
Infected with Backdoor.TDSS.565, WIN32.ZAccess.L, TR/Graftor.13023.1, TR/Dropper.Gen8


  • This topic is locked
21 replies to this topic

#1 YmTim45 (Members, 10 posts)

Posted 01 February 2012 - 05:57 PM

I got an infection in a Windows XP SP3 system while visiting a web page.
I first cleaned the system using the Avira bootable rescue CD:

it found 3 files in the temp directory infected by TR/Graftor.13023.1 and 1 by TR/Dropper.Gen8.

When I rebooted the PC, I noticed unrequested network connections to the Internet (I watched the activity LEDs of the ADSL modem and ran "netstat" from the MS-DOS shell), so I unplugged the network cable from the network card. The svchost.exe process was running at 100%, so I killed it to scan the system at a decent speed.

Then I cleaned the system using Dr.Web CureIt!:

it found Backdoor.TDSS.565 in the processes \System32\lsass.exe and \System32\ping.exe.

When the user logged in to Windows again after a reboot, the svchost.exe process was still running at 100%, so I killed it again to scan the system at a decent speed. So Dr.Web CureIt! wasn't able to clean the system. Then I cleaned the system with Kaspersky's TDSSKiller.exe:

it found Virus.WIN32.ZAccess.L in the service "NetBT" (\System32\Drivers\netbt.sys)
it also found "suspicious objects" (medium risk): "unsigned files": services "jrskd24", "jrsukd24", "pfc", "TcpIp".

In early 2010 I removed another infection of the TDSS family with a previous version of Kaspersky's TDSSKiller.exe. The PC has been used since then for 2 years without noticing unwanted network activity.

Now I would like to know if the logs are OK and if the system is safe. svchost.exe is no longer running at 100%, but I still haven't tried to connect to the Internet again.
I didn't manage to get a DDS log because DDS freezes after 1-2 minutes of scanning. I read that many users here encountered this problem.

I attach the GMER 1.0.15.15641 log.

Attached file: ark.txt (2.74 KB)

Edited by YmTim45, 01 February 2012 - 06:03 PM.




#2 fireman4it, Bleepin' Fireman (Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 01 February 2012 - 06:54 PM

Hello YmTim45,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 fireman4it, Bleepin' Fireman (Malware Response Team)

Posted 04 February 2012 - 11:07 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 2-3 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it



#4 YmTim45, Topic Starter (Members, 10 posts)

Posted 05 February 2012 - 08:47 AM

Quoting "Are you still there?":

Yes, I have been checking this topic twice a day since the 1st of February, waiting for you to analyze my GMER log.

Quoting "I will be analyzing your log. I will get back to you with instructions.":

I'm waiting to know if that system is now safe for use. I haven't used it since the 1st of February, waiting for your reply. If you wish, I could also post the TDSSKiller logs and the HijackThis log if you need more information to reply with some help about my system (as I said before, DDS freezes during its work, so I cannot get a DDS log for my system, as happens to many other users).

GMER log (I already posted it as an attachment in the previous post, renamed to ark.txt as the BleepingComputer guide I followed says):


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-01 23:00:10
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\ultra1Port2Path0Target0Lun0 HDS72251 rev.V33O
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\uxtdipow.sys


---- System - GMER 1.0.15 ----

SSDT F112DE6E ZwCreateKey
SSDT F112DE64 ZwCreateThread
SSDT F112DE73 ZwDeleteKey
SSDT F112DE7D ZwDeleteValueKey
SSDT F112DE82 ZwLoadKey
SSDT F112DE50 ZwOpenProcess
SSDT F112DE55 ZwOpenThread
SSDT F112DE8C ZwReplaceKey
SSDT F112DE87 ZwRestoreKey
SSDT F112DE78 ZwSetValueKey
SSDT F112DE5F ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs F6CEC400

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB40203$\3122494159 0 bytes
File C:\WINDOWS\$NtUninstallKB40203$\63610561 0 bytes
File C:\WINDOWS\$NtUninstallKB40203$\63610561\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB40203$\63610561\cfg.ini 211 bytes
File C:\WINDOWS\$NtUninstallKB40203$\63610561\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB40203$\63610561\L 0 bytes
File C:\WINDOWS\$NtUninstallKB40203$\63610561\L\jiojfrqs 162816 bytes
File C:\WINDOWS\$NtUninstallKB40203$\63610561\U 0 bytes
File C:\WINDOWS\$NtUninstallKB40203$\63610561\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB40203$\63610561\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB40203$\63610561\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB40203$\63610561\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB40203$\63610561\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB40203$\63610561\U\80000032.@ 73216 bytes
File C:\WINDOWS\$NtUninstallKB40203$\63610561\version 854 bytes

---- EOF - GMER 1.0.15 ----
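
A triage helper for GMER logs in the format posted above, added here as an example; it is not part of the original post and not code from GMER. It parses the System and Files sections, groups the SSDT hook targets by address (hooks installed by one driver land close together, so one cluster usually means one hooking module; on this machine that module may well be a security product, since Avira drivers appear in the TDSSKiller log later in the thread, so a cluster by itself is not evidence of a rootkit), and flags a payload directory under $NtUninstallKB*$ whose contents follow the layout visible in the log (an '@' file, 'U\' and 'L\' subfolders, cfg.ini) instead of the copies of replaced system files a genuine hotfix uninstall folder holds. The embedded sample log is a constructed excerpt of the posted one; the marker set and the 0x1000 clustering span are the editor's heuristics, not GMER's.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the GMER 1.0.15 log posted above (same line format).
SAMPLE_GMER_LOG = r"""GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-01 23:00:10
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT F112DE6E ZwCreateKey
SSDT F112DE64 ZwCreateThread
SSDT F112DE5F ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB40203$\63610561 0 bytes
File C:\WINDOWS\$NtUninstallKB40203$\63610561\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB40203$\63610561\cfg.ini 211 bytes
File C:\WINDOWS\$NtUninstallKB40203$\63610561\L\jiojfrqs 162816 bytes
File C:\WINDOWS\$NtUninstallKB40203$\63610561\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB40203$\63610561\U\80000032.@ 73216 bytes

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (\w+) - GMER")
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\w+)")
FILE_RE = re.compile(r"^File\s+(.+?)\s+(\d+) bytes$")
# Hotfix uninstall folder followed by exactly one more component (the payload dir).
UNINSTALL_DIR_RE = re.compile(r"\\\$NtUninstallKB\d+\$\\[^\\]+", re.IGNORECASE)

@dataclass
class GmerReport:
    ssdt_hooks: list = field(default_factory=list)  # (address, hooked function)
    files: list = field(default_factory=list)       # (path, size in bytes)

def parse_gmer(text):
    """Collect SSDT lines from the System section and File lines from Files."""
    report, section = GmerReport(), None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "System" and (m := SSDT_RE.match(line)):
            report.ssdt_hooks.append((int(m.group(1), 16), m.group(2)))
        elif section == "Files" and (m := FILE_RE.match(line)):
            report.files.append((m.group(1), int(m.group(2))))
    return report

def ssdt_hook_clusters(report, span=0x1000):
    """Group hook targets lying within `span` bytes of the first address of the
    group. Hooks from one driver sit close together, so one cluster normally
    means one hooking module; whether it is a security product or a rootkit
    has to be settled by identifying the driver that owns those addresses."""
    clusters = []
    for addr, name in sorted(report.ssdt_hooks):
        if clusters and addr - clusters[-1][0][0] <= span:
            clusters[-1].append((addr, name))
        else:
            clusters.append([(addr, name)])
    return clusters

def uninstall_dir_markers(report):
    """Per payload directory under $NtUninstallKB*$: layout markers seen and
    bytes held. Heuristic (editor's assumption): a real hotfix uninstall folder
    holds replaced system files, not an '@' file, U\\ and L\\ subfolders, cfg.ini."""
    found = {}
    for path, size in report.files:
        m = UNINSTALL_DIR_RE.search(path)
        if not m:
            continue
        base, rest = path[:m.end()], path[m.end():]  # rest == '' for the dir itself
        entry = found.setdefault(base, {"markers": set(), "payload_bytes": 0})
        if rest.startswith("\\@") or rest.endswith(".@"):
            entry["markers"].add("@")
        if rest.startswith("\\U\\"):
            entry["markers"].add("U")
        if rest.startswith("\\L\\"):
            entry["markers"].add("L")
        if rest.lower() == "\\cfg.ini":
            entry["markers"].add("cfg.ini")
        entry["payload_bytes"] += size
    return found

def flag_payload_dirs(report, required=frozenset({"@", "U", "L"})):
    """(directory, sorted markers, bytes) for every dir showing all required markers."""
    return [(base, sorted(info["markers"]), info["payload_bytes"])
            for base, info in uninstall_dir_markers(report).items()
            if required <= info["markers"]]

if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_GMER_LOG)
    for cluster in ssdt_hook_clusters(rep):
        print(f"{len(cluster)} SSDT hooks near 0x{cluster[0][0]:08X}: "
              + ", ".join(name for _, name in cluster))
    for base, markers, size in flag_payload_dirs(rep):
        print(f"suspicious payload dir {base}: markers {markers}, {size} bytes")
```

Run it against a saved ark.txt by replacing the sample with `open("ark.txt").read()`; the hook cluster tells you how many distinct modules are hooking the SSDT, and the flagged directory (plus its byte count, which here is dominated by the files under L\ and U\) is what to hand to the next removal tool.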



#5 fireman4it, Bleepin' Fireman (Malware Response Team)

Posted 05 February 2012 - 10:53 AM

Hello,

Sorry for the delay. Your machine is still showing signs of infection. Let's run some tools and see if we can get it cleaned up.


1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?



#6 YmTim45, Topic Starter (Members)

Posted 05 February 2012 - 01:50 PM

1. As you asked, I ran TDSSKiller.exe again (all optional scans activated).

The result is in the tdssk_log.txt file attached to this post and is also pasted at the end of this message ("tdssk_log" label).

I got the same result I talked about in the first post of this topic: the rootkit isn't found anymore, but 4 elements are not signed (it found 4 "suspicious objects" (medium risk): "unsigned files": services "jrskd24", "jrsukd24", "pfc", "TcpIp").

2. Then I ran ComboFix: it asked to install the "Microsoft Windows Recovery Console", so I plugged the network cable into the ADSL modem again. After having installed the Recovery Console, ComboFix found Rootkit.ZeroAccess in the TCP/IP stack. After about 15 minutes of scanning, ComboFix froze. I rebooted the PC manually and ran ComboFix again: it found Rootkit.ZeroAccess again and the PC froze after about 15 minutes. I don't know if ComboFix wrote a log file somewhere.



tdssk_log:
18:01:54.0190 1740 TDSS rootkit removing tool 2.7.8.0 Jan 30 2012 16:39:36
18:01:54.0331 1740 ============================================================
18:01:54.0331 1740 Current date / time: 2012/02/05 18:01:54.0331
18:01:54.0331 1740 SystemInfo:
18:01:54.0331 1740
18:01:54.0331 1740 OS Version: 5.1.2600 ServicePack: 3.0
18:01:54.0331 1740 Product type: Workstation
18:01:54.0331 1740 ComputerName: BALTASHAR
18:01:54.0331 1740 UserName: Administrator
18:01:54.0331 1740 Windows directory: C:\WINDOWS
18:01:54.0331 1740 System windows directory: C:\WINDOWS
18:01:54.0331 1740 Processor architecture: Intel x86
18:01:54.0331 1740 Number of processors: 1
18:01:54.0331 1740 Page size: 0x1000
18:01:54.0331 1740 Boot type: Normal boot
18:01:54.0331 1740 ============================================================
18:01:55.0693 1740 Drive \Device\Harddisk0\DR0 - Size: 0x1CC2828000 (115.04 Gb), SectorSize: 0x200, Cylinders: 0x3AA9, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
18:01:55.0693 1740 \Device\Harddisk0\DR0:
18:01:55.0693 1740 MBR used
18:01:55.0693 1740 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x2F10C, BlocksNum 0x206B344
18:01:55.0813 1740 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x209A48F, BlocksNum 0x11FC8D7
18:01:55.0993 1740 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x3296DA5, BlocksNum 0x1805DE1
18:01:56.0003 1740 \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x4A9CBC5, BlocksNum 0x3618FCC
18:01:56.0023 1740 \Device\Harddisk0\DR0\Partition4: MBR, Type 0x7, StartLBA 0x80B5BD0, BlocksNum 0x4617AE0
18:01:56.0103 1740 \Device\Harddisk0\DR0\Partition5: MBR, Type 0xB, StartLBA 0xE46ECFD, BlocksNum 0x1A3A6C
18:01:56.0324 1740 Initialize success
18:01:56.0324 1740 ============================================================
18:03:09.0298 1884 ============================================================
18:03:09.0298 1884 Scan started
18:03:09.0298 1884 Mode: Manual; SigCheck; TDLFS;
18:03:09.0298 1884 ============================================================
18:03:09.0699 1884 Abiosdsk - ok
18:03:09.0829 1884 abp480n5 - ok
18:03:10.0000 1884 ACPI (d766e636187b8f240bbfbabcd51eb2c6) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:03:12.0022 1884 ACPI - ok
18:03:12.0193 1884 ACPIEC (49ac5cd87fbdda62f3e25190019e7627) C:\WINDOWS\system32\drivers\ACPIEC.sys
18:03:12.0583 1884 ACPIEC - ok
18:03:12.0713 1884 adpu160m - ok
18:03:12.0794 1884 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
18:03:13.0204 1884 aec - ok
18:03:13.0404 1884 AFD (e3049b90fe06f3f740b7cfda44995e2c) C:\WINDOWS\System32\drivers\afd.sys
18:03:13.0485 1884 AFD - ok
18:03:13.0585 1884 Aha154x - ok
18:03:13.0695 1884 aic78u2 - ok
18:03:13.0775 1884 aic78xx - ok
18:03:13.0945 1884 AliIde - ok
18:03:14.0135 1884 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
18:03:14.0256 1884 AmdPPM - ok
18:03:14.0406 1884 amsint - ok
18:03:14.0576 1884 asc - ok
18:03:14.0646 1884 asc3350p - ok
18:03:14.0716 1884 asc3550 - ok
18:03:14.0927 1884 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:03:15.0327 1884 AsyncMac - ok
18:03:15.0477 1884 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:03:15.0878 1884 atapi - ok
18:03:16.0018 1884 Atdisk - ok
18:03:16.0158 1884 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:03:16.0549 1884 Atmarpc - ok
18:03:16.0709 1884 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
18:03:17.0100 1884 audstub - ok
18:03:17.0270 1884 avgio (594d25ef73f381fd508b8ee04883f90f) C:\Programmi\Avira\AntiVir Desktop\avgio.sys
18:03:17.0290 1884 avgio - ok
18:03:17.0460 1884 avgntflt (14fe36d8f2c6a2435275338d061a0b66) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
18:03:17.0510 1884 avgntflt - ok
18:03:17.0661 1884 avipbb (33e08f43071e4a4ff6fcfb6758f85a27) C:\WINDOWS\system32\DRIVERS\avipbb.sys
18:03:17.0681 1884 avipbb - ok
18:03:17.0831 1884 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
18:03:18.0321 1884 Beep - ok
18:03:18.0512 1884 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
18:03:19.0002 1884 cbidf2k - ok
18:03:19.0123 1884 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
18:03:19.0493 1884 CCDECODE - ok
18:03:19.0613 1884 cd20xrnt - ok
18:03:19.0774 1884 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
18:03:20.0244 1884 Cdaudio - ok
18:03:20.0414 1884 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
18:03:20.0755 1884 Cdfs - ok
18:03:20.0925 1884 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
18:03:21.0266 1884 Cdrom - ok
18:03:21.0436 1884 Changer - ok
18:03:21.0606 1884 CmdIde - ok
18:03:21.0816 1884 Cpqarray - ok
18:03:21.0907 1884 ctljystk (71007bd2e1e26927fe3e4eb00c0beedf) C:\WINDOWS\system32\DRIVERS\ctljystk.sys
18:03:22.0417 1884 ctljystk - ok
18:03:22.0528 1884 dac2w2k - ok
18:03:22.0598 1884 dac960nt - ok
18:03:22.0758 1884 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
18:03:23.0098 1884 Disk - ok
18:03:23.0289 1884 dmboot (82bc125a8ed33f5f0e75f2aac1065323) C:\WINDOWS\system32\drivers\dmboot.sys
18:03:23.0749 1884 dmboot - ok
18:03:23.0930 1884 dmio (e959ddc0ea7ac11ee5e5602e2a364310) C:\WINDOWS\system32\drivers\dmio.sys
18:03:24.0330 1884 dmio - ok
18:03:24.0450 1884 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
18:03:24.0961 1884 dmload - ok
18:03:25.0221 1884 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
18:03:25.0552 1884 DMusic - ok
18:03:25.0722 1884 dpti2o - ok
18:03:25.0832 1884 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
18:03:26.0203 1884 drmkaud - ok
18:03:26.0373 1884 emu10k (01f83e1b5dce05f5cb7d99113ca9e890) C:\WINDOWS\system32\drivers\emu10k1m.sys
18:03:26.0894 1884 emu10k - ok
18:03:27.0064 1884 emu10k1 (7ffa171cce6a8bfc774862a578ba39a2) C:\WINDOWS\system32\drivers\ctlfacem.sys
18:03:27.0545 1884 emu10k1 - ok
18:03:27.0815 1884 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
18:03:28.0176 1884 Fastfat - ok
18:03:28.0316 1884 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
18:03:28.0666 1884 Fdc - ok
18:03:28.0787 1884 FilterService (52cd33f70a70fa71e051d6f9276c4702) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
18:03:28.0807 1884 FilterService - ok
18:03:29.0007 1884 Fips (2cfea3326981a18c6baf2bd9be76225b) C:\WINDOWS\system32\drivers\Fips.sys
18:03:29.0347 1884 Fips - ok
18:03:29.0508 1884 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
18:03:29.0848 1884 Flpydisk - ok
18:03:29.0998 1884 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
18:03:30.0389 1884 FltMgr - ok
18:03:30.0519 1884 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
18:03:31.0020 1884 Fs_Rec - ok
18:03:31.0440 1884 Ftdisk (f3269a6ee547ea87b949a1cea4816b38) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
18:03:31.0971 1884 Ftdisk - ok
18:03:32.0151 1884 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
18:03:32.0462 1884 gameenum - ok
18:03:32.0592 1884 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
18:03:32.0942 1884 Gpc - ok
18:03:33.0173 1884 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
18:03:33.0513 1884 HidUsb - ok
18:03:33.0724 1884 hpn - ok
18:03:33.0884 1884 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
18:03:34.0274 1884 HTTP - ok
18:03:34.0555 1884 i2omgmt - ok
18:03:34.0705 1884 i2omp - ok
18:03:34.0825 1884 i8042prt (610726e28af55b95043c5c35a727e320) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
18:03:35.0176 1884 i8042prt - ok
18:03:35.0326 1884 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
18:03:35.0686 1884 Imapi - ok
18:03:35.0887 1884 ini910u - ok
18:03:36.0027 1884 IntelIde - ok
18:03:36.0137 1884 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
18:03:36.0468 1884 Ip6Fw - ok
18:03:36.0678 1884 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
18:03:37.0189 1884 IpFilterDriver - ok
18:03:37.0309 1884 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
18:03:37.0669 1884 IpInIp - ok
18:03:37.0820 1884 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
18:03:38.0140 1884 IpNat - ok
18:03:38.0310 1884 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
18:03:38.0651 1884 IPSec - ok
18:03:38.0821 1884 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
18:03:39.0151 1884 IRENUM - ok
18:03:39.0512 1884 isapnp (0953594beb81cc72fcc62d37921b25a6) C:\WINDOWS\system32\DRIVERS\isapnp.sys
18:03:39.0892 1884 isapnp - ok
18:03:40.0073 1884 JRSKD24 (dcc77cd51c8a9ba6a14b979fe5442c7e) C:\WINDOWS\system32\JRSKD24.SYS
18:03:40.0083 1884 JRSKD24 ( UnsignedFile.Multi.Generic ) - warning
18:03:40.0083 1884 JRSKD24 - detected UnsignedFile.Multi.Generic (1)
18:03:40.0273 1884 JRSUKD24 (9cc88aecca3a98abe936929570141d8a) C:\WINDOWS\system32\JRSUKD24.SYS
18:03:40.0283 1884 JRSUKD24 ( UnsignedFile.Multi.Generic ) - warning
18:03:40.0283 1884 JRSUKD24 - detected UnsignedFile.Multi.Generic (1)
18:03:40.0393 1884 Kbdclass (28b6eace513ca7eaba3b809ad4bc274d) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
18:03:40.0744 1884 Kbdclass - ok
18:03:40.0894 1884 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
18:03:41.0305 1884 kmixer - ok
18:03:41.0455 1884 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
18:03:41.0875 1884 KSecDD - ok
18:03:42.0016 1884 L8042pr2 (0f8b7bf7097d1e8d78f2f52a2bea03cd) C:\WINDOWS\system32\DRIVERS\L8042pr2.Sys
18:03:42.0076 1884 L8042pr2 - ok
18:03:42.0306 1884 lbrtfdc - ok
18:03:42.0536 1884 LMouFlt2 (aef09673376a4d93c09e8341854f1bf4) C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys
18:03:42.0576 1884 LMouFlt2 - ok
18:03:42.0697 1884 lvpopflt - ok
18:03:42.0777 1884 LVUSBSta (f7e15f2fe7790733df86e95a76556389) C:\WINDOWS\system32\drivers\LVUSBSta.sys
18:03:42.0817 1884 LVUSBSta - ok
18:03:43.0157 1884 LVUVC (92d03dc19eae9d0a86735705e374fdad) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
18:03:43.0588 1884 LVUVC - ok
18:03:43.0748 1884 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
18:03:44.0229 1884 mnmdd - ok
18:03:44.0429 1884 Modem (8cb6636806d76b85fafaee94d75f5129) C:\WINDOWS\system32\drivers\Modem.sys
18:03:44.0749 1884 Modem - ok
18:03:44.0870 1884 Mouclass (e904ebed608055a2bfb824c07f59766c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
18:03:45.0230 1884 Mouclass - ok
18:03:45.0400 1884 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
18:03:45.0791 1884 MountMgr - ok
18:03:45.0911 1884 mraid35x - ok
18:03:46.0071 1884 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
18:03:46.0412 1884 MRxDAV - ok
18:03:46.0582 1884 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
18:03:46.0973 1884 MRxSmb - ok
18:03:47.0153 1884 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
18:03:47.0493 1884 Msfs - ok
18:03:47.0694 1884 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
18:03:48.0024 1884 MSKSSRV - ok
18:03:48.0174 1884 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
18:03:48.0515 1884 MSPCLOCK - ok
18:03:48.0675 1884 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
18:03:49.0046 1884 MSPQM - ok
18:03:49.0166 1884 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
18:03:49.0476 1884 mssmbios - ok
18:03:49.0606 1884 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
18:03:49.0937 1884 MSTEE - ok
18:03:50.0077 1884 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
18:03:50.0408 1884 Mup - ok
18:03:50.0608 1884 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
18:03:50.0948 1884 NABTSFEC - ok
18:03:51.0119 1884 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
18:03:51.0469 1884 NDIS - ok
18:03:51.0639 1884 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
18:03:51.0970 1884 NdisIP - ok
18:03:52.0070 1884 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
18:03:52.0421 1884 NdisTapi - ok
18:03:52.0581 1884 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
18:03:52.0941 1884 Ndisuio - ok
18:03:53.0081 1884 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
18:03:53.0412 1884 NdisWan - ok
18:03:53.0592 1884 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
18:03:53.0913 1884 NDProxy - ok
18:03:54.0073 1884 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
18:03:54.0413 1884 NetBIOS - ok
18:03:54.0574 1884 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
18:03:54.0924 1884 NetBT - ok
18:03:55.0315 1884 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
18:03:55.0645 1884 Npfs - ok
18:03:55.0825 1884 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
18:03:56.0186 1884 Ntfs - ok
18:03:56.0396 1884 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
18:03:56.0907 1884 Null - ok
18:03:57.0298 1884 nv (f7ee020dc255b40a83899c53d4147746) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
18:03:57.0788 1884 nv - ok
18:03:57.0958 1884 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
18:03:58.0429 1884 NwlnkFlt - ok
18:03:58.0569 1884 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
18:03:59.0010 1884 NwlnkFwd - ok
18:03:59.0180 1884 Parport (4e9408a178b2d955871c2cdd278de3c3) C:\WINDOWS\system32\DRIVERS\parport.sys
18:03:59.0501 1884 Parport - ok
18:03:59.0621 1884 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
18:03:59.0971 1884 PartMgr - ok
18:04:00.0112 1884 ParVdm (0dabef655a444cb1e193626fb1d24b9f) C:\WINDOWS\system32\drivers\ParVdm.sys
18:04:00.0622 1884 ParVdm - ok
18:04:00.0773 1884 PCI (f40a46892afebb0314536b849d57c11e) C:\WINDOWS\system32\DRIVERS\pci.sys
18:04:01.0113 1884 PCI - ok
18:04:01.0243 1884 PCIDump - ok
18:04:01.0353 1884 PCIIde - ok
18:04:01.0494 1884 Pcmcia (815c50f2b1d1562800bdce8be895000e) C:\WINDOWS\system32\drivers\Pcmcia.sys
18:04:01.0814 1884 Pcmcia - ok
18:04:01.0944 1884 PDCOMP - ok
18:04:02.0024 1884 PDFRAME - ok
18:04:02.0165 1884 PDRELI - ok
18:04:02.0215 1884 PDRFRAME - ok
18:04:02.0285 1884 perc2 - ok
18:04:02.0355 1884 perc2hib - ok
18:04:02.0545 1884 pfc (5903fa75200807ad739286bbf40c4904) C:\WINDOWS\system32\drivers\pfc.sys
18:04:02.0575 1884 pfc ( UnsignedFile.Multi.Generic ) - warning
18:04:02.0575 1884 pfc - detected UnsignedFile.Multi.Generic (1)
18:04:02.0775 1884 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
18:04:03.0116 1884 PptpMiniport - ok
18:04:03.0336 1884 Processor (b479f50e883b2297a5f7f212aaee6f6c) C:\WINDOWS\system32\DRIVERS\processr.sys
18:04:03.0667 1884 Processor - ok
18:04:03.0857 1884 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
18:04:04.0187 1884 PSched - ok
18:04:04.0378 1884 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
18:04:04.0858 1884 Ptilink - ok
18:04:04.0999 1884 ql1080 - ok
18:04:05.0079 1884 Ql10wnt - ok
18:04:05.0159 1884 ql12160 - ok
18:04:05.0369 1884 ql1240 - ok
18:04:05.0499 1884 ql1280 - ok
18:04:05.0599 1884 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
18:04:06.0040 1884 RasAcd - ok
18:04:06.0391 1884 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:04:06.0711 1884 Rasl2tp - ok
18:04:06.0921 1884 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:04:07.0252 1884 RasPppoe - ok
18:04:07.0412 1884 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
18:04:07.0923 1884 Raspti - ok
18:04:08.0053 1884 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
18:04:08.0383 1884 Rdbss - ok
18:04:08.0524 1884 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:04:08.0984 1884 RDPCDD - ok
18:04:09.0245 1884 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
18:04:09.0585 1884 rdpdr - ok
18:04:09.0745 1884 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
18:04:10.0076 1884 RDPWD - ok
18:04:10.0266 1884 redbook (393fc252593323b624b230eca6b85e63) C:\WINDOWS\system32\DRIVERS\redbook.sys
18:04:10.0607 1884 redbook - ok
18:04:10.0937 1884 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
18:04:11.0218 1884 rtl8139 - ok
18:04:11.0488 1884 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
18:04:11.0808 1884 Secdrv - ok
18:04:12.0009 1884 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
18:04:12.0339 1884 Serenum - ok
18:04:12.0479 1884 Serial (fdbd9d64e2e03270021d424f0dccf79d) C:\WINDOWS\system32\DRIVERS\serial.sys
18:04:12.0830 1884 Serial - ok
18:04:12.0960 1884 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
18:04:13.0291 1884 Sfloppy - ok
18:04:13.0481 1884 sfman (0b1a5e9cacb5cdd54a2815107bd7c772) C:\WINDOWS\system32\drivers\sfmanm.sys
18:04:13.0971 1884 sfman - ok
18:04:14.0162 1884 Simbad - ok
18:04:14.0312 1884 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
18:04:14.0622 1884 SLIP - ok
18:04:14.0733 1884 Sparrow - ok
18:04:14.0903 1884 SPLITCAM - ok
18:04:15.0103 1884 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
18:04:15.0424 1884 splitter - ok
18:04:15.0644 1884 sr (618718cae288bf7cbd8fcbab2577d932) C:\WINDOWS\system32\DRIVERS\sr.sys
18:04:15.0964 1884 sr - ok
18:04:16.0155 1884 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
18:04:16.0545 1884 Srv - ok
18:04:16.0745 1884 ssmdrv (7b69466075b4da427c5ecd10e1eab72a) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
18:04:16.0755 1884 ssmdrv - ok
18:04:16.0946 1884 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
18:04:17.0286 1884 streamip - ok
18:04:17.0467 1884 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
18:04:17.0797 1884 swenum - ok
18:04:17.0977 1884 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
18:04:18.0308 1884 swmidi - ok
18:04:18.0488 1884 symc810 - ok
18:04:18.0558 1884 symc8xx - ok
18:04:18.0668 1884 sym_hi - ok
18:04:18.0748 1884 sym_u3 - ok
18:04:18.0859 1884 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
18:04:19.0179 1884 sysaudio - ok
18:04:19.0419 1884 Tcpip (d24ea301e2b36c4e975fd216ca85d8e7) C:\WINDOWS\system32\DRIVERS\tcpip.sys
18:04:19.0489 1884 Tcpip ( UnsignedFile.Multi.Generic ) - warning
18:04:19.0489 1884 Tcpip - detected UnsignedFile.Multi.Generic (1)
18:04:19.0740 1884 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
18:04:20.0070 1884 TDPIPE - ok
18:04:20.0220 1884 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
18:04:20.0531 1884 TDTCP - ok
18:04:20.0771 1884 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
18:04:21.0142 1884 TermDD - ok
18:04:21.0352 1884 TosIde - ok
18:04:21.0462 1884 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
18:04:21.0843 1884 Udfs - ok
18:04:21.0983 1884 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
18:04:22.0163 1884 ultra - ok
18:04:22.0374 1884 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
18:04:22.0734 1884 Update - ok
18:04:22.0964 1884 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
18:04:23.0285 1884 usbaudio - ok
18:04:23.0415 1884 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
18:04:23.0746 1884 usbccgp - ok
18:04:23.0896 1884 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
18:04:24.0216 1884 usbhub - ok
18:04:24.0386 1884 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
18:04:24.0737 1884 usbscan - ok
18:04:24.0867 1884 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:04:25.0188 1884 USBSTOR - ok
18:04:25.0358 1884 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
18:04:25.0678 1884 usbuhci - ok
18:04:25.0849 1884 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
18:04:26.0189 1884 VgaSave - ok
18:04:26.0339 1884 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
18:04:26.0660 1884 viaagp - ok
18:04:26.0830 1884 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
18:04:27.0150 1884 ViaIde - ok
18:04:27.0331 1884 VolSnap (e46c1b5a56da7da603d09dfcc79ec59e) C:\WINDOWS\system32\drivers\VolSnap.sys
18:04:27.0711 1884 VolSnap - ok
18:04:27.0952 1884 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
18:04:28.0282 1884 Wanarp - ok
18:04:28.0402 1884 WDICA - ok
18:04:28.0552 1884 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
18:04:28.0873 1884 wdmaud - ok
18:04:29.0714 1884 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
18:04:30.0045 1884 WSTCODEC - ok
18:04:30.0235 1884 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
18:04:30.0325 1884 WudfPf - ok
18:04:30.0515 1884 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
18:04:30.0555 1884 WudfRd - ok
18:04:30.0736 1884 MBR (0x1B8) (6bdf5b8764b8e3e9920abc5dd777a8a5) \Device\Harddisk0\DR0
18:04:31.0947 1884 \Device\Harddisk0\DR0 - ok
18:04:32.0057 1884 Boot (0x1200) (50facd02eed24bc98db897df0a3482c8) \Device\Harddisk0\DR0\Partition0
18:04:32.0057 1884 \Device\Harddisk0\DR0\Partition0 - ok
18:04:32.0158 1884 Boot (0x1200) (a4b0a9d4167e7e07279a4aa48efdb5cf) \Device\Harddisk0\DR0\Partition1
18:04:32.0168 1884 \Device\Harddisk0\DR0\Partition1 - ok
18:04:32.0238 1884 Boot (0x1200) (0a3be49c03ad89c83434086af6a11a78) \Device\Harddisk0\DR0\Partition2
18:04:32.0248 1884 \Device\Harddisk0\DR0\Partition2 - ok
18:04:32.0318 1884 Boot (0x1200) (0f1394c6ea29882fe1f4819edc93d8a4) \Device\Harddisk0\DR0\Partition3
18:04:32.0318 1884 \Device\Harddisk0\DR0\Partition3 - ok
18:04:32.0428 1884 Boot (0x1200) (c2b20160a399b9423930243bb3badc47) \Device\Harddisk0\DR0\Partition4
18:04:32.0428 1884 \Device\Harddisk0\DR0\Partition4 - ok
18:04:32.0508 1884 Boot (0x1200) (da31d52996704144bc1e9182efd8d809) \Device\Harddisk0\DR0\Partition5
18:04:32.0508 1884 \Device\Harddisk0\DR0\Partition5 - ok
18:04:32.0548 1884 ============================================================
18:04:32.0548 1884 Scan finished
18:04:32.0548 1884 ============================================================
18:04:32.0769 1764 Detected object count: 4
18:04:32.0769 1764 Actual detected object count: 4
18:05:23.0722 1764 JRSKD24 ( UnsignedFile.Multi.Generic ) - skipped by user
18:05:23.0722 1764 JRSKD24 ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:05:23.0722 1764 JRSUKD24 ( UnsignedFile.Multi.Generic ) - skipped by user
18:05:23.0722 1764 JRSUKD24 ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:05:23.0732 1764 pfc ( UnsignedFile.Multi.Generic ) - skipped by user
18:05:23.0732 1764 pfc ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:05:23.0732 1764 Tcpip ( UnsignedFile.Multi.Generic ) - skipped by user
18:05:23.0732 1764 Tcpip ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:06:29.0496 1700 Deinitialize success



Edited by YmTim45, 05 February 2012 - 01:54 PM.


#7 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Location:Greenup, Ill USA

Posted 05 February 2012 - 05:49 PM

There might be a Combofix log at C:\Combofix.txt . Try and see if there is a log at C:\Qoobox\ComboFix-quarantined-files.txt

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#8 YmTim45
  • Topic Starter

  • Members
  • 10 posts

Posted 06 February 2012 - 12:39 AM

There are no regular logs left by Combofix.
The only log I found is this (in the "quarantine" directory):



catchme.log

-------- 2012-02-05 - 18:20:30 -------------

file zipped: C:\WINDOWS\$NtUninstallKB40203$\3122494159 -> _3122494159_.zip -> 3122494159 ( 0 bytes )
error: C:\WINDOWS\$NtUninstallKB40203$\3122494159 is not a PE file
kill file error: C:\WINDOWS\$NtUninstallKB40203$\3122494159, Impossibile accedere al file (cannot access file).

-------- 2012-02-05 - 18:54:45 -------------


-------- 2012-02-06 - 05:48:44 -------------




#9 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Location:Greenup, Ill USA

Posted 06 February 2012 - 05:47 PM

Hello,

It looks like Combofix may have worked partially. I want to check a file and see if Combofix removed some files.

1.
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\system32\DRIVERS\tcpip.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


2.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


3.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


Things to include in your next reply::
Jotti results
Gmer log
MBAM log

How is your machine running now?



#10 YmTim45
  • Topic Starter

  • Members
  • 10 posts

Posted 07 February 2012 - 12:12 PM

1.
Jotti virus scan log:


Jotti's malware scan
Filename: TCPIP.SYS
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Tue 7 Feb 2012 00:46:33 (CET)

Additional info
File size: 361600 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: d24ea301e2b36c4e975fd216ca85d8e7
SHA1: fa9dc1de4881552c6b71c1bce9cfaf60a3c9db79


Scanners
ALL THE SCANNERS FOUND NOTHING



__________


2.
GMER log:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-07 17:36:19
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\ultra1Port2Path0Target0Lun0 HDS72251 rev.V33O
Running: 8n9ijrok.exe; Driver: C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\uxtdipow.sys


---- System - GMER 1.0.15 ----

SSDT F06C06AE ZwCreateKey
SSDT F06C06A4 ZwCreateThread
SSDT F06C06B3 ZwDeleteKey
SSDT F06C06BD ZwDeleteValueKey
SSDT F06C06C2 ZwLoadKey
SSDT F06C0690 ZwOpenProcess
SSDT F06C0695 ZwOpenThread
SSDT F06C06CC ZwReplaceKey
SSDT F06C06C7 ZwRestoreKey
SSDT F06C06B8 ZwSetValueKey
SSDT F06C069F ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + F0 804E274C 1 Byte [AE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs F2DF6400

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----



3.
Malware bytes log:


Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.07.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Administrator :: BALTASHAR [administrator]

07/02/2012 17.51.38
mbam-log-2012-02-07 (17-51-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 253993
Time elapsed: 14 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
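The TDSSKiller log posted earlier in the thread flagged Tcpip only as UnsignedFile.Multi.Generic, and the Jotti report in this post lists the same MD5 for tcpip.sys. The following is an added example, not code from the thread or from either tool: it parses that TDSSKiller log format, separates unsigned-file heuristics from real detections, and confirms that the independent scan looked at the same file by comparing the two hashes (the sample lines are copied from the logs posted in this thread).

```python
"""Triage a TDSSKiller text log (the format quoted in this thread) and cross-check
a flagged driver's hash against an independent multi-engine scan result.

Added example for this thread; it is not TDSSKiller, Jotti or forum code.
SAMPLE_LOG and JOTTI_MD5 are copied from the logs posted in the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# "<time> <pid> <name> (<md5>) <path>": the line written when an object is hashed.
OBJ_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<pid>\d+)\s+(?P<name>.+?)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S+)$"
)
# "<time> <pid> <name> [( <verdict> )] - <status>": ok / warning / detected / skipped lines.
STATUS_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<pid>\d+)\s+(?P<name>.+?)(?:\s+\(\s*(?P<verdict>\S+)\s*\))?\s+-\s+(?P<status>.+)$"
)


@dataclass
class ScannedObject:
    name: str
    md5: str | None = None
    path: str | None = None
    verdicts: list[str] = field(default_factory=list)  # e.g. UnsignedFile.Multi.Generic
    statuses: list[str] = field(default_factory=list)  # e.g. "ok", "warning", "skipped by user"


def parse_tdsskiller_log(text: str) -> dict[str, ScannedObject]:
    """Group every hash/status line by object name; banner and summary lines are ignored."""
    objects: dict[str, ScannedObject] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = OBJ_RE.match(line)
        if m:
            obj = objects.setdefault(m["name"], ScannedObject(m["name"]))
            obj.md5, obj.path = m["md5"].lower(), m["path"]
            continue
        m = STATUS_RE.match(line)
        if m:
            obj = objects.setdefault(m["name"], ScannedObject(m["name"]))
            if m["verdict"]:
                obj.verdicts.append(m["verdict"])
            obj.statuses.append(m["status"])
    return objects


def triage(objects: dict[str, ScannedObject]) -> dict[str, str]:
    """Classify everything that was not plainly 'ok'. UnsignedFile.* verdicts only say the
    tool could not verify a digital signature on the file; that is a heuristic, not a
    malware match, so it is kept apart from real detections and needs a second opinion."""
    result: dict[str, str] = {}
    for name, obj in objects.items():
        if not obj.verdicts and all(s == "ok" for s in obj.statuses):
            continue
        if obj.verdicts and all(v.startswith("UnsignedFile.") for v in obj.verdicts):
            result[name] = "unsigned-heuristic"
        else:
            result[name] = "detection"
    return result


def same_file_as_independent_scan(obj: ScannedObject, reported_md5: str) -> bool:
    """True when the hash TDSSKiller recorded equals the hash the second scanner reported,
    i.e. that scanner's clean verdict applies to the very bytes that were flagged."""
    return obj.md5 is not None and obj.md5 == reported_md5.strip().lower()


# Constructed sample: lines copied from the TDSSKiller log and Jotti report posted in this thread.
SAMPLE_LOG = r"""
18:04:04.0378 1884 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
18:04:04.0858 1884 Ptilink - ok
18:04:19.0419 1884 Tcpip (d24ea301e2b36c4e975fd216ca85d8e7) C:\WINDOWS\system32\DRIVERS\tcpip.sys
18:04:19.0489 1884 Tcpip ( UnsignedFile.Multi.Generic ) - warning
18:04:19.0489 1884 Tcpip - detected UnsignedFile.Multi.Generic (1)
18:04:30.0736 1884 MBR (0x1B8) (6bdf5b8764b8e3e9920abc5dd777a8a5) \Device\Harddisk0\DR0
18:04:31.0947 1884 \Device\Harddisk0\DR0 - ok
18:04:32.0548 1884 Scan finished
18:04:32.0769 1764 Detected object count: 4
18:05:23.0732 1764 Tcpip ( UnsignedFile.Multi.Generic ) - skipped by user
18:05:23.0732 1764 Tcpip ( UnsignedFile.Multi.Generic ) - User select action: Skip
"""
JOTTI_MD5 = "d24ea301e2b36c4e975fd216ca85d8e7"  # Jotti: "0 out of 20 scanners reported malware"


def check_thread_logs() -> tuple[dict[str, str], bool]:
    objects = parse_tdsskiller_log(SAMPLE_LOG)
    return triage(objects), same_file_as_independent_scan(objects["Tcpip"], JOTTI_MD5)


if __name__ == "__main__":
    classes, same_bytes = check_thread_logs()
    for name, cls in classes.items():
        print(f"{name}: {cls}")
    print("Jotti scanned the same tcpip.sys that TDSSKiller flagged:", same_bytes)
```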




#11 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Location:Greenup, Ill USA

Posted 07 February 2012 - 12:15 PM

How is your machine running now?



#12 YmTim45
  • Topic Starter

  • Members
  • 10 posts

Posted 07 February 2012 - 01:20 PM

It seems to be working fine. Now it seems that there aren't any unasked connections to the Internet.

The Windows profile that was running when the system was infected still doesn't run programs. Opening links pointing to executables and double-clicking on an executable open the window that asks "Which program do you want to use to open that file?".

Other users registered on that Windows system seem to be working fine.

Is the GMER log OK? Why did Combofix say that my TCP/IP stack is infected? I do not want to use an infected system that could spread personal information...

Edited by YmTim45, 07 February 2012 - 01:23 PM.


#13 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Location:Greenup, Ill USA

Posted 07 February 2012 - 04:50 PM

Hello,

Is the GMER log OK? Why did Combofix say that my TCP/IP stack is infected? I do not want to use an infected system that could spread personal information...

This is why I had you check the Tcpip.sys file. Like all tools and antivirus programs, sometimes false positives are going to happen.


The Windows profile that was running when the system was infected still doesn't run programs. Opening links pointing to executables and double-clicking on an executable open the window that asks "Which program do you want to use to open that file?".


Log into that user and do the following.

Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

2.
Please download and run unhide.exe.


3.
  • Please go to start -> Run.
  • Copy and paste the following line into the Run box and click OK:

    cmd /c dir /a/s/b C:\QooBox >log.txt & log.txt
  • A text file opens up, copy and paste the content to your reply.


Do you have SuperAntiSpyware on this machine?


How is the machine running now?

Edited by fireman4it, 07 February 2012 - 04:56 PM.



#14 YmTim45
  • Topic Starter

  • Members
  • 10 posts

Posted 08 February 2012 - 07:12 AM

Do you have SuperAntiSpyware on this machine?

No.


I will accomplish your requests in the next hours. Then I will post the results. Thanks for your support.

#15 YmTim45
  • Topic Starter

  • Members
  • 10 posts

Posted 08 February 2012 - 11:15 AM

1.

Post the contents of exehelperlog.txt


helperlog.txt

--------

exeHelper by Raktor
Build 20100414
Run at 16:29:04 on 02/08/12
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
exefile="%1" %*
.exe=exefile
Resetting filetype association for .com
comfile="%1" %*
.com=comfile
Resetting userinit and shell values...
Resetting policies...
--Finished--



3.

Please go to start -> Run.



dir command QooBox log:


----------

c:\QooBox\BackEnv
c:\QooBox\LastRun
c:\QooBox\Quarantine
c:\QooBox\Test
c:\QooBox\TestC
c:\QooBox\BackEnv\AppData.folder.dat
c:\QooBox\BackEnv\Cache.folder.dat
c:\QooBox\BackEnv\Cookies.folder.dat
c:\QooBox\BackEnv\Desktop.folder.dat
c:\QooBox\BackEnv\Favorites.folder.dat
c:\QooBox\BackEnv\History.folder.dat
c:\QooBox\BackEnv\LocalAppData.folder.dat
c:\QooBox\BackEnv\LocalSettings.folder.dat
c:\QooBox\BackEnv\Music.folder.dat
c:\QooBox\BackEnv\NetHood.folder.dat
c:\QooBox\BackEnv\Personal.folder.dat
c:\QooBox\BackEnv\Pictures.folder.dat
c:\QooBox\BackEnv\PrintHood.folder.dat
c:\QooBox\BackEnv\Profiles.Folder.dat
c:\QooBox\BackEnv\Profiles.Folder.folder.dat
c:\QooBox\BackEnv\Programs.folder.dat
c:\QooBox\BackEnv\Recent.folder.dat
c:\QooBox\BackEnv\SendTo.folder.dat
c:\QooBox\BackEnv\SetPath.bat
c:\QooBox\BackEnv\StartMenu.folder.dat
c:\QooBox\BackEnv\StartUp.folder.dat
c:\QooBox\BackEnv\SysPath.dat
c:\QooBox\BackEnv\Templates.folder.dat
c:\QooBox\BackEnv\VikPev00
c:\QooBox\LastRun\Gateway
c:\QooBox\Quarantine\C
c:\QooBox\Quarantine\catchme.log
c:\QooBox\Quarantine\Registry_backups
c:\QooBox\Quarantine\C\WINDOWS
c:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB40203$
c:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB40203$\63610561
c:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB40203$\_3122494159_.zip
c:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB40203$\63610561\@.vir
c:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB40203$\63610561\cfg.ini.vir
c:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB40203$\63610561\Desktop.ini.vir
c:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB40203$\63610561\L
c:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB40203$\63610561\U
c:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB40203$\63610561\version.vir
c:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB40203$\63610561\L\jiojfrqs.vir
c:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB40203$\63610561\U\00000001.@.vir
c:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB40203$\63610561\U\00000002.@.vir
c:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB40203$\63610561\U\00000004.@.vir
c:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB40203$\63610561\U\80000000.@.vir
c:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB40203$\63610561\U\80000004.@.vir
c:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB40203$\63610561\U\80000032.@.vir



How is the machine running now?

Some files I always kept "hidden" are now "not hidden".
Links to executables and direct double-clicks on executable files now also work for the Windows user that was running during the infection.

Edited by YmTim45, 08 February 2012 - 11:16 AM.




