
Possible Trojan infection, svchost.exe initiating accessing various IP addresses - per Malwarebytes


  • This topic is locked
25 replies to this topic

#1 msm2012
  • Members
  • 12 posts

Posted 09 January 2012 - 10:36 PM

On Dec 22 2011 the laptop (Dell Vostro 860, with Vista Home Basic, 32bit) started opening some "reporting screens" (false disc scanning) and presenting false virus warnings. Based on the articles I found - it could be described as the "Vista 2012" "bug" (virus?).
Followed instructions from various sites and after 4 days it seemed the problem was removed.
From a completely useless computer with a black screen and most of the exe files being hijacked (the bug would open whatever it wanted instead of the file I would choose) I managed to get the laptop to its previous functioning state. However, the laptop seemed fine - but only for about 4 days.

Since Jan 01, the computer has been running fine except for the Malwarebytes (free trial) popup window coming up every few minutes with the following messages:
"Successfully blocked access to a potentially malicious website: "IP ADDRESS", Type: Outgoing Port: xxxxx, Process: svchost.exe" where:
"xxxxx" is a 5 digit port number changing its value (increment +1) with each message (as the process uses different ports)
"IP ADDRESS" were the following values:
141.136.16.152
178.238.233.153
206.161.121.2
206.161.121.3

I traced all of the addresses and found their sources, however I can't tell if those systems were also compromised and used as relays for infection/attack against my computer or if they are actively attacking. Since then I have been trying most of the tools and methods I found on this and other web sites (MS included). Here are just some names:
TFC
Rkill
PC Doctor
Malwarebytes
HitmanPro
Stinger
Combofix
Pandasecurity
Eset (some EU online scan)
MS Malicious Removal Tool

I have Microsoft Defender continuously "on", installed Malwarebytes, Win Firewall has been active and running, all the applications have been updated to the latest definitions. I would disable system restore before going into safe mode and scanning and doing the repair work, then I would reboot in normal mode and scan again. Some of the programs detect some issues; I followed the instructions, removed the files, rebooted etc. but after some time - the same problem is back.

The funny thing is that the Win file checker (sfc /scannow ) reported problems (svchost.exe -- user32.dll) while Vista Repair disk downloaded from Neosmart.net ($9.75) doesn't "see" any problems with my system (files). That is of course - when the laptop is booted off of the Vista repair disk.

I am running out of ideas and tools. Not even sure at this point if Malwarebytes isn't creating those popups for commercial purposes (so I purchase the full version)? Any idea or suggestion on how to proceed with this problem is more than welcome.
Here below is the DDS scan and other scans are attached to this post.

Thank you in advance

------------------------- DDS SCAN / LOG -------------------------------------------
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19170
Run by AFC at 20:59:20 on 2012-01-09
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2038.821 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\MDM.EXE
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://login.secureserver.net/?app=wbe
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SecureBrowsing bho: {7632abca-b104-4fbc-9c70-419c4147061b} - c:\program files\m86security secure browsing\SecureBrowsing.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: M86 Security Secure Browsing: {b99f805c-f0b1-48ea-8c8b-753bfcbed913} - c:\program files\m86security secure browsing\SecureBrowsing.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install-ie/alttiff.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://pephoto.lifepics.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{1EEA358A-45CB-4097-9FD8-B43D5A9C8395} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{32814287-C329-439B-9490-A68DCF53B9D4} : DhcpNameServer = 10.1.10.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: igfxcui - igfxdev.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
============= SERVICES / DRIVERS ===============
.
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-6 652872]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-6 20464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-01-10 01:27:12 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{906f0be6-22db-4a40-b950-d4894be6f184}\offreg.dll
2012-01-08 03:33:45 -------- d-----w- c:\program files\ESET
2012-01-08 03:30:36 -------- d-----w- c:\users\afc\appdata\roaming\Finjan
2012-01-08 03:30:36 -------- d-----w- c:\program files\M86Security Secure Browsing
2012-01-08 03:16:41 98816 ----a-w- c:\windows\sed.exe
2012-01-08 03:16:41 518144 ----a-w- c:\windows\SWREG.exe
2012-01-08 03:16:41 256000 ----a-w- c:\windows\PEV.exe
2012-01-08 03:16:41 208896 ----a-w- c:\windows\MBR.exe
2012-01-08 03:16:29 -------- d-s---w- C:\ComboFix
2012-01-07 00:50:23 -------- d-----w- c:\users\afc\appdata\roaming\Malwarebytes
2012-01-07 00:50:06 -------- d-----w- c:\programdata\Malwarebytes
2012-01-07 00:50:04 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-07 00:50:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-06 18:46:54 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{906f0be6-22db-4a40-b950-d4894be6f184}\mpengine.dll
2012-01-05 04:02:58 -------- d-----w- c:\users\afc\appdata\local\Thunderbird
2012-01-04 04:20:30 -------- d-----w- C:\scan-results
2012-01-04 02:48:31 -------- d-----w- c:\program files\Panda Security
2011-12-31 22:18:33 -------- d-----w- c:\program files\Microsoft Fix it Center
2011-12-31 22:13:49 -------- d-----w- C:\$RECYCLE(0).BIN
2011-12-31 22:13:10 -------- d-----w- c:\users\afc\appdata\local\ElevatedDiagnostics
2011-12-31 16:50:24 -------- d--h--w- C:\SafeRecycle
2011-12-31 16:23:43 -------- d-----w- c:\program files\common files\Adobe(317)
2011-12-31 15:56:26 -------- d-----w- c:\users\afc\appdata\local\KSafe
2011-12-31 15:55:25 -------- d-----w- c:\users\afc\appdata\roaming\kingsoft
2011-12-31 15:50:40 -------- d-----w- c:\users\afc\appdata\roaming\KSafe
2011-12-31 15:50:27 -------- d-sh--w- C:\KRSHistory
2011-12-31 15:50:19 -------- d-sh--w- c:\programdata\KRSHistory
2011-12-31 15:50:01 -------- d-----w- c:\programdata\Safe
2011-12-31 15:49:52 -------- d-----w- c:\programdata\kingsoft
2011-12-31 15:49:22 -------- d-----w- c:\program files\Kingsoft
2011-12-31 14:48:22 -------- d-----w- c:\users\afc\appdata\roaming\SUPERAntiSpyware.com
2011-12-31 14:47:51 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-12-31 14:47:51 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-31 14:45:03 -------- d-----w- c:\program files\HitmanPro
2011-12-31 14:44:53 -------- d-----w- c:\programdata\HitmanPro
2011-12-31 04:11:36 -------- d-----w- c:\programdata\Adobe(1568)
2011-12-30 20:37:42 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-30 20:22:07 -------- d-----w- c:\windows\system32\MpEngineStore
2011-12-29 14:39:02 -------- d--h--w- c:\users\afc\appdata\roaming\Sanou
2011-12-29 14:39:02 -------- d--h--w- c:\users\afc\appdata\roaming\Edsopa
2011-12-29 14:36:14 -------- d--h--w- c:\users\afc\appdata\local\MicrosoftNT
2011-12-26 21:50:32 -------- d-----w- c:\program files\APTE Software
2011-12-14 02:40:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2011-12-13 15:00:25 60 ----a-w- c:\windows\wpd99.drv
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-15 19:29:56 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-08 14:42:19 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-03 06:22:04 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 06:17:38 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-03 06:17:23 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 06:17:08 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-11-03 06:17:08 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-11-03 05:22:43 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 04:45:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-11-03 04:43:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-27 08:01:53 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-27 08:01:53 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 15:56:04 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-14 16:02:19 429056 ----a-w- c:\windows\system32\EncDec.dll
.
============= FINISH: 21:00:41.71 ===============

Attached Files
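As an added example that is not part of the original post, the Python below triages the two artifacts quoted above the way a defender would. It checks every svchost.exe in a DDS "Running Processes" listing for the legitimate location and a -k service group, and it groups the Malwarebytes "Successfully blocked" notices by process to show how regular the blocked traffic is. The sample lines are constructed: the HH:MM:SS prefix, the planted Temp-folder svchost.exe and the exact port numbers are not from the post, while the four addresses are the ones listed above. The script assumes Windows is installed on C:.

```python
"""Triage helpers for a DDS 'Running Processes' list and Malwarebytes
block notices.  Added example, not from the thread; sample lines are constructed."""
import re
from collections import defaultdict

# Constructed DDS-style process lines.  The Temp-folder svchost.exe and the
# bare one without -k are planted to show what the check reports.
DDS_PROCESSES = """\
C:\\Windows\\system32\\svchost.exe -k DcomLaunch
C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted
C:\\Windows\\system32\\svchost.exe -k netsvcs
C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamservice.exe
C:\\Users\\afc\\AppData\\Local\\Temp\\svchost.exe
C:\\Windows\\system32\\svchost.exe
"""

# Constructed notices in the wording the poster quoted, with an assumed
# HH:MM:SS prefix; the addresses are the four given in the post.
MBAM_NOTICES = """\
20:31:02 Successfully blocked access to a potentially malicious website: 141.136.16.152, Type: Outgoing, Port: 49201, Process: svchost.exe
20:32:05 Successfully blocked access to a potentially malicious website: 178.238.233.153, Type: Outgoing, Port: 49202, Process: svchost.exe
20:33:01 Successfully blocked access to a potentially malicious website: 141.136.16.152, Type: Outgoing, Port: 49203, Process: svchost.exe
20:34:04 Successfully blocked access to a potentially malicious website: 206.161.121.2, Type: Outgoing, Port: 49204, Process: svchost.exe
20:35:03 Successfully blocked access to a potentially malicious website: 141.136.16.152, Type: Outgoing, Port: 49205, Process: svchost.exe
20:36:02 Successfully blocked access to a potentially malicious website: 206.161.121.3, Type: Outgoing, Port: 49206, Process: svchost.exe
"""

# Assumption: Windows lives on C:.  A genuine svchost.exe is loaded from
# %SystemRoot%\System32 and is always started with a -k <service group>.
SYSTEM32 = "c:\\windows\\system32\\"
SVCHOST_RE = re.compile(r"^(?P<path>.+?\\svchost\.exe)(?:\s+-k\s+(?P<group>\S+))?\s*$", re.IGNORECASE)
NOTICE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) Successfully blocked access to a potentially malicious website: "
    r'"?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"?, Type: (?P<dir>\w+),? Port: (?P<port>\d+), Process: (?P<proc>\S+)$'
)


def suspicious_svchost(process_listing: str) -> list:
    """Return (path, reason) for each svchost.exe line that is not in System32
    or was started without a -k service group."""
    findings = []
    for line in process_listing.splitlines():
        m = SVCHOST_RE.match(line.strip())
        if not m:
            continue
        path, group = m.group("path"), m.group("group")
        if not path.lower().startswith(SYSTEM32):
            findings.append((path, "unexpected location"))
        elif group is None:
            findings.append((path, "no -k service group"))
    return findings


def summarize_blocks(notices: str) -> dict:
    """Group outgoing block notices by process: destinations, source-port range,
    whether the port steps by one each time, and the mean gap between notices."""
    per_proc = defaultdict(lambda: {"count": 0, "dests": set(), "ports": [], "times": []})
    for line in notices.splitlines():
        m = NOTICE_RE.match(line.strip())
        if not m or m.group("dir").lower() != "outgoing":
            continue
        rec = per_proc[m.group("proc").lower()]
        rec["count"] += 1
        rec["dests"].add(m.group("ip"))
        rec["ports"].append(int(m.group("port")))
        h, mi, s = (int(x) for x in m.group("time").split(":"))
        rec["times"].append(h * 3600 + mi * 60 + s)
    summary = {}
    for proc, rec in per_proc.items():
        gaps = [b - a for a, b in zip(rec["times"], rec["times"][1:])]
        steps = [b - a for a, b in zip(rec["ports"], rec["ports"][1:])]
        summary[proc] = {
            "count": rec["count"],
            "destinations": sorted(rec["dests"]),
            "port_range": (min(rec["ports"]), max(rec["ports"])),
            "sequential_ports": bool(steps) and all(step == 1 for step in steps),
            "mean_interval_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return summary


if __name__ == "__main__":
    for path, reason in suspicious_svchost(DDS_PROCESSES):
        print(f"svchost check: {path}: {reason}")
    for proc, info in summarize_blocks(MBAM_NOTICES).items():
        print(f"{proc}: {info}")
```

The stepping 5-digit port is the client's ephemeral source port (Vista hands these out from the 49152-65535 range), so on its own it only says that many short connections were opened. The pattern worth acting on is the one the summary exposes: a single process reaching a small, fixed set of addresses at a steady interval. Since a legitimate svchost.exe only runs from System32 with a -k group, an instance found elsewhere points at a masquerading binary, while a legitimate one that generates this traffic points at a hijacked service or injected code inside it, which is what the rootkit scan the helpers request is meant to surface.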




#2 HelpBot (Bleepin' Binary Bot)
  • Bots
  • 12,730 posts

Posted 15 January 2012 - 10:40 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/437236 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 jntkwx
  • Malware Response Team
  • 4,339 posts
  • Location: New England, U.S.A.

Posted 16 January 2012 - 01:21 PM

Hi msm2012,

I will be handling your logs to help you get cleaned up. Please give me some time to look them over and I will get back to you as soon as possible. Thanks in advance for your patience.
Regards,
Jason


Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#4 msm2012 (Topic Starter)
  • Members
  • 12 posts

Posted 16 January 2012 - 01:35 PM

Hello and thank you for taking ownership over the logs.
I have gathered a 2nd version of all three logs - as requested by the automated post (please see above).
Please find them attached, they are from 10min ago
msm2012

Attached Files



#5 jntkwx
  • Malware Response Team
  • 4,339 posts
  • Location: New England, U.S.A.

Posted 16 January 2012 - 10:33 PM

Hi msm2012,

Welcome to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Step 1: Please download Kaspersky's TDSSKiller and save it to your Desktop. <-Important!!!
Be sure to print out and follow the instructions for performing a scan. Alternate instructions can be found here.

  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop.
  • Alternatively, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • Any objects found, will show in the Scan results - Select action for found objects and offer three options.
  • If an infected file is detected, the default action will be Cure...do not change it.
  • Click Continue > Reboot now to finish the cleaning process.<- Important!!
  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer or to perform the scan in "safe mode".

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

Step 2: I see you ran ComboFix. I'd like to see the log file from it.

Locating ComboFix Log
  • Right click on START on the left end of your Windows toolbar (lower left corner of your screen)
  • Click on Explore
  • Click on Local Disk (C:) in the left-hand window pane
  • Look for ComboFix.txt in the right-hand window pane and right click on it
  • Put your cursor (arrow) on Open With
  • Move your cursor to the new menu that opens and click on Choose Program...
  • Click on Notepad

When file opens, Copy/Paste text here.
Regards,
Jason


Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.
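The TDSSKiller log requested above has a regular layout: a "timestamp pid name (md5) path" line for each scanned object, followed by a "name - verdict" line. As an added example, not TDSSKiller's or the thread's own code, the Python below pulls the name, MD5 and path of every object out of such a log and lists the ones whose verdict is anything other than "ok", which are exactly the entries a helper would look up on VirusTotal or Jotti before acting. The sample log is constructed in that layout; the hash, path and verdict on its last entry are made up for the example.

```python
"""Parser for TDSSKiller scan logs.  Added example, not part of the thread;
the sample below is constructed, and its last entry is invented."""
import re

# Constructed sample in TDSSKiller's layout.  The all-zero hash, path and
# 'detected' verdict on the last pair are placeholders, not a real detection.
SAMPLE_TDSSKILLER_LOG = """\
18:47:27.0607 1504 Scan started
18:47:27.0607 1504 Mode: Manual;
18:47:28.0808 1504 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\\Windows\\system32\\drivers\\acpi.sys
18:47:28.0808 1504 ACPI - ok
18:47:29.0791 1504 AFD (3911b972b55fea0478476b2e777b29fa) C:\\Windows\\system32\\drivers\\afd.sys
18:47:29.0806 1504 AFD - ok
18:47:31.0001 1504 examplesvc (00000000000000000000000000000000) C:\\Windows\\system32\\drivers\\examplesvc.sys
18:47:31.0002 1504 examplesvc - detected Rootkit.Win32.Example (0)
"""

# "<timestamp> <pid> <name> (<md5>) <path>"
ENTRY_RE = re.compile(r"^\S+\s+\d+\s+(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "<timestamp> <pid> <name> - <verdict>"
VERDICT_RE = re.compile(r"^\S+\s+\d+\s+(?P<name>\S+) - (?P<verdict>.+)$")


def parse_tdsskiller(log: str) -> dict:
    """Map each scanned object name to its md5, path and verdict (None if the
    log ended before a verdict line, e.g. a truncated paste)."""
    entries = {}
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("name")] = {"md5": m.group("md5"), "path": m.group("path"), "verdict": None}
            continue
        m = VERDICT_RE.match(line)
        if m and m.group("name") in entries:
            entries[m.group("name")]["verdict"] = m.group("verdict").strip()
    return entries


def needs_second_opinion(log: str) -> list:
    """(name, md5, path, verdict) for every object not marked 'ok', in log order;
    the md5 is what you submit for a second opinion before cleaning anything."""
    return [
        (name, e["md5"], e["path"], e["verdict"])
        for name, e in parse_tdsskiller(log).items()
        if e["verdict"] != "ok"
    ]


if __name__ == "__main__":
    for name, md5, path, verdict in needs_second_opinion(SAMPLE_TDSSKILLER_LOG):
        print(f"{name}: {verdict or 'no verdict'}  md5={md5}  {path}")
```

Entries with no verdict at all are reported too, because a paste cut off mid-scan (as often happens with long logs) is easy to mistake for a clean result.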


#6 msm2012 (Topic Starter)
  • Members
  • 12 posts

Posted 17 January 2012 - 09:10 AM

Good morning jntkwx
Went over the links you provided and am leaning towards the cleanup option for start.
The PC is a Dell Vostro and it came with pre-installed Win Vista Home Basic, however without the repair disc. Contacted Dell and they refused to send me one without paying for it - even though I paid for a full Win Vista license when I purchased the Laptop. Spoke to MS and they washed their hands saying it's Dell's responsibility.
Downloaded a repair disc for $9.75 from Neosmart.net but it doesn't have the Install option? If I remember correctly their description of it - it should have had it?
Q1. What should I do in order to acquire a re-install disc for my version of Vista?

The PC is used for work and it does have sensitive info on it but given the time it has been infected - the damage has been done.
Q2. Would you have an idea on how I got that infection? My guess is a link on some web site - but also possibly email attachments.
Q3. Several thumbdrives have been in use with the infected laptop. What (if any) is the process of scanning/cleaning those flash memories?
Q4. You asked for the Combofix log - would you like the old one, a fresh one (today), or both?

Malwarebytes is popping up every minute or so - with the same message :"Successfully blocked access to the following IP..... svchost.exe"
So it seems the infection is still active and is trying to go back to its creator

Yesterday, the laptop booted up to a black background with the following message in the bottom right corner:
Windows Vista ™
Build 6002
This copy of Windows is not genuine

Fixed it by calling Microsoft activation services who helped me re-activate the system and it is fine now
However, knowing what you said (key logger) I might have done a wrong thing ?

Going to work on the cleanup today and will send you the log based on your feedback to Q4 above.
Thank you again for your help.
msm2012

#7 msm2012 (Topic Starter)
  • Members
  • 12 posts

Posted 17 January 2012 - 09:19 AM

One more question please:

Q5. Do I have to boot up in safe mode (with networking or not) to run TDSSKiller, or just a normal boot up?

Thanks
msm2012

#8 jntkwx
  • Malware Response Team
  • 4,339 posts
  • Location: New England, U.S.A.

Posted 17 January 2012 - 09:24 AM

Hi msm2012,

  • Unfortunately, to get a repair disc, you would have to purchase one from Dell, since you have what is called an OEM (original equipment manufactured) version of Windows. However, I don't think this will be needed to fix your computer.
  • It's hard to say how you were infected. Many computers are infected by having outdated versions of common software, like Adobe Reader, Adobe Flash, and Java. I also notice you appear to not have an antivirus program installed on your computer. I will help you fix this once we have removed the malware.
  • While a flash drive infection is not apparent in your log, you may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
    • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    Anti-Malware programs flag Flash Disinfector as being infected because of the way in which it runs.
  • Regarding the Windows activation, I believe you did the right thing by calling Microsoft, however I'm not sure why you got that message in the first place.
  • I would first like to see the old Combofix log. Please don't create a new log until I instruct you to do so.
  • TDSSkiller runs best in normal mode.

Regards,
Jason


Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.
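The reply above notes that Flash_Disinfector leaves a hidden folder named autorun.inf on each drive as protection. The mechanism is simply that a directory occupying that name stops a file of the same name from being created, so an autorun worm cannot drop its launcher at the drive root. The Python below is an added illustration of that mechanism, not Flash_Disinfector's own code: protect_autorun creates the folder (hidden on Windows via the Win32 attribute), autorun_drop_blocked verifies that a file write at that name now fails, and demo runs both in throwaway temp directories so it can be tried safely anywhere.

```python
"""Illustrates the autorun.inf-folder protection described above.  Added
example, not Flash_Disinfector's code; works on any directory path."""
import ctypes
import os
import tempfile

FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 attribute value; applied only on Windows


def protect_autorun(drive_root: str) -> str:
    """Create <drive_root>/autorun.inf as a directory, hidden on Windows."""
    target = os.path.join(drive_root, "autorun.inf")
    if os.path.isfile(target):
        # A plain autorun.inf is what an infected drive carries; leave it for
        # the cleanup tools rather than silently replacing it here.
        raise FileExistsError(f"{target} is a file; clean the drive first")
    os.makedirs(target, exist_ok=True)
    if os.name == "nt":
        ctypes.windll.kernel32.SetFileAttributesW(target, FILE_ATTRIBUTE_HIDDEN)
    return target


def autorun_drop_blocked(drive_root: str) -> bool:
    """Attempt to create a file named autorun.inf at the root.  Returns True when
    the write fails because a directory already owns the name (the protection
    working), False when the file could be created (drive unprotected)."""
    target = os.path.join(drive_root, "autorun.inf")
    try:
        with open(target, "w", encoding="ascii") as fh:
            fh.write("[autorun]\n")
    except OSError:
        return os.path.isdir(target)
    return False


def demo() -> tuple:
    """Run the check in two temp directories: one protected, one left alone."""
    protected = tempfile.mkdtemp()
    unprotected = tempfile.mkdtemp()
    protect_autorun(protected)
    return autorun_drop_blocked(protected), autorun_drop_blocked(unprotected)


if __name__ == "__main__":
    print("protected blocks the drop: %s, unprotected blocks it: %s" % demo())
```

On Windows the write fails with a permission error and on Unix-like systems with "is a directory"; both are subclasses of OSError, which is why the check catches that and then confirms a directory is what occupies the name. The protection only covers the autorun.inf vector, so it complements, rather than replaces, the scan and the AutoPlay hardening that the helpers recommend.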


#9 msm2012 (Topic Starter)
  • Members
  • 12 posts

Posted 17 January 2012 - 08:37 PM

Here is the TDSSKiller log:
======================================== TDSS KILLER LOG ======================================
18:47:09.0901 3212 TDSS rootkit removing tool 2.7.3.0 Jan 16 2012 18:53:41
18:47:10.0166 3212 ============================================================
18:47:10.0166 3212 Current date / time: 2012/01/17 18:47:10.0166
18:47:10.0166 3212 SystemInfo:
18:47:10.0166 3212
18:47:10.0166 3212 OS Version: 6.0.6002 ServicePack: 2.0
18:47:10.0166 3212 Product type: Workstation
18:47:10.0166 3212 ComputerName: AFC-LAPTOP
18:47:10.0166 3212 UserName: AFC
18:47:10.0166 3212 Windows directory: C:\Windows
18:47:10.0166 3212 System windows directory: C:\Windows
18:47:10.0166 3212 Processor architecture: Intel x86
18:47:10.0166 3212 Number of processors: 2
18:47:10.0166 3212 Page size: 0x1000
18:47:10.0166 3212 Boot type: Normal boot
18:47:10.0166 3212 ============================================================
18:47:11.0773 3212 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:47:11.0851 3212 Initialize success
18:47:27.0607 1504 ============================================================
18:47:27.0607 1504 Scan started
18:47:27.0607 1504 Mode: Manual;
18:47:27.0607 1504 ============================================================
18:47:28.0808 1504 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
18:47:28.0808 1504 ACPI - ok
18:47:28.0979 1504 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
18:47:28.0995 1504 adp94xx - ok
18:47:29.0167 1504 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
18:47:29.0182 1504 adpahci - ok
18:47:29.0354 1504 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
18:47:29.0354 1504 adpu160m - ok
18:47:29.0525 1504 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
18:47:29.0541 1504 adpu320 - ok
18:47:29.0791 1504 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
18:47:29.0806 1504 AFD - ok
18:47:29.0978 1504 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
18:47:29.0978 1504 agp440 - ok
18:47:30.0149 1504 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
18:47:30.0149 1504 aic78xx - ok
18:47:30.0337 1504 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
18:47:30.0337 1504 aliide - ok
18:47:30.0508 1504 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
18:47:30.0508 1504 amdagp - ok
18:47:30.0711 1504 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
18:47:30.0711 1504 amdide - ok
18:47:30.0820 1504 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
18:47:30.0820 1504 AmdK7 - ok
18:47:30.0867 1504 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
18:47:30.0867 1504 AmdK8 - ok
18:47:30.0992 1504 ApfiltrService (9325e49d555d8f12ce1735227dbb3d80) C:\Windows\system32\DRIVERS\Apfiltr.sys
18:47:30.0992 1504 ApfiltrService - ok
18:47:31.0195 1504 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
18:47:31.0195 1504 arc - ok
18:47:31.0351 1504 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
18:47:31.0366 1504 arcsas - ok
18:47:31.0538 1504 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
18:47:31.0538 1504 AsyncMac - ok
18:47:31.0725 1504 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
18:47:31.0725 1504 atapi - ok
18:47:32.0006 1504 athr (997e25f5b7d53c94c0ad2dc080f6868e) C:\Windows\system32\DRIVERS\athr.sys
18:47:32.0162 1504 athr - ok
18:47:32.0333 1504 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
18:47:32.0333 1504 Beep - ok
18:47:32.0521 1504 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
18:47:32.0521 1504 blbdrive - ok
18:47:32.0677 1504 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
18:47:32.0677 1504 bowser - ok
18:47:32.0864 1504 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
18:47:32.0864 1504 BrFiltLo - ok
18:47:32.0895 1504 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
18:47:32.0895 1504 BrFiltUp - ok
18:47:32.0973 1504 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
18:47:32.0973 1504 Brserid - ok
18:47:33.0098 1504 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
18:47:33.0098 1504 BrSerWdm - ok
18:47:33.0269 1504 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
18:47:33.0269 1504 BrUsbMdm - ok
18:47:33.0441 1504 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
18:47:33.0441 1504 BrUsbSer - ok
18:47:33.0597 1504 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
18:47:33.0597 1504 BTHMODEM - ok
18:47:33.0706 1504 catchme - ok
18:47:33.0862 1504 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
18:47:33.0862 1504 cdfs - ok
18:47:33.0940 1504 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
18:47:33.0940 1504 cdrom - ok
18:47:34.0096 1504 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
18:47:34.0096 1504 circlass - ok
18:47:34.0252 1504 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
18:47:34.0252 1504 CLFS - ok
18:47:34.0361 1504 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
18:47:34.0361 1504 CmBatt - ok
18:47:34.0502 1504 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
18:47:34.0502 1504 cmdide - ok
18:47:34.0689 1504 CnxtHdAudService (58bc03301ec3052f866532946bf51ad6) C:\Windows\system32\drivers\CHDRT32.sys
18:47:34.0689 1504 CnxtHdAudService - ok
18:47:34.0861 1504 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
18:47:34.0861 1504 Compbatt - ok
18:47:35.0032 1504 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
18:47:35.0048 1504 crcdisk - ok
18:47:35.0219 1504 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
18:47:35.0219 1504 Crusoe - ok
18:47:35.0391 1504 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
18:47:35.0391 1504 DfsC - ok
18:47:35.0594 1504 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
18:47:35.0609 1504 disk - ok
18:47:35.0765 1504 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
18:47:35.0765 1504 drmkaud - ok
18:47:35.0937 1504 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
18:47:35.0953 1504 DXGKrnl - ok
18:47:36.0140 1504 e1express (908ed85b7806e8af3af5e9b74f7809d4) C:\Windows\system32\DRIVERS\e1e6032.sys
18:47:36.0140 1504 e1express - ok
18:47:36.0421 1504 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
18:47:36.0421 1504 E1G60 - ok
18:47:36.0717 1504 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
18:47:36.0733 1504 Ecache - ok
18:47:37.0169 1504 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
18:47:37.0201 1504 elxstor - ok
18:47:37.0403 1504 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
18:47:37.0403 1504 ErrDev - ok
18:47:37.0622 1504 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
18:47:37.0622 1504 exfat - ok
18:47:37.0793 1504 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
18:47:37.0793 1504 fastfat - ok
18:47:37.0965 1504 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
18:47:37.0965 1504 fdc - ok
18:47:38.0152 1504 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
18:47:38.0152 1504 FileInfo - ok
18:47:38.0308 1504 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
18:47:38.0308 1504 Filetrace - ok
18:47:38.0464 1504 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
18:47:38.0464 1504 flpydisk - ok
18:47:38.0651 1504 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
18:47:38.0651 1504 FltMgr - ok
18:47:38.0807 1504 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
18:47:38.0807 1504 Fs_Rec - ok
18:47:38.0963 1504 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
18:47:39.0010 1504 gagp30kx - ok
18:47:39.0197 1504 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
18:47:39.0197 1504 HDAudBus - ok
18:47:39.0369 1504 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
18:47:39.0369 1504 HidBth - ok
18:47:39.0541 1504 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
18:47:39.0541 1504 HidIr - ok
18:47:39.0712 1504 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
18:47:39.0712 1504 HidUsb - ok
18:47:39.0884 1504 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
18:47:39.0884 1504 HpCISSs - ok
18:47:40.0087 1504 HSF_DPV (99f85640054ba65190b860d878a7c9ae) C:\Windows\system32\DRIVERS\HSX_DPV.sys
18:47:40.0118 1504 HSF_DPV - ok
18:47:40.0289 1504 HSXHWAZL (cfbc2b81972e298f0e19ee68fa9e73da) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
18:47:40.0289 1504 HSXHWAZL - ok
18:47:40.0477 1504 HTTP (0eeeca26c8d4bde2a4664db058a81937) C:\Windows\system32\drivers\HTTP.sys
18:47:40.0477 1504 HTTP - ok
18:47:40.0633 1504 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
18:47:40.0633 1504 i2omp - ok
18:47:40.0789 1504 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
18:47:40.0789 1504 i8042prt - ok
18:47:40.0960 1504 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
18:47:40.0960 1504 iaStorV - ok
18:47:41.0225 1504 igfx (63c56dac467ef814b60ff2aa2286c917) C:\Windows\system32\DRIVERS\igdkmd32.sys
18:47:41.0303 1504 igfx - ok
18:47:41.0475 1504 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
18:47:41.0475 1504 iirsp - ok
18:47:41.0647 1504 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\DRIVERS\intelide.sys
18:47:41.0647 1504 intelide - ok
18:47:41.0787 1504 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
18:47:41.0787 1504 intelppm - ok
18:47:41.0959 1504 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
18:47:41.0959 1504 IpFilterDriver - ok
18:47:42.0099 1504 IpInIp - ok
18:47:42.0286 1504 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
18:47:42.0286 1504 IPMIDRV - ok
18:47:42.0442 1504 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
18:47:42.0458 1504 IPNAT - ok
18:47:42.0598 1504 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
18:47:42.0614 1504 IRENUM - ok
18:47:42.0770 1504 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
18:47:42.0770 1504 isapnp - ok
18:47:42.0941 1504 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
18:47:42.0941 1504 iScsiPrt - ok
18:47:43.0113 1504 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
18:47:43.0113 1504 iteatapi - ok
18:47:43.0300 1504 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
18:47:43.0300 1504 iteraid - ok
18:47:43.0456 1504 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
18:47:43.0456 1504 kbdclass - ok
18:47:43.0612 1504 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\DRIVERS\kbdhid.sys
18:47:43.0612 1504 kbdhid - ok
18:47:43.0784 1504 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
18:47:43.0784 1504 KSecDD - ok
18:47:43.0971 1504 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
18:47:43.0971 1504 lltdio - ok
18:47:44.0174 1504 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
18:47:44.0189 1504 LSI_FC - ok
18:47:44.0361 1504 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
18:47:44.0361 1504 LSI_SAS - ok
18:47:44.0533 1504 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
18:47:44.0533 1504 LSI_SCSI - ok
18:47:44.0689 1504 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
18:47:44.0689 1504 luafv - ok
18:47:44.0845 1504 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\Windows\system32\drivers\mbam.sys
18:47:44.0845 1504 MBAMProtector - ok
18:47:45.0016 1504 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
18:47:45.0016 1504 mdmxsdk - ok
18:47:45.0188 1504 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
18:47:45.0188 1504 megasas - ok
18:47:45.0391 1504 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
18:47:45.0406 1504 MegaSR - ok
18:47:45.0578 1504 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
18:47:45.0578 1504 Modem - ok
18:47:45.0718 1504 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
18:47:45.0718 1504 monitor - ok
18:47:45.0859 1504 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
18:47:45.0859 1504 mouclass - ok
18:47:45.0999 1504 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
18:47:45.0999 1504 mouhid - ok
18:47:46.0171 1504 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
18:47:46.0171 1504 MountMgr - ok
18:47:46.0373 1504 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
18:47:46.0373 1504 mpio - ok
18:47:46.0514 1504 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
18:47:46.0514 1504 mpsdrv - ok
18:47:46.0670 1504 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
18:47:46.0670 1504 Mraid35x - ok
18:47:46.0841 1504 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
18:47:46.0841 1504 MRxDAV - ok
18:47:46.0997 1504 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
18:47:47.0013 1504 mrxsmb - ok
18:47:47.0231 1504 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
18:47:47.0231 1504 mrxsmb10 - ok
18:47:47.0294 1504 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
18:47:47.0294 1504 mrxsmb20 - ok
18:47:47.0450 1504 msahci (f70590424eefbf5c27a40c67afdb8383) C:\Windows\system32\drivers\msahci.sys
18:47:47.0450 1504 msahci - ok
18:47:47.0621 1504 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
18:47:47.0621 1504 msdsm - ok
18:47:47.0809 1504 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
18:47:47.0809 1504 Msfs - ok
18:47:47.0933 1504 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
18:47:47.0933 1504 msisadrv - ok
18:47:48.0105 1504 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
18:47:48.0121 1504 MSKSSRV - ok
18:47:48.0277 1504 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
18:47:48.0277 1504 MSPCLOCK - ok
18:47:48.0448 1504 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
18:47:48.0448 1504 MSPQM - ok
18:47:48.0635 1504 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
18:47:48.0635 1504 MsRPC - ok
18:47:48.0791 1504 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
18:47:48.0791 1504 mssmbios - ok
18:47:48.0963 1504 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
18:47:48.0979 1504 MSTEE - ok
18:47:49.0135 1504 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
18:47:49.0135 1504 Mup - ok
18:47:49.0291 1504 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
18:47:49.0291 1504 NativeWifiP - ok
18:47:49.0462 1504 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
18:47:49.0478 1504 NDIS - ok
18:47:49.0634 1504 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
18:47:49.0634 1504 NdisTapi - ok
18:47:49.0790 1504 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
18:47:49.0805 1504 Ndisuio - ok
18:47:49.0961 1504 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
18:47:49.0961 1504 NdisWan - ok
18:47:50.0133 1504 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
18:47:50.0133 1504 NDProxy - ok
18:47:50.0289 1504 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
18:47:50.0289 1504 NetBIOS - ok
18:47:50.0461 1504 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
18:47:50.0461 1504 netbt - ok
18:47:50.0570 1504 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
18:47:50.0585 1504 nfrd960 - ok
18:47:50.0866 1504 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
18:47:50.0882 1504 Npfs - ok
18:47:51.0256 1504 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
18:47:51.0256 1504 nsiproxy - ok
18:47:51.0490 1504 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
18:47:51.0521 1504 Ntfs - ok
18:47:51.0787 1504 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
18:47:51.0787 1504 ntrigdigi - ok
18:47:51.0818 1504 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
18:47:51.0818 1504 Null - ok
18:47:51.0849 1504 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
18:47:51.0849 1504 nvraid - ok
18:47:51.0989 1504 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
18:47:52.0005 1504 nvstor - ok
18:47:52.0161 1504 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
18:47:52.0161 1504 nv_agp - ok
18:47:52.0270 1504 NwlnkFlt - ok
18:47:52.0395 1504 NwlnkFwd - ok
18:47:52.0551 1504 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
18:47:52.0551 1504 ohci1394 - ok
18:47:52.0738 1504 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
18:47:52.0754 1504 Parport - ok
18:47:52.0910 1504 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
18:47:52.0910 1504 partmgr - ok
18:47:53.0081 1504 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
18:47:53.0081 1504 Parvdm - ok
18:47:53.0269 1504 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
18:47:53.0284 1504 pci - ok
18:47:53.0456 1504 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
18:47:53.0456 1504 pciide - ok
18:47:53.0612 1504 pcmcia (3bb2244f343b610c29c98035504c9b75) C:\Windows\system32\DRIVERS\pcmcia.sys
18:47:53.0612 1504 pcmcia - ok
18:47:53.0815 1504 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
18:47:53.0830 1504 PEAUTH - ok
18:47:54.0049 1504 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
18:47:54.0049 1504 PptpMiniport - ok
18:47:54.0205 1504 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
18:47:54.0205 1504 Processor - ok
18:47:54.0392 1504 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
18:47:54.0392 1504 PSched - ok
18:47:54.0579 1504 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\Windows\system32\Drivers\PxHelp20.sys
18:47:54.0579 1504 PxHelp20 - ok
18:47:54.0766 1504 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
18:47:54.0797 1504 ql2300 - ok
18:47:54.0953 1504 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
18:47:54.0953 1504 ql40xx - ok
18:47:55.0156 1504 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
18:47:55.0172 1504 QWAVEdrv - ok
18:47:55.0406 1504 R300 (e642b131fb74caf4bb8a014f31113142) C:\Windows\system32\DRIVERS\atikmdag.sys
18:47:55.0468 1504 R300 - ok
18:47:55.0655 1504 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
18:47:55.0655 1504 RasAcd - ok
18:47:55.0827 1504 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
18:47:55.0827 1504 Rasl2tp - ok
18:47:55.0999 1504 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
18:47:55.0999 1504 RasPppoe - ok
18:47:56.0201 1504 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
18:47:56.0201 1504 RasSstp - ok
18:47:56.0357 1504 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
18:47:56.0357 1504 rdbss - ok
18:47:56.0529 1504 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
18:47:56.0529 1504 RDPCDD - ok
18:47:56.0685 1504 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
18:47:56.0685 1504 rdpdr - ok
18:47:56.0747 1504 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
18:47:56.0747 1504 RDPENCDD - ok
18:47:56.0888 1504 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
18:47:56.0903 1504 RDPWD - ok
18:47:57.0075 1504 rimmptsk (c2ef513bbe069f0d4ee0938a76f975d3) C:\Windows\system32\DRIVERS\rimmptsk.sys
18:47:57.0075 1504 rimmptsk - ok
18:47:57.0231 1504 rimsptsk (c398bca91216755b098679a8da8a2300) C:\Windows\system32\drivers\rimsptsk.sys
18:47:57.0231 1504 rimsptsk - ok
18:47:57.0403 1504 rismxdp (2a2554cb24506e0a0508fc395c4a1b42) C:\Windows\system32\drivers\rixdptsk.sys
18:47:57.0403 1504 rismxdp - ok
18:47:57.0590 1504 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
18:47:57.0590 1504 rspndr - ok
18:47:57.0761 1504 RTL8169 (2fc33077f85d7dc0d03678c06d43898c) C:\Windows\system32\DRIVERS\Rtlh86.sys
18:47:57.0761 1504 RTL8169 - ok
18:47:57.0824 1504 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
18:47:57.0824 1504 sbp2port - ok
18:47:57.0902 1504 sdbus (8f36b54688c31eed4580129040c6a3d3) C:\Windows\system32\DRIVERS\sdbus.sys
18:47:57.0902 1504 sdbus - ok
18:47:58.0011 1504 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
18:47:58.0011 1504 secdrv - ok
18:47:58.0198 1504 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
18:47:58.0198 1504 Serenum - ok
18:47:58.0401 1504 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
18:47:58.0401 1504 Serial - ok
18:47:58.0526 1504 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
18:47:58.0541 1504 sermouse - ok
18:47:58.0744 1504 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
18:47:58.0744 1504 sffdisk - ok
18:47:58.0900 1504 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
18:47:58.0900 1504 sffp_mmc - ok
18:47:59.0072 1504 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
18:47:59.0072 1504 sffp_sd - ok
18:47:59.0228 1504 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
18:47:59.0228 1504 sfloppy - ok
18:47:59.0431 1504 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
18:47:59.0431 1504 sisagp - ok
18:47:59.0602 1504 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
18:47:59.0602 1504 SiSRaid2 - ok
18:47:59.0821 1504 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
18:47:59.0821 1504 SiSRaid4 - ok
18:48:00.0008 1504 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
18:48:00.0008 1504 Smb - ok
18:48:00.0195 1504 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
18:48:00.0195 1504 spldr - ok
18:48:00.0335 1504 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
18:48:00.0335 1504 srv - ok
18:48:00.0491 1504 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
18:48:00.0491 1504 srv2 - ok
18:48:00.0663 1504 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
18:48:00.0663 1504 srvnet - ok
18:48:00.0881 1504 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
18:48:00.0881 1504 swenum - ok
18:48:01.0053 1504 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
18:48:01.0053 1504 Symc8xx - ok
18:48:01.0225 1504 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
18:48:01.0225 1504 Sym_hi - ok
18:48:01.0396 1504 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
18:48:01.0396 1504 Sym_u3 - ok
18:48:01.0583 1504 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
18:48:01.0615 1504 Tcpip - ok
18:48:01.0786 1504 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
18:48:01.0802 1504 Tcpip6 - ok
18:48:01.0973 1504 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
18:48:01.0973 1504 tcpipreg - ok
18:48:02.0145 1504 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
18:48:02.0145 1504 TDPIPE - ok
18:48:02.0301 1504 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
18:48:02.0301 1504 TDTCP - ok
18:48:02.0473 1504 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
18:48:02.0473 1504 tdx - ok
18:48:02.0629 1504 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
18:48:02.0644 1504 TermDD - ok
18:48:02.0816 1504 toshidpt (e362d54fd394999c4178936396664e57) C:\Windows\system32\drivers\toshidpt.sys
18:48:02.0831 1504 toshidpt - ok
18:48:03.0003 1504 tosporte (2c15b4856f929ac7dd144044d8334b54) C:\Windows\system32\DRIVERS\tosporte.sys
18:48:03.0003 1504 tosporte - ok
18:48:03.0175 1504 tosrfbd (4ac571026155442678e3a0b564a374b1) C:\Windows\system32\DRIVERS\tosrfbd.sys
18:48:03.0175 1504 tosrfbd - ok
18:48:03.0346 1504 tosrfbnp (181e217a7a326817d97946d045b3cb46) C:\Windows\system32\Drivers\tosrfbnp.sys
18:48:03.0346 1504 tosrfbnp - ok
18:48:03.0409 1504 Tosrfcom (e90ace3b4fa7a85f992bc21eb779c407) C:\Windows\system32\Drivers\tosrfcom.sys
18:48:03.0424 1504 Tosrfcom - ok
18:48:03.0565 1504 Tosrfhid (d3f87c46c7c9e5db99fbd3d17121b891) C:\Windows\system32\DRIVERS\Tosrfhid.sys
18:48:03.0565 1504 Tosrfhid - ok
18:48:03.0705 1504 tosrfnds (c52fd27b9adf3a1f22cb90e6bcf9b0cb) C:\Windows\system32\DRIVERS\tosrfnds.sys
18:48:03.0705 1504 tosrfnds - ok
18:48:03.0877 1504 tosrfusb (98c04a6432ce9c2ad328f57b9384d348) C:\Windows\system32\DRIVERS\tosrfusb.sys
18:48:03.0877 1504 tosrfusb - ok
18:48:04.0064 1504 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
18:48:04.0064 1504 tssecsrv - ok
18:48:04.0204 1504 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
18:48:04.0204 1504 tunmp - ok
18:48:04.0376 1504 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
18:48:04.0376 1504 tunnel - ok
18:48:04.0547 1504 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
18:48:04.0547 1504 uagp35 - ok
18:48:04.0719 1504 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
18:48:04.0735 1504 udfs - ok
18:48:04.0922 1504 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
18:48:04.0922 1504 uliagpkx - ok
18:48:05.0093 1504 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
18:48:05.0109 1504 uliahci - ok
18:48:05.0281 1504 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
18:48:05.0281 1504 UlSata - ok
18:48:05.0437 1504 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
18:48:05.0452 1504 ulsata2 - ok
18:48:05.0608 1504 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
18:48:05.0608 1504 umbus - ok
18:48:05.0795 1504 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
18:48:05.0795 1504 usbccgp - ok
18:48:05.0983 1504 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
18:48:05.0998 1504 usbcir - ok
18:48:06.0139 1504 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
18:48:06.0139 1504 usbehci - ok
18:48:06.0326 1504 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
18:48:06.0326 1504 usbhub - ok
18:48:06.0497 1504 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
18:48:06.0513 1504 usbohci - ok
18:48:06.0653 1504 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
18:48:06.0653 1504 usbprint - ok
18:48:06.0809 1504 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
18:48:06.0809 1504 usbscan - ok
18:48:07.0059 1504 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
18:48:07.0059 1504 USBSTOR - ok
18:48:07.0184 1504 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
18:48:07.0199 1504 usbuhci - ok
18:48:07.0231 1504 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
18:48:07.0231 1504 vga - ok
18:48:07.0309 1504 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
18:48:07.0309 1504 VgaSave - ok
18:48:07.0433 1504 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
18:48:07.0433 1504 viaagp - ok
18:48:07.0480 1504 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
18:48:07.0480 1504 ViaC7 - ok
18:48:07.0527 1504 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
18:48:07.0527 1504 viaide - ok
18:48:07.0652 1504 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
18:48:07.0652 1504 volmgr - ok
18:48:07.0808 1504 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
18:48:07.0823 1504 volmgrx - ok
18:48:07.0979 1504 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
18:48:07.0979 1504 volsnap - ok
18:48:08.0167 1504 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
18:48:08.0167 1504 vsmraid - ok
18:48:08.0338 1504 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
18:48:08.0354 1504 WacomPen - ok
18:48:08.0494 1504 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
18:48:08.0494 1504 Wanarp - ok
18:48:08.0510 1504 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
18:48:08.0510 1504 Wanarpv6 - ok
18:48:08.0697 1504 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
18:48:08.0697 1504 Wd - ok
18:48:08.0869 1504 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
18:48:08.0884 1504 Wdf01000 - ok
18:48:09.0212 1504 winachsf (72cc6a8ca7891031d6380db5025c773c) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
18:48:09.0243 1504 winachsf - ok
18:48:09.0508 1504 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
18:48:09.0508 1504 WmiAcpi - ok
18:48:10.0054 1504 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
18:48:10.0085 1504 WpdUsb - ok
18:48:10.0475 1504 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
18:48:10.0475 1504 ws2ifsl - ok
18:48:10.0865 1504 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
18:48:10.0881 1504 WUDFRd - ok
18:48:11.0318 1504 XAudio (dab33cfa9dd24251aaa389ff36b64d4b) C:\Windows\system32\DRIVERS\xaudio.sys
18:48:11.0333 1504 XAudio - ok
18:48:11.0365 1504 MBR (0x1B8) (ae8fa489bdbabb7f15572f885c9ff9ae) \Device\Harddisk0\DR0
18:48:11.0396 1504 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
18:48:11.0396 1504 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
18:48:11.0411 1504 Boot (0x1200) (3c1180f8b6a386d95756c9607a0bc440) \Device\Harddisk0\DR0\Partition0
18:48:11.0411 1504 \Device\Harddisk0\DR0\Partition0 - ok
18:48:11.0427 1504 Boot (0x1200) (cecef0584d0d65a9e970b6e3fe430566) \Device\Harddisk0\DR0\Partition1
18:48:11.0427 1504 \Device\Harddisk0\DR0\Partition1 - ok
18:48:11.0443 1504 ============================================================
18:48:11.0443 1504 Scan finished
18:48:11.0443 1504 ============================================================
18:48:11.0443 2784 Detected object count: 1
18:48:11.0443 2784 Actual detected object count: 1
18:48:24.0687 2784 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
18:48:24.0687 2784 \Device\Harddisk0\DR0 - ok
18:48:24.0687 2784 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
18:48:28.0057 2776 Deinitialize success

====================================== THE END OF TDSS KILLER LOG ================================================

Unfortunately I can't locate the old Combofix log file. It could be that I deleted it a day or two after using Combofix
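Added example, not part of this thread or of TDSSKiller itself: a small Python parser for the log format posted above, so the scanned-object hashes and the "infected"/"detected" verdicts can be pulled out for a triage note instead of being read off by eye. The sample lines are copied from the log above; the regexes assume the line shapes seen there ("<time> <pid> <body>", "<name> (<md5>) <path>", "<path> ( <threat> ) - infected", "<path> - detected <threat> (<n>)").

```python
import re
from dataclasses import dataclass, field

# One TDSSKiller log line is "<hh:mm:ss.ms> <pid> <body>".
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
# Scanned object: "<name>[ (0xOFFSET)] (<md5>) <path>", e.g. drivers, "MBR (0x1B8)", "Boot (0x1200)".
OBJECT_RE = re.compile(r"^(\S+(?: \(0x[0-9A-Fa-f]+\))?) \(([0-9a-f]{32})\) (.+)$")
# Verdicts: "<path> ( <threat> ) - infected|will be cured on reboot" and "<path> - detected <threat> (<n>)".
VERDICT_RE = re.compile(r"^(.+?) \( (.+?) \) - (?:infected|will be cured on reboot)$")
DETECTED_RE = re.compile(r"^(.+?) - detected (\S+) \(\d+\)$")

@dataclass
class ScanSummary:
    hashes: dict = field(default_factory=dict)      # object path -> MD5 exactly as logged
    detections: dict = field(default_factory=dict)  # object path -> threat name
    ok_count: int = 0
    reported_count: "int | None" = None  # TDSSKiller's own "Detected object count"

def parse_tdsskiller(text: str) -> ScanSummary:
    """Walk a TDSSKiller log and collect hashes, verdicts and the reported count."""
    s = ScanSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banners, separator rows, blank lines
        body = m.group(3)
        if (o := OBJECT_RE.match(body)):
            s.hashes[o.group(3)] = o.group(2)
        elif (v := VERDICT_RE.match(body)) or (v := DETECTED_RE.match(body)):
            s.detections[v.group(1)] = v.group(2)  # same path twice collapses to one entry
        elif body.endswith(" - ok"):
            s.ok_count += 1
        elif body.startswith("Detected object count:"):
            s.reported_count = int(body.split(":", 1)[1])
    return s

def triage_lines(s: ScanSummary):
    # Pair each detection with the hash of the object it was raised on (None if the object had no hash line).
    return [(path, threat, s.hashes.get(path)) for path, threat in sorted(s.detections.items())]

# Sample input: lines copied from the TDSSKiller log posted above.
SAMPLE_LOG = r"""
18:48:07.0979 1504 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
18:48:07.0979 1504 volsnap - ok
18:48:11.0365 1504 MBR (0x1B8) (ae8fa489bdbabb7f15572f885c9ff9ae) \Device\Harddisk0\DR0
18:48:11.0396 1504 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
18:48:11.0396 1504 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
18:48:11.0411 1504 Boot (0x1200) (3c1180f8b6a386d95756c9607a0bc440) \Device\Harddisk0\DR0\Partition0
18:48:11.0411 1504 \Device\Harddisk0\DR0\Partition0 - ok
18:48:11.0443 2784 Detected object count: 1
"""
```

The MD5 of a clean MBR varies with the disk layout, so only the verdict lines, not the hash, say whether an object is bad; the hash is kept for matching the same object across before/after scans.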

#10 msm2012

msm2012
  • Topic Starter

  • Members
  • 12 posts

Posted 17 January 2012 - 08:46 PM

I have been trying to start/activate Flash_Disinfector but it won't.
Tried double clicking as well as Run as Admin. It asks me if I want to allow it to run.
After I answer positively, the popup closes, the mouse gets that Microsoft turning circle for about 4 sec and that's it. No applications with a name similar to Flash_Disinfector are to be found in the Task Manager.

Is it my Windows Defender and/or firewall that is blocking it?

#11 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 17 January 2012 - 08:52 PM

Hi msm2012,

No, that's my fault. That program only works on Windows XP.

Please use Panda USB Vaccine, or BitDefender's USB Immunizer

Edited by jntkwx, 17 January 2012 - 08:52 PM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#12 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 17 January 2012 - 11:24 PM

Hi msm2012,

Looking good. :thumbup2:

Please download a new version of Combofix:
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you do not know how to do this you can find out >here< or >here<
3. Double click on combofix.exe & follow the prompts.

Important:
  • Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.


In your next reply, please include:
  • Combofix log
  • How is your computer running now? Please be as descriptive as possible. Include any word-for-word error messages that you may have, and/or screenshots of strange behavior.

Regards,
Jason



#13 msm2012

msm2012
  • Topic Starter

  • Members
  • 12 posts

Posted 18 January 2012 - 11:41 AM

Hello Jason
Attached please find the Combofix log made per your instructions.
The computer seems to be running fine. No more of that popup window from Malwarebytes with the message of svchost.exe initiating access to those four IP addresses. However I see a new message (jpg attached) about the last update. Should I run it to see what it is about?

Attached Files



#14 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 18 January 2012 - 04:22 PM

Hi msm2012,

I'm not sure why you are getting the Windows Backup failed message. We'll try to determine why in step 2, below.

:step1: Rerun Combofix
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    DirLook::
    c:\users\AFC\AppData\Roaming\Edsopa
    c:\users\AFC\AppData\Roaming\Sanou
    
  • Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt. Please copy and paste this log into your next reply.


:step2: MiniToolBox

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • List last 10 Event Viewer log
  • List Installed Programs
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.


In your next reply, please include:
  • Combofix log
  • MiniToolBox log
  • How's your computer running now?

Regards,
Jason



#15 msm2012

msm2012
  • Topic Starter

  • Members
  • 12 posts

Posted 19 January 2012 - 09:55 AM

Thanks Jason
Will do the steps above tonight.
The computer is running very well.
Combofix log shall be copy/pasted in the reply message body and MiniToolBox log shall be attached as a txt file?
msm2012



