OpenCloud Security Virus


16 replies to this topic

#1 that1120 (Members)

Posted 04 October 2011 - 07:36 PM

To whom it may concern,

I have dealt with many viruses in the past, but this OpenCloud Security Virus seems to be particularly pesky. I tried running rkill at first; rkill yielded no results, but it was obvious that there was still a virus. I would try running MBAM, but 10 seconds in, the virus would shut it down. In addition to OpenCloud Security, there are other conspicuous programs installed, such as Reimage Repair and Driver Detective. Attached are the DDS files requested. I tried running gmer, but 10 seconds in, the gmer scan was stopped and the program was shut down. I tried running gmer again, but I got the following error code: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Nonetheless, here are the DDS logs.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_26
Run by May at 20:14:21 on 2011-10-04
Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.894.576 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\709773043:213496277.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ADC PlugIn: {19090308-636d-4e9b-a1ce-a647b6f794bf} - c:\documents and settings\may\application data\wwwwk77fr\sysl32.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {B580CF65-E151-49C3-B73F-70B13FCA8E86} - No File
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {95B3F550-91C4-4627-BCC4-521288C52977} - c:\program files\pplive\pptv\PPLive.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{20934345-971A-4084-9C57-B0463CB74F50} : DhcpNameServer = 192.168.0.1
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\may\application data\mozilla\firefox\profiles\ax9uj57q.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-4-16 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 MSSQL$ITSQLEXPRESS;SQL Server (ITSQLEXPRESS);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-25 29263712]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-10-2 41272]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-3 136176]
S3 cpuz134;cpuz134;\??\c:\docume~1\may\locals~1\temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\may\locals~1\temp\cpuz134\cpuz134_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-3 136176]
.
=============== Created Last 30 ================
.
2011-10-04 23:03:13 -------- d-----w- c:\documents and settings\may\application data\XbF3pnG5aJW8R9X
2011-10-04 23:03:13 -------- d-----w- c:\documents and settings\may\application data\pelIBtzP0
2011-10-03 01:52:20 -------- d-----w- c:\documents and settings\may\application data\SUPERAntiSpyware.com
2011-10-03 01:51:41 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-03 01:51:26 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-03 01:51:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-03 01:46:51 -------- d-----w- c:\documents and settings\may\application data\Malwarebytes
2011-10-03 01:46:51 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-03 01:46:18 -------- d-----w- c:\documents and settings\may\application data\PnF4amH6sJfLgZj
2011-10-03 01:46:18 -------- d-----w- c:\documents and settings\may\application data\BzONyxA0uSoFpGQ
2011-10-03 01:27:55 -------- d-----w- c:\documents and settings\may\application data\ullIBrrzP
2011-10-03 01:27:55 -------- d-----w- c:\documents and settings\may\application data\t7dEEL8gTq
2011-10-02 14:27:54 -------- d-----w- C:\rei
2011-10-02 14:27:49 -------- d-----w- c:\program files\Reimage
2011-10-02 14:21:13 -------- d-----w- c:\documents and settings\may\application data\HBtxP0ycSiDoGaH
2011-10-02 14:16:35 -------- d-----w- c:\documents and settings\may\application data\JnG4ammH6WK7
2011-10-02 14:16:35 -------- d-----w- c:\documents and settings\may\application data\IqqYkBzNN
2011-09-30 12:11:07 -------- d-----w- c:\documents and settings\may\application data\WWWWK77fR
2011-09-30 12:11:07 -------- d-----w- c:\documents and settings\may\application data\VSSS1ibbD3nG4Q6
2011-09-30 12:11:00 -------- d-----w- c:\documents and settings\may\application data\YD22onnF4pm5sJ7
2011-09-20 03:48:00 -------- d-----w- c:\documents and settings\may\local settings\application data\LogiShrd
.
==================== Find3M ====================
.
2010-09-02 19:17:36 15872 ----a-w- c:\program files\common files\JH_Killer.exe
2001-09-28 22:00:28 164864 ----a-w- c:\program files\UNWISE.EXE
.
============= FINISH: 20:14:57.67 ===============


#2 Aaflac (Malware Response Team)

Posted 06 October 2011 - 08:42 PM

that1120,

First, let's take care of this file:
C:\WINDOWS\709773043:213496277.exe

It throws a wrench in the works, and programs will not run successfully...

Please download DummyCreator.zip

Unzip the folder:
Right-click and select: Extract all
Follow the prompts to extract

Open the new folder that appears on the Desktop:
Double-click DummyCreator/DummyMaker to run the tool.

Now, copy/paste the following into the blank area:

C:\WINDOWS\709773043

Press the Create button.

Save the content of the Result.txt to your Desktop, and post it in your reply. It is a very short report.

Next, restart the computer!


Please do not run any malware removal programs while we are in the process of making malware repairs. Doing so may just make matters worse, and that, you do not want!

Thanks!

Old duck...
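
Added example, not part of the thread and not DDS, DummyCreator or ComboFix code: the three things a responder picks out of the DDS log in post #1, the way Aaflac does above, written as a small Python triage script. The path Aaflac singles out, C:\WINDOWS\709773043:213496277.exe, uses NTFS alternate-data-stream syntax: the second colon means the executable is a named stream attached to the object C:\WINDOWS\709773043, which ordinary directory listings do not show. The script flags that syntax in the Running Processes section, flags any BHO whose DLL loads from a user's Application Data folder (the "ADC PlugIn" entry), and flags random-looking Application Data directories in Created Last 30, treating a directory created in the same second as a flagged one as its sibling. The sample LOG is an excerpt of the poster's DDS output; the random-name rule and the same-second rule are heuristics chosen for this example, and every hit still needs a human to look at it.

```python
"""Indicator triage over the DDS log from post #1 of this thread (added example;
not part of DDS, ComboFix, DummyCreator or BleepingComputer tooling). The rules
below are heuristics chosen for this example, not the tools' own logic."""
import re
from collections import defaultdict

# Excerpt of the poster's DDS log, constructed from the lines quoted in this thread.
LOG = r"""
============== Running Processes ===============
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\709773043:213496277.exe
C:\WINDOWS\explorer.exe
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ADC PlugIn: {19090308-636d-4e9b-a1ce-a647b6f794bf} - c:\documents and settings\may\application data\wwwwk77fr\sysl32.dll
=============== Created Last 30 ================
2011-10-04 23:03:13 -------- d-----w- c:\documents and settings\may\application data\XbF3pnG5aJW8R9X
2011-10-04 23:03:13 -------- d-----w- c:\documents and settings\may\application data\pelIBtzP0
2011-10-03 01:52:20 -------- d-----w- c:\documents and settings\may\application data\SUPERAntiSpyware.com
2011-10-03 01:51:41 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-03 01:46:51 -------- d-----w- c:\documents and settings\may\application data\Malwarebytes
2011-10-03 01:46:51 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-03 01:46:18 -------- d-----w- c:\documents and settings\may\application data\PnF4amH6sJfLgZj
2011-10-03 01:46:18 -------- d-----w- c:\documents and settings\may\application data\BzONyxA0uSoFpGQ
2011-10-03 01:27:55 -------- d-----w- c:\documents and settings\may\application data\ullIBrrzP
2011-10-03 01:27:55 -------- d-----w- c:\documents and settings\may\application data\t7dEEL8gTq
2011-10-02 14:21:13 -------- d-----w- c:\documents and settings\may\application data\HBtxP0ycSiDoGaH
2011-10-02 14:16:35 -------- d-----w- c:\documents and settings\may\application data\JnG4ammH6WK7
2011-10-02 14:16:35 -------- d-----w- c:\documents and settings\may\application data\IqqYkBzNN
2011-09-30 12:11:07 -------- d-----w- c:\documents and settings\may\application data\WWWWK77fR
2011-09-30 12:11:07 -------- d-----w- c:\documents and settings\may\application data\VSSS1ibbD3nG4Q6
2011-09-30 12:11:00 -------- d-----w- c:\documents and settings\may\application data\YD22onnF4pm5sJ7
============= FINISH: 20:14:57.67 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# A second colon after the drive letter is NTFS alternate-data-stream syntax:
# C:\WINDOWS\709773043:213496277.exe = stream 213496277.exe on C:\WINDOWS\709773043
ADS_RE = re.compile(r"^(?P<host>[A-Za-z]:\\[^:\s]*):(?P<stream>[^:\s]+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?): \{[0-9a-f-]+\} - (?P<path>.+)$", re.I)
# Roaming profile root on XP; 'dir' is the first directory below Application Data.
PROFILE_RE = re.compile(r"^c:\\documents and settings\\[^\\]+\\application data\\(?P<dir>[^\\]+)", re.I)
CREATED_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+(?P<attr>\S+)\s+(?P<path>.+)$")


def sections(text):
    """Split a DDS log into {section title: [non-empty lines]}."""
    out, title = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            title = m.group(1)
        elif title and line and line != ".":
            out[title].append(line)
    return out


def case_transitions(name):
    """Count upper<->lower switches between consecutive letters."""
    n, prev = 0, None
    for ch in name:
        if ch.isalpha():
            up = ch.isupper()
            if prev is not None and up != prev:
                n += 1
            prev = up
    return n


def looks_random(name):
    """Heuristic (chosen for this example): long, no dot/space, digits or many case switches."""
    if len(name) < 8 or "." in name or " " in name:
        return False
    return any(c.isdigit() for c in name) or case_transitions(name) >= 4


def random_profile_dirs(created_lines):
    """Random-looking directories under Application Data, plus any directory created
    in the same second as one of them (the dropper here created them in pairs)."""
    entries = []
    for line in created_lines:
        m = CREATED_RE.match(line)
        if m and m.group("attr").startswith("d"):       # 'd' flag = directory
            p = PROFILE_RE.match(m.group("path"))
            if p:
                entries.append((m.group("ts"), p.group("dir"), m.group("path")))
    flagged = {path for _, d, path in entries if looks_random(d)}
    hot = {ts for ts, _, path in entries if path in flagged}
    flagged |= {path for ts, _, path in entries if ts in hot}
    return sorted(flagged)


def triage(text):
    """Return the ADS processes, profile-loaded BHOs and suspicious directories in a DDS log."""
    s = sections(text)
    ads = [(m.group("host"), m.group("stream")) for m in map(ADS_RE.match, s["Running Processes"]) if m]
    bhos = [(m.group("name"), m.group("path")) for m in map(BHO_RE.match, s["Pseudo HJT Report"])
            if m and PROFILE_RE.match(m.group("path"))]
    dirs = random_profile_dirs(s["Created Last 30"])
    names = {PROFILE_RE.match(p).group("dir").lower() for p in dirs}
    linked = [b for b in bhos if PROFILE_RE.match(b[1]).group("dir").lower() in names]
    return {"ads_processes": ads, "profile_bhos": bhos, "random_dirs": dirs, "bho_in_random_dir": linked}
```

triage(LOG) returns the one ADS-hosted process, the one BHO loading from Application Data (and the fact that its folder, wwwwk77fr, is one of the flagged directories), and twelve directories: the same twelve that Aaflac later lists under Folder:: in the CFScript in post #7. ullIBrrzP has no digits and too few case switches to trip the name rule on its own; it is picked up only because it was created in the same second as t7dEEL8gTq, which is why the sibling rule is there.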


#3 that1120 (Topic Starter)

Posted 06 October 2011 - 09:45 PM

Hi Aaflac,

Thank you in advance for your help.

I ran DummyCreator and had the following result:

DummyCreator by Farbar
Ran by May (administrator) on 06-10-2011 at 22:36:22
**************************************************************

C:\WINDOWS\709773043 [06-10-2011 22:36:22]

== End of log ==

Thanks!

#4 Aaflac (Malware Response Team)

Posted 06 October 2011 - 10:15 PM

that1120,

That is the result we want. :thumbup2:

Big question: Do you have an AntiVirus program installed????

If not, do not attempt to do so right now, but, as soon as we are in the clear, it is a MUST DO!



Please do the following, running ComboFix first, and TDSSKiller next. If ComboFix does not run, press on to run TDSSKiller.


If you have ComboFix (CF) already on your Desktop, please remove it. We'll download an updated version.

Download ComboFix

Save ComboFix.exe to your Desktop!! <- Important!

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the running of CF.

Information available through this link

Double-click on ComboFix.exe to run the program.

When given the option, DO install the Recovery Console . This program can come in very handy if there is trouble.

Click on Yes, to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply.


Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



~~~~
Next, please remove any previous download of TDSSKiller (if used) and download the latest version: TDSSKiller.exe

Execute the file:
XP - Double-click tdsskiller.exe

Press the button: Start Scan

The tool scans and detects two object types:
Malicious (where the malware has been identified)
Suspicious (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action (Cure or Delete) for Malicious objects. Leave the setting as it is.

It also prompts the User to select an action to apply to Suspicious objects (Skip, by default). Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.


A Reboot Required prompt may appear after a disinfection. Please reboot.


By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please post the TDSSKiller log in your reply.



Need to see the following in your reply:
**The ComboFix log
**The TDSSKiller log
**Whether TDSSKiller needed a reboot


Thanks.

Old duck...


#5 that1120 (Topic Starter)

Posted 06 October 2011 - 11:01 PM

Hi Aaflac,

I didn't have any AV programs installed, but I plan on installing Microsoft Security Essentials after I get rid of this virus.

I tried running ComboFix. Strangely, ComboFix runs only in Chinese; thankfully, I do have a translator. During the scan, ComboFix told me that I might have a rootkit, or a ZeroAccessRootkit. Nonetheless, ComboFix still ran, producing the attached log (log.txt). Some of the characters in the log were Chinese characters; I don't know if that will make a difference.

TDSSKiller ran very smoothly. A reboot was required, but a rootkit was found. Attached is the log.

For the future, would you want me to directly copy logs into the reply post or attach them?

Thanks,
that1120

Edited by that1120, 06 October 2011 - 11:01 PM.


#6 Aaflac (Malware Response Team)

Posted 06 October 2011 - 11:13 PM

Thanks for providing the reports. It is preferable for you to directly copy the logs into the reply. They are easier to read. :)

The ComboFix report is still showing malware entries.

I am signing off for tonight, but will have instructions for you in the morning.

In the meantime, please try not to use this computer. You do not want any more malware on it!

Thanks!!

Old duck...


#7 Aaflac (Malware Response Team)

Posted 07 October 2011 - 12:12 AM

that1120,

Let's do the following:

1. Please continue to disable (temporarily) all AntiVirus and AntiMalware programs so they do not interfere with the running of ComboFix.

2. Open Notepad, click the Format menu, uncheck Word Wrap, and then copy/paste the text in the code box below to it:


KILLALL::

Folder::
c:\documents and settings\May\Application Data\pelIBtzP0
c:\documents and settings\May\Application Data\XbF3pnG5aJW8R9X
c:\documents and settings\May\Application Data\PnF4amH6sJfLgZj
c:\documents and settings\May\Application Data\BzONyxA0uSoFpGQ
c:\documents and settings\May\Application Data\ullIBrrzP
c:\documents and settings\May\Application Data\t7dEEL8gTq
c:\documents and settings\May\Application Data\HBtxP0ycSiDoGaH
c:\documents and settings\May\Application Data\JnG4ammH6WK7
c:\documents and settings\May\Application Data\IqqYkBzNN
c:\documents and settings\May\Application Data\WWWWK77fR
c:\documents and settings\May\Application Data\VSSS1ibbD3nG4Q6
c:\documents and settings\May\Application Data\YD22onnF4pm5sJ7


Save to your Desktop as CFScript.txt

3. Close all open windows.

4. Referring to the picture below, drag CFScript >>> into >>> ComboFix.exe

[picture: CFScript.txt being dragged onto ComboFix.exe]


When finished, it will produce a log for you at "C:\ComboFix.txt"



Note: Do not mouse-click the ComboFix window while it is running. It may cause CF to stall.



When done, please post the new Combofix.txt in your reply.


Next, please run TDSSKiller once again, and post its report.


Thanks.

Old duck...


#8 that1120 (Topic Starter)

Posted 07 October 2011 - 06:00 PM

Hey Aaflac,

I followed the steps you asked me to do, and I got the two logs:

ComboFix:

ComboFix 11-10-06.04 - May 7/2011 Fri 18:32:31.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.894.595 [GMT -4:00]
Running from: c:\documents and settings\May\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\May\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\May\Application Data\BzONyxA0uSoFpGQ
c:\documents and settings\May\Application Data\HBtxP0ycSiDoGaH
c:\documents and settings\May\Application Data\IqqYkBzNN
c:\documents and settings\May\Application Data\JnG4ammH6WK7
c:\documents and settings\May\Application Data\pelIBtzP0
c:\documents and settings\May\Application Data\PnF4amH6sJfLgZj
c:\documents and settings\May\Application Data\t7dEEL8gTq
c:\documents and settings\May\Application Data\ullIBrrzP
c:\documents and settings\May\Application Data\VSSS1ibbD3nG4Q6
c:\documents and settings\May\Application Data\WWWWK77fR
c:\documents and settings\May\Application Data\XbF3pnG5aJW8R9X
c:\documents and settings\May\Application Data\YD22onnF4pm5sJ7
.
.
((((((((((((((((((((((((( Files Created from 2011-09-07 to 2011-10-07 )))))))))))))))))))))))))))))))
.
.
2011-10-03 01:52 . 2011-10-03 01:52 -------- d-----w- c:\documents and settings\May\Application Data\SUPERAntiSpyware.com
2011-10-03 01:51 . 2011-10-04 23:54 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-03 01:51 . 2011-10-04 23:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-03 01:51 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-03 01:46 . 2011-10-03 01:46 -------- d-----w- c:\documents and settings\May\Application Data\Malwarebytes
2011-10-03 01:46 . 2011-10-03 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-03 01:40 . 2011-10-03 01:40 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-10-02 14:27 . 2011-10-02 14:28 -------- d-----w- C:\rei
2011-10-02 14:27 . 2011-10-02 14:27 -------- d-----w- c:\program files\Reimage
2011-09-20 03:48 . 2011-09-20 03:48 -------- d-----w- c:\documents and settings\May\Local Settings\Application Data\LogiShrd
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-07 03:54 . 2004-08-12 13:58 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-07-14 11:20 . 2011-07-14 11:16 40960 ----a-r- c:\documents and settings\May\Application Data\Microsoft\Installer\{7010DC20-6CF9-7171-AE11-006F40FE7010}\UserPrefManager_CB4F5113071A473EAA4FE544D68EF3A7.exe
2011-07-14 11:20 . 2011-07-14 11:16 40960 ----a-r- c:\documents and settings\May\Application Data\Microsoft\Installer\{7010DC20-6CF9-7171-AE11-006F40FE7010}\UserPrefLocator_B11D488824134CD29B20F3FAD6EABFAE.exe
2011-07-14 11:20 . 2011-07-14 11:16 57344 ----a-r- c:\documents and settings\May\Application Data\Microsoft\Installer\{7010DC20-6CF9-7171-AE11-006F40FE7010}\StartMenu_C9386B61682A4A8A824452D5667BA44A.exe
2011-07-14 11:20 . 2011-07-14 11:16 57344 ----a-r- c:\documents and settings\May\Application Data\Microsoft\Installer\{7010DC20-6CF9-7171-AE11-006F40FE7010}\Desktop_65606E1E02F649BFBABF559DDD479E32.exe
2011-07-14 11:20 . 2011-07-14 11:16 57344 ----a-r- c:\documents and settings\May\Application Data\Microsoft\Installer\{7010DC20-6CF9-7171-AE11-006F40FE7010}\ARPPRODUCTICON.exe
2010-09-02 19:17 . 2010-09-02 19:17 15872 ----a-w- c:\program files\Common Files\JH_Killer.exe
2001-09-28 22:00 . 2010-04-06 02:04 164864 ----a-w- c:\program files\UNWISE.EXE
2010-05-12 20:42 . 2010-05-12 20:42 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-05-12 21:22 . 2010-05-12 21:22 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-05-12 20:43 . 2010-05-12 20:43 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-05-12 20:42 . 2010-05-12 20:42 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-05-12 20:42 . 2010-05-12 20:42 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-05-12 20:41 . 2010-05-12 20:41 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-05-12 20:42 . 2010-05-12 20:42 31160 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-05-12 20:42 . 2010-05-12 20:42 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2010-04-14 17:55 . 2010-04-14 17:55 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-05-12 20:43 . 2010-05-12 20:43 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-09-08 19:30 . 2011-05-11 23:33 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-07_03.45.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-07 22:40 . 2011-10-07 22:40 16384 c:\windows\temp\Perflib_Perfdata_1c4.dat
+ 2011-10-07 22:40 . 2011-10-07 22:40 16384 c:\windows\temp\Perflib_Perfdata_16c.dat
+ 2011-10-07 22:40 . 2009-10-07 05:47 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
c:\documents and settings\Yong\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Logitech\Logitech WebCam Software\eReg.exe [2009-10-14 517384]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AEG ForeSight Startup Services.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AEG ForeSight Startup Services.lnk
backup=c:\windows\pss\AEG ForeSight Startup Services.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PPTV.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PPTV.lnk
backup=c:\windows\pss\PPTV.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^May^Start Menu^Programs^Startup^PPS.lnk]
path=c:\documents and settings\May\Start Menu\Programs\Startup\PPS.lnk
backup=c:\windows\pss\PPS.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Yong^Start Menu^Programs^Startup^Funshion.lnk]
path=c:\documents and settings\Yong\Start Menu\Programs\Startup\Funshion.lnk
backup=c:\windows\pss\Funshion.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Yong^Start Menu^Programs^Startup^.lnk]
path=c:\documents and settings\Yong\Start Menu\Programs\Startup\.lnk
backup=c:\windows\pss\.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 05:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-05-10 15:12 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2008-11-26 15:39 2289664 ----a-w- c:\windows\system32\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionCenter]
2010-05-12 21:03 300472 ----a-w- c:\program files\Citrix\ICA Client\concentr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-12 13:56 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2007-05-14 18:23 1191936 ----a-w- c:\program files\Dell\QuickSet\quickset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Pinyin 2 Autoupdater]
2011-02-14 01:59 1160760 ----a-w- c:\program files\Google\Google Pinyin 2\GooglePinyinDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-06-02 00:15 136176 ----atw- c:\documents and settings\Yong\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 04:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-12 13:58 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
2002-12-10 22:32 155648 ----a-w- c:\program files\Logitech\ImageStudio\ISStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
2002-12-10 22:31 61440 ----a-w- c:\program files\Logitech\ImageStudio\LogiTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 17:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2002-12-10 21:54 127022 ----a-w- c:\program files\Common Files\Logitech\QCDriver3\LVComS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2007-09-17 15:56 124200 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-12 13:58 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-12 13:58 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPAP]
2011-06-09 03:14 439744 ----a-w- c:\program files\Common Files\PPLiveNetwork\PPAP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPS Accelerator]
2010-02-24 03:25 214408 ----a-w- c:\progra~1\PPStream\PPSAP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-02-19 18:26 303104 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 16:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-06-10 16:26 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-04-04 01:36 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\PPLive\\PPTV\\PPLive.exe"=
"c:\\Program Files\\Common Files\\PPLiveNetwork\\PPAP.exe"=
"c:\\Program Files\\PPLive\\PPTV\\PPLiveU.exe"=
"c:\\Documents and Settings\\Yong\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Funshion Online\\Funshion\\FunshionUpgrade.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"c:\\Program Files\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [4/16/2010 4:22 PM 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 MSSQL$ITSQLEXPRESS;SQL Server (ITSQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/25/2008 2:31 AM 29263712]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/3/2011 9:36 PM 136176]
S3 cpuz134;cpuz134;\??\c:\docume~1\May\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\May\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/3/2011 9:36 PM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 01:36]
.
2011-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 01:36]
.
2011-09-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-688789844-725345543-1005Core.job
- c:\documents and settings\Yong\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-02 00:15]
.
2011-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-688789844-725345543-1005UA.job
- c:\documents and settings\Yong\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-02 00:15]
.
2011-10-07 c:\windows\Tasks\Norton PC Checkup Setup.job
- c:\docume~1\Yong\LOCALS~1\Temp\PCCUStubInstaller\SymcPCCUInstaller.exe [2011-08-29 17:06]
.
2011-10-02 c:\windows\Tasks\Reimage Reminder.job
- c:\program files\Reimage\Reimage Repair\ReimageReminder.exe [2011-09-26 06:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\May\Application Data\Mozilla\Firefox\Profiles\ax9uj57q.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-61032393.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-07 18:42
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(936)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(4720)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2011-10-07 18:45:40 -
ComboFix-quarantined-files.txt 2011-10-07 22:45
ComboFix2.txt 2011-10-07 03:49
.
Pre-Run: 95,083,405,312 bytes free
Post-Run: 95,069,487,104 bytes free
.
- - End Of File - - 22DB80553BF13F4ABD604DF52F45CDFA




18:47:35.0203 4112 TDSS rootkit removing tool 2.6.5.0 Oct 5 2011 20:52:46
18:47:39.0500 4112 ============================================================
18:47:39.0500 4112 Current date / time: 2011/10/07 18:47:39.0500
18:47:39.0500 4112 SystemInfo:
18:47:39.0500 4112
18:47:39.0500 4112 OS Version: 5.1.2600 ServicePack: 2.0
18:47:39.0500 4112 Product type: Workstation
18:47:39.0500 4112 ComputerName: HOME-MAY
18:47:39.0500 4112 UserName: May
18:47:39.0500 4112 Windows directory: C:\WINDOWS
18:47:39.0500 4112 System windows directory: C:\WINDOWS
18:47:39.0500 4112 Processor architecture: Intel x86
18:47:39.0500 4112 Number of processors: 1
18:47:39.0500 4112 Page size: 0x1000
18:47:39.0500 4112 Boot type: Normal boot
18:47:39.0500 4112 ============================================================
18:47:41.0171 4112 Initialize success
18:47:44.0828 1476 ============================================================
18:47:44.0828 1476 Scan started
18:47:44.0828 1476 Mode: Manual;
18:47:44.0828 1476 ============================================================
18:47:46.0062 1476 Abiosdsk - ok
18:47:46.0093 1476 abp480n5 - ok
18:47:46.0171 1476 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:47:46.0171 1476 ACPI - ok
18:47:46.0234 1476 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
18:47:46.0234 1476 ACPIEC - ok
18:47:46.0250 1476 adpu160m - ok
18:47:46.0296 1476 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
18:47:46.0312 1476 aec - ok
18:47:46.0390 1476 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
18:47:46.0390 1476 AFD - ok
18:47:46.0406 1476 Aha154x - ok
18:47:46.0421 1476 aic78u2 - ok
18:47:46.0437 1476 aic78xx - ok
18:47:46.0453 1476 AliIde - ok
18:47:46.0468 1476 AmdK8 - ok
18:47:46.0484 1476 amsint - ok
18:47:46.0562 1476 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
18:47:46.0578 1476 APPDRV - ok
18:47:46.0625 1476 asc - ok
18:47:46.0640 1476 asc3350p - ok
18:47:46.0656 1476 asc3550 - ok
18:47:46.0703 1476 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:47:46.0703 1476 AsyncMac - ok
18:47:46.0828 1476 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:47:46.0828 1476 atapi - ok
18:47:46.0843 1476 Atdisk - ok
18:47:46.0984 1476 ati2mtag (e78b73eb84c257d0d940e041742d2699) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
18:47:47.0000 1476 ati2mtag - ok
18:47:47.0015 1476 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:47:47.0031 1476 Atmarpc - ok
18:47:47.0125 1476 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
18:47:47.0125 1476 audstub - ok
18:47:47.0250 1476 BCM43XX (37f385a93c620cbe0f89c17e45f697a1) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
18:47:47.0296 1476 BCM43XX - ok
18:47:47.0359 1476 bcm4sbxp (cd4646067cc7dcba1907fa0acf7e3966) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
18:47:47.0359 1476 bcm4sbxp - ok
18:47:47.0515 1476 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
18:47:47.0515 1476 Beep - ok
18:47:47.0531 1476 catchme - ok
18:47:47.0609 1476 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
18:47:47.0609 1476 cbidf2k - ok
18:47:47.0625 1476 cd20xrnt - ok
18:47:47.0640 1476 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
18:47:47.0640 1476 Cdaudio - ok
18:47:47.0718 1476 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
18:47:47.0718 1476 Cdfs - ok
18:47:47.0796 1476 Cdrom (7b53584d94e9d8716b2de91d5f1cb42d) C:\WINDOWS\system32\DRIVERS\cdrom.sys
18:47:47.0796 1476 Cdrom - ok
18:47:47.0812 1476 Changer - ok
18:47:47.0921 1476 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
18:47:47.0921 1476 CmBatt - ok
18:47:47.0937 1476 CmdIde - ok
18:47:47.0953 1476 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
18:47:47.0953 1476 Compbatt - ok
18:47:47.0984 1476 Cpqarray - ok
18:47:48.0140 1476 cpuz134 - ok
18:47:48.0343 1476 ctxusbm (cb6ff7012bb5d59d7c12350db795ce1f) C:\WINDOWS\system32\DRIVERS\ctxusbm.sys
18:47:48.0343 1476 ctxusbm - ok
18:47:48.0359 1476 dac2w2k - ok
18:47:48.0375 1476 dac960nt - ok
18:47:48.0453 1476 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
18:47:48.0453 1476 Disk - ok
18:47:48.0562 1476 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
18:47:48.0593 1476 dmboot - ok
18:47:48.0609 1476 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
18:47:48.0609 1476 dmio - ok
18:47:48.0625 1476 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
18:47:48.0625 1476 dmload - ok
18:47:48.0718 1476 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
18:47:48.0718 1476 DMusic - ok
18:47:48.0734 1476 dpti2o - ok
18:47:48.0765 1476 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
18:47:48.0765 1476 drmkaud - ok
18:47:48.0796 1476 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
18:47:48.0796 1476 Fastfat - ok
18:47:49.0000 1476 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
18:47:49.0000 1476 Fdc - ok
18:47:49.0015 1476 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
18:47:49.0015 1476 Fips - ok
18:47:49.0062 1476 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
18:47:49.0062 1476 Flpydisk - ok
18:47:49.0125 1476 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
18:47:49.0125 1476 FltMgr - ok
18:47:49.0187 1476 FsVga (455f778ee14368468560bd7cb8c854d0) C:\WINDOWS\system32\DRIVERS\fsvga.sys
18:47:49.0187 1476 FsVga - ok
18:47:49.0187 1476 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
18:47:49.0187 1476 Fs_Rec - ok
18:47:49.0203 1476 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
18:47:49.0218 1476 Ftdisk - ok
18:47:49.0250 1476 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
18:47:49.0250 1476 Gpc - ok
18:47:49.0343 1476 HDAudBus (e31363d186b3e1d7c4e9117884a6aee5) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
18:47:49.0343 1476 HDAudBus - ok
18:47:49.0375 1476 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
18:47:49.0375 1476 hidusb - ok
18:47:49.0453 1476 hpn - ok
18:47:49.0484 1476 HSFHWAZL (b1526810210980bed9d22315946c919d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
18:47:49.0484 1476 HSFHWAZL - ok
18:47:49.0640 1476 HSF_DPV (ddbd528e60f5961c142a490dc4ea7780) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
18:47:49.0671 1476 HSF_DPV - ok
18:47:49.0765 1476 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
18:47:49.0765 1476 HTTP - ok
18:47:49.0781 1476 i2omgmt - ok
18:47:49.0796 1476 i2omp - ok
18:47:49.0875 1476 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
18:47:49.0875 1476 i8042prt - ok
18:47:49.0953 1476 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
18:47:49.0953 1476 Imapi - ok
18:47:50.0109 1476 ini910u - ok
18:47:50.0125 1476 IntelIde - ok
18:47:50.0203 1476 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
18:47:50.0203 1476 Ip6Fw - ok
18:47:50.0281 1476 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
18:47:50.0281 1476 IpFilterDriver - ok
18:47:50.0312 1476 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
18:47:50.0312 1476 IpInIp - ok
18:47:50.0359 1476 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
18:47:50.0437 1476 IpNat - ok
18:47:50.0812 1476 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
18:47:50.0859 1476 IPSec - ok
18:47:50.0906 1476 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
18:47:50.0906 1476 IRENUM - ok
18:47:50.0953 1476 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
18:47:50.0953 1476 isapnp - ok
18:47:51.0171 1476 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
18:47:51.0171 1476 Kbdclass - ok
18:47:51.0281 1476 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
18:47:51.0281 1476 kbdhid - ok
18:47:51.0343 1476 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
18:47:51.0343 1476 kmixer - ok
18:47:51.0406 1476 KSecDD (1be7cc2535d760ae4d481576eb789f24) C:\WINDOWS\system32\drivers\KSecDD.sys
18:47:51.0406 1476 KSecDD - ok
18:47:51.0421 1476 lbrtfdc - ok
18:47:51.0484 1476 LVPr2Mon (1a7db7a00a4b0d8da24cd691a4547291) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
18:47:51.0484 1476 LVPr2Mon - ok
18:47:51.0515 1476 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
18:47:51.0515 1476 mdmxsdk - ok
18:47:51.0562 1476 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
18:47:51.0562 1476 mnmdd - ok
18:47:51.0640 1476 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
18:47:51.0640 1476 Modem - ok
18:47:51.0812 1476 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
18:47:51.0812 1476 Mouclass - ok
18:47:51.0843 1476 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
18:47:51.0843 1476 mouhid - ok
18:47:51.0875 1476 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
18:47:51.0875 1476 MountMgr - ok
18:47:51.0890 1476 mraid35x - ok
18:47:51.0906 1476 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
18:47:51.0906 1476 MRxDAV - ok
18:47:52.0000 1476 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
18:47:52.0015 1476 MRxSmb - ok
18:47:52.0078 1476 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
18:47:52.0078 1476 Msfs - ok
18:47:52.0125 1476 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
18:47:52.0125 1476 MSKSSRV - ok
18:47:52.0265 1476 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
18:47:52.0265 1476 MSPCLOCK - ok
18:47:52.0281 1476 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
18:47:52.0281 1476 MSPQM - ok
18:47:52.0359 1476 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
18:47:52.0359 1476 mssmbios - ok
18:47:52.0437 1476 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
18:47:52.0453 1476 Mup - ok
18:47:52.0484 1476 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
18:47:52.0484 1476 NDIS - ok
18:47:52.0515 1476 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
18:47:52.0515 1476 NdisTapi - ok
18:47:52.0531 1476 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
18:47:52.0531 1476 Ndisuio - ok
18:47:52.0609 1476 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
18:47:52.0609 1476 NdisWan - ok
18:47:52.0625 1476 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
18:47:52.0625 1476 NDProxy - ok
18:47:52.0656 1476 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
18:47:52.0656 1476 NetBIOS - ok
18:47:52.0671 1476 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
18:47:52.0687 1476 NetBT - ok
18:47:52.0734 1476 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
18:47:52.0734 1476 Npfs - ok
18:47:52.0812 1476 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
18:47:52.0828 1476 Ntfs - ok
18:47:52.0953 1476 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
18:47:52.0953 1476 Null - ok
18:47:53.0031 1476 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
18:47:53.0031 1476 NwlnkFlt - ok
18:47:53.0046 1476 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
18:47:53.0046 1476 NwlnkFwd - ok
18:47:53.0109 1476 NwlnkIpx (79ea3fcda7067977625b3363a2657c80) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
18:47:53.0109 1476 NwlnkIpx - ok
18:47:53.0125 1476 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
18:47:53.0140 1476 NwlnkNb - ok
18:47:53.0156 1476 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
18:47:53.0156 1476 NwlnkSpx - ok
18:47:53.0265 1476 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
18:47:53.0265 1476 Parport - ok
18:47:53.0296 1476 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
18:47:53.0296 1476 PartMgr - ok
18:47:53.0343 1476 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
18:47:53.0343 1476 ParVdm - ok
18:47:53.0500 1476 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
18:47:53.0500 1476 PCI - ok
18:47:53.0515 1476 PCIDump - ok
18:47:53.0531 1476 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
18:47:53.0531 1476 PCIIde - ok
18:47:53.0562 1476 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
18:47:53.0562 1476 Pcmcia - ok
18:47:53.0593 1476 PDCOMP - ok
18:47:53.0609 1476 PDFRAME - ok
18:47:53.0625 1476 PDRELI - ok
18:47:53.0640 1476 PDRFRAME - ok
18:47:53.0656 1476 perc2 - ok
18:47:53.0671 1476 perc2hib - ok
18:47:53.0734 1476 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
18:47:53.0750 1476 PptpMiniport - ok
18:47:53.0765 1476 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
18:47:53.0765 1476 Processor - ok
18:47:53.0781 1476 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
18:47:53.0781 1476 PSched - ok
18:47:53.0812 1476 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
18:47:53.0812 1476 Ptilink - ok
18:47:53.0828 1476 ql1080 - ok
18:47:53.0843 1476 Ql10wnt - ok
18:47:53.0859 1476 ql12160 - ok
18:47:53.0875 1476 ql1240 - ok
18:47:53.0890 1476 ql1280 - ok
18:47:53.0906 1476 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
18:47:53.0906 1476 RasAcd - ok
18:47:53.0937 1476 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:47:53.0937 1476 Rasl2tp - ok
18:47:53.0953 1476 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:47:53.0953 1476 RasPppoe - ok
18:47:53.0968 1476 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
18:47:53.0968 1476 Raspti - ok
18:47:54.0000 1476 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
18:47:54.0000 1476 Rdbss - ok
18:47:54.0093 1476 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:47:54.0093 1476 RDPCDD - ok
18:47:54.0171 1476 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
18:47:54.0187 1476 RDPWD - ok
18:47:54.0359 1476 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
18:47:54.0359 1476 redbook - ok
18:47:54.0437 1476 rimmptsk (d85e3fa9f5b1f29bb4ed185c450d1470) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
18:47:54.0437 1476 rimmptsk - ok
18:47:54.0593 1476 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
18:47:54.0593 1476 SASDIFSV - ok
18:47:54.0625 1476 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
18:47:54.0625 1476 SASKUTIL - ok
18:47:54.0718 1476 sdbus (02fc71b020ec8700ee8a46c58bc6f276) C:\WINDOWS\system32\DRIVERS\sdbus.sys
18:47:54.0718 1476 sdbus - ok
18:47:54.0828 1476 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
18:47:54.0828 1476 Secdrv - ok
18:47:54.0921 1476 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
18:47:54.0921 1476 Serial - ok
18:47:54.0968 1476 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
18:47:54.0968 1476 Sfloppy - ok
18:47:54.0984 1476 Simbad - ok
18:47:55.0015 1476 Sparrow - ok
18:47:55.0078 1476 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
18:47:55.0078 1476 splitter - ok
18:47:55.0156 1476 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
18:47:55.0171 1476 sr - ok
18:47:55.0250 1476 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
18:47:55.0265 1476 Srv - ok
18:47:55.0406 1476 STHDA (31ba85e1cff39a57f702a2a0877bb8e1) C:\WINDOWS\system32\drivers\sthda.sys
18:47:55.0406 1476 STHDA - ok
18:47:55.0625 1476 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
18:47:55.0625 1476 swenum - ok
18:47:55.0640 1476 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
18:47:55.0640 1476 swmidi - ok
18:47:55.0671 1476 symc810 - ok
18:47:55.0687 1476 symc8xx - ok
18:47:55.0703 1476 sym_hi - ok
18:47:55.0718 1476 sym_u3 - ok
18:47:55.0765 1476 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
18:47:55.0765 1476 sysaudio - ok
18:47:55.0875 1476 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
18:47:55.0875 1476 Tcpip - ok
18:47:55.0937 1476 Tcpip6 (be4007ab8c9b62e3688fc2f469b98190) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
18:47:55.0937 1476 Tcpip6 - ok
18:47:55.0968 1476 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
18:47:55.0968 1476 TDPIPE - ok
18:47:56.0000 1476 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
18:47:56.0000 1476 TDTCP - ok
18:47:56.0062 1476 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
18:47:56.0062 1476 TermDD - ok
18:47:56.0109 1476 TosIde - ok
18:47:56.0187 1476 tunmp (87a0e9e18c10a9e454238e3330e2a26d) C:\WINDOWS\system32\DRIVERS\tunmp.sys
18:47:56.0187 1476 tunmp - ok
18:47:56.0281 1476 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
18:47:56.0281 1476 Udfs - ok
18:47:56.0296 1476 UIUSys - ok
18:47:56.0312 1476 ultra - ok
18:47:56.0359 1476 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
18:47:56.0359 1476 Update - ok
18:47:56.0453 1476 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
18:47:56.0453 1476 usbccgp - ok
18:47:56.0531 1476 usbehci (708579b01fed227aadb393cb0c3b4a2c) C:\WINDOWS\system32\DRIVERS\usbehci.sys
18:47:56.0531 1476 usbehci - ok
18:47:56.0625 1476 usbhub (ace960e54148821e8e48f5d191562c28) C:\WINDOWS\system32\DRIVERS\usbhub.sys
18:47:56.0625 1476 usbhub - ok
18:47:56.0671 1476 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
18:47:56.0671 1476 usbohci - ok
18:47:56.0750 1476 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
18:47:56.0750 1476 usbscan - ok
18:47:56.0890 1476 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:47:56.0890 1476 USBSTOR - ok
18:47:56.0953 1476 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
18:47:56.0968 1476 VgaSave - ok
18:47:56.0984 1476 ViaIde - ok
18:47:57.0015 1476 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
18:47:57.0015 1476 VolSnap - ok
18:47:57.0046 1476 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
18:47:57.0046 1476 Wanarp - ok
18:47:57.0062 1476 WDICA - ok
18:47:57.0156 1476 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
18:47:57.0156 1476 wdmaud - ok
18:47:57.0312 1476 winachsf (96aff1738271755a39b52eef7e35f98f) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
18:47:57.0343 1476 winachsf - ok
18:47:57.0500 1476 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
18:47:57.0500 1476 WmiAcpi - ok
18:47:57.0578 1476 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
18:47:57.0750 1476 \Device\Harddisk0\DR0 - ok
18:47:57.0765 1476 MBR (0x1B8) (2bdbc086f60bc3ca3e44f97d87ab1e64) \Device\Harddisk1\DR3
18:48:14.0593 1476 \Device\Harddisk1\DR3 - ok
18:48:14.0593 1476 Boot (0x1200) (2b6f2a0e66fdf448b7a431094b227859) \Device\Harddisk0\DR0\Partition0
18:48:14.0593 1476 \Device\Harddisk0\DR0\Partition0 - ok
18:48:14.0609 1476 Boot (0x1200) (602554afaad9a98c4d59a4c8033c647b) \Device\Harddisk1\DR3\Partition0
18:48:14.0609 1476 \Device\Harddisk1\DR3\Partition0 - ok
18:48:14.0609 1476 ============================================================
18:48:14.0609 1476 Scan finished
18:48:14.0609 1476 ============================================================
18:48:14.0625 2336 Detected object count: 0
18:48:14.0625 2336 Actual detected object count: 0
18:48:28.0062 3344 Deinitialize success


Thanks.

#9 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 07 October 2011 - 09:31 PM

that1120,

See if you can uninstall Reimage Repair and Driver Detective from Control Panel > Add/Remove Programs.

Next, let's search for any remnants by doing the scan that follows. You will need to use Internet Explorer for this scan, since the scanner is implemented as an ActiveX control.

However, compatibility with other browsers (Firefox, Opera, Netscape, etc.) was added if you agree to the installation of the ESET Smart Installer, an application which will install and launch ESET Online Scanner in a new browser window.

Download ESET Online Scanner

Press the ESET Online Scanner download button
  • In the prompt that appears, check 'Yes' to Accept Terms of Use, and click the 'Start' button
  • Allow the ActiveX to download, and click: 'Install'
  • Click Start
  • Make sure that the option Remove found threats is unticked.
  • Click Scan
  • Wait for the scan to finish
  • If any threats are found, click the 'List of found threats', then click Export to text file....
  • Save the file to your Desktop as: ESET Scan.

Please provide the contents of ESET Scan in your reply.

Old duck...


#10 that1120
  • Topic Starter

  • Members
  • 10 posts

Posted 07 October 2011 - 11:05 PM

Hey Aaflac,

I successfully removed Reimage Repair and Driver Detective. I also ran the ESET Scanner, yielding the following result:


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=a4c6e49d15395b41a6b701e11c28da51
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-10-08 03:59:31
# local_time=2011-10-07 11:59:31 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=75651
# found=16
# cleaned=0
# scan_time=3609
C:\Qoobox\Quarantine\C\Documents and Settings\May\Application Data\WWWWK77fR\sySL32.dll.vir a variant of Win32/Adware.BlueFlareAntivirus.B application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{249F458E-643C-4BC7-9E30-9C8D7D60F824}\RP282\A0033211.sys a variant of Win32/Olmarik.AXN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{249F458E-643C-4BC7-9E30-9C8D7D60F824}\RP282\A0033223.sys a variant of Win32/Olmarik.AXN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{249F458E-643C-4BC7-9E30-9C8D7D60F824}\RP282\A0033247.sys a variant of Win32/Olmarik.AXN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{249F458E-643C-4BC7-9E30-9C8D7D60F824}\RP282\A0034247.sys a variant of Win32/Olmarik.AXN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{249F458E-643C-4BC7-9E30-9C8D7D60F824}\RP282\A0034271.sys a variant of Win32/Olmarik.AXN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{249F458E-643C-4BC7-9E30-9C8D7D60F824}\RP282\A0034278.sys a variant of Win32/Olmarik.AXN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{249F458E-643C-4BC7-9E30-9C8D7D60F824}\RP282\A0034302.exe a variant of Win32/Kryptik.TLP trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{249F458E-643C-4BC7-9E30-9C8D7D60F824}\RP282\A0034303.sys a variant of Win32/Olmarik.AXN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{249F458E-643C-4BC7-9E30-9C8D7D60F824}\RP282\A0035303.sys a variant of Win32/Olmarik.AXN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{249F458E-643C-4BC7-9E30-9C8D7D60F824}\RP282\A0035318.sys a variant of Win32/Olmarik.AXN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{249F458E-643C-4BC7-9E30-9C8D7D60F824}\RP282\A0035335.sys a variant of Win32/Olmarik.AXN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{249F458E-643C-4BC7-9E30-9C8D7D60F824}\RP282\A0036335.sys a variant of Win32/Olmarik.AXN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{249F458E-643C-4BC7-9E30-9C8D7D60F824}\RP282\A0036345.sys a variant of Win32/Olmarik.AXN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{249F458E-643C-4BC7-9E30-9C8D7D60F824}\RP282\A0036353.sys a variant of Win32/Olmarik.AXN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{249F458E-643C-4BC7-9E30-9C8D7D60F824}\RP283\A0036496.dll a variant of Win32/Adware.BlueFlareAntivirus.B application (unable to clean) 00000000000000000000000000000000 I


Thanks,
that1120

#11 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 07 October 2011 - 11:22 PM

We will take care of those ESET entries when we wrap up.

Can you try running GMER once again and provide its report?
**Caution**
1. Do not use your computer for anything else during the GMER scan.
2. Rootkit scans often produce false positives. Please do NOT take action on any ROOTKIT entries.



Next, scan the system with a special tool to see if the ZeroAccess RootKit blocked and locked any programs or system files by altering the permissions on them.
  • Please download Junction.zip and save it.
    Unzip it and place the junction.exe file in the Windows directory (C:\Windows). (No need to run it.)
  • Go to Start > Run (Windows key > 'R'), and copy/paste the following command in the Open box and click OK:
    cmd /c junction -s >log.txt&log.txt
    A command window opens and scans the system.
    Next, a log file opens in Notepad.
    Please copy the contents of log.txt, and provide it in your reply.

Edited by Aaflac, 07 October 2011 - 11:23 PM.

Old duck...


#12 that1120
  • Topic Starter

  • Members
  • 10 posts

Posted 08 October 2011 - 04:40 PM

I successfully ran gmer and Junction. Here are the logs:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-08 17:25:28
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MHY2120BH rev.0085000B
Running: gmer.exe; Driver: C:\DOCUME~1\May\LOCALS~1\Temp\kgrdipow.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat EB39EC8A

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PPS
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PPS@InstallLocation C:\Program Files\PPSGame
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FriendlyName Indeo? video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FilterData 0x02 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@EncoderType 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 234420483
Disk \Device\Harddisk0\DR0 PE file @ sector 234420505

---- EOF - GMER 1.0.15 ----


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

...

..No reparse points found.

#13 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:06:25 PM

Posted 08 October 2011 - 11:03 PM

We need to do some cross-checking on the following from GMER:

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 234420483
Disk \Device\Harddisk0\DR0 PE file @ sector 234420505


An infection will return if its source is the Master Boot Record (MBR).
It loads the infection as soon as you boot into Windows!


To check for this possibility, please download aswMBR:
http://public.avast.com/~gmerek/aswMBR.exe
Save it to the Desktop.

XP: Double-click aswMBR.exe to start the tool.

Click Scan

Upon completion of the scan, click Save log and save it to the Desktop,
Note - Do NOT attempt to fix anything!

Please post the aswMBR log in your reply.


Also, you will notice that another file is created on the Desktop.
It is named MBR.dat.

Please submit the MBR.dat file for analysis to Virus Total:
http://www.virustotal.com/

Use the 'Browse' button to navigate to the location of the file.

Click on the file
Then, click the 'Open' button.
The file is now displayed in the Submit Box.

Scroll down and click 'Send File', and wait for the results
If you get a message saying: 'File has already been analyzed', click 'Reanalyze file now'
Once scanned, please provide the link to the results page in your reply.

Thanks.

Old duck...


#14 that1120

that1120
  • Topic Starter

  • Members
  • 10 posts
  • Local time:07:25 PM

Posted 09 October 2011 - 09:07 PM

Hey Aaflac,

Here is the link to VirusTotal. Are you sure I did it correctly?

http://www.virustotal.com/file-scan/report.html?id=6939b417834b04380cf44dc69e86a71a03a93c3dff1fc8c9094ea5d6be2df637-1318211331

And this is the log for the MBR:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-09 21:07:48
-----------------------------
21:07:48.671 OS Version: Windows 5.1.2600 Service Pack 2
21:07:48.671 Number of processors: 1 586 0x7C02
21:07:48.671 ComputerName: HOME-MAY UserName: May
21:07:49.984 Initialize success
21:26:37.234 AVAST engine defs: 11100901
21:40:23.765 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:40:23.765 Disk 0 Vendor: FUJITSU_MHY2120BH 0085000B Size: 114473MB BusType: 3
21:40:25.796 Disk 0 MBR read successfully
21:40:25.796 Disk 0 MBR scan
21:40:25.953 Disk 0 Windows XP default MBR code
21:40:26.031 Disk 0 scanning sectors +234420480
21:40:26.109 Disk 0 malicious Win32:MBRoot code @ sector 234420483 !
21:40:26.140 Disk 0 PE file @ sector 234420505 !
21:40:26.296 Disk 0 scanning C:\WINDOWS\system32\drivers
21:40:46.234 Service scanning
21:40:47.250 Modules scanning
21:41:08.703 Disk 0 trace - called modules:
21:41:08.734 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
21:41:09.234 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8556bab8]
21:41:09.234 3 CLASSPNP.SYS[f760505b] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8557eb00]
21:41:09.734 AVAST engine scan C:\WINDOWS
21:41:35.843 AVAST engine scan C:\WINDOWS\system32
21:44:51.296 AVAST engine scan C:\WINDOWS\system32\drivers
21:45:18.843 AVAST engine scan C:\Documents and Settings\May
21:47:49.843 AVAST engine scan C:\Documents and Settings\All Users
21:48:26.421 Scan finished successfully
21:58:46.312 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\May\Desktop\MBR.dat"
21:58:46.328 The log file has been saved successfully to "C:\Documents and Settings\May\Desktop\aswMBR.txt"

Thanks!

#15 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:06:25 PM

Posted 10 October 2011 - 12:44 PM

You did fine!

aswMbr is apparently reporting the backup (inert) copy of the malware, and it is of no danger.

The MBR.dat file is reported as clean by VirusTotal.

Disk 0 Windows XP default MBR code <- this indicates clean
Disk 0 malicious Win32:MBRoot code @ sector 234420483 ! <- this indicates a remnant of malicious code



Let's press on and search for any remnants by doing the scan that follows. You will need to use Internet Explorer for this scan, since the scanner is implemented as an ActiveX control.
However, compatibility with other browsers (Firefox, Opera, Netscape, etc.) was added if you agree to the installation of the ESET Smart Installer, an application which will install and launch ESET Online Scanner in a new browser window.

Download ESET Online Scanner

Press the ESET Online Scanner download button
  • In the prompt that appears, check 'Yes' to Accept Terms of Use, and click the 'Start' button
  • Allow the ActiveX to download, and click: 'Install'
  • Click Start
  • Make sure that the option Remove found threats is unticked.
  • Click Scan
  • Wait for the scan to finish
  • If any threats are found, click the 'List of found threats', then click Export to text file....
  • Save the file to your Desktop as: ESET Scan.

Please provide the contents of ESET Scan in your reply.



Also, download Security Check

Save it to the Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions (on the black screen)
When done, a Notepad document opens automatically: checkup.txt

Please post the contents of checkup.txt in your reply.

Old duck...
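As an added illustration (not part of the thread, and not code from aswMBR or its authors), the reading Aaflac gives above can be written as a small triage routine over aswMBR log lines: it separates the MBR-code verdict from the per-sector findings and, taking the disk size from the Vendor line and assuming 512-byte sectors, reports how far from the end of the disk each finding sits. The sample log below is constructed from the lines posted earlier in the thread.

```python
import re

# Constructed excerpt of an aswMBR log, copied from the lines posted above
# (other lines omitted). Same layout: timestamp, then "Disk N ..." message.
SAMPLE_LOG = """\
21:40:23.765 Disk 0 Vendor: FUJITSU_MHY2120BH 0085000B Size: 114473MB BusType: 3
21:40:25.796 Disk 0 MBR read successfully
21:40:25.953 Disk 0 Windows XP default MBR code
21:40:26.031 Disk 0 scanning sectors +234420480
21:40:26.109 Disk 0 malicious Win32:MBRoot code @ sector 234420483 !
21:40:26.140 Disk 0 PE file @ sector 234420505 !
21:48:26.421 Scan finished successfully
"""

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors (typical for this era)

SIZE_RE = re.compile(r"Disk (\d+) Vendor: .*? Size: (\d+)MB")
MBR_RE = re.compile(r"Disk (\d+) (.*?) MBR code")
FINDING_RE = re.compile(r"Disk (\d+) (.+?) @ sector (\d+) !")

def triage_aswmbr(log_text):
    """Return {disk_no: {...}} with the MBR verdict, findings and distance to disk end."""
    disks = {}
    for line in log_text.splitlines():
        msg = line.split(" ", 1)[1] if " " in line else line  # strip the timestamp
        if m := SIZE_RE.match(msg):
            d = disks.setdefault(int(m.group(1)), {"findings": []})
            # Size is reported in whole MB, so the sector count is approximate.
            d["total_sectors"] = int(m.group(2)) * 1024 * 1024 // SECTOR_BYTES
        elif m := MBR_RE.match(msg):
            d = disks.setdefault(int(m.group(1)), {"findings": []})
            d["mbr_default"] = "default" in m.group(2)  # "Windows XP default MBR code"
        elif m := FINDING_RE.match(msg):
            d = disks.setdefault(int(m.group(1)), {"findings": []})
            d["findings"].append({"what": m.group(2), "sector": int(m.group(3))})
    for d in disks.values():
        total = d.get("total_sectors")
        for f in d["findings"]:
            f["sectors_from_end"] = None if total is None else total - f["sector"]
        if d.get("mbr_default") and d["findings"]:
            d["verdict"] = "MBR code is stock; sector findings are remnants, not the active boot path"
        elif d.get("mbr_default"):
            d["verdict"] = "clean"
        else:
            d["verdict"] = "MBR code is not stock: treat as an active bootkit"
    return disks

if __name__ == "__main__":
    for no, d in triage_aswmbr(SAMPLE_LOG).items():
        print(f"Disk {no}: {d['verdict']}")
        for f in d["findings"]:
            print(f"  {f['what']} @ sector {f['sector']} ({f['sectors_from_end']} sectors from disk end)")
```

Both findings in the posted log fall roughly 20,000 sectors (about 10 MB) before the end of the 114473 MB disk, which is consistent with a leftover copy sitting past the last partition rather than code that runs at boot.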




