c:\documents and settings\staff\application data\AVG2012
2011-09-29 18:28:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-29 15:45:10 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-09-28 16:06:25 62 ----a-w- C:\vnc.bat
2011-09-28 14:04:45 -------- dc-h--w- c:\windows\ie8
2011-09-28 13:58:21 -------- d-----w- C:\1e91cf2dce91e27bafdb48096cb5d7
2011-09-23 16:04:58 -------- d--h--w- C:\$AVG
2011-09-23 14:57:31 -------- d-----w- c:\windows\system32\drivers\AVG
2011-09-22 17:03:31 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-09-22 17:01:46 -------- d-----w- c:\program files\AVG
2011-09-22 15:40:37 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-09-22 15:40:10 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-09-21 18:37:09 -------- d-----w- c:\program files\AVAST Software
2011-09-21 18:37:09 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
.
==================== Find3M ====================
.
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 12:25:35.82 ===============


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-05 14:15:17
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Staff\LOCALS~1\Temp\kwliqpow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IoFreeIrp + 1CB 804E875D 7 Bytes CALL 893C7C95
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I B1084000 113 Bytes CALL B1084483 \SystemRoot\System32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation)
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I B1084072 15 Bytes [8B, 47, 18, 8B, 70, 0C, 85, ...]
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I B1084082 39 Bytes [00, 8B, 46, 08, 3D, 43, 6F, ...]
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I B10840AA 39 Bytes [00, 8D, 4F, 5C, FF, 15, 80, ...]
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I B10840D2 18 Bytes [00, 8B, 75, 0C, 8B, 46, 04, ...]
.text ...
.text netbt.sys!gckMG__FdkjQ_M_UKSZwgf_bb_apFGKLALGy____ptzqCRVHKGLxLPNZ + 29 B108414B 6 Bytes [4D, F4, 89, 46, 14, FF]
.text netbt.sys!gckMG__FdkjQ_M_UKSZwgf_bb_apFGKLALGy____ptzqCRVHKGLxLPNZ + 30 B1084152 3 Bytes [70, E2, 09]
.text netbt.sys!gckMG__FdkjQ_M_UKSZwgf_bb_apFGKLALGy____ptzqCRVHKGLxLPNZ + 34 B1084156 26 Bytes [83, 7F, 64, 00, 0F, 84, FB, ...]
.text netbt.sys!gckMG__FdkjQ_M_UKSZwgf_bb_apFGKLALGy____ptzqCRVHKGLxLPNZ + 4F B1084171 255 Bytes [6A, 00, FF, 75, 08, 8B, F0, ...]
.text netbt.sys!gckMG__FdkjQ_M_UKSZwgf_bb_apFGKLALGy____ptzqCRVHKGLxLPNZ + 14F B1084271 109 Bytes [CA, 0F, 85, CF, 25, 01, 00, ...]
.text ...
.text netbt.sys!U_Rd__vaHFSQ_QYdcvjTBIBC + 2A B108447E 36 Bytes [00, 90, 90, 90, 90, 90, 8B, ...]
.text netbt.sys!U_Rd__vaHFSQ_QYdcvjTBIBC + 4F B10844A3 134 Bytes [57, 8B, 7E, 10, 8B, 47, 60, ...]
.text netbt.sys!U_Rd__vaHFSQ_QYdcvjTBIBC + D6 B108452A 176 Bytes [C7, 43, F8, 96, 43, 08, B1, ...]
.text netbt.sys!U_Rd__vaHFSQ_QYdcvjTBIBC + 187 B10845DB 465 Bytes [40, 38, 10, 0F, 84, AD, F1, ...]
.text netbt.sys!T_A___GVxdkhlejkpy_JUZN + 26 B10847AD 155 Bytes [45, C4, 83, C0, 0E, 50, E8, ...]
.text netbt.sys!T_A___GVxdkhlejkpy_JUZN + C2 B1084849 366 Bytes [45, D7, 8B, 85, 7C, FF, FF, ...]
.text netbt.sys!T_A___GVxdkhlejkpy_JUZN + 231 B10849B8 278 Bytes [0F, 8C, CF, CE, 00, 00, 8B, ...]
.text netbt.sys!SCRLCILHRhwk_y_espfh_kbcl_MIIRB__aias_ + 17 B1084ACF 4 Bytes [3D, 68, E2, 09]
.text netbt.sys!SCRLCILHRhwk_y_espfh_kbcl_MIIRB__aias_ + 1C B1084AD4 17 Bytes [0F, 85, C6, 0E, 00, 00, 8B, ...] {JNZ 0xecc; MOV EAX, [ESI+0x64]; CMP EAX, EBX; JNZ 0xd565}
.text netbt.sys!SCRLCILHRhwk_y_espfh_kbcl_MIIRB__aias_ + 2E B1084AE6 16 Bytes [86, 84, 00, 00, 00, 3B, C3, ...]
.text netbt.sys!SCRLCILHRhwk_y_espfh_kbcl_MIIRB__aias_ + 3F B1084AF7 17 Bytes [00, 00, 89, 40, 04, 89, 00, ...]
.text netbt.sys!SCRLCILHRhwk_y_espfh_kbcl_MIIRB__aias_ + 51 B1084B09 6 Bytes [09, B1, 89, 16, 89, 30] {OR [ECX+0x30891689], ESI}
.text ...
.text netbt.sys!BY_P__A_sVPQGUKNZz_m_honzd_oSYjdk + FB B1084ED5 416 Bytes [C2, 0A, 66, 89, 48, 0C, 66, ...]
.text netbt.sys!BY_P__A_sVPQGUKNZz_m_honzd_oSYjdk + 29C B1085076 154 Bytes [0F, 84, 75, F2, 00, 00, 8A, ...]
.text netbt.sys!BY_P__A_sVPQGUKNZz_m_honzd_oSYjdk + 337 B1085111 38 Bytes [74, 16, 8B, 81, 98, 00, 00, ...]
.text netbt.sys!BY_P__A_sVPQGUKNZz_m_honzd_oSYjdk + 35F B1085139 10 Bytes [8B, 41, 50, 89, 42, 14, 8B, ...]
.text netbt.sys!BY_P__A_sVPQGUKNZz_m_honzd_oSYjdk + 36A B1085144 25 Bytes [1C, 89, 01, 33, DB, E9, 48, ...]
.text ...
.text netbt.sys!EPC_PO_qkjr_d_gq___w_PY + 50 B1086DE2 73 Bytes [8B, 75, 08, 89, 46, 34, BE, ...]
.text netbt.sys!EPC_PO_qkjr_d_gq___w_PY + 9A B1086E2C 671 Bytes [89, 48, 08, 89, 48, 0C, 89, ...]
.text netbt.sys!n_nsgr_h_ybGPA + 2 B10870CC 67 Bytes [C7, 5F, 5E, 5D, C2, 14, 00, ...]
.text netbt.sys!n_nsgr_h_ybGPA + 46 B1087110 192 Bytes [FF, 70, 04, FF, 70, 10, 8D, ...]
.text netbt.sys!n_nsgr_h_ybGPA + 107 B10871D1 427 Bytes [B1, FF, D3, 8D, 4E, 7C, 88, ...]
.text netbt.sys!n_nsgr_h_ybGPA + 2B3 B108737D 140 Bytes [8B, 4E, 18, 88, 45, 0F, 8B, ...]
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I + 12 B108740A 511 Bytes [04, C6, 45, FB, 01, C6, 45, ...]
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I + 212 B108760A 360 Bytes [00, 83, C7, FC, 66, 8B, C7, ...]
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I + 37B B1087773 72 Bytes CALL C7082881
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I + 3C4 B10877BC 62 Bytes [8B, 45, 08, 8B, 75, 18, 89, ...]
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I + 404 B10877FC 6 Bytes [8B, C1, 85, C0, 8B, 45]
.text ...
.text C:\WINDOWS\System32\DRIVERS\netbt.sys section is writeable [0xB1084000, 0x38D0, 0xE8000020]
? C:\WINDOWS\System32\DRIVERS\netbt.sys suspicious PE modification
? C:\DOCUME~1\Staff\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[972] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C2000A
.text C:\WINDOWS\System32\svchost.exe[972] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C3000A
.text C:\WINDOWS\System32\svchost.exe[972] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C1000C
.text C:\WINDOWS\System32\svchost.exe[972] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 0283000A
.text C:\WINDOWS\System32\svchost.exe[972] USER32.dll!WindowFromPoint 7E41BD8E 5 Bytes JMP 0284000A
.text C:\WINDOWS\System32\svchost.exe[972] USER32.dll!GetForegroundWindow 7E41BE4B 5 Bytes JMP 028D000A
.text C:\WINDOWS\System32\svchost.exe[972] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 0282000A

Attached Files
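The DDS and GMER output above carries several indicators that a triage script can pick out automatically rather than by eye: a running process whose path has a second colon after the drive letter (NTFS alternate data stream syntax, here a stream attached to the C:\WINDOWS directory), a driver whose code section GMER reports as writeable, a "suspicious PE modification" line, an inline CALL patched into ntoskrnl.exe, and a driver whose symbol names look randomized. The following is an added example written for this thread, not code from the thread, from DDS, or from GMER; the sample lines are constructed to match the shape of the logs posted above, the regular expressions and the symbol-name heuristic are my own assumptions about the log format, and the heuristic can produce false positives on unusual but legitimate drivers.

```python
import re

# Constructed sample input, modelled on the DDS "Running Processes" list and the
# GMER "Kernel code sections" output in this thread. Not real tool output.
SAMPLE_DDS_PROCESSES = [
    r"C:\WINDOWS\system32\svchost -k DcomLaunch",
    r"C:\WINDOWS\58706254:2973139196.exe",
    r"C:\WINDOWS\system32\spoolsv.exe",
    r"C:\Program Files\TightVNC\WinVNC.exe",
]

SAMPLE_GMER_LINES = [
    ".text ntoskrnl.exe!IoFreeIrp + 1CB 804E875D 7 Bytes CALL 893C7C95",
    ".text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I + 29 B108414B 6 Bytes [4D, F4, 89, 46, 14, FF]",
    r".text C:\WINDOWS\System32\DRIVERS\netbt.sys section is writeable [0xB1084000, 0x38D0, 0xE8000020]",
    r"? C:\WINDOWS\System32\DRIVERS\netbt.sys suspicious PE modification",
]

# A second colon after the drive letter is NTFS alternate data stream syntax
# (<file-or-directory>:<stream>), which no ordinary installer uses for an executable.
ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\]+$")
# An inline CALL/JMP to an absolute address inside the kernel image itself.
KERNEL_INLINE_PATCH = re.compile(r"ntoskrnl\.exe!\S+.*\b(CALL|JMP)\s+[0-9A-F]{8}$")
# "<driver>.sys!<symbol>" at the start of a GMER .text line.
DRIVER_SYMBOL = re.compile(r"^\.text (\S+?\.sys)!(\S+)")


def _executable_path(line):
    """Cut the command-line arguments off a DDS process line (assumed format)."""
    idx = line.lower().find(".exe")
    return line[: idx + 4] if idx != -1 else line.split()[0]


def _looks_randomized(symbol):
    """Heuristic (my assumption): long mixed-case names with several underscores."""
    return (len(symbol) >= 20 and symbol.count("_") >= 2
            and any(c.isupper() for c in symbol) and any(c.islower() for c in symbol))


def triage_dds_processes(lines):
    """Flag running-process paths that use alternate data stream syntax."""
    findings = []
    for line in lines:
        if ADS_PATH.match(_executable_path(line)):
            findings.append({"severity": "high", "reason": "alternate data stream path", "line": line})
    return findings


def triage_gmer_lines(lines):
    """Flag kernel-section lines that indicate a patched kernel or modified driver."""
    findings = []
    for line in lines:
        sym = DRIVER_SYMBOL.match(line)
        if "section is writeable" in line and ".sys" in line:
            findings.append({"severity": "high", "reason": "driver code section is writeable", "line": line})
        elif "suspicious PE modification" in line:
            findings.append({"severity": "high", "reason": "suspicious PE modification", "line": line})
        elif KERNEL_INLINE_PATCH.search(line):
            findings.append({"severity": "high", "reason": "inline patch in ntoskrnl.exe", "line": line})
        elif sym and _looks_randomized(sym.group(2)):
            findings.append({"severity": "medium", "reason": "randomized symbol name in driver", "line": line})
    return findings


def triage(dds_lines, gmer_lines):
    """Combine both log sources into one finding list, highest severity first."""
    findings = triage_dds_processes(dds_lines) + triage_gmer_lines(gmer_lines)
    return sorted(findings, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_PROCESSES, SAMPLE_GMER_LINES):
        print(f"[{f['severity']}] {f['reason']}: {f['line']}")
```

On the constructed sample the script reports the ADS-named process once and all four GMER indicators (patched ntoskrnl.exe, randomized netbt.sys symbol, writeable netbt.sys section, suspicious PE modification), which is the same picture TDSSKiller later summarises in this thread as a hidden service and a forged NetBT file. The symbol-name rule is deliberately a medium-severity heuristic: it is corroborating evidence next to the writeable-section and PE-modification lines, not a verdict on its own.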



#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 October 2011 - 04:50 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please run TDSSKiller

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

m0le is a proud member of UNITE

#5 adaniel
  • Topic Starter
  • Members
  • 206 posts

Posted 05 October 2011 - 06:30 PM

Good evening, mole. Thank you for your help.

When I ran TDSSKiller, it found two medium threats. The default action on both was skip. I have options for delete or move to quarantine. I don't see cure anywhere.

The two files are:

Hidden File
Service: 4ec97f03
suspicious object, medium risk

and

Forged file
Service: NetBT
suspicious object, medium risk

Which option should I choose? Just want to be sure.

Thanks again for your help.

Adaniel

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:15 PM

Posted 05 October 2011 - 06:33 PM

Can you post the entire log please?

#7 adaniel

adaniel
  • Topic Starter

  • Members
  • 206 posts
  • OFFLINE
  • Local time:01:15 PM

Posted 05 October 2011 - 06:35 PM

I haven't gotten a log yet as far as I know. I didn't know which option to select.

Thanks,
adaniel

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:15 PM

Posted 05 October 2011 - 06:45 PM

Skip them both at this stage. I'm not sure that either of them are malicious. :thumbup2:

#9 adaniel

adaniel
  • Topic Starter

  • Members
  • 206 posts
  • OFFLINE
  • Local time:01:15 PM

Posted 05 October 2011 - 08:46 PM

Here is the report from TDSSKiller.

Thank you for your help.

adaniel

21:32:27.0421 1408 TDSS rootkit removing tool 2.6.5.0 Oct 5 2011 20:52:46
21:32:27.0765 1408 ============================================================
21:32:27.0765 1408 Current date / time: 2011/10/05 21:32:27.0765
21:32:27.0765 1408 SystemInfo:
21:32:27.0765 1408
21:32:27.0765 1408 OS Version: 5.1.2600 ServicePack: 2.0
21:32:27.0765 1408 Product type: Workstation
21:32:27.0781 1408 ComputerName: DRSLOFLINBYRNES
21:32:27.0781 1408 UserName: Staff
21:32:27.0781 1408 Windows directory: C:\WINDOWS
21:32:27.0781 1408 System windows directory: C:\WINDOWS
21:32:27.0781 1408 Processor architecture: Intel x86
21:32:27.0781 1408 Number of processors: 1
21:32:27.0781 1408 Page size: 0x1000
21:32:27.0781 1408 Boot type: Normal boot
21:32:27.0781 1408 ============================================================
21:32:29.0656 1408 Initialize success
21:32:32.0218 1444 ============================================================
21:32:32.0218 1444 Scan started
21:32:32.0218 1444 Mode: Manual;
21:32:32.0218 1444 ============================================================
21:32:33.0718 1444 4ec97f03 (8ab3ad9b5e7f0b487d7a28cd26081c8f) C:\WINDOWS\58706254:2973139196.exe
21:32:33.0718 1444 Suspicious file (Hidden): C:\WINDOWS\58706254:2973139196.exe. md5: 8ab3ad9b5e7f0b487d7a28cd26081c8f
21:32:33.0718 1444 4ec97f03 ( HiddenFile.Multi.Generic ) - warning
21:32:33.0718 1444 4ec97f03 - detected HiddenFile.Multi.Generic (1)
21:32:33.0984 1444 5632 - ok
21:32:34.0218 1444 Abiosdsk - ok
21:32:34.0468 1444 abp480n5 - ok
21:32:35.0093 1444 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:32:35.0109 1444 ACPI - ok
21:32:35.0437 1444 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
21:32:35.0437 1444 ACPIEC - ok
21:32:35.0671 1444 adpu160m - ok
21:32:36.0015 1444 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
21:32:36.0015 1444 AFD - ok
21:32:36.0281 1444 Aha154x - ok
21:32:36.0515 1444 aic78u2 - ok
21:32:36.0781 1444 aic78xx - ok
21:32:37.0046 1444 AliIde - ok
21:32:37.0281 1444 amsint - ok
21:32:37.0531 1444 asc - ok
21:32:37.0765 1444 asc3350p - ok
21:32:38.0031 1444 asc3550 - ok
21:32:38.0328 1444 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:32:38.0328 1444 AsyncMac - ok
21:32:38.0656 1444 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
21:32:38.0656 1444 atapi - ok
21:32:38.0890 1444 Atdisk - ok
21:32:39.0187 1444 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:32:39.0187 1444 Atmarpc - ok
21:32:39.0500 1444 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
21:32:39.0500 1444 audstub - ok
21:32:39.0828 1444 b57w2k (b9391a83f075351c923c3a37c53af396) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
21:32:39.0828 1444 b57w2k - ok
21:32:40.0156 1444 bcm4sbxp (f5c0d3c93235a455cdd13c954adf1a80) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
21:32:40.0156 1444 bcm4sbxp - ok
21:32:40.0468 1444 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
21:32:40.0468 1444 Beep - ok
21:32:40.0765 1444 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
21:32:40.0765 1444 cbidf2k - ok
21:32:41.0015 1444 cd20xrnt - ok
21:32:41.0312 1444 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
21:32:41.0312 1444 Cdaudio - ok
21:32:41.0625 1444 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
21:32:41.0625 1444 Cdfs - ok
21:32:41.0921 1444 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:32:41.0937 1444 Cdrom - ok
21:32:42.0171 1444 Changer - ok
21:32:42.0437 1444 CmdIde - ok
21:32:42.0718 1444 Cpqarray - ok
21:32:42.0890 1444 cpuz132 - ok
21:32:43.0156 1444 dac2w2k - ok
21:32:43.0406 1444 dac960nt - ok
21:32:43.0734 1444 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
21:32:43.0734 1444 Disk - ok
21:32:44.0312 1444 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
21:32:44.0328 1444 dmboot - ok
21:32:44.0750 1444 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
21:32:44.0750 1444 dmio - ok
21:32:45.0046 1444 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
21:32:45.0046 1444 dmload - ok
21:32:45.0296 1444 dpti2o - ok
21:32:45.0671 1444 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
21:32:45.0671 1444 Fastfat - ok
21:32:45.0953 1444 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
21:32:45.0953 1444 Fdc - ok
21:32:46.0250 1444 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
21:32:46.0250 1444 Fips - ok
21:32:46.0593 1444 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
21:32:46.0593 1444 Flpydisk - ok
21:32:46.0921 1444 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys
21:32:46.0921 1444 FltMgr - ok
21:32:47.0218 1444 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:32:47.0218 1444 Fs_Rec - ok
21:32:47.0546 1444 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:32:47.0546 1444 Ftdisk - ok
21:32:47.0843 1444 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:32:47.0843 1444 Gpc - ok
21:32:48.0187 1444 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:32:48.0187 1444 HidUsb - ok
21:32:48.0437 1444 hpn - ok
21:32:48.0812 1444 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
21:32:48.0812 1444 HTTP - ok
21:32:49.0078 1444 i2omgmt - ok
21:32:49.0328 1444 i2omp - ok
21:32:49.0671 1444 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:32:49.0671 1444 i8042prt - ok
21:32:50.0000 1444 ialm (bf5b9dbbee664f046e85c6b853af47de) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
21:32:50.0000 1444 ialm - ok
21:32:50.0312 1444 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
21:32:50.0312 1444 Imapi - ok
21:32:50.0578 1444 ini910u - ok
21:32:50.0859 1444 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
21:32:50.0859 1444 IntelIde - ok
21:32:51.0140 1444 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
21:32:51.0140 1444 ip6fw - ok
21:32:51.0421 1444 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:32:51.0421 1444 IpFilterDriver - ok
21:32:51.0734 1444 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:32:51.0734 1444 IpInIp - ok
21:32:52.0078 1444 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:32:52.0078 1444 IpNat - ok
21:32:52.0390 1444 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:32:52.0406 1444 IPSec - ok
21:32:52.0671 1444 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
21:32:52.0671 1444 IRENUM - ok
21:32:52.0968 1444 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:32:52.0984 1444 isapnp - ok
21:32:53.0281 1444 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:32:53.0281 1444 Kbdclass - ok
21:32:53.0578 1444 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
21:32:53.0578 1444 kbdhid - ok
21:32:53.0906 1444 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
21:32:53.0906 1444 KSecDD - ok
21:32:54.0171 1444 lbrtfdc - ok
21:32:54.0343 1444 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
21:32:54.0343 1444 LMIInfo - ok
21:32:54.0687 1444 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
21:32:54.0687 1444 lmimirr - ok
21:32:54.0921 1444 LMIRfsClientNP - ok
21:32:55.0203 1444 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
21:32:55.0203 1444 LMIRfsDriver - ok
21:32:55.0437 1444 MBAMSwissArmy - ok
21:32:55.0718 1444 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
21:32:55.0718 1444 mnmdd - ok
21:32:56.0015 1444 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
21:32:56.0015 1444 Modem - ok
21:32:56.0312 1444 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:32:56.0312 1444 Mouclass - ok
21:32:56.0593 1444 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:32:56.0593 1444 mouhid - ok
21:32:56.0921 1444 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
21:32:56.0921 1444 MountMgr - ok
21:32:57.0156 1444 mraid35x - ok
21:32:57.0500 1444 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:32:57.0500 1444 MRxDAV - ok
21:32:57.0953 1444 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:32:57.0968 1444 MRxSmb - ok
21:32:58.0281 1444 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
21:32:58.0281 1444 Msfs - ok
21:32:58.0609 1444 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:32:58.0609 1444 mssmbios - ok
21:32:58.0921 1444 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
21:32:58.0937 1444 Mup - ok
21:32:59.0265 1444 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
21:32:59.0265 1444 NDIS - ok
21:32:59.0562 1444 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:32:59.0562 1444 NdisTapi - ok
21:32:59.0843 1444 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:32:59.0843 1444 Ndisuio - ok
21:33:00.0156 1444 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:33:00.0156 1444 NdisWan - ok
21:33:00.0468 1444 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
21:33:00.0468 1444 NDProxy - ok
21:33:00.0765 1444 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
21:33:00.0765 1444 NetBIOS - ok
21:33:01.0078 1444 NetBT (b540a7399722fc655aeff3d0401c966d) C:\WINDOWS\system32\DRIVERS\netbt.sys
21:33:01.0078 1444 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: b540a7399722fc655aeff3d0401c966d, Fake md5: 52b6f4e08c883042e4bea3e49dc5ce00
21:33:01.0093 1444 NetBT ( ForgedFile.Multi.Generic ) - warning
21:33:01.0093 1444 NetBT - detected ForgedFile.Multi.Generic (1)
21:33:01.0406 1444 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
21:33:01.0406 1444 Npfs - ok
21:33:01.0937 1444 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
21:33:01.0937 1444 Ntfs - ok
21:33:02.0281 1444 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
21:33:02.0296 1444 NuidFltr - ok
21:33:02.0609 1444 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
21:33:02.0609 1444 Null - ok
21:33:02.0906 1444 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:33:02.0906 1444 NwlnkFlt - ok
21:33:03.0171 1444 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:33:03.0187 1444 NwlnkFwd - ok
21:33:03.0468 1444 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
21:33:03.0468 1444 OMCI - ok
21:33:03.0796 1444 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
21:33:03.0796 1444 Parport - ok
21:33:04.0093 1444 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
21:33:04.0093 1444 PartMgr - ok
21:33:04.0359 1444 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
21:33:04.0359 1444 ParVdm - ok
21:33:04.0734 1444 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
21:33:04.0750 1444 PCI - ok
21:33:04.0984 1444 PCIDump - ok
21:33:05.0234 1444 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
21:33:05.0250 1444 PCIIde - ok
21:33:05.0562 1444 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
21:33:05.0562 1444 Pcmcia - ok
21:33:05.0812 1444 PDCOMP - ok
21:33:06.0062 1444 PDFRAME - ok
21:33:06.0312 1444 PDRELI - ok
21:33:06.0562 1444 PDRFRAME - ok
21:33:06.0812 1444 perc2 - ok
21:33:07.0078 1444 perc2hib - ok
21:33:07.0406 1444 Point32 (e5582e43e167cf367757d81e9727da2a) C:\WINDOWS\system32\DRIVERS\point32.sys
21:33:07.0406 1444 Point32 - ok
21:33:07.0734 1444 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:33:07.0734 1444 PptpMiniport - ok
21:33:08.0015 1444 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
21:33:08.0015 1444 Processor - ok
21:33:08.0296 1444 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
21:33:08.0312 1444 PSched - ok
21:33:08.0578 1444 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:33:08.0578 1444 Ptilink - ok
21:33:08.0875 1444 PxHelp20 (1962166e0ceb740704f30fa55ad3d509) C:\WINDOWS\system32\Drivers\PxHelp20.sys
21:33:08.0875 1444 PxHelp20 - ok
21:33:09.0125 1444 ql1080 - ok
21:33:09.0359 1444 Ql10wnt - ok
21:33:09.0593 1444 ql12160 - ok
21:33:09.0843 1444 ql1240 - ok
21:33:10.0078 1444 ql1280 - ok
21:33:10.0359 1444 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:33:10.0359 1444 RasAcd - ok
21:33:10.0703 1444 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:33:10.0703 1444 Rasl2tp - ok
21:33:11.0000 1444 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:33:11.0000 1444 RasPppoe - ok
21:33:11.0281 1444 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
21:33:11.0281 1444 Raspti - ok
21:33:11.0656 1444 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:33:11.0656 1444 Rdbss - ok
21:33:11.0968 1444 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:33:11.0968 1444 RDPCDD - ok
21:33:12.0328 1444 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
21:33:12.0343 1444 RDPWD - ok
21:33:12.0671 1444 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
21:33:12.0671 1444 redbook - ok
21:33:12.0906 1444 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
21:33:12.0906 1444 SASDIFSV - ok
21:33:12.0968 1444 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
21:33:12.0968 1444 SASKUTIL - ok
21:33:13.0343 1444 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:33:13.0343 1444 Secdrv - ok
21:33:13.0687 1444 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
21:33:13.0687 1444 serenum - ok
21:33:13.0968 1444 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
21:33:13.0984 1444 Serial - ok
21:33:14.0250 1444 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
21:33:14.0250 1444 Sfloppy - ok
21:33:14.0500 1444 Simbad - ok
21:33:14.0750 1444 Sparrow - ok
21:33:15.0062 1444 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
21:33:15.0062 1444 sr - ok
21:33:15.0468 1444 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
21:33:15.0484 1444 Srv - ok
21:33:15.0812 1444 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:33:15.0812 1444 swenum - ok
21:33:16.0078 1444 symc810 - ok
21:33:16.0312 1444 symc8xx - ok
21:33:16.0562 1444 sym_hi - ok
21:33:16.0796 1444 sym_u3 - ok
21:33:17.0218 1444 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:33:17.0234 1444 Tcpip - ok
21:33:17.0531 1444 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:33:17.0531 1444 TDPIPE - ok
21:33:17.0796 1444 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
21:33:17.0796 1444 TDTCP - ok
21:33:18.0093 1444 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:33:18.0093 1444 TermDD - ok
21:33:18.0359 1444 TosIde - ok
21:33:18.0640 1444 TSP - ok
21:33:18.0921 1444 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
21:33:18.0921 1444 Udfs - ok
21:33:19.0156 1444 ultra - ok
21:33:19.0593 1444 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
21:33:19.0593 1444 Update - ok
21:33:19.0968 1444 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:33:19.0968 1444 usbccgp - ok
21:33:20.0281 1444 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:33:20.0281 1444 usbehci - ok
21:33:20.0593 1444 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:33:20.0593 1444 usbhub - ok
21:33:20.0875 1444 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:33:20.0890 1444 usbprint - ok
21:33:21.0187 1444 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
21:33:21.0187 1444 usbscan - ok
21:33:21.0468 1444 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:33:21.0484 1444 USBSTOR - ok
21:33:21.0781 1444 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
21:33:21.0781 1444 usbuhci - ok
21:33:22.0078 1444 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
21:33:22.0078 1444 VgaSave - ok
21:33:22.0328 1444 ViaIde - ok
21:33:22.0640 1444 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
21:33:22.0640 1444 VolSnap - ok
21:33:22.0984 1444 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:33:22.0984 1444 Wanarp - ok
21:33:23.0468 1444 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
21:33:23.0484 1444 Wdf01000 - ok
21:33:23.0734 1444 WDICA - ok
21:33:24.0234 1444 {6080A529-897E-4629-A488-ABA0C29B635E} (afeffe0f8805fcd47b05cf1fbde08092) C:\WINDOWS\system32\drivers\ialmsbw.sys
21:33:24.0234 1444 {6080A529-897E-4629-A488-ABA0C29B635E} - ok
21:33:24.0515 1444 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (85a36991a5ceaf9e65c4b743210e759b) C:\WINDOWS\system32\drivers\ialmkchw.sys
21:33:24.0515 1444 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok
21:33:24.0562 1444 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:33:24.0843 1444 \Device\Harddisk0\DR0 - ok
21:33:24.0859 1444 MBR (0x1B8) (973e9ba32fdbb305c552ed3e1ebf0686) \Device\Harddisk1\DR5
21:33:24.0875 1444 \Device\Harddisk1\DR5 - ok
21:33:24.0906 1444 Boot (0x1200) (be852483d7cca0d0fc7ef5818df22dc5) \Device\Harddisk0\DR0\Partition0
21:33:24.0906 1444 \Device\Harddisk0\DR0\Partition0 - ok
21:33:24.0921 1444 Boot (0x1200) (3b72055f019cfe180274f7f885e16b5e) \Device\Harddisk1\DR5\Partition0
21:33:24.0921 1444 \Device\Harddisk1\DR5\Partition0 - ok
21:33:24.0921 1444 ============================================================
21:33:24.0921 1444 Scan finished
21:33:24.0921 1444 ============================================================
21:33:24.0968 3072 Detected object count: 2
21:33:24.0968 3072 Actual detected object count: 2
21:33:29.0375 3072 4ec97f03 ( HiddenFile.Multi.Generic ) - skipped by user
21:33:29.0375 3072 4ec97f03 ( HiddenFile.Multi.Generic ) - User select action: Skip
21:33:29.0390 3072 NetBT ( ForgedFile.Multi.Generic ) - skipped by user
21:33:29.0390 3072 NetBT ( ForgedFile.Multi.Generic ) - User select action: Skip
21:37:40.0125 2960 Deinitialize success

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:15 PM

Posted 06 October 2011 - 05:52 PM

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#11 adaniel

adaniel
  • Topic Starter

  • Members
  • 206 posts
  • OFFLINE
  • Local time:01:15 PM

Posted 06 October 2011 - 09:18 PM

The aswMBR.exe scan behaved like the gmer scan: it got to a certain point and just quit without the option to save log. When I tried to rerun it, I got "windows cannot access the specified device, path or file. You may not have appropriate permission to access the item." When I try to copy over it from my flash drive, it is protected. I have to delete it from the desktop, then copy it. I believe it said "scanning services" just before it aborted.

I got as much of the log as I could by clicking the "save log" button before it aborted.

When it first starts, it asks about updating virus definitions; I chose No since the infected computer is not connected to the internet.

Thank you for your help.

adaniel

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-06 22:03:45
-----------------------------
22:03:45.984 OS Version: Windows 5.1.2600 Service Pack 2
22:03:45.984 Number of processors: 1 586 0x103
22:03:45.984 ComputerName: DRSLOFLINBYRNES UserName: Staff
22:03:46.671 Initialize success
22:03:57.328 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
22:03:57.328 Disk 0 Vendor: WDC_WD300BB-75DEA0 05.03E05 Size: 28610MB BusType: 3
22:03:57.343 Disk 0 MBR read successfully
22:03:57.343 Disk 0 MBR scan
22:03:57.359 Disk 0 Windows XP default MBR code
22:03:57.375 Disk 0 scanning sectors +58572990
22:03:57.531 Disk 0 scanning C:\WINDOWS\system32\drivers
22:04:13.078 File: C:\WINDOWS\system32\drivers\netbt.sys **SUSPICIOUS**
22:04:19.203 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Staff\My Documents\MBR.dat"
22:04:19.203 The log file has been saved successfully to "C:\Documents and Settings\Staff\My Documents\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-06 22:06:36
-----------------------------
22:06:36.046 OS Version: Windows 5.1.2600 Service Pack 2
22:06:36.046 Number of processors: 1 586 0x103
22:06:36.046 ComputerName: DRSLOFLINBYRNES UserName: Staff
22:06:36.734 Initialize success
22:06:43.250 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
22:06:43.250 Disk 0 Vendor: WDC_WD300BB-75DEA0 05.03E05 Size: 28610MB BusType: 3
22:06:43.281 Disk 0 MBR read successfully
22:06:43.281 Disk 0 MBR scan
22:06:43.281 Disk 0 Windows XP default MBR code
22:06:43.328 Disk 0 scanning sectors +58572990
22:06:43.500 Disk 0 scanning C:\WINDOWS\system32\drivers
22:06:59.515 File: C:\WINDOWS\system32\drivers\netbt.sys **SUSPICIOUS**
22:07:09.031 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Staff\My Documents\MBR.dat"
22:07:09.031 The log file has been saved successfully to "C:\Documents and Settings\Staff\My Documents\aswMBR.txt"

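The two logs above (the TDSSKiller report in post #9 and the aswMBR output in post #11) both flag netbt.sys, and TDSSKiller additionally reports a hidden object whose path, C:\WINDOWS\58706254:2973139196.exe, contains a second colon, which is the NTFS syntax for an alternate data stream. As an added example, not code from this thread or from either tool, here is a small Python parser that pulls the detections out of both log formats, marks ADS paths and the real-versus-fake hash mismatch that TDSSKiller reports for a forged file, records which user action was logged for each object, and lists the paths both tools agree on. The regular expressions are my own, written against the line formats visible in the thread; the sample lines are copied from the logs posted above.

```python
"""Added example: extract detections from TDSSKiller and aswMBR logs in the formats posted in this thread."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Sample lines copied from the logs posted in this thread (TDSSKiller first, then aswMBR).
TDSSKILLER_SAMPLE = r"""
21:32:33.0718 1444 4ec97f03 (8ab3ad9b5e7f0b487d7a28cd26081c8f) C:\WINDOWS\58706254:2973139196.exe
21:32:33.0718 1444 Suspicious file (Hidden): C:\WINDOWS\58706254:2973139196.exe. md5: 8ab3ad9b5e7f0b487d7a28cd26081c8f
21:32:33.0718 1444 4ec97f03 ( HiddenFile.Multi.Generic ) - warning
21:32:35.0093 1444 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:32:35.0109 1444 ACPI - ok
21:33:01.0078 1444 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: b540a7399722fc655aeff3d0401c966d, Fake md5: 52b6f4e08c883042e4bea3e49dc5ce00
21:33:01.0093 1444 NetBT ( ForgedFile.Multi.Generic ) - warning
21:33:29.0375 3072 4ec97f03 ( HiddenFile.Multi.Generic ) - User select action: Skip
21:33:29.0390 3072 NetBT ( ForgedFile.Multi.Generic ) - User select action: Skip
"""
ASWMBR_SAMPLE = r"""
22:03:57.531 Disk 0 scanning C:\WINDOWS\system32\drivers
22:04:13.078 File: C:\WINDOWS\system32\drivers\netbt.sys **SUSPICIOUS**
"""

# TDSSKiller lines are "HH:MM:SS.mmmm <thread id> <message>"; aswMBR lines are "HH:MM:SS.mmm <message>".
_TDSS_PREFIX = re.compile(r"^\d\d:\d\d:\d\d\.\d{4}\s+\d+\s+(?P<msg>.*)$")
_HIDDEN = re.compile(r"^Suspicious file \(Hidden\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})$")
_FORGED = re.compile(r"^Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), "
                     r"Fake md5: (?P<fake>[0-9a-f]{32})$")
_WARNING = re.compile(r"^(?P<name>\S+) \( (?P<verdict>[\w.]+) \) - warning$")
_ACTION = re.compile(r"^(?P<name>\S+) \( (?P<verdict>[\w.]+) \) - User select action: (?P<action>\w+)$")
_ASWMBR = re.compile(r"^\d\d:\d\d:\d\d\.\d{3}\s+File: (?P<path>.+?) \*\*SUSPICIOUS\*\*$")
# A second colon after the drive letter means the path names an NTFS alternate data stream ("file:stream").
_ADS = re.compile(r"^[A-Za-z]:\\[^:]*:")


@dataclass
class Finding:
    kind: str                 # "Hidden", "Forged" (TDSSKiller) or "aswMBR"
    path: str
    name: str = ""            # service/driver name TDSSKiller attached to the object
    verdict: str = ""         # e.g. HiddenFile.Multi.Generic
    action: str = "none"      # user action recorded at the end of the TDSSKiller log
    md5: str = ""             # hidden file: the hash TDSSKiller printed
    real_md5: str = ""        # forged file: "Real md5" as labelled by TDSSKiller
    fake_md5: str = ""        # forged file: "Fake md5" as labelled by TDSSKiller
    is_ads: bool = False


def parse_tdsskiller(text: str) -> list[Finding]:
    """Return one Finding per 'Suspicious file' line, enriched from the warning and action lines."""
    findings = []
    pending: Optional[Finding] = None   # the finding whose "( verdict ) - warning" line comes next
    for raw in text.splitlines():
        m = _TDSS_PREFIX.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if h := _HIDDEN.match(msg):
            pending = Finding("Hidden", h["path"], md5=h["md5"], is_ads=bool(_ADS.match(h["path"])))
            findings.append(pending)
        elif f := _FORGED.match(msg):
            pending = Finding("Forged", f["path"], real_md5=f["real"], fake_md5=f["fake"])
            findings.append(pending)
        elif (w := _WARNING.match(msg)) and pending is not None:
            pending.name, pending.verdict = w["name"], w["verdict"]
            pending = None
        elif a := _ACTION.match(msg):
            for fd in findings:
                if fd.name == a["name"]:
                    fd.action = a["action"]
    return findings


def parse_aswmbr(text: str) -> list[Finding]:
    """Return one Finding per '**SUSPICIOUS**' file line in an aswMBR log."""
    return [Finding("aswMBR", m["path"], verdict="SUSPICIOUS", is_ads=bool(_ADS.match(m["path"])))
            for line in text.splitlines() if (m := _ASWMBR.match(line.strip()))]


def flags_for(f: Finding) -> list[str]:
    """Human-readable reasons a finding deserves attention."""
    flags = []
    if f.is_ads:
        flags.append("NTFS alternate data stream")
    if f.kind == "Forged":
        flags.append("hash differs between read paths")
    if f.action == "Skip":
        flags.append("left in place (Skip)")
    return flags


def corroborated(tdss: list[Finding], asw: list[Finding]) -> list[str]:
    """Paths reported by both tools (Windows paths compared case-insensitively)."""
    asw_paths = {f.path.lower() for f in asw}
    return sorted({f.path for f in tdss if f.path.lower() in asw_paths})


if __name__ == "__main__":
    tdss = parse_tdsskiller(TDSSKILLER_SAMPLE)
    asw = parse_aswmbr(ASWMBR_SAMPLE)
    for f in tdss + asw:
        print(f"{f.kind:7} {f.path}  [{', '.join(flags_for(f)) or 'no flags'}]")
    print("flagged by both tools:", corroborated(tdss, asw))
```

Run against the full report rather than the excerpt, the same parser shows at a glance which objects were skipped and therefore still need a decision, which is the question the thread is circling at this point. Both tools' formats can change between versions, so the patterns above should be checked against the version stamp at the top of each log before relying on them.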
#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:15 PM

Posted 07 October 2011 - 08:05 PM

Rerun the TDSSKiller program and this time choose to quarantine the two files that we skipped earlier.

#13 adaniel

adaniel
  • Topic Starter

  • Members
  • 206 posts
  • OFFLINE
  • Local time:01:15 PM

Posted 07 October 2011 - 09:20 PM

This time only one file appeared. Here is the report.

Thank you,
adaniel

22:06:07.0828 2920 TDSS rootkit removing tool 2.6.5.0 Oct 5 2011 20:52:46
22:06:07.0921 2920 ============================================================
22:06:07.0921 2920 Current date / time: 2011/10/07 22:06:07.0921
22:06:07.0921 2920 SystemInfo:
22:06:07.0921 2920
22:06:07.0921 2920 OS Version: 5.1.2600 ServicePack: 2.0
22:06:07.0921 2920 Product type: Workstation
22:06:07.0921 2920 ComputerName: DRSLOFLINBYRNES
22:06:07.0921 2920 UserName: Staff
22:06:07.0921 2920 Windows directory: C:\WINDOWS
22:06:07.0921 2920 System windows directory: C:\WINDOWS
22:06:07.0921 2920 Processor architecture: Intel x86
22:06:07.0921 2920 Number of processors: 1
22:06:07.0921 2920 Page size: 0x1000
22:06:07.0921 2920 Boot type: Normal boot
22:06:07.0921 2920 ============================================================
22:06:09.0796 2920 Initialize success
22:06:13.0390 2948 ============================================================
22:06:13.0390 2948 Scan started
22:06:13.0390 2948 Mode: Manual;
22:06:13.0390 2948 ============================================================
22:06:15.0078 2948 4ec97f03 (8ab3ad9b5e7f0b487d7a28cd26081c8f) C:\WINDOWS\58706254:2973139196.exe
22:06:15.0078 2948 Suspicious file (Hidden): C:\WINDOWS\58706254:2973139196.exe. md5: 8ab3ad9b5e7f0b487d7a28cd26081c8f
22:06:15.0093 2948 4ec97f03 ( HiddenFile.Multi.Generic ) - warning
22:06:15.0093 2948 4ec97f03 - detected HiddenFile.Multi.Generic (1)
22:06:15.0406 2948 5632 - ok
22:06:15.0656 2948 Abiosdsk - ok
22:06:15.0906 2948 abp480n5 - ok
22:06:16.0312 2948 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:06:16.0312 2948 ACPI - ok
22:06:16.0656 2948 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
22:06:16.0656 2948 ACPIEC - ok
22:06:16.0906 2948 adpu160m - ok
22:06:17.0265 2948 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
22:06:17.0265 2948 AFD - ok
22:06:17.0546 2948 Aha154x - ok
22:06:17.0781 2948 aic78u2 - ok
22:06:18.0031 2948 aic78xx - ok
22:06:18.0296 2948 AliIde - ok
22:06:18.0562 2948 amsint - ok
22:06:18.0828 2948 asc - ok
22:06:19.0093 2948 asc3350p - ok
22:06:19.0343 2948 asc3550 - ok
22:06:19.0656 2948 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:06:19.0671 2948 AsyncMac - ok
22:06:19.0968 2948 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
22:06:19.0984 2948 atapi - ok
22:06:20.0265 2948 Atdisk - ok
22:06:20.0578 2948 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:06:20.0578 2948 Atmarpc - ok
22:06:20.0906 2948 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:06:20.0906 2948 audstub - ok
22:06:21.0250 2948 b57w2k (b9391a83f075351c923c3a37c53af396) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
22:06:21.0265 2948 b57w2k - ok
22:06:21.0640 2948 bcm4sbxp (f5c0d3c93235a455cdd13c954adf1a80) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
22:06:21.0640 2948 bcm4sbxp - ok
22:06:21.0906 2948 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:06:21.0906 2948 Beep - ok
22:06:22.0203 2948 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:06:22.0203 2948 cbidf2k - ok
22:06:22.0453 2948 cd20xrnt - ok
22:06:22.0734 2948 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:06:22.0734 2948 Cdaudio - ok
22:06:23.0046 2948 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
22:06:23.0062 2948 Cdfs - ok
22:06:23.0359 2948 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:06:23.0359 2948 Cdrom - ok
22:06:23.0625 2948 Changer - ok
22:06:23.0890 2948 CmdIde - ok
22:06:24.0203 2948 Cpqarray - ok
22:06:24.0359 2948 cpuz132 - ok
22:06:24.0671 2948 dac2w2k - ok
22:06:24.0906 2948 dac960nt - ok
22:06:25.0250 2948 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
22:06:25.0250 2948 Disk - ok
22:06:25.0875 2948 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
22:06:25.0890 2948 dmboot - ok
22:06:26.0265 2948 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
22:06:26.0265 2948 dmio - ok
22:06:26.0578 2948 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
22:06:26.0578 2948 dmload - ok
22:06:26.0828 2948 dpti2o - ok
22:06:27.0203 2948 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
22:06:27.0203 2948 Fastfat - ok
22:06:27.0531 2948 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
22:06:27.0531 2948 Fdc - ok
22:06:27.0812 2948 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
22:06:27.0828 2948 Fips - ok
22:06:28.0125 2948 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
22:06:28.0125 2948 Flpydisk - ok
22:06:28.0484 2948 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys
22:06:28.0500 2948 FltMgr - ok
22:06:28.0796 2948 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:06:28.0796 2948 Fs_Rec - ok
22:06:29.0109 2948 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:06:29.0125 2948 Ftdisk - ok
22:06:29.0406 2948 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:06:29.0406 2948 Gpc - ok
22:06:29.0796 2948 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
22:06:29.0796 2948 HidUsb - ok
22:06:30.0046 2948 hpn - ok
22:06:30.0437 2948 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
22:06:30.0453 2948 HTTP - ok
22:06:30.0734 2948 i2omgmt - ok
22:06:30.0984 2948 i2omp - ok
22:06:31.0312 2948 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:06:31.0312 2948 i8042prt - ok
22:06:31.0625 2948 ialm (bf5b9dbbee664f046e85c6b853af47de) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
22:06:31.0625 2948 ialm - ok
22:06:31.0953 2948 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
22:06:31.0953 2948 Imapi - ok
22:06:32.0218 2948 ini910u - ok
22:06:32.0531 2948 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
22:06:32.0531 2948 IntelIde - ok
22:06:32.0828 2948 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
22:06:32.0828 2948 ip6fw - ok
22:06:33.0125 2948 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:06:33.0125 2948 IpFilterDriver - ok
22:06:33.0437 2948 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:06:33.0437 2948 IpInIp - ok
22:06:33.0765 2948 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:06:33.0781 2948 IpNat - ok
22:06:34.0140 2948 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:06:34.0140 2948 IPSec - ok
22:06:34.0453 2948 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
22:06:34.0468 2948 IRENUM - ok
22:06:34.0781 2948 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:06:34.0781 2948 isapnp - ok
22:06:35.0078 2948 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:06:35.0078 2948 Kbdclass - ok
22:06:35.0406 2948 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
22:06:35.0406 2948 kbdhid - ok
22:06:35.0750 2948 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
22:06:35.0750 2948 KSecDD - ok
22:06:36.0031 2948 lbrtfdc - ok
22:06:36.0218 2948 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
22:06:36.0218 2948 LMIInfo - ok
22:06:36.0578 2948 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
22:06:36.0578 2948 lmimirr - ok
22:06:36.0828 2948 LMIRfsClientNP - ok
22:06:37.0109 2948 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
22:06:37.0109 2948 LMIRfsDriver - ok
22:06:37.0359 2948 MBAMSwissArmy - ok
22:06:37.0656 2948 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
22:06:37.0656 2948 mnmdd - ok
22:06:38.0093 2948 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
22:06:38.0093 2948 Modem - ok
22:06:38.0421 2948 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:06:38.0421 2948 Mouclass - ok
22:06:38.0703 2948 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
22:06:38.0703 2948 mouhid - ok
22:06:39.0031 2948 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
22:06:39.0031 2948 MountMgr - ok
22:06:39.0281 2948 mraid35x - ok
22:06:39.0609 2948 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:06:39.0609 2948 MRxDAV - ok
22:06:40.0078 2948 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:06:40.0093 2948 MRxSmb - ok
22:06:40.0390 2948 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
22:06:40.0390 2948 Msfs - ok
22:06:40.0703 2948 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:06:40.0703 2948 mssmbios - ok
22:06:41.0046 2948 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
22:06:41.0046 2948 Mup - ok
22:06:41.0375 2948 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
22:06:41.0375 2948 NDIS - ok
22:06:41.0671 2948 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:06:41.0687 2948 NdisTapi - ok
22:06:41.0968 2948 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:06:41.0968 2948 Ndisuio - ok
22:06:42.0281 2948 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:06:42.0281 2948 NdisWan - ok
22:06:42.0609 2948 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
22:06:42.0609 2948 NDProxy - ok
22:06:42.0921 2948 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
22:06:42.0921 2948 NetBIOS - ok
22:06:43.0234 2948 NetBT (b540a7399722fc655aeff3d0401c966d) C:\WINDOWS\system32\DRIVERS\netbt.sys
22:06:43.0250 2948 NetBT - ok
22:06:43.0593 2948 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
22:06:43.0609 2948 Npfs - ok
22:06:44.0093 2948 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
22:06:44.0109 2948 Ntfs - ok
22:06:44.0468 2948 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
22:06:44.0468 2948 NuidFltr - ok
22:06:44.0765 2948 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
22:06:44.0765 2948 Null - ok
22:06:45.0078 2948 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:06:45.0078 2948 NwlnkFlt - ok
22:06:45.0359 2948 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:06:45.0359 2948 NwlnkFwd - ok
22:06:45.0703 2948 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
22:06:45.0703 2948 OMCI - ok
22:06:46.0031 2948 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
22:06:46.0031 2948 Parport - ok
22:06:46.0343 2948 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
22:06:46.0343 2948 PartMgr - ok
22:06:46.0625 2948 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
22:06:46.0625 2948 ParVdm - ok
22:06:46.0937 2948 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
22:06:46.0937 2948 PCI - ok
22:06:47.0203 2948 PCIDump - ok
22:06:47.0468 2948 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
22:06:47.0468 2948 PCIIde - ok
22:06:47.0796 2948 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
22:06:47.0796 2948 Pcmcia - ok
22:06:48.0046 2948 PDCOMP - ok
22:06:48.0296 2948 PDFRAME - ok
22:06:48.0546 2948 PDRELI - ok
22:06:48.0796 2948 PDRFRAME - ok
22:06:49.0046 2948 perc2 - ok
22:06:49.0312 2948 perc2hib - ok
22:06:49.0671 2948 Point32 (e5582e43e167cf367757d81e9727da2a) C:\WINDOWS\system32\DRIVERS\point32.sys
22:06:49.0671 2948 Point32 - ok
22:06:50.0000 2948 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
22:06:50.0000 2948 PptpMiniport - ok
22:06:50.0281 2948 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
22:06:50.0281 2948 Processor - ok
22:06:50.0578 2948 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
22:06:50.0578 2948 PSched - ok
22:06:50.0859 2948 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
22:06:50.0859 2948 Ptilink - ok
22:06:51.0156 2948 PxHelp20 (1962166e0ceb740704f30fa55ad3d509) C:\WINDOWS\system32\Drivers\PxHelp20.sys
22:06:51.0156 2948 PxHelp20 - ok
22:06:51.0562 2948 ql1080 - ok
22:06:51.0984 2948 Ql10wnt - ok
22:06:52.0250 2948 ql12160 - ok
22:06:52.0500 2948 ql1240 - ok
22:06:52.0734 2948 ql1280 - ok
22:06:53.0031 2948 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
22:06:53.0046 2948 RasAcd - ok
22:06:53.0375 2948 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
22:06:53.0375 2948 Rasl2tp - ok
22:06:53.0656 2948 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
22:06:53.0656 2948 RasPppoe - ok
22:06:53.0953 2948 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
22:06:53.0953 2948 Raspti - ok
22:06:54.0296 2948 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:06:54.0312 2948 Rdbss - ok
22:06:54.0609 2948 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
22:06:54.0609 2948 RDPCDD - ok
22:06:54.0984 2948 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
22:06:54.0984 2948 RDPWD - ok
22:06:55.0343 2948 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
22:06:55.0343 2948 redbook - ok
22:06:55.0562 2948 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
22:06:55.0562 2948 SASDIFSV - ok
22:06:55.0640 2948 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
22:06:55.0656 2948 SASKUTIL - ok
22:06:56.0015 2948 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
22:06:56.0031 2948 Secdrv - ok
22:06:56.0343 2948 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
22:06:56.0343 2948 serenum - ok
22:06:56.0671 2948 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
22:06:56.0671 2948 Serial - ok
22:06:56.0937 2948 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
22:06:56.0937 2948 Sfloppy - ok
22:06:57.0187 2948 Simbad - ok
22:06:57.0453 2948 Sparrow - ok
22:06:57.0750 2948 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
22:06:57.0765 2948 sr - ok
22:06:58.0171 2948 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
22:06:58.0187 2948 Srv - ok
22:06:58.0515 2948 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
22:06:58.0515 2948 swenum - ok
22:06:58.0796 2948 symc810 - ok
22:06:59.0031 2948 symc8xx - ok
22:06:59.0281 2948 sym_hi - ok
22:06:59.0531 2948 sym_u3 - ok
22:06:59.0984 2948 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
22:06:59.0984 2948 Tcpip - ok
22:07:00.0281 2948 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
22:07:00.0281 2948 TDPIPE - ok
22:07:00.0562 2948 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
22:07:00.0562 2948 TDTCP - ok
22:07:00.0843 2948 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
22:07:00.0843 2948 TermDD - ok
22:07:01.0109 2948 TosIde - ok
22:07:01.0375 2948 TSP - ok
22:07:01.0687 2948 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
22:07:01.0687 2948 Udfs - ok
22:07:01.0937 2948 ultra - ok
22:07:02.0359 2948 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
22:07:02.0375 2948 Update - ok
22:07:02.0734 2948 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
22:07:02.0734 2948 usbccgp - ok
22:07:03.0062 2948 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
22:07:03.0062 2948 usbehci - ok
22:07:03.0390 2948 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
22:07:03.0390 2948 usbhub - ok
22:07:03.0703 2948 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
22:07:03.0703 2948 usbprint - ok
22:07:04.0046 2948 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
22:07:04.0046 2948 usbscan - ok
22:07:04.0328 2948 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:07:04.0328 2948 USBSTOR - ok
22:07:04.0671 2948 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
22:07:04.0671 2948 usbuhci - ok
22:07:04.0984 2948 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
22:07:04.0984 2948 VgaSave - ok
22:07:05.0234 2948 ViaIde - ok
22:07:05.0562 2948 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
22:07:05.0562 2948 VolSnap - ok
22:07:05.0859 2948 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
22:07:05.0875 2948 Wanarp - ok
22:07:06.0359 2948 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
22:07:06.0375 2948 Wdf01000 - ok
22:07:06.0640 2948 WDICA - ok
22:07:07.0140 2948 {6080A529-897E-4629-A488-ABA0C29B635E} (afeffe0f8805fcd47b05cf1fbde08092) C:\WINDOWS\system32\drivers\ialmsbw.sys
22:07:07.0140 2948 {6080A529-897E-4629-A488-ABA0C29B635E} - ok
22:07:07.0421 2948 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (85a36991a5ceaf9e65c4b743210e759b) C:\WINDOWS\system32\drivers\ialmkchw.sys
22:07:07.0421 2948 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok
22:07:07.0468 2948 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
22:07:07.0765 2948 \Device\Harddisk0\DR0 - ok
22:07:07.0781 2948 MBR (0x1B8) (973e9ba32fdbb305c552ed3e1ebf0686) \Device\Harddisk1\DR3
22:07:07.0796 2948 \Device\Harddisk1\DR3 - ok
22:07:07.0812 2948 Boot (0x1200) (be852483d7cca0d0fc7ef5818df22dc5) \Device\Harddisk0\DR0\Partition0
22:07:07.0828 2948 \Device\Harddisk0\DR0\Partition0 - ok
22:07:07.0843 2948 Boot (0x1200) (3872cec179876e7ef35f60712c4f814a) \Device\Harddisk1\DR3\Partition0
22:07:07.0843 2948 \Device\Harddisk1\DR3\Partition0 - ok
22:07:07.0843 2948 ============================================================
22:07:07.0843 2948 Scan finished
22:07:07.0843 2948 ============================================================
22:07:07.0875 2940 Detected object count: 1
22:07:07.0875 2940 Actual detected object count: 1
22:07:18.0484 2940 C:\WINDOWS\58706254:2973139196.exe - copied to quarantine
22:07:18.0484 2940 4ec97f03 ( HiddenFile.Multi.Generic ) - User select action: Quarantine

Edited by adaniel, 07 October 2011 - 09:20 PM.


#14 m0le

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 October 2011 - 07:50 AM

Are you now able to run Gmer? If so, please post the log.
m0le is a proud member of UNITE

#15 adaniel
  • Topic Starter
  • Members
  • 206 posts

Posted 09 October 2011 - 12:28 PM

Good afternoon,

I started to try GMER before my last post, but thought it best to wait for explicit instructions to do so.

I attempted GMER again with the same results as before. I ran it four times to see where it was failing, and got the best log on the last attempt. It processes Windows, then Program Files, then starts with devices. The last two items to display are FAT and cdfs. As soon as cdfs displays, it aborts. Here is the log I got by hitting the copy button as soon as FAT displayed.

Thank you for your help.

adaniel

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-09 12:18:32
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Staff\LOCALS~1\Temp\kwliqpow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IoFreeIrp + 1CB 804E875D 7 Bytes CALL 893F5C95
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I ADE12000 113 Bytes CALL ADE12483 \SystemRoot\System32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation)
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I ADE12072 15 Bytes [8B, 47, 18, 8B, 70, 0C, 85, ...]
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I ADE12082 39 Bytes [00, 8B, 46, 08, 3D, 43, 6F, ...]
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I ADE120AA 39 Bytes [00, 8D, 4F, 5C, FF, 15, 80, ...]
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I ADE120D2 18 Bytes [00, 8B, 75, 0C, 8B, 46, 04, ...]
.text ...
.text netbt.sys!gckMG__FdkjQ_M_UKSZwgf_bb_apFGKLALGy____ptzqCRVHKGLxLPNZ + 29 ADE1214B 6 Bytes [4D, F4, 89, 46, 14, FF]
.text netbt.sys!gckMG__FdkjQ_M_UKSZwgf_bb_apFGKLALGy____ptzqCRVHKGLxLPNZ + 30 ADE12152 3 Bytes [70, C2, E2]
.text netbt.sys!gckMG__FdkjQ_M_UKSZwgf_bb_apFGKLALGy____ptzqCRVHKGLxLPNZ + 34 ADE12156 26 Bytes [83, 7F, 64, 00, 0F, 84, FB, ...]
.text netbt.sys!gckMG__FdkjQ_M_UKSZwgf_bb_apFGKLALGy____ptzqCRVHKGLxLPNZ + 4F ADE12171 255 Bytes [6A, 00, FF, 75, 08, 8B, F0, ...]
.text netbt.sys!gckMG__FdkjQ_M_UKSZwgf_bb_apFGKLALGy____ptzqCRVHKGLxLPNZ + 14F ADE12271 109 Bytes [CA, 0F, 85, CF, 25, 01, 00, ...]
.text ...
.text netbt.sys!U_Rd__vaHFSQ_QYdcvjTBIBC + 2A ADE1247E 36 Bytes [00, 90, 90, 90, 90, 90, 8B, ...]
.text netbt.sys!U_Rd__vaHFSQ_QYdcvjTBIBC + 4F ADE124A3 134 Bytes [57, 8B, 7E, 10, 8B, 47, 60, ...]
.text netbt.sys!U_Rd__vaHFSQ_QYdcvjTBIBC + D6 ADE1252A 176 Bytes [C7, 43, F8, 96, 23, E1, AD, ...]
.text netbt.sys!U_Rd__vaHFSQ_QYdcvjTBIBC + 187 ADE125DB 465 Bytes [40, 38, 10, 0F, 84, AD, F1, ...]
.text netbt.sys!T_A___GVxdkhlejkpy_JUZN + 26 ADE127AD 138 Bytes [45, C4, 83, C0, 0E, 50, E8, ...]
.text netbt.sys!T_A___GVxdkhlejkpy_JUZN + B1 ADE12838 16 Bytes [AD, 8B, 4D, CC, 83, C1, 24, ...] {LODSD ; MOV ECX, [EBP-0x34]; ADD ECX, 0x24; MOV [EBP-0x2e], AL; CALL [0xade2c280]}
.text netbt.sys!T_A___GVxdkhlejkpy_JUZN + C2 ADE12849 366 Bytes [45, D7, 8B, 85, 7C, FF, FF, ...]
.text netbt.sys!T_A___GVxdkhlejkpy_JUZN + 231 ADE129B8 278 Bytes [0F, 8C, CF, CE, 00, 00, 8B, ...]
.text netbt.sys!SCRLCILHRhwk_y_espfh_kbcl_MIIRB__aias_ + 17 ADE12ACF 4 Bytes [3D, 68, C2, E2]
.text netbt.sys!SCRLCILHRhwk_y_espfh_kbcl_MIIRB__aias_ + 1C ADE12AD4 17 Bytes [0F, 85, C6, 0E, 00, 00, 8B, ...] {JNZ 0xecc; MOV EAX, [ESI+0x64]; CMP EAX, EBX; JNZ 0xd565}
.text netbt.sys!SCRLCILHRhwk_y_espfh_kbcl_MIIRB__aias_ + 2E ADE12AE6 16 Bytes [86, 84, 00, 00, 00, 3B, C3, ...]
.text netbt.sys!SCRLCILHRhwk_y_espfh_kbcl_MIIRB__aias_ + 3F ADE12AF7 24 Bytes [00, 00, 89, 40, 04, 89, 00, ...]
.text netbt.sys!SCRLCILHRhwk_y_espfh_kbcl_MIIRB__aias_ + 58 ADE12B10 318 Bytes [35, 5C, C8, E2, AD, 8B, 86, ...]
.text ...
.text netbt.sys!BY_P__A_sVPQGUKNZz_m_honzd_oSYjdk + FB ADE12ED5 416 Bytes [C2, 0A, 66, 89, 48, 0C, 66, ...]
.text netbt.sys!BY_P__A_sVPQGUKNZz_m_honzd_oSYjdk + 29C ADE13076 154 Bytes [0F, 84, 75, F2, 00, 00, 8A, ...]
.text netbt.sys!BY_P__A_sVPQGUKNZz_m_honzd_oSYjdk + 337 ADE13111 38 Bytes [74, 16, 8B, 81, 98, 00, 00, ...]
.text netbt.sys!BY_P__A_sVPQGUKNZz_m_honzd_oSYjdk + 35F ADE13139 10 Bytes [8B, 41, 50, 89, 42, 14, 8B, ...]
.text netbt.sys!BY_P__A_sVPQGUKNZz_m_honzd_oSYjdk + 36A ADE13144 25 Bytes [1C, 89, 01, 33, DB, E9, 48, ...]
.text ...
.text netbt.sys!EPC_PO_qkjr_d_gq___w_PY + 9A ADE14E2C 671 Bytes [89, 48, 08, 89, 48, 0C, 89, ...]
.text netbt.sys!n_nsgr_h_ybGPA + 2 ADE150CC 688 Bytes [C7, 5F, 5E, 5D, C2, 14, 00, ...]
.text netbt.sys!n_nsgr_h_ybGPA + 2B3 ADE1537D 652 Bytes [8B, 4E, 18, 88, 45, 0F, 8B, ...]
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I + 212 ADE1560A 360 Bytes [00, 83, C7, FC, 66, 8B, C7, ...]
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I + 37B ADE15773 72 Bytes [C8, E2, AD, FF, 15, 08, C2, ...]
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I + 3C4 ADE157BC 62 Bytes [8B, 45, 08, 8B, 75, 18, 89, ...]
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I + 404 ADE157FC 33 Bytes [8B, C1, 85, C0, 8B, 45, 08, ...]
.text C:\WINDOWS\System32\DRIVERS\netbt.sys section is writeable [0xADE12000, 0x38D0, 0xE8000020]
? C:\WINDOWS\System32\DRIVERS\netbt.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BE000A
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BF000A
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BD000C
.text C:\WINDOWS\System32\svchost.exe[996] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 00E9000A
.text C:\WINDOWS\System32\svchost.exe[996] USER32.dll!WindowFromPoint 7E41BD8E 5 Bytes JMP 00EA000A
.text C:\WINDOWS\System32\svchost.exe[996] USER32.dll!GetForegroundWindow 7E41BE4B 5 Bytes JMP 00EB000A
.text C:\WINDOWS\System32\svchost.exe[996] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00E8000A

---- Devices - GMER 1.0.15 ----

Device \Driver\00002213 \GLOBAL??\4ec97f03 893F2830

Edited by adaniel, 09 October 2011 - 12:31 PM.
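A triage script for the two logs posted in this thread (the TDSSKiller run in post #13 and the GMER output above), written as an added example for this page; it is not part of the thread and not code from GMER or TDSSKiller. It parses the line shapes both tools print and reduces them to the checks a responder makes by hand: a kernel CALL hook whose target lies far outside the patched module, a driver image GMER reports as writeable or modified (netbt.sys here), a user-mode JMP hook into memory that is not a mapped DLL, the device object whose symbolic-link name (4ec97f03) is the same name TDSSKiller quarantined, and a quarantined path in NTFS file:stream form. The distance thresholds and the user-address floor are assumptions chosen for this example, not values from either tool, and the sample input is a constructed subset of the log lines quoted on this page.

```python
"""Triage a GMER log against a TDSSKiller summary (added example; not part of either tool)."""
import re

# Constructed sample input: a subset of the GMER and TDSSKiller lines quoted in
# this thread, kept verbatim so the regexes are checked against real output.
SAMPLE_GMER = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IoFreeIrp + 1CB 804E875D 7 Bytes CALL 893F5C95
.text netbt.sys!QM_TTGZXlhjuvfzkeiztajnv_lDTaonntpXUAXI_IEJX_I ADE12000 113 Bytes CALL ADE12483 \SystemRoot\System32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation)
.text netbt.sys!U_Rd__vaHFSQ_QYdcvjTBIBC + 2A ADE1247E 36 Bytes [00, 90, 90, 90, 90, 90, 8B, ...]
.text C:\WINDOWS\System32\DRIVERS\netbt.sys section is writeable [0xADE12000, 0x38D0, 0xE8000020]
? C:\WINDOWS\System32\DRIVERS\netbt.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BE000A

---- Devices - GMER 1.0.15 ----

Device \Driver\00002213 \GLOBAL??\4ec97f03 893F2830
"""
SAMPLE_TDSS = r"""
22:07:18.0484 2940 C:\WINDOWS\58706254:2973139196.exe - copied to quarantine
22:07:18.0484 2940 4ec97f03 ( HiddenFile.Multi.Generic ) - User select action: Quarantine
"""

HEX = "[0-9A-F]{8}"
# One regex per GMER / TDSSKiller line shape seen in the thread.
KERNEL_PATCH = re.compile(rf"^\.text (?P<module>[\w.]+)!(?P<symbol>\S+)(?: \+ [0-9A-F]+)? "
                          rf"(?P<addr>{HEX}) (?P<size>\d+) Bytes (?:(?P<kind>CALL|JMP) (?P<target>{HEX})|\[)")
WRITEABLE = re.compile(r"^\.text (?P<path>\S+) section is writeable \[0x(?P<base>[0-9A-F]+), 0x(?P<size>[0-9A-F]+),")
SUSPICIOUS = re.compile(r"^\? (?P<path>\S+) suspicious PE modification")
USER_HOOK = re.compile(rf"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<module>[\w.]+)!(?P<symbol>\w+) "
                       rf"(?P<addr>{HEX}) (?P<size>\d+) Bytes JMP (?P<target>{HEX})")
DEVICE = re.compile(rf"^Device (?P<driver>\S+) (?P<link>\S+) (?P<obj>{HEX})")
TDSS_DETECT = re.compile(r"^\S+ \d+ (?P<name>\S+) \( (?P<verdict>[^)]+) \) - ")
TDSS_QUARANTINE = re.compile(r"^\S+ \d+ (?P<path>.+?) - copied to quarantine")

# Thresholds are assumptions made for this example, not values from either tool.
FAR = 0x400000                  # a CALL/JMP landing > 4 MiB away is not inside the patched module's image
NEAR = 0x10000                  # "within 64 KiB" of a device object: same pool neighbourhood
USER_MODULE_FLOOR = 0x10000000  # XP system DLLs map far above this; lower targets are heap/private pages

def leaf(path):
    """Last component of a Windows path or object-manager name (split on backslash only)."""
    return path.rsplit("\\", 1)[-1]

def parse_gmer(text):
    """Collect kernel patches, modified driver images, user-mode hooks and device objects."""
    rep = {"kernel": [], "writeable": {}, "suspicious": set(), "user_hooks": [], "devices": []}
    for line in text.splitlines():
        if m := KERNEL_PATCH.match(line):
            rep["kernel"].append({"module": m["module"].lower(), "symbol": m["symbol"],
                                  "addr": int(m["addr"], 16),
                                  "target": int(m["target"], 16) if m["target"] else None})
        elif m := WRITEABLE.match(line):
            rep["writeable"][leaf(m["path"]).lower()] = (int(m["base"], 16), int(m["size"], 16))
        elif m := SUSPICIOUS.match(line):
            rep["suspicious"].add(leaf(m["path"]).lower())
        elif m := USER_HOOK.match(line):
            rep["user_hooks"].append({"proc": m["proc"], "pid": int(m["pid"]), "module": m["module"],
                                      "symbol": m["symbol"], "target": int(m["target"], 16)})
        elif m := DEVICE.match(line):
            rep["devices"].append({"driver": m["driver"], "link": m["link"], "obj": int(m["obj"], 16)})
    return rep

def parse_tdss(text):
    """Collect TDSSKiller detection names with their verdicts, and quarantined paths."""
    rep = {"detections": [], "quarantined": []}
    for line in text.splitlines():
        if m := TDSS_DETECT.match(line):
            rep["detections"].append({"name": m["name"], "verdict": m["verdict"].strip()})
        elif m := TDSS_QUARANTINE.match(line):
            rep["quarantined"].append(m["path"])
    return rep

def triage(gmer, tdss):
    """Reduce both logs to the findings a responder would want to look at first."""
    out = []
    for e in gmer["kernel"]:
        if e["target"] is not None and abs(e["target"] - e["addr"]) > FAR:
            note = f"kernel hook {e['module']}!{e['symbol']} -> {e['target']:08X} (outside module image)"
            for d in gmer["devices"]:          # does the hook land next to a device object?
                if abs(e["target"] - d["obj"]) < NEAR:
                    note += f"; within 64 KiB of device object {d['link']} at {d['obj']:08X}"
            out.append(note)
    for name in sorted(gmer["suspicious"] | set(gmer["writeable"])):
        patched = sum(1 for e in gmer["kernel"] if e["module"] == name)
        out.append(f"modified driver image {name}: {patched} patched regions")
    for h in gmer["user_hooks"]:
        if h["target"] < USER_MODULE_FLOOR:  # JMP into memory that is not a mapped DLL
            out.append(f"user hook {h['proc']}[{h['pid']}] {h['module']}!{h['symbol']} -> {h['target']:08X}")
    names = {d["name"] for d in tdss["detections"]}
    for d in gmer["devices"]:                # same name in both tools' output?
        if leaf(d["link"]) in names:
            out.append(f"device {d['link']} shares its name with TDSSKiller detection {leaf(d['link'])}")
    for p in tdss["quarantined"]:
        if ":" in leaf(p):                   # NTFS file:stream syntax = alternate data stream
            out.append(f"quarantined object is an alternate data stream: {p}")
    return out

if __name__ == "__main__":
    for finding in triage(parse_gmer(SAMPLE_GMER), parse_tdss(SAMPLE_TDSS)):
        print(finding)
```

User-mode inline hooks of the kind in the svchost.exe[996] entries are also installed by legitimate software (remote-access tools and security products both do it), so the script lists them for review rather than judging them. The kernel findings are the ones that deserve a second look: a CALL out of ntoskrnl.exe!IoFreeIrp into memory that sits a few kilobytes from the device object in GMER's Devices section, a netbt.sys whose code section is writeable and whose exports carry randomised-looking names, and an object name that appears in both tools' output.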