
Serial.sys infected with trojan horse Agent_r.ASB


  • This topic is locked
24 replies to this topic

#1 strangedays

strangedays

  • Members
  • 23 posts

Posted 14 November 2011 - 11:09 PM

My AVG says I have a trojan horse infection in "serial.sys" but it can't remove it.

In the scan results it says: "Object is white-listed (critical/system file that should not be removed"

Naturally, I'd like to get rid of it.

---

Here's the backstory for your reference...

Last Thursday, November 10th, my computer got hit with rogue program "AV Security 2012".
There were constant "threat detected" messages popping up from what I *thought* was AVG (though I'm not certain now).
Choosing the recommended action in the pop-up to deal with the threat launched a "ping.exe" process in Task Manager.
This then would start my DSL internet light to flash (as if sending or receiving data).
The CPU usage would also max out and my computer would slow to a crawl.
If I just closed the pop-up, this did not happen.
By the next day, my computer had about a dozen Trojans showing up in my AVG scan.
I downloaded and scanned with Malwarebytes - it got rid of AV Security 2012 (and all symptoms).
I scanned again with every anti-virus and spyware program I had until all trojans and other bad stuff were gone.
All that remains now is this Agent_r.ASB that AVG says it cannot remove.

---

And here's my DDS log...

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_24
Run by Daniel at 16:31:00 on 2011-11-14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.482 [GMT -8:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
G:\Tool Box\joy-to-key\JoyToKey.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG2012\avgui.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Cobian Backup 10\Cobian.exe
C:\Program Files\Cobian Backup 10\cbInterface.exe
.
============== Pseudo HJT Report ===============
.
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: CrossRider: {a876e312-7d08-401a-b7a6-fafc5dc2f292} - c:\program files\crossriderwebapps\Crossrider.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\daniel\startm~1\programs\startup\shortc~1.lnk - g:\tool box\joy-to-key\JoyToKey.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1277852415140
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1277852401203
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{1464CA5A-D8FB-49EB-AAC1-B47497BE8F32} : DhcpNameServer = 192.168.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\daniel\application data\mozilla\firefox\profiles\pcqwsg30.default\
FF - prefs.js: browser.startup.homepage - hxxp://mysteriousdollfilm.blogspot.com/
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff5.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff6.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff7.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 16720]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-7-21 2152152]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-7-21 15232]
.
=============== Created Last 30 ================
.
2011-11-14 04:22:59 -------- d-----w- c:\documents and settings\daniel\local settings\application data\Safe mirror
2011-11-14 04:21:45 -------- d-----w- c:\program files\Cobian Backup 10
2011-11-11 05:28:00 -------- d-----w- c:\documents and settings\daniel\application data\Malwarebytes
2011-11-11 05:27:10 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-11 05:27:06 22216 ------w- c:\windows\system32\drivers\mbam.sys
2011-11-11 05:27:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-09 20:54:23 -------- d-----w- c:\documents and settings\daniel\application data\rnnG44aQH
2011-11-09 20:54:23 -------- d-----w- c:\documents and settings\daniel\application data\nOBBtxxP0uc1iD3
2011-11-09 20:54:03 -------- d-----w- c:\documents and settings\daniel\application data\NXXwwkUVVlOBtPy
.
==================== Find3M ====================
.
2011-10-07 13:23:48 230608 ------w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 13:21:42 16720 ------w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-13 13:30:10 32592 ------w- c:\windows\system32\drivers\avgrkx86.sys
.
============= FINISH: 16:32:16.92 ===============


---

You should also find Attach.txt and Ark.txt attached below.
I'll be checking my messages regularly so you can expect a fast response.

And thank you, I appreciate any help you can give.

Attached Files
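As an added example (not from this thread, and not part of DDS or any other tool mentioned here), the following Python helper parses the "Created Last 30" and "Find3M" file-listing sections of a DDS log in the format posted above and flags entries that were created around the reported infection date or that carry random-looking names. The sample lines are copied from the DDS log above; the infection date of 2011-11-10 is taken from the post, while the one-day window and the mixed-case naming heuristic are assumptions of mine, not something DDS does.

```python
"""Triage helper for DDS file-listing sections (constructed example)."""
import re
from datetime import datetime, timedelta

# Sample lines copied from the DDS log posted in this thread (partial).
SAMPLE_DDS = r"""
=============== Created Last 30 ================
.
2011-11-14 04:22:59 -------- d-----w- c:\documents and settings\daniel\local settings\application data\Safe mirror
2011-11-11 05:27:06 22216 ------w- c:\windows\system32\drivers\mbam.sys
2011-11-09 20:54:23 -------- d-----w- c:\documents and settings\daniel\application data\rnnG44aQH
2011-11-09 20:54:23 -------- d-----w- c:\documents and settings\daniel\application data\nOBBtxxP0uc1iD3
2011-11-09 20:54:03 -------- d-----w- c:\documents and settings\daniel\application data\NXXwwkUVVlOBtPy
.
==================== Find3M ====================
.
2011-10-07 13:23:48 230608 ------w- c:\windows\system32\drivers\avgldx86.sys
"""

# A DDS section header looks like "=== Name ===" with any number of '='.
HEADER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Entry: timestamp, size (or dashes for a directory), 8-char attribute
# field (leading 'd' marks a directory), then the path.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+([a-z-]{8})\s+(.+)$"
)


def parse_dds_file_sections(text):
    """Return {section name: [entry, ...]} for every '=== ... ===' section
    whose lines match the DDS file-listing format."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
            continue
        if current is None or line in ("", "."):
            continue  # DDS prints bare '.' lines as spacers
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        stamp, size, attrs, path = entry.groups()
        sections[current].append({
            "created": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs.startswith("d"),
            "attrs": attrs,
            "path": path,
        })
    return sections


def case_changes(name):
    """Count upper/lower switches between consecutive letters."""
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:])
               if a.isupper() != b.isupper())


def looks_random(path):
    """Crude heuristic (assumption): a basename with no spaces whose letter
    case flips three or more times reads as machine-generated."""
    name = path.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0]
    return " " not in stem and case_changes(stem) >= 3


def triage(entries, reported_date, slack_days=1):
    """Return [(path, [reasons])] for entries created within +/- slack_days
    of the reported infection date or carrying a random-looking name."""
    start = reported_date - timedelta(days=slack_days)
    end = reported_date + timedelta(days=slack_days)
    flagged = []
    for e in entries:
        reasons = []
        if start <= e["created"] < end:
            reasons.append("created in infection window")
        if looks_random(e["path"]):
            reasons.append("random-looking name")
        if reasons:
            flagged.append((e["path"], reasons))
    return flagged


def triage_sample():
    """Run the triage over the sample with the date reported in the post."""
    sections = parse_dds_file_sections(SAMPLE_DDS)
    return triage(sections["Created Last 30"], datetime(2011, 11, 10))


if __name__ == "__main__":
    for path, reasons in triage_sample():
        print(f"{path}\n    {', '.join(reasons)}")
```

The window and the naming heuristic are deliberately simple; they are meant to order a long "Created Last 30" list for a human reviewer, not to decide on their own what is malicious.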





#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,658 posts
  • Gender:Male

Posted 19 November 2011 - 11:10 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/427919 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,191 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 November 2011 - 11:34 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Your log shows that you have a bad ZeroAccess infection.

Let's start with these scans.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) ( 511KB ) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Please post the logs for my review.

#4 strangedays

strangedays
  • Topic Starter

  • Members
  • 23 posts

Posted 20 November 2011 - 07:59 PM

Hi nasdaq, thanks for helping me out.

I caught your reply when I was finishing my response to the bot and decided to respond to you instead.
Let me know if you still want the new DDS logs and all that.

When I ran aswMBR.exe it asked me if I wanted to use Avast Scanner.
I wasn't sure so I just said no, hope that was okay.
During the scan there was an AVG threat popup for serial.sys.
The only option it gave was to ignore the threat so I clicked that.



Anyway, here's the scan log:



aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-20 16:25:27
-----------------------------
16:25:27.937 OS Version: Windows 5.1.2600 Service Pack 2
16:25:27.937 Number of processors: 2 586 0x209
16:25:27.937 ComputerName: KENSON UserName: Daniel
16:25:28.812 Initialize success
16:27:55.109 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
16:27:55.109 Disk 0 Vendor: ST3120026AS 8.05 Size: 114440MB BusType: 3
16:27:57.125 Disk 0 MBR read successfully
16:27:57.125 Disk 0 MBR scan
16:27:57.125 Disk 0 Windows XP default MBR code
16:27:57.125 Disk 0 scanning sectors +234356220
16:27:57.187 Disk 0 scanning C:\WINDOWS\system32\drivers
16:28:06.765 Service scanning
16:28:07.750 Modules scanning
16:28:16.609 Disk 0 trace - called modules:
16:28:16.640 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
16:28:16.640 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x867d5ab8]
16:28:16.640 3 CLASSPNP.SYS[f78a205b] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-5[0x86789b00]
16:28:16.640 Scan finished successfully
16:31:21.781 Disk 0 MBR has been saved successfully to "G:\tmp\MBR.dat"
16:31:21.781 The log file has been saved successfully to "G:\tmp\aswMBR.txt"




And here's my TDSSKiller:



16:36:41.0765 1696 TDSS rootkit removing tool 2.6.19.0 Nov 16 2011 12:18:50
16:36:42.0296 1696 ============================================================
16:36:42.0296 1696 Current date / time: 2011/11/20 16:36:42.0296
16:36:42.0296 1696 SystemInfo:
16:36:42.0296 1696
16:36:42.0296 1696 OS Version: 5.1.2600 ServicePack: 2.0
16:36:42.0296 1696 Product type: Workstation
16:36:42.0296 1696 ComputerName: KENSON
16:36:42.0296 1696 UserName: Daniel
16:36:42.0296 1696 Windows directory: C:\WINDOWS
16:36:42.0296 1696 System windows directory: C:\WINDOWS
16:36:42.0296 1696 Processor architecture: Intel x86
16:36:42.0296 1696 Number of processors: 2
16:36:42.0296 1696 Page size: 0x1000
16:36:42.0296 1696 Boot type: Normal boot
16:36:42.0296 1696 ============================================================
16:36:43.0578 1696 Initialize success
16:38:29.0500 3356 ============================================================
16:38:29.0500 3356 Scan started
16:38:29.0500 3356 Mode: Manual;
16:38:29.0500 3356 ============================================================
16:38:30.0250 3356 Abiosdsk - ok
16:38:30.0265 3356 abp480n5 - ok
16:38:30.0312 3356 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
16:38:30.0328 3356 ACPI - ok
16:38:30.0359 3356 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
16:38:30.0359 3356 ACPIEC - ok
16:38:30.0390 3356 adpu160m - ok
16:38:30.0437 3356 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
16:38:30.0437 3356 aeaudio - ok
16:38:30.0468 3356 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
16:38:30.0484 3356 aec - ok
16:38:30.0515 3356 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
16:38:30.0531 3356 AFD - ok
16:38:30.0562 3356 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
16:38:30.0562 3356 agp440 - ok
16:38:30.0593 3356 Aha154x - ok
16:38:30.0609 3356 aic78u2 - ok
16:38:30.0640 3356 aic78xx - ok
16:38:30.0671 3356 AliIde - ok
16:38:30.0703 3356 amsint - ok
16:38:30.0718 3356 asc - ok
16:38:30.0750 3356 asc3350p - ok
16:38:30.0765 3356 asc3550 - ok
16:38:30.0828 3356 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
16:38:30.0828 3356 AsyncMac - ok
16:38:30.0843 3356 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
16:38:30.0859 3356 atapi - ok
16:38:30.0875 3356 Atdisk - ok
16:38:30.0921 3356 ati2mtag (8759322ffc1a50569c1e5528ee8026b7) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
16:38:30.0953 3356 ati2mtag - ok
16:38:31.0000 3356 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
16:38:31.0000 3356 Atmarpc - ok
16:38:31.0046 3356 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
16:38:31.0046 3356 audstub - ok
16:38:31.0109 3356 AVGIDSDriver (4fa401b33c1b50c816486f6951244a14) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
16:38:31.0109 3356 AVGIDSDriver - ok
16:38:31.0125 3356 AVGIDSEH (69578bc9d43d614c6b3455db4af19762) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
16:38:31.0125 3356 AVGIDSEH - ok
16:38:31.0156 3356 AVGIDSFilter (6df528406aa22201f392b9b19121cd6f) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
16:38:31.0156 3356 AVGIDSFilter - ok
16:38:31.0203 3356 AVGIDSShim (1e01c2166b5599802bcd61b9691f7476) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
16:38:31.0203 3356 AVGIDSShim - ok
16:38:31.0250 3356 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
16:38:31.0250 3356 Avgldx86 - ok
16:38:31.0281 3356 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
16:38:31.0281 3356 Avgmfx86 - ok
16:38:31.0312 3356 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
16:38:31.0312 3356 Avgrkx86 - ok
16:38:31.0375 3356 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
16:38:31.0390 3356 Avgtdix - ok
16:38:31.0437 3356 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
16:38:31.0437 3356 Beep - ok
16:38:31.0484 3356 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
16:38:31.0484 3356 cbidf2k - ok
16:38:31.0515 3356 cd20xrnt - ok
16:38:31.0531 3356 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
16:38:31.0546 3356 Cdaudio - ok
16:38:31.0578 3356 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
16:38:31.0578 3356 Cdfs - ok
16:38:31.0609 3356 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
16:38:31.0609 3356 Cdrom - ok
16:38:31.0640 3356 Changer - ok
16:38:31.0671 3356 CmdIde - ok
16:38:31.0703 3356 Cpqarray - ok
16:38:31.0734 3356 dac2w2k - ok
16:38:31.0750 3356 dac960nt - ok
16:38:31.0796 3356 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
16:38:31.0796 3356 Disk - ok
16:38:31.0859 3356 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
16:38:31.0890 3356 dmboot - ok
16:38:31.0921 3356 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
16:38:31.0921 3356 dmio - ok
16:38:31.0953 3356 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
16:38:31.0953 3356 dmload - ok
16:38:31.0984 3356 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
16:38:31.0984 3356 DMusic - ok
16:38:32.0015 3356 dpti2o - ok
16:38:32.0046 3356 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
16:38:32.0046 3356 drmkaud - ok
16:38:32.0078 3356 E1000 (a97b4360acc61d9d3cae50cd155ef02c) C:\WINDOWS\system32\DRIVERS\e1000325.sys
16:38:32.0093 3356 E1000 - ok
16:38:32.0125 3356 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
16:38:32.0140 3356 Fastfat - ok
16:38:32.0171 3356 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
16:38:32.0171 3356 Fdc - ok
16:38:32.0203 3356 FETNDISB (95bc4d8493fe30312f5e1ab57ef36083) C:\WINDOWS\system32\DRIVERS\dlkfet5b.sys
16:38:32.0218 3356 FETNDISB - ok
16:38:32.0250 3356 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
16:38:32.0250 3356 Fips - ok
16:38:32.0265 3356 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
16:38:32.0265 3356 Flpydisk - ok
16:38:32.0328 3356 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys
16:38:32.0328 3356 FltMgr - ok
16:38:32.0375 3356 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
16:38:32.0375 3356 Fs_Rec - ok
16:38:32.0421 3356 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
16:38:32.0421 3356 Ftdisk - ok
16:38:32.0453 3356 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
16:38:32.0468 3356 Gpc - ok
16:38:32.0500 3356 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
16:38:32.0500 3356 hidusb - ok
16:38:32.0531 3356 hpn - ok
16:38:32.0578 3356 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
16:38:32.0593 3356 HTTP - ok
16:38:32.0625 3356 i2omgmt - ok
16:38:32.0640 3356 i2omp - ok
16:38:32.0671 3356 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
16:38:32.0671 3356 i8042prt - ok
16:38:32.0718 3356 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
16:38:32.0718 3356 Imapi - ok
16:38:32.0750 3356 ini910u - ok
16:38:32.0781 3356 IntelIde - ok
16:38:32.0828 3356 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
16:38:32.0828 3356 intelppm - ok
16:38:32.0859 3356 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
16:38:32.0859 3356 ip6fw - ok
16:38:32.0906 3356 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
16:38:32.0921 3356 IpFilterDriver - ok
16:38:32.0937 3356 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
16:38:32.0953 3356 IpInIp - ok
16:38:32.0984 3356 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
16:38:32.0984 3356 IpNat - ok
16:38:33.0015 3356 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
16:38:33.0015 3356 IPSec - ok
16:38:33.0046 3356 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
16:38:33.0046 3356 IRENUM - ok
16:38:33.0093 3356 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
16:38:33.0093 3356 isapnp - ok
16:38:33.0125 3356 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
16:38:33.0125 3356 Kbdclass - ok
16:38:33.0171 3356 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
16:38:33.0187 3356 kmixer - ok
16:38:33.0234 3356 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
16:38:33.0234 3356 KSecDD - ok
16:38:33.0312 3356 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
16:38:33.0312 3356 Lavasoft Kernexplorer - ok
16:38:33.0343 3356 lbrtfdc - ok
16:38:33.0375 3356 MBAMSwissArmy - ok
16:38:33.0437 3356 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
16:38:33.0437 3356 mnmdd - ok
16:38:33.0484 3356 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
16:38:33.0484 3356 Modem - ok
16:38:33.0515 3356 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
16:38:33.0515 3356 Mouclass - ok
16:38:33.0546 3356 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
16:38:33.0562 3356 mouhid - ok
16:38:33.0593 3356 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
16:38:33.0593 3356 MountMgr - ok
16:38:33.0609 3356 mraid35x - ok
16:38:33.0656 3356 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
16:38:33.0671 3356 MRxDAV - ok
16:38:33.0734 3356 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
16:38:33.0750 3356 MRxSmb - ok
16:38:33.0781 3356 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
16:38:33.0781 3356 Msfs - ok
16:38:33.0812 3356 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
16:38:33.0828 3356 MSKSSRV - ok
16:38:33.0859 3356 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
16:38:33.0859 3356 MSPCLOCK - ok
16:38:33.0890 3356 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
16:38:33.0890 3356 MSPQM - ok
16:38:33.0937 3356 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
16:38:33.0937 3356 mssmbios - ok
16:38:33.0968 3356 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
16:38:33.0968 3356 Mup - ok
16:38:34.0000 3356 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
16:38:34.0000 3356 NDIS - ok
16:38:34.0031 3356 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
16:38:34.0031 3356 NdisTapi - ok
16:38:34.0062 3356 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
16:38:34.0062 3356 Ndisuio - ok
16:38:34.0093 3356 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
16:38:34.0093 3356 NdisWan - ok
16:38:34.0125 3356 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
16:38:34.0125 3356 NDProxy - ok
16:38:34.0156 3356 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
16:38:34.0156 3356 NetBIOS - ok
16:38:34.0187 3356 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
16:38:34.0187 3356 NetBT - ok
16:38:34.0250 3356 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
16:38:34.0250 3356 Npfs - ok
16:38:34.0328 3356 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
16:38:34.0375 3356 Ntfs - ok
16:38:34.0421 3356 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
16:38:34.0421 3356 Null - ok
16:38:34.0687 3356 nv (9f4384aa43548ddd438f7b7825d11699) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
16:38:34.0843 3356 nv - ok
16:38:34.0906 3356 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
16:38:34.0906 3356 NwlnkFlt - ok
16:38:34.0937 3356 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
16:38:34.0937 3356 NwlnkFwd - ok
16:38:34.0968 3356 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
16:38:34.0968 3356 OMCI - ok
16:38:35.0031 3356 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
16:38:35.0031 3356 Parport - ok
16:38:35.0062 3356 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
16:38:35.0062 3356 PartMgr - ok
16:38:35.0078 3356 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
16:38:35.0078 3356 ParVdm - ok
16:38:35.0109 3356 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
16:38:35.0109 3356 PCI - ok
16:38:35.0140 3356 PCIDump - ok
16:38:35.0171 3356 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
16:38:35.0171 3356 PCIIde - ok
16:38:35.0218 3356 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
16:38:35.0218 3356 Pcmcia - ok
16:38:35.0250 3356 PDCOMP - ok
16:38:35.0265 3356 PDFRAME - ok
16:38:35.0296 3356 PDRELI - ok
16:38:35.0312 3356 PDRFRAME - ok
16:38:35.0359 3356 PenClass (4a108cc9cc0e0605e68cce7021479879) C:\WINDOWS\system32\Drivers\PenClass.sys
16:38:35.0359 3356 PenClass - ok
16:38:35.0390 3356 perc2 - ok
16:38:35.0406 3356 perc2hib - ok
16:38:35.0484 3356 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
16:38:35.0484 3356 PptpMiniport - ok
16:38:35.0515 3356 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
16:38:35.0531 3356 Processor - ok
16:38:35.0562 3356 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
16:38:35.0562 3356 PSched - ok
16:38:35.0593 3356 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
16:38:35.0593 3356 Ptilink - ok
16:38:35.0625 3356 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
16:38:35.0625 3356 PxHelp20 - ok
16:38:35.0640 3356 ql1080 - ok
16:38:35.0671 3356 Ql10wnt - ok
16:38:35.0703 3356 ql12160 - ok
16:38:35.0718 3356 ql1240 - ok
16:38:35.0750 3356 ql1280 - ok
16:38:35.0781 3356 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
16:38:35.0781 3356 RasAcd - ok
16:38:35.0828 3356 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
16:38:35.0828 3356 Rasl2tp - ok
16:38:35.0859 3356 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
16:38:35.0859 3356 RasPppoe - ok
16:38:35.0890 3356 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
16:38:35.0890 3356 Raspti - ok
16:38:35.0937 3356 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
16:38:35.0937 3356 Rdbss - ok
16:38:35.0968 3356 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
16:38:35.0968 3356 RDPCDD - ok
16:38:36.0015 3356 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
16:38:36.0015 3356 rdpdr - ok
16:38:36.0062 3356 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
16:38:36.0062 3356 RDPWD - ok
16:38:36.0093 3356 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
16:38:36.0093 3356 redbook - ok
16:38:36.0187 3356 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
16:38:36.0187 3356 Secdrv - ok
16:38:36.0218 3356 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
16:38:36.0218 3356 serenum - ok
16:38:36.0250 3356 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
16:38:36.0250 3356 Sfloppy - ok
16:38:36.0281 3356 Simbad - ok
16:38:36.0343 3356 smwdm (31fd0707c7dbe715234f2823b27214fe) C:\WINDOWS\system32\drivers\smwdm.sys
16:38:36.0375 3356 smwdm - ok
16:38:36.0390 3356 Sparrow - ok
16:38:36.0437 3356 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
16:38:36.0437 3356 splitter - ok
16:38:36.0468 3356 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
16:38:36.0468 3356 sr - ok
16:38:36.0531 3356 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
16:38:36.0531 3356 Srv - ok
16:38:36.0578 3356 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
16:38:36.0578 3356 swenum - ok
16:38:36.0609 3356 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
16:38:36.0609 3356 swmidi - ok
16:38:36.0640 3356 symc810 - ok
16:38:36.0671 3356 symc8xx - ok
16:38:36.0687 3356 sym_hi - ok
16:38:36.0718 3356 sym_u3 - ok
16:38:36.0750 3356 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
16:38:36.0750 3356 sysaudio - ok
16:38:36.0843 3356 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
16:38:36.0859 3356 Tcpip - ok
16:38:36.0890 3356 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
16:38:36.0890 3356 TDPIPE - ok
16:38:36.0937 3356 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
16:38:36.0937 3356 TDTCP - ok
16:38:36.0968 3356 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
16:38:36.0968 3356 TermDD - ok
16:38:37.0015 3356 TosIde - ok
16:38:37.0062 3356 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
16:38:37.0062 3356 Udfs - ok
16:38:37.0078 3356 ultra - ok
16:38:37.0140 3356 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
16:38:37.0140 3356 Update - ok
16:38:37.0203 3356 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
16:38:37.0203 3356 usbehci - ok
16:38:37.0218 3356 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
16:38:37.0218 3356 usbhub - ok
16:38:37.0281 3356 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
16:38:37.0281 3356 usbscan - ok
16:38:37.0312 3356 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:38:37.0312 3356 USBSTOR - ok
16:38:37.0359 3356 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
16:38:37.0359 3356 usbuhci - ok
16:38:37.0390 3356 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
16:38:37.0390 3356 VgaSave - ok
16:38:37.0421 3356 ViaIde - ok
16:38:37.0468 3356 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
16:38:37.0468 3356 VolSnap - ok
16:38:37.0546 3356 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
16:38:37.0546 3356 Wanarp - ok
16:38:37.0625 3356 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
16:38:37.0656 3356 Wdf01000 - ok
16:38:37.0671 3356 WDICA - ok
16:38:37.0718 3356 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
16:38:37.0718 3356 wdmaud - ok
16:38:37.0843 3356 xusb21 (a640c90b007762939507c28a021be3b3) C:\WINDOWS\system32\DRIVERS\xusb21.sys
16:38:37.0843 3356 xusb21 - ok
16:38:37.0875 3356 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
16:38:38.0046 3356 \Device\Harddisk0\DR0 - ok
16:38:38.0046 3356 Boot (0x1200) (096b41902fedf658a50fdd5d492efe31) \Device\Harddisk0\DR0\Partition0
16:38:38.0046 3356 \Device\Harddisk0\DR0\Partition0 - ok
16:38:38.0078 3356 Boot (0x1200) (e5e56b654e79e7137a5f80ebe3b0760b) \Device\Harddisk0\DR0\Partition1
16:38:38.0078 3356 \Device\Harddisk0\DR0\Partition1 - ok
16:38:38.0093 3356 Boot (0x1200) (6453a11b50c89f2715b2fa074d8e8267) \Device\Harddisk0\DR0\Partition2
16:38:38.0093 3356 \Device\Harddisk0\DR0\Partition2 - ok
16:38:38.0109 3356 Boot (0x1200) (cf3f0d2a218a67f04bfff05c98049886) \Device\Harddisk0\DR0\Partition3
16:38:38.0109 3356 \Device\Harddisk0\DR0\Partition3 - ok
16:38:38.0109 3356 ============================================================
16:38:38.0109 3356 Scan finished
16:38:38.0109 3356 ============================================================
16:38:38.0140 4044 Detected object count: 0
16:38:38.0140 4044 Actual detected object count: 0




Let me know if you need anything else.
I'll be keeping an eye on my messages so my replies to you will be more prompt.
Thanks again!

Attached Files

  • MBR.zip (528 bytes)


#5 nasdaq

  • Malware Response Team
  • 39,191 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 November 2011 - 11:30 AM

More checking.

Backup Your Registry with ERUNT
  • Please go here, scroll down to ERUNT, and download.
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your Registry to the folder of your choice.

Note: To restore your Registry, go to the folder and start ERDNT.exe

p.s.
On a Vista or Windows 7 operating system, right click the Erunt.exe and run as Administrator.
===

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    consrv.dll
    winsrv.dll
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt
===

Please do the following:
Download Registry Search (see the link titled RegSearch Download Link), and save it to your Desktop.
  • Extract the files from Regsearch.zip to your Desktop.
  • Double click regsearch.exe to start the program.
  • Enter consrv in the top area of the form and then click "OK".
  • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Copy/paste this file in your next reply.

Please post the logs.

#6 strangedays

  • Topic Starter
  • Members
  • 23 posts

Posted 21 November 2011 - 03:55 PM

Here's my SystemLook.exe log...


SystemLook 30.07.11 by jpshortstuff
Log created at 12:14 on 21/11/2011 by Daniel
Administrator - Elevation successful

========== filefind ==========

Searching for "consrv.dll"
No files found.

Searching for "winsrv.dll"
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\winsrv.dll --a---- 291328 bytes [18:19 02/03/2005] [18:19 02/03/2005] 0F292F96B5967F31793C74007A0368AB
C:\WINDOWS\$hf_mig$\KB900725\SP2QFE\winsrv.dll --a---- 291840 bytes [01:44 01/09/2005] [01:44 01/09/2005] 3642C99D14EC986DDE123C9D2846427D
C:\WINDOWS\$hf_mig$\KB930178\SP2QFE\winsrv.dll --a---- 292864 bytes [13:45 17/03/2007] [13:45 17/03/2007] 3E958EBBE7DA5691E8B08429A7EDB44B
C:\WINDOWS\$NtServicePackUninstall$\winsrv.dll -----c- 276480 bytes [00:08 30/06/2010] [16:45 16/07/2003] 3DDBF81B10908850A54BC74FC9498663
C:\WINDOWS\$NtUninstallKB890859$\winsrv.dll -----c- 290816 bytes [06:40 11/08/2011] [07:56 04/08/2004] 442D0EAD5534E4ADCF6D4469043C82C0
C:\WINDOWS\$NtUninstallKB900725$\winsrv.dll -----c- 291328 bytes [08:54 25/08/2011] [18:09 02/03/2005] 4C6A223A9E8571073EC033E4A06D0131
C:\WINDOWS\$NtUninstallKB930178$\winsrv.dll -----c- 291840 bytes [09:03 25/08/2011] [01:41 01/09/2005] 31F2735965A8AD1EB56F774D703DDAF9
C:\WINDOWS\ServicePackFiles\i386\winsrv.dll ------- 290816 bytes [07:56 04/08/2004] [07:56 04/08/2004] 442D0EAD5534E4ADCF6D4469043C82C0
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winsrv.dll ------- 293376 bytes [20:17 19/07/2010] [00:12 14/04/2008] 1618F36D4F7F6CCCEB3EE44BA95BE85C
C:\WINDOWS\system32\winsrv.dll ------- 292864 bytes [16:45 16/07/2003] [13:43 17/03/2007] 3D21B3BE0C5768E76FD9780E9CF9E07C
C:\WINDOWS\system32\dllcache\winsrv.dll -----c- 292864 bytes [13:43 17/03/2007] [13:43 17/03/2007] 3D21B3BE0C5768E76FD9780E9CF9E07C

-= EOF =-



And my RegSearch log...



Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.6.0

; Results at 11/21/2011 12:21:45 PM for strings:
; 'consrv'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...



Also, one other quick thing... After Malwarebytes had removed that AV Security 2012 program, I noticed its empty folder is still listed in the Start Menu. Should I just delete that?
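The helper reads a SystemLook ':filefind' listing like the one above by comparing the copies of a file by hash: the live copy in system32 against the Windows File Protection copy in system32\dllcache, and any location where a searched name turns up at all. As an added example, not part of this thread and not code from SystemLook, here is that comparison done mechanically in Python. The clean sample below is copied from the posted log (three of the winsrv.dll locations, hashes as printed there); the second, 'tampered' sample and its 0F0F... hash are constructed for the demonstration.

```python
import re

# Constructed sample in SystemLook ':filefind' format; the winsrv.dll lines are
# copied from the log posted above (hashes as printed there), trimmed to three
# locations.
SAMPLE_CLEAN = r"""
========== filefind ==========

Searching for "consrv.dll"
No files found.

Searching for "winsrv.dll"
C:\WINDOWS\ServicePackFiles\i386\winsrv.dll ------- 290816 bytes [07:56 04/08/2004] [07:56 04/08/2004] 442D0EAD5534E4ADCF6D4469043C82C0
C:\WINDOWS\system32\winsrv.dll ------- 292864 bytes [16:45 16/07/2003] [13:43 17/03/2007] 3D21B3BE0C5768E76FD9780E9CF9E07C
C:\WINDOWS\system32\dllcache\winsrv.dll -----c- 292864 bytes [13:43 17/03/2007] [13:43 17/03/2007] 3D21B3BE0C5768E76FD9780E9CF9E07C

-= EOF =-
"""

# Constructed counter-example: same size, but the live copy's hash no longer
# matches the dllcache copy.  The 0F0F... hash is a made-up placeholder.
SAMPLE_TAMPERED = r"""
Searching for "winsrv.dll"
C:\WINDOWS\system32\winsrv.dll ------- 292864 bytes [16:45 16/07/2003] [13:43 17/03/2007] 0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F
C:\WINDOWS\system32\dllcache\winsrv.dll -----c- 292864 bytes [13:43 17/03/2007] [13:43 17/03/2007] 3D21B3BE0C5768E76FD9780E9CF9E07C
"""

SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')
# path, 7-character attribute field, size, the two bracketed timestamps as
# SystemLook prints them, and the MD5 of the file
ENTRY_RE = re.compile(
    r'^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes '
    r'\[(?P<stamp1>[^\]]+)\] \[(?P<stamp2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$'
)


def parse_filefind(text):
    """Return {searched file name (lower-case): [entry, ...]}.
    A name that SystemLook reported as 'No files found.' maps to an empty list."""
    results = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            results[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            results[current].append(entry)
    return results


def _entry_under(entries, dir_suffix, name):
    """First entry whose path ends with <dir_suffix>\\<name>, case-insensitively."""
    wanted = (dir_suffix + "\\" + name).lower()
    for e in entries:
        if e["path"].lower().endswith(wanted):
            return e
    return None


def compare_live_to_dllcache(results, name):
    """Compare system32\\<name> with the Windows File Protection copy in
    system32\\dllcache.  Returns 'not-present', 'no-dllcache-copy', 'match'
    or 'mismatch'."""
    entries = results.get(name.lower(), [])
    live = _entry_under(entries, "\\system32", name)
    cache = _entry_under(entries, "\\system32\\dllcache", name)
    if live is None:
        return "not-present"
    if cache is None:
        return "no-dllcache-copy"
    if live["md5"] == cache["md5"] and live["size"] == cache["size"]:
        return "match"
    return "mismatch"


if __name__ == "__main__":
    for label, text in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        results = parse_filefind(text)
        for name, entries in results.items():
            print(f"[{label}] {name}: {len(entries)} location(s); "
                  f"system32 vs dllcache: {compare_live_to_dllcache(results, name)}")
```

A 'match' result only says the live file equals the protected copy, so a patched file would have to be planted in both places to pass; a 'mismatch' with identical sizes, as in the constructed sample, is exactly the case a size-only comparison would miss.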

#7 nasdaq

  • Malware Response Team
  • 39,191 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 November 2011 - 08:50 AM

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

#8 strangedays

  • Topic Starter
  • Members
  • 23 posts

Posted 22 November 2011 - 12:56 PM

Okay, here's my ComboFix log:


ComboFix 11-11-22.01 - Daniel 11/22/2011 9:19.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.533 [GMT -8:00]
Running from: c:\documents and settings\Daniel\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
c:\documents and settings\Daniel\Start Menu\Programs\AV Security 2012
c:\documents and settings\Daniel\Start Menu\Programs\Startup\Shortcut to JoyToKey.exe.lnk
c:\documents and settings\Daniel\WINDOWS
c:\windows\$NtUninstallKB23891$
c:\windows\$NtUninstallKB23891$\1980054711
c:\windows\$NtUninstallKB23891$\3197166531\@
c:\windows\$NtUninstallKB23891$\3197166531\bckfg.tmp
c:\windows\$NtUninstallKB23891$\3197166531\cfg.ini
c:\windows\$NtUninstallKB23891$\3197166531\Desktop.ini
c:\windows\$NtUninstallKB23891$\3197166531\kwrd.dll
c:\windows\$NtUninstallKB23891$\3197166531\L\vosyeiej
c:\windows\$NtUninstallKB23891$\3197166531\lsflt7.ver
c:\windows\$NtUninstallKB23891$\3197166531\U\00000001.@
c:\windows\$NtUninstallKB23891$\3197166531\U\00000002.@
c:\windows\$NtUninstallKB23891$\3197166531\U\00000004.@
c:\windows\$NtUninstallKB23891$\3197166531\U\80000000.@
c:\windows\$NtUninstallKB23891$\3197166531\U\80000004.@
c:\windows\$NtUninstallKB23891$\3197166531\U\80000032.@
c:\windows\CSC\d6
c:\windows\tsoc.log
.
.
((((((((((((((((((((((((( Files Created from 2011-10-22 to 2011-11-22 )))))))))))))))))))))))))))))))
.
.
2011-11-21 09:38 . 2011-11-21 09:38 -------- d-----w- c:\program files\Windows Media Connect 2
2011-11-21 09:36 . 2011-11-22 17:04 -------- d-----w- c:\windows\system32\LogFiles
2011-11-21 09:36 . 2011-11-21 09:37 -------- d-----w- c:\windows\system32\drivers\UMDF
2011-11-17 22:19 . 2011-11-21 09:29 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-16 04:38 . 2011-11-05 06:53 134104 ------w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-11-16 04:38 . 2011-11-05 06:53 89048 ------w- c:\program files\Mozilla Firefox\libEGL.dll
2011-11-16 04:38 . 2011-11-05 06:53 801752 ------w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-11-16 04:38 . 2011-11-05 06:53 478168 ------w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-11-16 04:38 . 2011-11-05 06:53 1989592 ------w- c:\program files\Mozilla Firefox\mozjs.dll
2011-11-16 04:38 . 2011-11-05 06:53 15832 ------w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-11-16 04:38 . 2011-11-05 03:21 2106216 ------w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-11-16 04:38 . 2011-11-05 03:21 1998168 ------w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-11-14 04:22 . 2011-11-14 04:22 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\Safe mirror
2011-11-14 04:21 . 2011-11-14 04:22 -------- d-----w- c:\program files\Cobian Backup 10
2011-11-11 05:28 . 2011-11-11 05:28 -------- d-----w- c:\documents and settings\Daniel\Application Data\Malwarebytes
2011-11-11 05:27 . 2011-11-11 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-11 05:27 . 2011-09-01 01:00 22216 ------w- c:\windows\system32\drivers\mbam.sys
2011-11-11 05:27 . 2011-11-11 05:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-11 03:00 . 2011-11-11 03:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-11-10 21:59 . 2011-11-10 22:14 -------- d-----w- c:\documents and settings\Administrator
2011-11-09 21:27 . 2011-11-09 21:27 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-11-09 20:54 . 2011-11-09 20:54 -------- d-----w- c:\documents and settings\Daniel\Application Data\rnnG44aQH
2011-11-09 20:54 . 2011-11-09 20:54 -------- d-----w- c:\documents and settings\Daniel\Application Data\nOBBtxxP0uc1iD3
2011-11-09 20:54 . 2011-11-09 20:54 -------- d-----w- c:\documents and settings\Daniel\Application Data\NXXwwkUVVlOBtPy
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-07 13:23 . 2010-09-07 10:48 230608 ------w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 13:21 . 2010-08-20 04:42 16720 ------w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-13 13:30 . 2010-09-07 10:48 32592 ------w- c:\windows\system32\drivers\avgrkx86.sys
2011-11-05 06:53 . 2011-11-16 04:38 134104 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-10-25 2415456]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2003-07-16 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-07-16 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-07-16 455168]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 3:27 PM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 2:48 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 2:48 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 2:49 AM 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 5:25 AM 4433248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/21/2011 1:59 PM 2152152]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 8:42 PM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 8:42 PM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 8:42 PM 16720]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [7/21/2011 1:59 PM 15232]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-07-21 07:40]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\pcqwsg30.default\
FF - prefs.js: browser.startup.homepage - hxxp://mysteriousdollfilm.blogspot.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-22 09:35
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1052)
c:\windows\system32\tabhook.dll
.
- - - - - - - > 'explorer.exe'(2036)
c:\windows\system32\tabhook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\Tablet.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-11-22 09:40:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-22 17:40
.
Pre-Run: 3,041,988,608 bytes free
Post-Run: 4,163,047,424 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - B9294BA573E5478DE46E0DA696A4F43C

#9 nasdaq

  • Malware Response Team
  • 39,191 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 November 2011 - 02:07 PM

Looking good.

Delete these 3 folders in bold.

c:\documents and settings\Daniel\Application Data\rnnG44aQH
c:\documents and settings\Daniel\Application Data\nOBBtxxP0uc1iD3
c:\documents and settings\Daniel\Application Data\NXXwwkUVVlOBtP

===

Third party programs, if not up to date, can be the cause of the infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Any remaining issues with this computer?
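The three folders named above were picked out of the ComboFix 'Files Created' listing by eye: directories created on the same minute as the infection, under Application Data, with names that no installer would choose. As an added example (not part of this thread and not code from ComboFix), here is that triage step as a Python script that parses the 'Files Created' section of a ComboFix log and flags newly created directories whose leaf names look machine-generated. The sample excerpt is constructed from entry lines in the posted log with the banner lines shortened; the randomness rule (case flips plus digits or a low vowel ratio) is my own rough heuristic and is a prompt for a human to look, not a verdict.

```python
import re

# Constructed excerpt of a ComboFix log; the entry lines are copied from the
# 'Files Created' section posted above, the section banners are shortened.
SAMPLE_COMBOFIX = r"""
((((((((((( Files Created from 2011-10-22 to 2011-11-22 )))))))))))
.
.
2011-11-21 09:38 . 2011-11-21 09:38 -------- d-----w- c:\program files\Windows Media Connect 2
2011-11-21 09:36 . 2011-11-22 17:04 -------- d-----w- c:\windows\system32\LogFiles
2011-11-17 22:19 . 2011-11-21 09:29 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-14 04:21 . 2011-11-14 04:22 -------- d-----w- c:\program files\Cobian Backup 10
2011-11-11 05:28 . 2011-11-11 05:28 -------- d-----w- c:\documents and settings\Daniel\Application Data\Malwarebytes
2011-11-11 05:27 . 2011-09-01 01:00 22216 ------w- c:\windows\system32\drivers\mbam.sys
2011-11-09 21:27 . 2011-11-09 21:27 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-11-09 20:54 . 2011-11-09 20:54 -------- d-----w- c:\documents and settings\Daniel\Application Data\rnnG44aQH
2011-11-09 20:54 . 2011-11-09 20:54 -------- d-----w- c:\documents and settings\Daniel\Application Data\nOBBtxxP0uc1iD3
2011-11-09 20:54 . 2011-11-09 20:54 -------- d-----w- c:\documents and settings\Daniel\Application Data\NXXwwkUVVlOBtPy
.
.
((((((((((( Find3M Report )))))))))))
.
2011-10-07 13:23 . 2010-09-07 10:48 230608 ------w- c:\windows\system32\drivers\avgldx86.sys
"""

# two timestamps as ComboFix prints them, size (or dashes for a directory),
# an 8-character attribute field whose first character is 'd' for directories,
# then the path
ENTRY_RE = re.compile(
    r"^(?P<stamp1>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<stamp2>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
VOWELS = set("aeiouAEIOU")


def parse_files_created(log_text):
    """Entries of the 'Files Created' section only.  The Find3M section that
    follows uses the same line format, so the next banner ends the section."""
    entries = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line.startswith("((("):
            if in_section:
                break
            in_section = "Files Created" in line
            continue
        m = ENTRY_RE.match(line)
        if in_section and m:
            e = m.groupdict()
            e["is_dir"] = e["attrs"].startswith("d")
            e["leaf"] = e["path"].rsplit("\\", 1)[-1]
            entries.append(e)
    return entries


def looks_random(name):
    """Rough heuristic for machine-generated names such as 'rnnG44aQH':
    at least 8 characters, letters and digits only, three or more upper/lower
    case flips between consecutive letters, and either a digit present or a
    vowel ratio under 20%.  Ordinary CamelCase names ('UserData', 'LogFiles')
    keep a normal vowel ratio and so pass."""
    if len(name) < 8 or not name.isalnum():
        return False
    letters = [c for c in name if c.isalpha()]
    if not letters:
        return False
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    has_digit = any(c.isdigit() for c in name)
    vowel_ratio = sum(1 for c in letters if c in VOWELS) / len(letters)
    return flips >= 3 and (has_digit or vowel_ratio < 0.2)


def suspicious_new_dirs(log_text):
    """Paths of newly created directories whose leaf name looks machine-generated."""
    return [e["path"] for e in parse_files_created(log_text)
            if e["is_dir"] and looks_random(e["leaf"])]


if __name__ == "__main__":
    for path in suspicious_new_dirs(SAMPLE_COMBOFIX):
        print("check:", path)
```

The script deliberately looks only at directories: file names such as FlashPlayerCPLApp.cpl are CamelCase-heavy enough to sit near the threshold, and a name heuristic is no substitute for hashing the files inside a flagged folder and checking them against a known source.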

#10 strangedays

  • Topic Starter
  • Members
  • 23 posts

Posted 23 November 2011 - 05:36 AM

SecurityCheck results...



Results of screen317's Security Check version 0.99.28
Windows XP Service Pack 2 x86
Out of date service pack!!
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG 2012
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
Java™ 6 Update 24
Java version out of date!
Adobe Flash Player 11.1.102.55
Mozilla Firefox (8.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````




I ran a scan with AVG today but it still can't remove that trojan.
Also, some folders popped up out of nowhere on each of my drives.
They have names like "RECYCLER" and "$AVG" and other things.
Any idea what that's about?

But my main concern is just getting the trojan infection healed.

I really appreciate all your help so far. I'll update my software for better security when we're through with this.

#11 nasdaq

  • Malware Response Team
  • 39,191 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 November 2011 - 11:48 AM

They have names like "RECYCLER" and "$AVG" and other things.


The folders you delete are in your Recycle bin. Flush the bin.

===

What is the exact error about "$AVG"? Some files in the quarantine folder may be identified and are being reported as false positives.

#12 strangedays

  • Topic Starter
  • Members
  • 23 posts

Posted 23 November 2011 - 12:18 PM

Basically, when I go into my F partition drive with Windows Explorer from My Computer...
there are some new folders that appeared by themselves.
I just noticed them today. Here are their exact names:

- $AVG
- 9b28ad94402bf05a6adf663d
- a69e8649efe714fbaa48a4775c1e68
- MSOCache

They're just there among my usual files.
They all contain various contents inside them.
Some contents can only be seen if I turn on "show hidden" in my folder options.

The $AVG folder also appears in my H drive - which is an external hard drive.

There was a "RECYCLER" folder too, but it disappeared immediately after flushing the recycle bin.

Hope that's making sense... Let me know if you need more details.

#13 strangedays

  • Topic Starter
  • Members
  • 23 posts

Posted 23 November 2011 - 12:32 PM

To give you an idea of what's inside the folders...

The $AVG folder contains a hidden folder called "$VAULT".
Inside that are 2 .fil files and 1 .idx file.

9b28ad94402bf05a6adf663d folder contains 3 hidden files
- wga_eula.txt
- wganotifypackageinner.exe
- wgasetup.exe

a69e8649efe714fbaa48a4775c1e68 folder contains two hidden folders holding various dlls and other things.

The MSOCache folder contains many folders and files. All unhidden and much of it carrying the Microsoft name.

Maybe I can just delete this stuff and hope it doesn't come back?

#14 nasdaq

  • Malware Response Team
  • 39,191 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 November 2011 - 01:55 PM

The $AVG folder contains a hidden folder called "$VAULT".

The files are quarantined. Not doing anything.

Look at your AVG program options and see if you can empty the $VAULT (QUARANTINE FOLDER)

#15 strangedays

  • Topic Starter
  • Members
  • 23 posts

Posted 23 November 2011 - 02:43 PM

Emptied the Virus Vault in AVG, but the folders are still there in my F drive.
If they're not doing anything, would it hurt to just delete them?
My F drive holds the files I access day to day during work so it's a bit of a distraction.



