Internet Security Virus leading to Ping.exe issue


  • This topic is locked
30 replies to this topic

#1 Emerald Light

Emerald Light

  • Members
  • 25 posts
  • Gender:Male
  • Location:Fayetteville, GA

Posted 25 December 2011 - 04:34 PM

I recently acquired the XP Security virus and used the suggestions on your site through use of your routines and manual removal of files. I was left with a ping.exe issue that hogged computer resources to the point the system completely locked, except for mouse movements. Unfortunately, I saw your suggestion to use the ComboFix.exe before I saw your outline of how to begin the troubleshooting procedure. I was not connected to the internet when I executed ComboFix. The extraction list scrolled on the screen and the program seemed to terminate normally, but I could not find any log generated by ComboFix (I looked further than in C:\).
I am running XP Home Edition V 5.1 under Service Pack 3 and keep up with all updates. My system now seems to be back to the point where I can only erratically execute any programs, My Computer Icon, or a normal shutdown in Normal Mode. I have to do a power down in Normal Mode since the normal shut off does nothing. I also have to power down from Safe Mode, where during a normal shut down process I get a repeating Windows Application Error – “The application failed to initialize properly (0xc0000017). Click on OK to terminate the application.”
I ran the DeFogger, DDS and GMER in Normal mode, but I encountered “problems” with GMER. The system shut it down and froze the computer in Normal mode before I could save the log, so I had to power down and rerun GMER, stopping it after it started looking at program/data files. I am not sure this yields the information you need for analysis. I also ran GMER in Safe Mode (which ran for almost 12 hours before abnormally terminating; I have a lot of files), and I received a message “GMER has found system modification caused by a ROOTKIT activity.” At that point, the scan stopped. I have enclosed the logs I received from the DDS (Normal mode) and GMER (both Normal and Safe Mode) programs.
This is my first posting on your site (except for a greeting). Any suggestions for a next step?

Thank you for the time you devote to helping others.

John

Attached Files





#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,732 posts
  • Gender:Male

Posted 31 December 2011 - 04:35 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/434452 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 January 2012 - 02:04 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
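Both HelpBot and Gringo ask the poster for a fresh DDS log, and the first thing a responder does with one is scan its "Running Processes" section for images that should not be there. As an added illustration, not part of this thread and not code from DDS, BleepingComputer or the responders, here is a small Python triage pass over that section. It applies three heuristics that match what a responder looks for in this kind of log: an executable launched from a Temp folder, an unexpected executable sitting directly in C:\WINDOWS next to the real system files, and a normally short-lived command-line tool such as ping.exe still alive at scan time (the symptom the original poster describes). The sample log lines, the %SystemRoot% allow-list and the short-lived-tool list are constructed assumptions for the example, not a complete inventory of Windows XP.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the "Running Processes" section of a DDS log.
# These lines are an illustration for this example, not a log taken from the thread.
SAMPLE_DDS = r"""============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\DOCUME~1\User\LOCALS~1\Temp\bwgo0001d685.exe
C:\WINDOWS\svcs.exe
C:\WINDOWS\System32\ping.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.example.com
"""

# Lower-case path fragments that identify user-writable temporary locations
# (DDS prints paths in 8.3 form, so "\locals~1\temp\" is covered by "\temp\").
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")

# Executables that legitimately live directly under %SystemRoot%.
# Assumption for the example: a short list, not a full Windows XP inventory.
WINDIR_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "updreg.exe"}

# Command-line utilities that normally exit within seconds; one still alive
# when the scan runs is unusual. Assumed list for the example.
SHORT_LIVED_TOOLS = {"ping.exe", "ipconfig.exe", "net.exe"}


def extract_processes(dds_text: str) -> List[str]:
    """Return the entries under 'Running Processes', stopping at the next section banner."""
    entries = []
    in_section = False
    for line in dds_text.splitlines():
        if line.startswith("====="):
            if in_section:
                break
            in_section = "Running Processes" in line
            continue
        line = line.strip()
        if in_section and line and line != ".":
            entries.append(line)
    return entries


def image_path(entry: str) -> str:
    """Strip command-line arguments, keeping the image path (which may contain spaces)."""
    match = re.match(r"(.*?\.exe)(?:\s|$)", entry, re.IGNORECASE)
    if match:
        return match.group(1)
    # DDS sometimes prints "svchost -k ..." without the extension; cut at the first switch.
    return entry.split(" -", 1)[0]


def triage(entries: List[str]) -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs for processes a responder would want to examine."""
    findings = []
    for entry in entries:
        path = image_path(entry).lower()
        directory, _, name = path.rpartition("\\")
        if any(marker in path for marker in TEMP_MARKERS):
            findings.append((entry, "executable running from a temporary directory"))
        elif directory == "c:\\windows" and name not in WINDIR_ALLOWLIST:
            findings.append((entry, "unexpected executable directly under the Windows directory"))
        elif name in SHORT_LIVED_TOOLS:
            findings.append((entry, "short-lived command-line tool still running at scan time"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(extract_processes(SAMPLE_DDS)):
        print(f"{reason}: {entry}")
```

On the constructed sample the pass flags the Temp-folder executable, C:\WINDOWS\svcs.exe and the lingering ping.exe, and leaves svchost, Explorer and the Malwarebytes tray process alone. A hit is a prompt to look closer (file dates, signer, the "Created Last 30" section of the same log), not a verdict on its own; a legitimate program can appear in Temp during an installer run, which is why the heuristics are ordered from strongest to weakest and each entry gets only its strongest reason.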

#4 Emerald Light

Emerald Light
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Male
  • Location:Fayetteville, GA

Posted 01 January 2012 - 09:37 PM

Thank you for your reply. No apologies - please. Your help on this matter is much appreciated in any time frame.

This post answers the initial set of questions and actions requested with your first response:

I recently acquired the XP Security virus and used the suggestions on your site through use of your routines and manual removal of files. It seems most of it was removed, but I was left with a ping.exe issue that hogged computer resources to the point the system completely locked, except for mouse movements.

I have not taken much action on my problem since my initial post except to reboot a number of times in attempts to retrieve certain files I needed. The following describes the conditions I currently experience – in both normal and safe mode I have to start the system without an internet connection, otherwise ping.exe takes over and no commands can be executed.

In normal Windows mode, without internet access, the system takes about 3 times longer to boot than before the initial virus attack. After booting, most of the time I cannot execute any commands, open programs or do a normal shutdown ( I must power down). In about 1 boot out of 5, I am able to execute a few commands, open files or do file copies, but eventually the system stops responding except for mouse movements (not clicks). It was during one of these sessions that I was able to generate the new DDS log, and then the new GMER log during another session. The Windows session never lasted long enough to execute both routines. I also believe the system is more unstable if Malwarebyte and/or Norton is running.

Safe mode seems to be a little more stable, but will also lock up if an internet connection is present. I can normally do a regular system shutdown in Safe mode without the need for a power down.

After many boot attempts, I was able to generate the DDS log (enclosed) and execute GMER. The DDS process took about 8 minutes to complete, but GMER never completed. I repeatedly got a message that “GMER has encountered a problem and needs to close. Send a report to Microsoft?”. This always occurred when the program was looking at \device\NTPNP_PCI0013. I was able to save a copy of the log in one of these scans before the system locked up, and it also follows. During one of the attempts to execute GMER, I did get a message in a separate window: “SPYWAREDR with AntiVirus blocked TROJANGEN.” I only got this message once.

This is a Dell 8300 computer (32 bit system), and I do have the XP Reinstallation CD (with SP1). Drivers and applications are on separate CDs. Unfortunately, I have Windows Restore disabled, so I do not have that option to do a restore to a previous date. However, I do have the system backed up with Seagate Replica to an external hard drive, which also allows a system restore. I am reluctant to use this process until I am certain the external drive is not infected. This drive has been disconnected during my troubleshooting procedures. It has not been recently scanned for viruses or other problems.

Gringo, per your second request, I will run ComboFix and report the results.

Thank you again for your assistance.

John

_____________________________

New DDS Log (Normal Windows mode):
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by User at 23:55:59 on 2011-12-31
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.829 [GMT -5:00]
.
AV: PC Tools Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
============== Running Processes ===============
.
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\HPSIsvc.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\PC Tools\PC Tools Security\pctsGui.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\DOCUME~1\User\LOCALS~1\Temp\bwgo0001d685.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\svcs.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\PC Tools\PC Tools Security\pctsAuxs.exe
C:\Program Files\TrippLite\PowerAlert\console\pastatus.exe
C:\Program Files\Intellicast\Intellicast.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Seagate Replica\bin\ReplicaSysMon.exe
C:\Program Files\Seagate Replica\bin\Seagate-Replica-Autoplay.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\PC Tools\PC Tools Security\pctsSvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\ping.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.intellicast.com/National/Radar/Current.aspx?animate=true&location=USGA0210
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dellnet.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
uURLSearchHooks: H - No File
uURLSearchHooks: PC Tools Browser Defender: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [NvMediaCenter] "c:\windows\system32\rundll32.exe" c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\BackWeb-8876480.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] "c:\program files\windows media player\WMPNSCFG.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Pando Media Booster] "c:\program files\pando networks\media booster\PMB.exe"
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ServeMe.exe] "c:\program files\pure networks\network magic\support\serveme.exe"
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [UpdReg] "c:\windows\UpdReg.EXE"
mRun: [DVDSentry] "c:\windows\system32\DSentry.exe"
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [nwiz] "c:\windows\system32\nwiz.exe" /install
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [POINTER] point32.exe
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [masqform.exe] "c:\program files\pureedge\viewer 6.0\masqform.exe" -UpdateCurrentUser
mRun: [Microsoft Works Update Detection] "c:\program files\common files\microsoft shared\works shared\WkUFind.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UserFaultCheck] "%systemroot%\system32\dumprep" 0 -u
mRun: [dvd43] "c:\program files\dvd43\dvd43_tray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [ISTray] "c:\program files\pc tools\pc tools security\pctsGui.exe" /hideGUI
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08d7 -f video -m logitech -d 11.5.0.1145
StartupFolder: c:\docume~1\user\startm~1\programs\startup\intell~1.lnk - c:\program files\intellicast\Intellicast.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 8.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\powera~1.lnk - c:\program files\tripplite\poweralert\console\pastatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
mPolicies-explorer: <NO NAME> =
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
LSP: mswsock.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208867312812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} - hxxp://71.204.108.198/WebClient.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-12-24 331880]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-12-24 341656]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-12-24 660992]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 29832]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2011-12-24 185560]
R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2001-12-4 8464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-21 20464]
R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [2010-12-23 70016]
R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\drivers\PCTBD.sys [2011-12-24 56840]
S3 L2XPSR;L2XPSR;\??\f:\release\l2xpsr.sys --> f:\release\L2XPSR.SYS [?]
S3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [2010-12-22 17408]
S3 NmPar;Unusable Parallel Port;c:\windows\system32\drivers\NmPar.sys [2010-12-23 80256]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2008-3-10 58240]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\drivers\pwi_bus.sys [2006-11-10 55344]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\drivers\pwi_mdfl.sys [2006-11-10 9200]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\drivers\pwi_mdm.sys [2006-11-10 89936]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\drivers\pwi_oflt.sys [2006-11-10 9472]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\drivers\pwi_serd.sys [2006-11-10 69632]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
.
=============== Created Last 30 ================
.
2011-12-24 14:11:32 56840 ----a-w- c:\windows\system32\drivers\PCTBD.sys
2011-12-24 14:11:30 767952 ----a-w- c:\windows\BDTSupport.dll
2011-12-24 14:11:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-12-24 14:11:26 2246608 ----a-w- c:\windows\PCTBDCore.dll
2011-12-24 14:11:25 1681360 ----a-w- c:\windows\PCTBDRes.dll
2011-12-24 14:08:33 253096 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-12-24 14:08:06 17848 ----a-w- c:\windows\system32\drivers\pctBTFix.sys
2011-12-24 14:07:39 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-12-24 14:07:03 -------- d-----w- c:\program files\PC Tools
2011-12-24 14:04:09 660992 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-12-24 14:04:09 341656 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-12-24 14:04:02 331880 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-12-24 14:04:02 162584 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-12-24 14:03:56 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2011-12-24 14:03:56 -------- d-----w- c:\program files\common files\PC Tools
2011-12-24 14:03:08 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-12-24 14:03:03 -------- d-----w- c:\documents and settings\user\application data\TestApp
2011-12-22 14:51:04 508928 ----a-w- c:\windows\svcs.exe
2011-12-22 03:33:28 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes
2011-12-22 03:33:14 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-22 03:33:11 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-22 03:33:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-14 12:04:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-04 12:57:38 72080 ----a-w- c:\documents and settings\user\g2mdlhlpx.exe
.
============= FINISH: 0:04:02.04 ===============


New GMER Log (normal Windows mode):

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-01 01:54:38
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\uglorfob.sys


End of Reply

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 January 2012 - 10:51 PM

OK, run ComboFix and send me the report when you are ready.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#6 Emerald Light

Emerald Light
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Male
  • Location:Fayetteville, GA

Posted 01 January 2012 - 11:13 PM

Gringo,

The infected computer is off-line (since Ping will cripple it). The ComboFix program was downloaded on a different computer and transferred to the infected computer via a thumb drive. I copied it to and executed it on the infected computer and saw a small window with a black background extract a number of files, then a blue screen opened that I believe was a DOS window. It stayed open a few seconds, then closed with no entries on the blue screen. The program and its icon then disappeared off the desktop and nothing else happened. I therefore have no report to send. When I looked at Task Manager, the ping.exe process was still active (but not doing anything since I am off line).
I rebooted, and Ping did not immediately start as a process, but it did appear after about 2 minutes and began to demand ever-increasing CPU use. I killed the ping process, but it returned within a minute or so. I also noted that the ping process takes more CPU cycles after I start an application. Computer reaction to commands is still slow.

John

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 02 January 2012 - 08:23 AM

Hello

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
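A TDSSKiller log runs to hundreds of "- ok" lines, so the few verdicts that are not "ok" are easy to miss when reading it by eye before pasting it into a reply. The Python below is an added example, not code from this thread or from the TDSSKiller tool; it assumes only the two line shapes seen in the log posted in this thread (an inventory line carrying the MD5 and path, then a verdict line ending in "- ok") and the root-directory filename pattern quoted above, and its sample log, the driver name exampledrv, its hash and its non-ok verdict wording are constructed placeholders.

```python
"""Triage a TDSSKiller log before pasting it into a forum reply.

Added example (not code from this thread or from the TDSSKiller tool).
It reads the two line shapes visible in the log posted above:

    HH:MM:SS.mmmm PID <name> (<md5>) <path>     inventory line
    HH:MM:SS.mmmm PID <name> - <status>         verdict line

and reports every object whose verdict is not "ok", joined with the hash
and path recorded for it, so the findings stand out from the "- ok" noise.
"""
import glob
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Location stated in the thread: root directory, TDSSKiller.[Version]_[Date]_[Time]_log.txt
LOG_GLOB = r"C:\TDSSKiller.*_log.txt"

INVENTORY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9A-Fa-f]{32})\)\s+(?P<path>.+)$"
)
VERDICT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+"
    r"(?P<name>.+?)\s+-\s+(?P<status>.+)$"
)


@dataclass
class Finding:
    name: str
    status: str
    md5: Optional[str]
    path: Optional[str]


def parse_tdsskiller_log(text: str) -> List[Finding]:
    """Return every scanned object whose verdict line is not '- ok'."""
    inventory: Dict[str, Tuple[str, str]] = {}
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = INVENTORY_RE.match(line)
        if m:
            # Remember hash and path; the verdict for this name follows later.
            inventory[m["name"]] = (m["md5"].lower(), m["path"].strip())
            continue
        m = VERDICT_RE.match(line)
        if not m:
            continue  # banner and SystemInfo lines carry no verdict
        status = m["status"].strip()
        if status.lower() == "ok":
            continue
        md5, path = inventory.get(m["name"], (None, None))
        findings.append(Finding(m["name"], status, md5, path))
    return findings


def find_latest_log(pattern: str = LOG_GLOB) -> Optional[str]:
    """Newest log matching the pattern, or None when no scan has been run."""
    candidates = glob.glob(pattern)
    if not candidates:
        return None
    return max(candidates, key=os.path.getmtime)


def summarize(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding, for the reply to the helper."""
    if not findings:
        return ["no non-ok verdicts in log"]
    return [
        f"{f.name}: {f.status} md5={f.md5 or '?'} path={f.path or '?'}"
        for f in findings
    ]


# Constructed sample: banner and first entries copied from the thread's log;
# "exampledrv", its hash and its verdict wording are invented placeholders.
SAMPLE_LOG = r"""
08:59:08.0718 1376 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
08:59:09.0234 1376 ============================================================
08:59:09.0234 1376 OS Version: 5.1.2600 ServicePack: 3.0
08:59:19.0109 2068 Scan started
08:59:20.0546 2068 Abiosdsk - ok
08:59:20.0937 2068 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS
08:59:20.0953 2068 abp480n5 - ok
09:00:12.0500 2068 exampledrv (00112233445566778899aabbccddeeff) C:\WINDOWS\system32\drivers\exampledrv.sys
09:00:12.0510 2068 exampledrv - detected Constructed.Sample.Verdict ( 0 )
09:00:13.0000 2068 \Device\Harddisk0\DR0 - ok
"""

if __name__ == "__main__":
    # Use the real log from the root directory when present, else the sample.
    path = find_latest_log()
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_LOG
    print("\n".join(summarize(parse_tdsskiller_log(text))))
```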

#8 Emerald Light

Emerald Light
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Male
  • Location:Fayetteville, GA

Posted 02 January 2012 - 09:39 AM

Gringo,

I executed TDSSKiller and the log follows. Ping.exe now does not come up in Processes. Bootup is still slow and some icons have not come back in my system tray, but applications seem to load OK - things seem to be better.
John

08:59:08.0718 1376 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
08:59:09.0234 1376 ============================================================
08:59:09.0234 1376 Current date / time: 2012/01/02 08:59:09.0234
08:59:09.0234 1376 SystemInfo:
08:59:09.0234 1376
08:59:09.0234 1376 OS Version: 5.1.2600 ServicePack: 3.0
08:59:09.0234 1376 Product type: Workstation
08:59:09.0234 1376 ComputerName: JDGHOME8300
08:59:09.0234 1376 UserName: User
08:59:09.0234 1376 Windows directory: C:\WINDOWS
08:59:09.0234 1376 System windows directory: C:\WINDOWS
08:59:09.0234 1376 Processor architecture: Intel x86
08:59:09.0234 1376 Number of processors: 2
08:59:09.0234 1376 Page size: 0x1000
08:59:09.0234 1376 Boot type: Normal boot
08:59:09.0234 1376 ============================================================
08:59:11.0531 1376 Initialize success
08:59:19.0109 2068 ============================================================
08:59:19.0109 2068 Scan started
08:59:19.0109 2068 Mode: Manual;
08:59:19.0109 2068 ============================================================
08:59:40.0203 2068 Cdrom - ok
08:59:40.0375 2068 CDRPDACC (30b37c18e1725eb9f25039e9a1fb9b7e) C:\Program Files\321Studios\Shared\CDRPDACC.SYS
08:59:40.0375 2068 CDRPDACC - ok
08:59:40.0875 2068 cdudf_xp (a27bc139a443bf4df61a7535533927cc) C:\WINDOWS\system32\drivers\cdudf_xp.sys
08:59:40.0953 2068 cdudf_xp - ok
08:59:41.0312 2068 Changer - ok
08:59:41.0687 2068 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys
08:59:41.0687 2068 CmdIde - ok
08:59:42.0046 2068 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
08:59:42.0046 2068 Compbatt - ok
08:59:42.0484 2068 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys
08:59:42.0484 2068 Cpqarray - ok
08:59:42.0859 2068 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
08:59:42.0859 2068 CVirtA - ok
08:59:43.0359 2068 CVPNDRVA (26deef07394624247d1f549bd94f0b15) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
08:59:43.0406 2068 CVPNDRVA - ok
08:59:43.0906 2068 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys
08:59:43.0968 2068 dac2w2k - ok
08:59:44.0390 2068 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys
08:59:44.0406 2068 dac960nt - ok
08:59:44.0921 2068 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
08:59:44.0953 2068 Disk - ok
08:59:45.0703 2068 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
08:59:46.0312 2068 dmboot - ok
08:59:46.0812 2068 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
08:59:46.0859 2068 dmio - ok
08:59:47.0281 2068 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
08:59:47.0281 2068 dmload - ok
08:59:47.0734 2068 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
08:59:47.0750 2068 DMusic - ok
08:59:48.0203 2068 DNE (7b4fdfbe97c047175e613aa96f3de987) C:\WINDOWS\system32\DRIVERS\dne2000.sys
08:59:48.0203 2068 DNE - ok
08:59:48.0703 2068 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys
08:59:48.0718 2068 dpti2o - ok
08:59:49.0187 2068 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
08:59:49.0375 2068 drmkaud - ok
08:59:49.0531 2068 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
08:59:49.0531 2068 DSproct - ok
08:59:50.0000 2068 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
08:59:50.0000 2068 dsunidrv - ok
08:59:50.0500 2068 dvd43llh (1fc1eed3ea0c3a0ecf8a95b97e1b4831) C:\WINDOWS\system32\DRIVERS\dvd43llh.sys
08:59:50.0500 2068 dvd43llh - ok
08:59:51.0000 2068 DVDVRRdr_xp (879de97d532186cdbe749a7acd508cf0) C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
08:59:51.0062 2068 DVDVRRdr_xp - ok
08:59:51.0515 2068 dvd_2K (6da1951e3de986f1080e6852846df0fb) C:\WINDOWS\system32\drivers\dvd_2K.sys
08:59:51.0515 2068 dvd_2K - ok
08:59:51.0953 2068 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys
08:59:52.0000 2068 E100B - ok
08:59:52.0531 2068 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
08:59:52.0562 2068 EL90XBC - ok
08:59:53.0046 2068 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
08:59:53.0093 2068 Fastfat - ok
08:59:53.0562 2068 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
08:59:53.0562 2068 Fdc - ok
08:59:53.0984 2068 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
08:59:53.0984 2068 Fips - ok
08:59:54.0375 2068 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
08:59:54.0375 2068 Flpydisk - ok
08:59:54.0828 2068 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
08:59:54.0921 2068 FltMgr - ok
08:59:55.0375 2068 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
08:59:55.0375 2068 Fs_Rec - ok
08:59:55.0937 2068 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
08:59:56.0046 2068 Ftdisk - ok
08:59:56.0687 2068 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
08:59:56.0703 2068 gameenum - ok
08:59:57.0078 2068 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
08:59:57.0093 2068 Gpc - ok
08:59:57.0765 2068 Hardlock (c1cc0c9742b881c42f1cc628e6f9ebd1) C:\WINDOWS\system32\drivers\hardlock.sys
08:59:58.0031 2068 Hardlock - ok
08:59:58.0437 2068 HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
08:59:58.0453 2068 HidBatt - ok
08:59:58.0906 2068 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
08:59:58.0906 2068 HidUsb - ok
08:59:59.0406 2068 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys
08:59:59.0750 2068 hpn - ok
09:00:00.0171 2068 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
09:00:00.0203 2068 HPZid412 - ok
09:00:00.0640 2068 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
09:00:00.0671 2068 HPZipr12 - ok
09:00:01.0343 2068 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
09:00:01.0375 2068 HPZius12 - ok
09:00:02.0218 2068 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
09:00:02.0421 2068 HTTP - ok
09:00:03.0140 2068 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
09:00:03.0171 2068 i2omgmt - ok
09:00:03.0875 2068 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys
09:00:03.0875 2068 i2omp - ok
09:00:04.0421 2068 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
09:00:04.0453 2068 i8042prt - ok
09:00:05.0109 2068 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
09:00:05.0156 2068 i81x - ok
09:00:05.0656 2068 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
09:00:05.0656 2068 iAimFP0 - ok
09:00:06.0687 2068 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
09:00:06.0687 2068 iAimFP1 - ok
09:00:07.0234 2068 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
09:00:07.0250 2068 iAimFP2 - ok
09:00:07.0718 2068 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
09:00:07.0718 2068 iAimFP3 - ok
09:00:08.0218 2068 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
09:00:08.0218 2068 iAimFP4 - ok
09:00:08.0640 2068 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
09:00:08.0656 2068 iAimTV0 - ok
09:00:09.0171 2068 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
09:00:09.0281 2068 iAimTV1 - ok
09:00:09.0718 2068 iAimTV2 - ok
09:00:10.0171 2068 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
09:00:10.0187 2068 iAimTV3 - ok
09:00:10.0656 2068 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
09:00:10.0656 2068 iAimTV4 - ok
09:00:11.0156 2068 ICAM3NT5 (673962b31666f877c283a81392eab199) C:\WINDOWS\system32\Drivers\ICAM3D2.SYS
09:00:11.0671 2068 ICAM3NT5 - ok
09:00:12.0234 2068 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
09:00:12.0250 2068 Imapi - ok
09:00:12.0656 2068 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys
09:00:12.0656 2068 ini910u - ok
09:00:13.0093 2068 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys
09:00:13.0093 2068 IntelIde - ok
09:00:13.0484 2068 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
09:00:13.0500 2068 intelppm - ok
09:00:13.0968 2068 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
09:00:13.0984 2068 Ip6Fw - ok
09:00:14.0453 2068 IPFilter (9ea02e03ed52d25551a6e46cf3b94b01) C:\WINDOWS\system32\DRIVERS\IPFilter.sys
09:00:14.0453 2068 IPFilter - ok
09:00:14.0859 2068 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
09:00:14.0875 2068 IpFilterDriver - ok
09:00:15.0593 2068 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
09:00:15.0609 2068 IpInIp - ok
09:00:16.0093 2068 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
09:00:16.0140 2068 IpNat - ok
09:00:16.0640 2068 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
09:00:16.0687 2068 IPSec - ok
09:00:17.0218 2068 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
09:00:17.0234 2068 IRENUM - ok
09:00:17.0843 2068 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
09:00:17.0859 2068 isapnp - ok
09:00:18.0296 2068 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
09:00:18.0312 2068 Kbdclass - ok
09:00:18.0921 2068 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
09:00:18.0921 2068 kbdhid - ok
09:00:19.0421 2068 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
09:00:21.0453 2068 kmixer - ok
09:00:22.0437 2068 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
09:00:22.0500 2068 KSecDD - ok
09:00:22.0500 2068 L2XPSR - ok
09:00:23.0109 2068 lbrtfdc - ok
09:00:23.0625 2068 LVUSBSta (be5e104be263921d6842c555db6a5c23) C:\WINDOWS\system32\drivers\LVUSBSta.sys
09:00:23.0687 2068 LVUSBSta - ok
09:00:24.0375 2068 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
09:00:24.0390 2068 MBAMProtector - ok
09:00:24.0890 2068 mf (a7da20ab18a1bdae28b0f349e57da0d1) C:\WINDOWS\system32\DRIVERS\mf.sys
09:00:24.0906 2068 mf - ok
09:00:25.0421 2068 mmc_2K (8095d2e05301aa131d966492546f1e1c) C:\WINDOWS\system32\drivers\mmc_2K.sys
09:00:25.0421 2068 mmc_2K - ok
09:00:25.0906 2068 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
09:00:25.0906 2068 mnmdd - ok
09:00:26.0437 2068 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
09:00:26.0484 2068 Modem - ok
09:00:26.0921 2068 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
09:00:26.0953 2068 MODEMCSA - ok
09:00:27.0406 2068 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
09:00:27.0421 2068 Mouclass - ok
09:00:27.0906 2068 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
09:00:27.0906 2068 mouhid - ok
09:00:28.0343 2068 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
09:00:28.0343 2068 MountMgr - ok
09:00:28.0812 2068 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\System32\DRIVERS\mraid35x.sys
09:00:28.0812 2068 mraid35x - ok
09:00:29.0546 2068 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
09:00:30.0109 2068 MRxDAV - ok
09:00:30.0671 2068 MRxSmb (c1d85b598874ed1a1d6c531af30edf75) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
09:00:31.0015 2068 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\mrxsmb.sys. Real md5: c1d85b598874ed1a1d6c531af30edf75, Fake md5: 7d304a5eb4344ebeeab53a2fe3ffb9f0
09:00:31.0031 2068 MRxSmb ( Rootkit.Win32.ZAccess.aml ) - infected
09:00:31.0031 2068 MRxSmb - detected Rootkit.Win32.ZAccess.aml (0)
09:02:06.0500 2068 ============================================================
09:02:06.0500 2068 Scan finished
09:02:06.0500 2068 ============================================================
09:02:06.0515 2240 Detected object count: 1
09:02:06.0515 2240 Actual detected object count: 1
09:02:23.0312 2240 Backup copy found, using it..
09:02:23.0500 2240 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - will be cured on reboot
09:02:53.0062 2240 MRxSmb ( Rootkit.Win32.ZAccess.aml ) - User select action: Cure
09:03:01.0406 3776 Deinitialize success

#9 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 02 January 2012 - 11:17 AM

Hello

This is the tool I would like you to try and run next.

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 Emerald Light (Topic Starter)

Posted 02 January 2012 - 01:10 PM

Gringo,

I ran aswMBR and the log is enclosed:

aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2012-01-02 11:26:15
-----------------------------
11:26:15.046 OS Version: Windows 5.1.2600 Service Pack 3
11:26:15.046 Number of processors: 2 586 0x209
11:26:15.046 ComputerName: JDGHOME8300 UserName: User
11:26:17.125 Initialize success
11:27:55.812 AVAST engine defs: 12010200
11:28:11.140 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
11:28:11.140 Disk 0 Vendor: ST3120023A 3.33 Size: 114473MB BusType: 3
11:28:11.140 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
11:28:11.140 Disk 1 Vendor: IOMEGA_ZIP_250 42.S Size: 114473MB BusType: 2
11:28:11.203 Disk 0 MBR read successfully
11:28:11.203 Disk 0 MBR scan
11:28:11.375 Disk 0 Windows XP default MBR code
11:28:11.421 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
11:28:11.468 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 114439 MB offset 64260
11:28:11.625 Disk 0 scanning sectors +234436545
11:28:11.937 Disk 0 scanning C:\WINDOWS\system32\drivers
11:29:33.421 Service scanning
11:29:37.343 Service L2XPSR F:\Release\L2XPSR.SYS **LOCKED** 21
11:29:38.890 Modules scanning
11:30:20.859 Disk 0 trace - called modules:
11:30:20.859
11:30:22.625 AVAST engine scan C:\WINDOWS
11:31:17.296 File: C:\WINDOWS\svcs.exe **INFECTED** Win32:Downloader-LEF [Trj]
11:31:32.609 AVAST engine scan C:\WINDOWS\system32
11:46:38.265 AVAST engine scan C:\WINDOWS\system32\drivers
11:48:54.546 AVAST engine scan C:\Documents and Settings\User
12:39:24.562 AVAST engine scan C:\Documents and Settings\All Users
12:50:28.937 Scan finished successfully
12:52:56.812 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
12:52:56.812 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"

John

#11 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 02 January 2012 - 01:46 PM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
svcs.exe
L2XPSR.SYS
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#12 Emerald Light (Topic Starter)

Posted 02 January 2012 - 02:15 PM

Gringo,

Enclosed is the log file for the SystemLook scan:

SystemLook 30.07.11 by jpshortstuff
Log created at 13:57 on 02/01/2012 by User
Administrator - Elevation successful

========== filefind ==========

Searching for "svcs.exe"
C:\WINDOWS\svcs.exe --a---- 508928 bytes [14:51 22/12/2011] [14:51 22/12/2011] 1214CFC194041BF48A8746D5C7F85161

Searching for "L2XPSR.SYS"
No files found.

-= EOF =-

John
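The two logs in this thread (aswMBR's **LOCKED**/**INFECTED** lines and SystemLook's :filefind results) are what the helper cross-checks by hand before deciding what to remove. As an added example that is not part of this thread and is not code from either tool, here is a small Python parser that joins them; the regular expressions are my assumptions about the line layouts seen in the posts, and the embedded log excerpts are constructed from those posts.

```python
import re
# Constructed excerpts in the aswMBR log format seen in the thread (not the full log).
ASWMBR_LOG = """\
11:29:37.343 Service L2XPSR F:\\Release\\L2XPSR.SYS **LOCKED** 21
11:31:17.296 File: C:\\WINDOWS\\svcs.exe **INFECTED** Win32:Downloader-LEF [Trj]
11:31:32.609 AVAST engine scan C:\\WINDOWS\\system32
"""
# Constructed excerpt in SystemLook's :filefind output format from the thread.
SYSTEMLOOK_LOG = """\
Searching for "svcs.exe"
C:\\WINDOWS\\svcs.exe --a---- 508928 bytes [14:51 22/12/2011] [14:51 22/12/2011] 1214CFC194041BF48A8746D5C7F85161

Searching for "L2XPSR.SYS"
No files found.
"""
# Assumed line layouts: "<time> Service <name> <path> **LOCKED** ..." and
# "<time> File: <path> **INFECTED** <verdict>"; :filefind hits end with an MD5.
FLAG_RE = re.compile(r'^\S+ (?:Service \S+ |File: )(.+?) \*\*(LOCKED|INFECTED)\*\*\s*(.*)$')
SEARCH_RE = re.compile(r'^Searching for "(.+)"$')
HIT_RE = re.compile(r'^([A-Za-z]:\\.+?) \S+ (\d+) bytes .*?([0-9A-Fa-f]{32})$')

def parse_aswmbr(text):
    """Return (path, flag, detail) for each line aswMBR marked **LOCKED** or **INFECTED**."""
    return [m.groups() for m in map(FLAG_RE.match, text.splitlines()) if m]

def parse_systemlook(text):
    """Map each searched file name (lower-cased) to its list of (path, size, md5) hits."""
    results, current = {}, None
    for line in text.splitlines():
        if m := SEARCH_RE.match(line):
            current = m.group(1).lower()
            results[current] = []          # "No files found." simply leaves this empty
        elif current and (m := HIT_RE.match(line)):
            results[current].append((m.group(1), int(m.group(2)), m.group(3).lower()))
    return results

def triage(aswmbr_text, systemlook_text):
    """Join both logs: for each flagged item, record whether :filefind saw it on disk.
    Present = what the helper's CFScript File:: targets; absent LOCKED service = stale entry."""
    on_disk = parse_systemlook(systemlook_text)
    report = []
    for path, flag, detail in parse_aswmbr(aswmbr_text):
        hits = on_disk.get(path.rsplit("\\", 1)[-1].lower(), [])
        report.append({"path": path, "flag": flag, "detail": detail,
                       "on_disk": bool(hits), "md5": hits[0][2] if hits else None})
    return report

if __name__ == "__main__":
    for item in triage(ASWMBR_LOG, SYSTEMLOOK_LOG):
        print(item)
```

On the constructed excerpts this reports svcs.exe as flagged and present (with the MD5 SystemLook recorded) and the L2XPSR service as locked but pointing at a file that is not on disk, which is exactly the split the next post acts on.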

#13 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 02 January 2012 - 02:42 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

File::
C:\WINDOWS\svcs.exe

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#14 Emerald Light (Topic Starter)

Posted 02 January 2012 - 03:13 PM

Gringo,

ComboFix ran with the script, but it closed after opening the blue window. No log was generated, and the ComboFix program/icon was removed from the Desktop.
I did get a message asking me if I wanted to download a newer version of ComboFix. Since it was in the middle of execution, I declined. Should I download a new copy and rerun?

Computer appears to be running much better. Apps open OK and IE seems smooth. Bootup seems to take longer than I remember, but that may be because I have Norton Antivirus, Malwarebytes and Spysweeper all active now. I download very little from the Internet, but do you have any suggestions on what to use to minimize future infection risk? I am disappointed my current detection software failed me, and I am not sure how I got the virus.

I also would like to know if I should do anything with my external 1TB drive. It has been disconnected since I found the virus and I am unsure if it is clean.

John

#15 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 02 January 2012 - 03:44 PM

Hello


I want you to reset the DMA. You can do this with this script here - Reset DMA

If you have problems when you click on the link try to right click on the link and select "Save Target As" and then save to your desktop.
Once it is on your desktop, right click on the file and select "Run".

If you still can't run it, then you can go here "Reset DMA" to see what I want to do.

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click OK

Copy and paste the report into this topic for me to review.

Gringo