Infection with Sirefef-HJ, Alureon-AOW


  • This topic is locked
22 replies to this topic

#1 HeeHaw5130

HeeHaw5130

  • Members
  • 50 posts
  • OFFLINE
  • Local time:06:56 AM

Posted 16 December 2011 - 01:40 PM

Hello. A few days ago, my Avast scanner detected a rootkit infection in the i8042prt.sys driver file called "Win32:Alureon-AOW" while I was visiting a website. I had my AV quarantine it, but it still asked me to run it in its sandbox about two or three times. Something tells me it didn't detect it in time before it could run any code. After quarantining it, I had it restart and run a boot scan as it requested. During this scan, it picked up "Java:Agent-AGD [Expl]" inside 'C:\Documents and Settings\Doug Plemms\Application Data\Sun\Java\Deployment\cache\6.0\26\593ae75a-358fa0f4|>xmltree\kondar.class.' Seeing as I had to leave for work at the time, I let it run and just sit there until I returned. After coming back, I noticed I couldn't use my mouse or keyboard, so I rebooted it, went into the boot options menu and used Last Known Good Configuration to get it to work. Then I had it run a custom scan using the heaviest scan settings I could find, and it picked up three more infections of "Sirefef-HJ [Trj]" in the following locations/files:

C:\Documents and Settings\doug plemms\Local Settings\Application Data\aqv.exe
C:\Documents and Settings\doug plemms\Local Settings\temp\gggf0.4912269561487549.exe
C:\Documents and Settings\doug plemms\Local Settings\temp\nnnv0.5044841501629642.exe

I've tried to quarantine the last two at the bottom, but it doesn't work, nor do they disappear from their locations. Once in a while, nnnv0.5044841501629642.exe tries to run, but Avast always picks it up before it does so. At the time of this post, this thing is also trying to keep my monitor turned off to keep me from getting help (didn't even know malware could do *that!*).

Help would be appreciated. Thanks. Take note that I disabled my AV for proper use of DDS as instructed:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by doug plemms at 5:59:32 on 2011-12-16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1640 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sygate Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ralink\Common\RalinkRegistryWriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\WTMKM.exe
svchost.exe
C:\Program Files\Ralink\Common\RaUI.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [MacrokeyManager] WTMKM.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1277113145421
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: Interfaces\{C53A9AF9-A376-41EC-9D11-388D92E39AA5} : NameServer = 192.168.254.254
Notify: AtiExtEvent - Ati2evxx.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\doug plemms\application data\mozilla\firefox\profiles\t6wqn1ta.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.fark.com
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-11 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-21 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-21 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-21 44768]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RalinkRegistryWriter.exe [2010-6-21 75040]
R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s --> c:\windows\system32\atwtusb.exe -s [?]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2010-6-21 963712]
S3 hp4200c;%usbscan.SvcDesc%;c:\windows\system32\drivers\hp4200c.sys [2010-7-10 9312]
S3 RAPIProtocol;Ralink RAPI Protocol Driver;c:\windows\system32\drivers\RAPIProtocol.sys [2010-6-21 16512]
S4 vsdatant;vsdatant; [x]
.
=============== Created Last 30 ================
.
2011-12-14 20:50:46 334336 ----a-w- c:\documents and settings\doug plemms\local settings\application data\aqv.exe
.
==================== Find3M ====================
.
2011-11-30 19:23:56 1480 ----a-w- c:\windows\AUTOLNCH.REG
2011-11-28 18:01:25 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 17:53:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-18 19:46:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 6:00:25.73 ===============
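
A defender's first pass over the DDS log above, as an added example (not code from the thread, from the DDS tool or from BleepingComputer). It applies the checks a helper makes by eye to lines copied from the log and to the three paths named in the post: executables under the user profile's temp or Application Data folders, autoruns given as a bare file name, services whose image file is missing or unverifiable, and hosts-file redirects. The regular expressions and the "random name" threshold are assumptions, not part of any tool's logic.

```python
"""Triage heuristics for DDS log lines.

Added example for this thread; not code from BleepingComputer, from the
DDS tool or from the poster.  The checks and thresholds are assumptions
that mirror what a helper looks for by eye in the log above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# .exe under the per-user temp / Application Data folders, the drop
# locations named in the first post.
USER_DROP_DIR = re.compile(
    r"\\local settings\\(temp|application data)\\[^\\]+\.exe\b", re.IGNORECASE)
# Naming scheme of the two temp files avast! could not quarantine:
# a few letters, one digit, a dot, then a long run of digits.
RANDOM_NAME = re.compile(r"\\[a-z]{3,5}\d\.\d{8,}\.exe\b", re.IGNORECASE)

SERVICE_LINE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*)$")   # R1 name;display;path [..]
RUN_LINE = re.compile(r"^[ums]Run:\s+\[([^\]]+)\]\s+(\S+)")        # mRun: [key] command
HOSTS_LINE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")               # Hosts: ip hostname


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def triage_line(line: str) -> list[Finding]:
    """Return every finding for one DDS log line (empty list = nothing notable)."""
    line = line.strip()
    found: list[Finding] = []

    m = SERVICE_LINE.match(line)
    if m and m.group(3).strip().endswith(("[?]", "[x]")):
        # DDS prints [x] when the image file is missing and [?] when it
        # could not read the file's date and size.
        found.append(Finding(line, f"service {m.group(1)}: image file missing or unverifiable"))

    m = RUN_LINE.match(line)
    if m and "\\" not in m.group(2):
        # A bare file name is resolved through the search path at logon,
        # so the log alone does not say which file actually runs.
        found.append(Finding(line, f"autorun {m.group(1)} is a bare file name; confirm its location"))

    m = HOSTS_LINE.match(line)
    if m and m.group(1) in ("127.0.0.1", "0.0.0.0"):
        found.append(Finding(line, f"hosts file redirects {m.group(2)} to {m.group(1)}"))

    if USER_DROP_DIR.search(line):
        found.append(Finding(line, "executable under the user profile's temp/Application Data"))
    if RANDOM_NAME.search(line):
        found.append(Finding(line, "random-looking file name"))
    return found


def triage(lines: list[str]) -> list[Finding]:
    """Run triage_line over a whole log and collect the findings."""
    return [f for line in lines for f in triage_line(line)]


# Lines copied from the DDS log and the post above (the last two are the
# temp-folder paths the poster listed, not DDS output).
SAMPLE_LINES = [
    r"mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui",
    r"mRun: [MacrokeyManager] WTMKM.exe",
    r"mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"Hosts: 127.0.0.1 www.spywareinfo.com",
    r"R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-11 435032]",
    r"R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s --> c:\windows\system32\atwtusb.exe -s [?]",
    r"S4 vsdatant;vsdatant; [x]",
    r"2011-12-14 20:50:46 334336 ----a-w- c:\documents and settings\doug plemms\local settings\application data\aqv.exe",
    r"2011-11-28 17:53:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys",
    r"C:\Documents and Settings\doug plemms\Local Settings\temp\gggf0.4912269561487549.exe",
    r"C:\Documents and Settings\doug plemms\Local Settings\temp\nnnv0.5044841501629642.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.reason}\n    {f.line}")
```

Each finding is a prompt to verify, not a verdict: the bare-name autorun here (WTMKM.exe) turns out to be a legitimate tablet utility once ComboFix resolves its path later in the thread.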


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:56 AM

Posted 17 December 2011 - 04:17 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 HeeHaw5130

HeeHaw5130
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:06:56 AM

Posted 19 December 2011 - 05:48 AM

Wow, ComboFix right off the bat. It also told me that I have a ZeroAccess rootkit that inserted itself into my TCP stack. Would there be anything I would still have to do to that even after malware removal?

Also, my firewall told me about a file called PING.3XE going outbound. I let it go because I didn't want to risk screwing up the scan. Just to make sure, was that part of CF as well?

Here's the CF report:


ComboFix 11-12-19.01 - Doug Plemms 12/19/2011 4:58.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1654 [GMT -5:00]
Running from: c:\documents and settings\Doug Plemms\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sygate Personal Firewall *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Doug Plemms\WINDOWS
c:\windows\$NtUninstallKB54840$
c:\windows\$NtUninstallKB54840$\2729584078
c:\windows\alcrmv.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-19 to 2011-12-19 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-30 19:23 . 2010-07-10 16:15 1480 ----a-w- c:\windows\AUTOLNCH.REG
2011-11-28 18:01 . 2010-07-01 09:08 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 18:01 . 2010-06-21 09:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-28 17:53 . 2011-03-11 12:09 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-28 17:53 . 2010-06-21 09:01 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-28 17:52 . 2010-06-21 09:01 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-28 17:52 . 2010-06-21 09:01 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-28 17:52 . 2010-06-21 09:01 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-11-28 17:51 . 2010-06-21 09:01 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-11-28 17:51 . 2010-06-21 09:01 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-28 17:48 . 2010-06-21 09:01 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-11-18 19:46 . 2011-05-20 12:12 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2010-06-21 06:53 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2006-02-28 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2006-02-28 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"MacrokeyManager"="WTMKM.exe" [2009-08-11 5586664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\Ralink\Common\RaUI.exe [2010-6-21 1662976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hplampc]
2002-01-17 14:40 40448 ----a-w- c:\windows\system32\hplampc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
2003-03-11 20:24 86016 ----a-w- c:\program files\Intel\NCS\PROSet\PRONoMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2003-08-15 07:34 57344 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 16:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/11/2011 7:09 AM 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/21/2010 4:01 AM 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/21/2010 4:01 AM 20568]
R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s --> c:\windows\system32\atwtusb.exe -s [?]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [6/21/2010 3:36 AM 963712]
S3 hp4200c;%usbscan.SvcDesc%;c:\windows\system32\drivers\hp4200c.sys [7/10/2010 11:15 AM 9312]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: Interfaces\{C53A9AF9-A376-41EC-9D11-388D92E39AA5}: NameServer = 192.168.254.254
FF - ProfilePath - c:\documents and settings\Doug Plemms\Application Data\Mozilla\Firefox\Profiles\t6wqn1ta.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.fark.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-19 05:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2504)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\smc.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Ralink\Common\RalinkRegistryWriter.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\atwtusb.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WTMKM.exe
.
**************************************************************************
.
Completion time: 2011-12-19 05:34:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-19 10:34
.
Pre-Run: 479,211,823,104 bytes free
Post-Run: 479,203,880,960 bytes free
.
- - End Of File - - FF694BE56464B53009E6264D11E8800C

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:56 AM

Posted 19 December 2011 - 08:59 AM

Hi,

Disable the firewall when running the scans so it doesn't interfere. The stack should be OK now.


Please run the following:


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



NEXT



  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 HeeHaw5130

HeeHaw5130
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:06:56 AM

Posted 20 December 2011 - 07:05 AM

TDSSKiller report:
05:53:47.0234 2632 PSched - ok
05:53:47.0250 2632 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
05:53:47.0250 2632 Ptilink - ok
05:53:47.0250 2632 ql1080 - ok
05:53:47.0265 2632 Ql10wnt - ok
05:53:47.0281 2632 ql12160 - ok
05:53:47.0296 2632 ql1240 - ok
05:53:47.0312 2632 ql1280 - ok
05:53:47.0328 2632 RAPIProtocol (488090449877fb7f9c2aff9ebf6689da) C:\WINDOWS\system32\DRIVERS\RAPIProtocol.sys
05:53:47.0328 2632 RAPIProtocol - ok
05:53:47.0343 2632 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
05:53:47.0359 2632 RasAcd - ok
05:53:47.0375 2632 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
05:53:47.0375 2632 Rasl2tp - ok
05:53:47.0406 2632 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
05:53:47.0406 2632 RasPppoe - ok
05:53:47.0406 2632 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
05:53:47.0421 2632 Raspti - ok
05:53:47.0437 2632 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
05:53:47.0437 2632 RDPCDD - ok
05:53:47.0468 2632 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
05:53:47.0468 2632 RDPWD - ok
05:53:47.0500 2632 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
05:53:47.0500 2632 redbook - ok
05:53:47.0546 2632 RT80x86 (19daacb2627a62956bb837e0e4fa6494) C:\WINDOWS\system32\DRIVERS\RT2860.sys
05:53:47.0546 2632 RT80x86 - ok
05:53:47.0593 2632 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
05:53:47.0593 2632 Secdrv - ok
05:53:47.0609 2632 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
05:53:47.0625 2632 Serial - ok
05:53:47.0765 2632 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
05:53:47.0765 2632 Sfloppy - ok
05:53:47.0781 2632 Simbad - ok
05:53:47.0812 2632 Sparrow - ok
05:53:47.0843 2632 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
05:53:47.0843 2632 splitter - ok
05:53:47.0859 2632 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
05:53:47.0859 2632 sr - ok
05:53:47.0890 2632 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
05:53:47.0890 2632 swenum - ok
05:53:47.0906 2632 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
05:53:47.0906 2632 swmidi - ok
05:53:47.0921 2632 symc810 - ok
05:53:47.0937 2632 symc8xx - ok
05:53:47.0953 2632 sym_hi - ok
05:53:47.0968 2632 sym_u3 - ok
05:53:47.0984 2632 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
05:53:47.0984 2632 sysaudio - ok
05:53:48.0031 2632 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
05:53:48.0031 2632 Tcpip - ok
05:53:48.0046 2632 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
05:53:48.0062 2632 TDPIPE - ok
05:53:48.0062 2632 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
05:53:48.0078 2632 TDTCP - ok
05:53:48.0109 2632 Teefer (99336d4da97b4eeaafab46a4f8e512e6) C:\WINDOWS\system32\Drivers\Teefer.sys
05:53:48.0109 2632 Teefer - ok
05:53:48.0125 2632 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
05:53:48.0125 2632 TermDD - ok
05:53:48.0156 2632 TosIde - ok
05:53:48.0187 2632 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
05:53:48.0203 2632 Udfs - ok
05:53:48.0203 2632 ultra - ok
05:53:48.0234 2632 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
05:53:48.0250 2632 Update - ok
05:53:48.0281 2632 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
05:53:48.0281 2632 usbccgp - ok
05:53:48.0296 2632 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
05:53:48.0296 2632 usbehci - ok
05:53:48.0328 2632 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
05:53:48.0328 2632 usbhub - ok
05:53:48.0359 2632 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
05:53:48.0359 2632 usbscan - ok
05:53:48.0390 2632 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
05:53:48.0390 2632 USBSTOR - ok
05:53:48.0406 2632 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
05:53:48.0406 2632 usbuhci - ok
05:53:48.0437 2632 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
05:53:48.0437 2632 VgaSave - ok
05:53:48.0468 2632 vhidmini (4a2c339b9e848e5099411577be01e0ff) C:\WINDOWS\system32\DRIVERS\walvhid.sys
05:53:48.0468 2632 vhidmini - ok
05:53:48.0484 2632 ViaIde - ok
05:53:48.0500 2632 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
05:53:48.0500 2632 VolSnap - ok
05:53:48.0515 2632 vsdatant - ok
05:53:48.0546 2632 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
05:53:48.0562 2632 Wanarp - ok
05:53:48.0562 2632 WDICA - ok
05:53:48.0578 2632 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
05:53:48.0593 2632 wdmaud - ok
05:53:48.0625 2632 wg3n (a67340b874df9eaf5b226e5f3473b9da) C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys
05:53:48.0625 2632 wg3n - ok
05:53:48.0640 2632 wg4n (851216e2816b7b7e74b5f7ef1d4acfb7) C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys
05:53:48.0640 2632 wg4n - ok
05:53:48.0656 2632 wg5n (aedd1fe0df660411d15da3c57cfc2402) C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys
05:53:48.0656 2632 wg5n - ok
05:53:48.0687 2632 wg6n (dd0d719a58df79086462bd5fc972a908) C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys
05:53:48.0687 2632 wg6n - ok
05:53:48.0734 2632 WpdUsb (1385e5aa9c9821790d33a9563b8d2dd0) C:\WINDOWS\system32\Drivers\wpdusb.sys
05:53:48.0734 2632 WpdUsb - ok
05:53:48.0750 2632 wpsdrvnt (93c145dceb13156322423efd62d4549a) C:\WINDOWS\system32\drivers\wpsdrvnt.sys
05:53:48.0765 2632 wpsdrvnt - ok
05:53:48.0796 2632 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
05:53:48.0906 2632 \Device\Harddisk0\DR0 - ok
05:53:48.0906 2632 Boot (0x1200) (c311693a873ce6d7735cf8f8c30781f5) \Device\Harddisk0\DR0\Partition0
05:53:48.0906 2632 \Device\Harddisk0\DR0\Partition0 - ok
05:53:48.0906 2632 ============================================================
05:53:48.0906 2632 Scan finished
05:53:48.0906 2632 ============================================================
05:53:48.0921 2652 Detected object count: 0
05:53:48.0921 2652 Actual detected object count: 0


MBAM report:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8401

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/20/2011 5:59:30 AM
mbam-log-2011-12-20 (05-59-30).txt

Scan type: Quick scan
Objects scanned: 167853
Time elapsed: 1 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET Scanner report:
C:\Documents and Settings\Doug Plemms\Application Data\Sun\Java\Deployment\cache\6.0\26\593ae75a-358fa0f4 Java/Agent.DY trojan
C:\Documents and Settings\Doug Plemms\Application Data\Sun\Java\Deployment\cache\6.0\52\128aa334-580a0b45 Java/Exploit.CVE-2011-3544.F trojan
C:\System Volume Information\_restore{106EB629-6560-4926-B767-173525A1A94E}\RP1\A0000057.exe a variant of Win32/Kryptik.XIS trojan

#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 20 December 2011 - 08:53 AM

Hi,

We just need to update Java and clear the cache.

Please do the following:

Your Java is out of date.
Java™ 6 Update 26 can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java icon (looks like a coffee cup). If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - leave BOTH checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.


NEXT

Please post a fresh DDS Log and advise how the computer is running and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 HeeHaw5130
  • Topic Starter
  • Members
  • 50 posts

Posted 20 December 2011 - 03:59 PM

Would I need to simply delete all restore points in order to get rid of the Kryptik.XIS trojan?

#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 20 December 2011 - 05:03 PM

Yes, it's in an old restore point; we will clean those up shortly when we do the tool clean-up routine, but if you want to look after it now, please do the following:


Click Start > Run > copy and paste the following into the run box:

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point, then click Next.
Name it (something you'll remember) and click Create.
When the confirmation screen shows the restore point has been created, click Close.

Now remove all previous Restore Points:
Click Start > Run > copy and paste the following into the run box:

cleanmgr

Choose to scan drive C:\ (if C:\ is your main drive). At the top, click on the More Options tab. Click the Clean up button in the System Restore box.
Click on the Yes button.
When finished, click on the Cancel button to exit.


NEXT

Please don't forget to provide the new DDS Log and advise if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 HeeHaw5130
  • Topic Starter
  • Members
  • 50 posts

Posted 21 December 2011 - 07:20 AM

I updated Java first, then created the new restore point & deleted the old one. One small thing: I think ComboFix did something to where the Avast icon doesn't show up in the System Tray after the OS finishes starting up. Any way to fix that?

And along with the DDS post, I've also attached a new "attach.txt" file as well.


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by Doug Plemms at 7:08:12 on 2011-12-21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1615 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sygate Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Ralink\Common\RalinkRegistryWriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\WTMKM.exe
C:\Program Files\Ralink\Common\RaUI.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [MacrokeyManager] WTMKM.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1277113145421
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: Interfaces\{C53A9AF9-A376-41EC-9D11-388D92E39AA5} : NameServer = 192.168.254.254
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\doug plemms\application data\mozilla\firefox\profiles\t6wqn1ta.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.fark.com
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-11 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-21 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-21 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-21 44768]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RalinkRegistryWriter.exe [2010-6-21 75040]
R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s --> c:\windows\system32\atwtusb.exe -s [?]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2010-6-21 963712]
S3 hp4200c;%usbscan.SvcDesc%;c:\windows\system32\drivers\hp4200c.sys [2010-7-10 9312]
S3 RAPIProtocol;Ralink RAPI Protocol Driver;c:\windows\system32\drivers\RAPIProtocol.sys [2010-6-21 16512]
S4 vsdatant;vsdatant; [x]
.
=============== Created Last 30 ================
.
2011-12-20 11:15:20 -------- d-----w- c:\program files\ESET
2011-12-19 09:52:14 98816 ----a-w- c:\windows\sed.exe
2011-12-19 09:52:14 518144 ----a-w- c:\windows\SWREG.exe
2011-12-19 09:52:14 256000 ----a-w- c:\windows\PEV.exe
2011-12-19 09:52:14 208896 ----a-w- c:\windows\MBR.exe
.
==================== Find3M ====================
.
2011-11-30 19:23:56 1480 ----a-w- c:\windows\AUTOLNCH.REG
2011-11-28 18:01:25 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 17:53:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-18 19:46:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 10:54:13 472808 -c--a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 7:09:02.28 ===============


How's it looking?




#10 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 21 December 2011 - 08:22 AM

There is probably a setting within Avast for the system tray icon: open the interface and see if you can find anything for "real time" monitoring and ensure it is enabled. Usually a reboot takes care of it.


The log looks good, just some housekeeping to do now, please do the following:


You can delete the TDSSKiller, DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the ..X and the /U; it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean.
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well-written article:
    PC Safety and Security--What Do I Need?


**Be very wary of any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
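An added check for the Internet Explorer zone hardening described in the post above (example script, not from the thread or from BleepingComputer): it reads back the three ActiveX settings for the Internet zone and reports whether they match the recommended Prompt/Prompt/Disable values. The registry key and the value names 1001, 1004 and 1201 are taken from Microsoft's documentation of the Internet Explorer security zones, not from the thread; the -Apply switch is this script's own.

```powershell
# Added example, not from the thread: verify (and optionally apply) the three
# Internet-zone ActiveX settings the post above changes through Inetcpl.cpl.
# Registry key and value names come from Microsoft's documentation of the
# Internet Explorer security zones; -Apply is this script's own switch.
param([switch]$Apply)

# Zone 3 is the Internet zone. Per-user settings live under HKCU; a machine-wide
# policy (if one is configured) can override them, so this reads the user view only.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Value name -> the setting it controls and the value the post recommends.
# Zone DWORD meanings: 0 = Enable, 1 = Prompt, 3 = Disable.
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$wanted = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 1 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
}

function Get-ZoneSetting([string]$Key, [string]$ValueName) {
    # $null when the value is absent; IE then falls back to the zone template default.
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-ZoneSetting([string]$Key, [string]$ValueName, [int]$Value) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $ValueName -Value $Value -Type DWord
}

$needsFix = 0
foreach ($entry in $wanted.GetEnumerator()) {
    $current = Get-ZoneSetting -Key $zoneKey -ValueName $entry.Key
    $target  = $entry.Value.Want
    $state   = if ($null -eq $current) { 'not set' } elseif ($labels.ContainsKey($current)) { $labels[$current] } else { "raw value $current" }

    if ($current -eq $target) {
        $tag = '[ OK ]'
    } elseif ($Apply) {
        Set-ZoneSetting -Key $zoneKey -ValueName $entry.Key -Value $target
        $tag   = '[SET ]'
        $state = "$state -> $($labels[$target])"
    } else {
        $tag = '[FIX ]'
        $needsFix++
    }
    '{0} {1,-62} want {2,-7} is {3}' -f $tag, $entry.Value.Name, $labels[$target], $state
}

if ($needsFix -gt 0) {
    "$needsFix setting(s) differ from the recommendation; re-run with -Apply to set them for the current user."
} else {
    'Internet zone ActiveX settings match the recommendation.'
}
```

Run it without -Apply first to see the current state; a value reported as "not set" means IE is using the zone template default rather than an explicit choice.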


#11 HeeHaw5130
  • Topic Starter
  • Members
  • 50 posts

Posted 21 December 2011 - 03:20 PM

It's still not coming up, even if the tray icon setting is checked.

#12 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 21 December 2011 - 03:26 PM

Please uninstall Avast completely: remove it through Add/Remove Programs, then use the removal tool, then re-install it.

Avast removal tool:

http://www.avast.com/eng/avast-uninstall-utility.html

Sometimes it's not possible to uninstall avast! the standard way - using the ADD/REMOVE PROGRAMS in control panel. In this case, you can use our uninstallation utility aswClear.

How to uninstall our software using aswClear.exe:
  • Download aswClear.exe on to your desktop
  • Open (execute) it
  • If you installed avast! in a different folder than the default, browse for it. (Note: Be careful! The content of any folder you choose will be deleted!)
  • Click REMOVE
  • Restart your computer

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 HeeHaw5130
  • Topic Starter
  • Members
  • 50 posts

Posted 23 December 2011 - 08:18 PM

Done. For some reason, AvastUI.exe wasn't starting up at boot, but the icon is showing up now after reinstalling.

#14 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 December 2011 - 08:21 PM

Good,

make sure you follow the clean up routine from my previous post, then you should be good to go :)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 HeeHaw5130
  • Topic Starter
  • Members
  • 50 posts

Posted 25 December 2011 - 03:41 AM

*sigh....*

I'm going to *completely* isolate Java from ever accessing the internet ever, ever again. Avast just detected and blocked a connection that a .JAR file was attempting to make as I was browsing UrbanDictionary.com. The detection is "Java:CVE-2011-3544-AH." At least I hope it blocked it, because it said the same thing for when I got infected with the malware we just took care of.

I've unchecked IE and FireFox from the "Default Java for browsers" section in Java's control panel, disabled the "Java Console" extension and "Deployment Toolkit" & "Java Platform SE 6" plug-ins in FF, and finally disassociated its use in IE. Are there any other settings I need to take care of? I'd really love to uninstall it, but OpenOffice requires it. Cutting off its network access will have to do.

And is there a comprehensive guide on understanding DDS and GMER logs, along with the logs for all the other tools we've used? This way I won't have to keep bugging BC for every rootkit that's detected since I'm still quite horrible in dealing with those things.

Thank you for your help so far.



