
Agent_r.aww with evidence of rootkit


  • This topic is locked
12 replies to this topic

#1 InfectedBear

InfectedBear

  • Members
  • 6 posts

Posted 04 February 2012 - 02:01 PM

Cleaning up a machine for a friend.

AVG 2012 detected Agent_r.AWW in C:\Windows\System32\Drivers\smb.sys

I was not able to enable Windows Firewall.

Here are the logs as requested here: http://www.bleepingcomputer.com/forums/topic34773.html

Please help with clean up instructions.

DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19170
Run by computer at 10:10:16 on 2012-02-04
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2548.1425 [GMT -5:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PSIService.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\AVG\AVG2012\avgui.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\computer\Downloads\Defogger.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Presario&pf=desktop
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Presario&pf=desktop
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre1.6.0_22\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [conhost] c:\users\computer\appdata\roaming\microsoft\conhost.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [<NO NAME>]
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
LSP: c:\windows\system32\wpclsp.dll
LSP: mswsock.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.10
TCP: Interfaces\{0628537D-5218-40C0-B788-33B3BD1FFA51} : DhcpNameServer = 192.168.0.10
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.0.6\ViProtocol.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\computer\appdata\roaming\mozilla\firefox\profiles\ku9w2o06.default\
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B232c7c85-523d-4760-9a9b-43f44e559a3c%7D&mid=71406de62c5e45d972597d042d599f4a-b924f8fc52c3aa39d3db741d272b63b601415f7b&ds=AVG&v=10.0.0.7&lang=en&pr=fr&d=2012-02-01%2018%3A03%3A28&sap=ku&q=
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre1.6.0_22\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre1.6.0_22\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\computer\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\computer\appdata\roaming\facebook\npfbplugin_1_0_1.dll
.
============= SERVICES / DRIVERS ===============
.
R?2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2010-2-28 821664]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2010-4-24 483688]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\10.0.6\ToolbarUpdater.exe [2012-2-1 909152]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2010-4-24 550760]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2010-4-24 195944]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2010-4-24 21864]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2010-4-24 19304]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2010-4-24 209768]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]
.
=============== Created Last 30 ================
.
2012-02-04 14:58:55 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-02-04 14:58:55 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-02-04 14:58:55 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-02-04 14:58:55 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-02-04 14:24:11 -------- d-----w- c:\users\computer\appdata\roaming\SUPERAntiSpyware.com
2012-02-04 14:23:37 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-02-04 14:23:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-01 23:15:16 -------- d-----w- c:\users\computer\appdata\roaming\AVG2012
2012-02-01 23:03:28 -------- d-----w- c:\programdata\AVG Secure Search
2012-02-01 23:03:24 -------- d-----w- c:\program files\common files\AVG Secure Search
2012-02-01 23:03:23 -------- d-----w- c:\program files\AVG Secure Search
2012-02-01 23:01:16 -------- d-----w- c:\windows\system32\drivers\AVG
2012-02-01 23:01:16 -------- d-----w- c:\programdata\AVG2012
2012-02-01 19:28:01 -------- d-----w- c:\programdata\MFAData
2012-01-28 16:34:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-28 01:11:03 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2012-01-14 18:05:58 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-14 18:05:58 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-14 18:05:58 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-14 18:05:57 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-14 18:05:57 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-14 18:05:57 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-12 13:57:50 -------- d-----w- C:\d4eb3347a9e120cc449f14082a
2012-01-11 16:29:45 -------- d-----w- C:\8b9decc6c43f94355cf1010e
2012-01-05 16:54:30 -------- d-----w- C:\dc431c9389cb108ff5f84857ca
.
==================== Find3M ====================
.
2012-01-31 02:52:56 8354 --sha-w- c:\windows\system32\KGyGaAvL.sys
2012-01-31 02:52:45 248 --sh--r- c:\windows\system32\337C81BCFF.sys
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-08 14:42:19 2048 ----a-w- c:\windows\system32\tzres.dll
.
============= FINISH: 10:11:21.83 ===============
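The DDS report above is read the same way by every responder: scan the uRun/mRun autostart entries for anything loading from a user profile (the `uRun: [conhost]` entry under AppData\Roaming is the one ComboFix later removes as an orphan), note Windows binary names that live outside the Windows directory, list the BHO/toolbar registrations whose file is gone, and mark hidden+system files in system32 for verification rather than deletion, since those are frequently licensing artefacts. The following Python is an added example, not part of DDS, ComboFix or InfectedBear's post, that encodes those first-pass checks and runs them over a constructed sample in the same line format; the `SYSTEM_BINARY_NAMES` list and the severity labels are assumptions of this example.

```python
"""Triage helper for DDS-style log lines (Pseudo HJT Report and Find3M sections).

Added example for this thread; it is not part of DDS, ComboFix, TDSSKiller or the
original post. The heuristics encode what a responder checks first when reading
such a log, not a detection signature: every hit is a lead to verify, not a verdict.
"""
import re
from typing import Dict, List

# Constructed sample lines in the shape of the DDS report posted above.
SAMPLE_LOG = r"""uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [conhost] c:\users\computer\appdata\roaming\microsoft\conhost.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [<NO NAME>]
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
2012-01-31 02:52:56 8354 --sha-w- c:\windows\system32\KGyGaAvL.sys
2012-01-31 02:52:45 248 --sh--r- c:\windows\system32\337C81BCFF.sys
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
"""

# Line shapes used by DDS: autostart entries, browser add-ons, and dated file entries.
RUN_RE = re.compile(r"^([um])Run:\s+\[(.*?)\]\s*(.*)$")
ADDON_RE = re.compile(r"^(BHO|TB):\s+(?:(.*?):\s+)?\{([0-9A-Fa-f-]{36})\}\s+-\s+(.*)$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S{8})\s+(.*)$")
# Pulls the executable path out of a run target, quoted or not, dropping any arguments.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|com|bat|cmd|vbs|js))"?(?:\s|$)', re.I)

# Assumption (constructed list): core Windows binary names that malware borrows for its own files.
SYSTEM_BINARY_NAMES = {"conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_run_entry(line: str) -> List[str]:
    """Flags uRun/mRun autostart entries that load from user-writable or unexpected locations."""
    m = RUN_RE.match(line)
    if not m:
        return []
    _scope, _name, target = m.groups()
    target = target.strip()
    if not target:
        return ["info: run entry with no target (stale or cleared value)"]
    exe = EXE_RE.match(target)
    path = (exe.group(1) if exe else target).lower()
    reasons = []
    if "\\appdata\\" in path or "\\temp\\" in path:
        reasons.append("high: autostart from a user-writable profile location")
    if _basename(path) in SYSTEM_BINARY_NAMES and "\\windows\\" not in path:
        reasons.append("high: Windows system binary name outside the Windows directory")
    return reasons


def check_addon_entry(line: str) -> List[str]:
    """Flags BHO/toolbar registrations whose file is gone: orphans worth cleaning, rarely malicious."""
    m = ADDON_RE.match(line)
    if m and m.group(4).strip() == "No File":
        return ["info: browser add-on registration with no file on disk"]
    return []


def check_file_entry(line: str) -> List[str]:
    """Flags hidden+system files in system32; often licensing artefacts, so verify before acting."""
    m = FILE_RE.match(line)
    if not m:
        return []
    _date, _size, attrs, path = m.groups()
    if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
        return ["review: hidden+system file in system32 (verify publisher/hash before acting)"]
    return []


CHECKS = (check_run_entry, check_addon_entry, check_file_entry)


def triage(text: str) -> List[Dict[str, object]]:
    """Runs every check over each line and returns only the lines that produced findings."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = [r for check in CHECKS for r in check(line)]
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


def count_by_level(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Counts reasons by their severity prefix (the text before the first colon)."""
    counts: Dict[str, int] = {}
    for f in findings:
        for r in f["reasons"]:
            level = r.split(":", 1)[0]
            counts[level] = counts.get(level, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
    print(count_by_level(results))
```

Feed it a whole DDS log and it keeps only the lines a responder would have circled anyway; the "review" level is deliberately separate from "high" so that hidden system files (like the two 2012-01-31 entries in the Find3M section) are checked before anything is deleted.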



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 04 February 2012 - 04:38 PM

Hi,

Please do the following

Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.



NEXT



Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • Under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • click OK
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 InfectedBear

InfectedBear
  • Topic Starter

  • Members
  • 6 posts

Posted 04 February 2012 - 05:34 PM

Hi Catbyte,

I temporarily disabled AVG 2012 Free Edition and started Combofix. About 10 minutes after the Combofix window started "Scanning for infected files . . .", a popup appeared saying "Freeware implementation of XCACLS has stopped working." I clicked Close program and the Combofix window hasn't changed.

What do I do now?

Thanks,
InfectedBear

Edited by InfectedBear, 04 February 2012 - 05:38 PM.


#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 04 February 2012 - 05:39 PM

Hi

Even though AVG was disabled, it's been known to interfere with the download; you may need to uninstall it till you are clean.

Please delete the copy of ComboFix that you have on your desktop and download a fresh copy,

then please run it again.

Thanks

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 InfectedBear

InfectedBear
  • Topic Starter

  • Members
  • 6 posts

Posted 04 February 2012 - 07:42 PM

Hi,

I uninstalled AVG 2012 via Add/Remove programs but a fresh download of Combofix still thought it was installed so I ran Appremover and it didn't detect AVG being installed. Then I ran the AVG Removal Tool and restarted. Combofix still prompts to turn off AVG and I still get the popup saying XCACLS stopped working.

What do I do now?

Thanks for your help.

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 04 February 2012 - 07:51 PM

Please boot into safe mode and try it in safe mode.

To Enter Safemode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • Go into your usual account

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 InfectedBear

InfectedBear
  • Topic Starter

  • Members
  • 6 posts

Posted 04 February 2012 - 10:10 PM

Running chkdsk c: /f and Combofix in safe mode led to some progress. Combofix detected the ZeroAccess rootkit in Safe mode and asked to reboot. I let it reboot into Normal mode and then started Combofix manually. It mentioned ZeroAccess again and after three reboots it gave the log file. TDSS found and cured ZAccess1.

Thanks for your help so far. Please let me know if I need to do anything else to make sure the system is clean.



Combofix:

ComboFix 12-02-05.01 - computer 04/02/2012 21:35:01.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2548.1810 [GMT -5:00]
Running from: c:\users\computer\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common Files\System\Uninstall
c:\programdata\pswi_preloaded.exe
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.drv
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.sys
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\cb.drv
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\cid.dll
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\cid.drv
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\CLSV.drv
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\ddv.tmp
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\dudl.drv
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\eb.dll
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\eb.drv
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\eb.exe
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\energy.dll
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\energy.exe
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\energy.tmp
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\exec.sys
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\fix.exe
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\FS.sys
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\FW.sys
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\hymt.exe
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\kernel32.dll
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\kernel32.sys
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\pal.dll
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\pal.tmp
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\PE.sys
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\snl2w.exe
c:\users\computer\AppData\Roaming\Microsoft\Windows\Recent\snl2w.sys
c:\users\computer\CPR .rtf
c:\users\computer\Desktop\Internet Explorer.lnk
c:\windows\security\Database\tmp.edb
c:\windows\$NtUninstallKB49587$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2012-01-05 to 2012-02-05 )))))))))))))))))))))))))))))))
.
.
2012-02-04 14:58 . 2012-02-04 22:57 45016 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-02-04 14:58 . 2012-02-04 14:58 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-02-04 14:58 . 2012-02-04 14:58 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-02-04 14:58 . 2012-02-04 14:58 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-02-04 14:24 . 2012-02-04 14:24 -------- d-----w- c:\users\computer\AppData\Roaming\SUPERAntiSpyware.com
2012-02-04 14:23 . 2012-02-04 14:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-04 14:23 . 2012-02-04 14:23 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-01-28 16:34 . 2012-01-28 16:40 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-28 01:11 . 2011-04-09 20:35 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-01-14 18:05 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-14 18:05 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-14 18:05 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-14 18:05 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-14 18:05 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-14 18:05 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-12 13:57 . 2012-01-12 14:02 -------- d-----w- C:\d4eb3347a9e120cc449f14082a
2012-01-11 16:29 . 2012-01-11 16:29 -------- d-----w- C:\8b9decc6c43f94355cf1010e
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 20:24 . 2009-02-23 18:36 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:37 . 2011-12-14 16:39 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-08 14:42 . 2011-12-14 16:39 2048 ----a-w- c:\windows\system32\tzres.dll
2012-02-04 22:57 . 2011-06-22 20:48 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-08-25 171448]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2007-01-15 478800]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 150552]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-6827989-4259258885-628603017-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-04 c:\windows\Tasks\User_Feed_Synchronization-{976DD633-DEDB-47E8-99F7-E6EEF7B610DC}.job
- c:\windows\system32\msfeedssync.exe [2011-12-14 04:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
TCP: DhcpNameServer = 192.168.0.10
FF - ProfilePath - c:\users\computer\AppData\Roaming\Mozilla\Firefox\Profiles\ku9w2o06.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B232c7c85-523d-4760-9a9b-43f44e559a3c%7D&mid=71406de62c5e45d972597d042d599f4a-b924f8fc52c3aa39d3db741d272b63b601415f7b&ds=AVG&v=10.0.0.7&lang=en&pr=fr&d=2012-02-01%2018%3A03%3A28&sap=ku&q=
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKCU-Run-conhost - c:\users\computer\AppData\Roaming\Microsoft\conhost.exe
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PSIService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft Application Virtualization Client\sftvsa.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Microsoft Application Virtualization Client\sftlist.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
c:\windows\system32\conime.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-02-04 21:52:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-05 02:52
.
Pre-Run: 226,376,142,848 bytes free
Post-Run: 227,353,313,280 bytes free
.
- - End Of File - - EA7606345BD8D26A91FF947999EBD922


21:58:04.0376 1256 TDSS rootkit removing tool 2.7.9.0 Feb 1 2012 09:28:49
21:58:05.0031 1256 ============================================================
21:58:05.0031 1256 Current date / time: 2012/02/04 21:58:05.0031
21:58:05.0031 1256 SystemInfo:
21:58:05.0031 1256
21:58:05.0031 1256 OS Version: 6.0.6002 ServicePack: 2.0
21:58:05.0031 1256 Product type: Workstation
21:58:05.0031 1256 ComputerName: COMPUTER-PC
21:58:05.0031 1256 UserName: computer
21:58:05.0031 1256 Windows directory: C:\Windows
21:58:05.0031 1256 System windows directory: C:\Windows
21:58:05.0031 1256 Processor architecture: Intel x86
21:58:05.0031 1256 Number of processors: 2
21:58:05.0031 1256 Page size: 0x1000
21:58:05.0031 1256 Boot type: Normal boot
21:58:05.0031 1256 ============================================================
21:58:06.0030 1256 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0xA181, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000050
21:58:06.0030 1256 \Device\Harddisk0\DR0:
21:58:06.0030 1256 MBR used
21:58:06.0030 1256 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x241D2041
21:58:06.0030 1256 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x241D2080, BlocksNum 0x125B290
21:58:06.0201 1256 Initialize success
21:58:06.0201 1256 ============================================================
21:58:36.0013 3088 ============================================================
21:58:36.0013 3088 Scan started
21:58:36.0013 3088 Mode: Manual; SigCheck; TDLFS;
21:58:36.0013 3088 ============================================================
21:58:37.0089 3088 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
21:58:37.0199 3088 ACPI - ok
21:58:37.0308 3088 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
21:58:37.0370 3088 adp94xx - ok
21:58:37.0542 3088 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
21:58:37.0573 3088 adpahci - ok
21:58:37.0620 3088 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
21:58:37.0635 3088 adpu160m - ok
21:58:37.0729 3088 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
21:58:37.0745 3088 adpu320 - ok
21:58:37.0885 3088 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
21:58:37.0947 3088 AFD - ok
21:58:38.0041 3088 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
21:58:38.0057 3088 agp440 - ok
21:58:38.0088 3088 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
21:58:38.0103 3088 aic78xx - ok
21:58:38.0166 3088 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
21:58:38.0181 3088 aliide - ok
21:58:38.0197 3088 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
21:58:38.0228 3088 amdagp - ok
21:58:38.0244 3088 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
21:58:38.0259 3088 amdide - ok
21:58:38.0337 3088 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
21:58:38.0447 3088 AmdK7 - ok
21:58:38.0540 3088 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
21:58:38.0556 3088 AmdK8 - ok
21:58:38.0603 3088 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
21:58:38.0618 3088 arc - ok
21:58:38.0712 3088 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
21:58:38.0712 3088 arcsas - ok
21:58:38.0743 3088 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
21:58:38.0790 3088 AsyncMac - ok
21:58:38.0883 3088 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
21:58:38.0899 3088 atapi - ok
21:58:39.0024 3088 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
21:58:39.0086 3088 Beep - ok
21:58:39.0180 3088 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
21:58:39.0242 3088 blbdrive - ok
21:58:39.0336 3088 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
21:58:39.0398 3088 bowser - ok
21:58:39.0523 3088 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
21:58:39.0788 3088 BrFiltLo - ok
21:58:39.0851 3088 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
21:58:39.0913 3088 BrFiltUp - ok
21:58:39.0975 3088 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
21:58:40.0131 3088 Brserid - ok
21:58:40.0209 3088 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
21:58:40.0303 3088 BrSerWdm - ok
21:58:40.0443 3088 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
21:58:40.0537 3088 BrUsbMdm - ok
21:58:40.0709 3088 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
21:58:40.0787 3088 BrUsbSer - ok
21:58:40.0880 3088 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
21:58:40.0943 3088 BTHMODEM - ok
21:58:41.0021 3088 catchme - ok
21:58:41.0145 3088 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
21:58:41.0192 3088 cdfs - ok
21:58:41.0223 3088 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
21:58:41.0255 3088 cdrom - ok
21:58:41.0348 3088 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
21:58:41.0395 3088 circlass - ok
21:58:41.0567 3088 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
21:58:41.0598 3088 CLFS - ok
21:58:41.0707 3088 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
21:58:41.0723 3088 cmdide - ok
21:58:41.0863 3088 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\drivers\compbatt.sys
21:58:41.0894 3088 Compbatt - ok
21:58:42.0019 3088 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
21:58:42.0035 3088 crcdisk - ok
21:58:42.0191 3088 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
21:58:42.0253 3088 Crusoe - ok
21:58:42.0487 3088 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
21:58:42.0534 3088 DfsC - ok
21:58:42.0674 3088 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
21:58:42.0690 3088 disk - ok
21:58:42.0783 3088 Dot4 (4f59c172c094e1a1d46463a8dc061cbd) C:\Windows\system32\DRIVERS\Dot4.sys
21:58:42.0846 3088 Dot4 - ok
21:58:42.0877 3088 Dot4Print (80bf3ba09f6f2523c8f6b7cc6dbf7bd5) C:\Windows\system32\DRIVERS\Dot4Prt.sys
21:58:42.0939 3088 Dot4Print - ok
21:58:43.0002 3088 dot4usb (c55004ca6b419b6695970dfe849b122f) C:\Windows\system32\DRIVERS\dot4usb.sys
21:58:43.0064 3088 dot4usb - ok
21:58:43.0158 3088 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
21:58:43.0189 3088 drmkaud - ok
21:58:43.0267 3088 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
21:58:43.0283 3088 DXGKrnl - ok
21:58:43.0361 3088 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
21:58:43.0392 3088 E1G60 - ok
21:58:43.0439 3088 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
21:58:43.0454 3088 Ecache - ok
21:58:43.0548 3088 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
21:58:43.0579 3088 elxstor - ok
21:58:43.0610 3088 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
21:58:43.0657 3088 ErrDev - ok
21:58:43.0735 3088 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
21:58:43.0766 3088 exfat - ok
21:58:43.0813 3088 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
21:58:43.0860 3088 fastfat - ok
21:58:43.0938 3088 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
21:58:44.0000 3088 fdc - ok
21:58:44.0172 3088 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
21:58:44.0187 3088 FileInfo - ok
21:58:44.0312 3088 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
21:58:44.0390 3088 Filetrace - ok
21:58:44.0484 3088 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
21:58:44.0531 3088 flpydisk - ok
21:58:44.0577 3088 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
21:58:44.0593 3088 FltMgr - ok
21:58:44.0702 3088 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
21:58:44.0749 3088 Fs_Rec - ok
21:58:44.0952 3088 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
21:58:44.0983 3088 gagp30kx - ok
21:58:45.0201 3088 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
21:58:45.0264 3088 HDAudBus - ok
21:58:45.0560 3088 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
21:58:45.0685 3088 HidBth - ok
21:58:45.0903 3088 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
21:58:45.0997 3088 HidIr - ok
21:58:46.0091 3088 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
21:58:46.0137 3088 HidUsb - ok
21:58:46.0247 3088 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
21:58:46.0262 3088 HpCISSs - ok
21:58:46.0449 3088 HSF_DP (88749fbf8beb18c90e7d6626c8c1910b) C:\Windows\system32\DRIVERS\HSX_DP.sys
21:58:46.0559 3088 HSF_DP - ok
21:58:46.0715 3088 HSXHWBS2 (fe440536bd98af772130dc3a6fe1915f) C:\Windows\system32\DRIVERS\HSXHWBS2.sys
21:58:46.0746 3088 HSXHWBS2 - ok
21:58:46.0917 3088 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
21:58:47.0011 3088 HTTP - ok
21:58:47.0183 3088 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
21:58:47.0198 3088 i2omp - ok
21:58:47.0276 3088 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
21:58:47.0354 3088 i8042prt - ok
21:58:47.0417 3088 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
21:58:47.0448 3088 iaStorV - ok
21:58:47.0822 3088 igfx (a9221d13d8f1f772010ee293ba9baeb7) C:\Windows\system32\DRIVERS\igdkmd32.sys
21:58:48.0041 3088 igfx - ok
21:58:48.0134 3088 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
21:58:48.0150 3088 iirsp - ok
21:58:48.0321 3088 IntcAzAudAddService (3914ea9111dbeffaf1c68200817768ad) C:\Windows\system32\drivers\RTKVHDA.sys
21:58:48.0446 3088 IntcAzAudAddService - ok
21:58:48.0618 3088 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
21:58:48.0633 3088 intelide - ok
21:58:48.0649 3088 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
21:58:48.0696 3088 intelppm - ok
21:58:48.0805 3088 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
21:58:48.0852 3088 IpFilterDriver - ok
21:58:48.0852 3088 IpInIp - ok
21:58:48.0883 3088 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
21:58:48.0914 3088 IPMIDRV - ok
21:58:48.0992 3088 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
21:58:49.0023 3088 IPNAT - ok
21:58:49.0039 3088 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
21:58:49.0086 3088 IRENUM - ok
21:58:49.0195 3088 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
21:58:49.0195 3088 isapnp - ok
21:58:49.0289 3088 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
21:58:49.0304 3088 iScsiPrt - ok
21:58:49.0382 3088 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
21:58:49.0398 3088 iteatapi - ok
21:58:49.0601 3088 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
21:58:49.0601 3088 iteraid - ok
21:58:49.0757 3088 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
21:58:49.0772 3088 kbdclass - ok
21:58:49.0944 3088 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
21:58:49.0991 3088 kbdhid - ok
21:58:50.0115 3088 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys
21:58:50.0162 3088 KSecDD - ok
21:58:50.0303 3088 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
21:58:50.0365 3088 lltdio - ok
21:58:50.0490 3088 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
21:58:50.0521 3088 LSI_FC - ok
21:58:50.0646 3088 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
21:58:50.0677 3088 LSI_SAS - ok
21:58:50.0755 3088 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
21:58:50.0771 3088 LSI_SCSI - ok
21:58:50.0786 3088 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
21:58:50.0817 3088 luafv - ok
21:58:50.0880 3088 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
21:58:50.0927 3088 mdmxsdk - ok
21:58:51.0005 3088 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
21:58:51.0020 3088 megasas - ok
21:58:51.0051 3088 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
21:58:51.0083 3088 MegaSR - ok
21:58:51.0145 3088 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
21:58:51.0207 3088 Modem - ok
21:58:51.0270 3088 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
21:58:51.0317 3088 monitor - ok
21:58:51.0363 3088 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
21:58:51.0379 3088 mouclass - ok
21:58:51.0441 3088 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
21:58:51.0504 3088 mouhid - ok
21:58:51.0629 3088 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
21:58:51.0644 3088 MountMgr - ok
21:58:51.0722 3088 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
21:58:51.0738 3088 mpio - ok
21:58:51.0769 3088 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
21:58:51.0816 3088 mpsdrv - ok
21:58:51.0909 3088 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
21:58:51.0925 3088 Mraid35x - ok
21:58:51.0972 3088 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
21:58:52.0034 3088 MRxDAV - ok
21:58:52.0175 3088 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
21:58:52.0206 3088 mrxsmb - ok
21:58:52.0346 3088 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
21:58:52.0377 3088 mrxsmb10 - ok
21:58:52.0487 3088 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
21:58:52.0518 3088 mrxsmb20 - ok
21:58:52.0643 3088 msahci (28023e86f17001f7cd9b15a5bc9ae07d) C:\Windows\system32\drivers\msahci.sys
21:58:52.0658 3088 msahci - ok
21:58:52.0674 3088 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
21:58:52.0705 3088 msdsm - ok
21:58:52.0736 3088 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
21:58:52.0799 3088 Msfs - ok
21:58:52.0861 3088 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
21:58:52.0877 3088 msisadrv - ok
21:58:52.0923 3088 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
21:58:52.0986 3088 MSKSSRV - ok
21:58:53.0048 3088 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
21:58:53.0079 3088 MSPCLOCK - ok
21:58:53.0126 3088 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
21:58:53.0173 3088 MSPQM - ok
21:58:53.0391 3088 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
21:58:53.0423 3088 MsRPC - ok
21:58:53.0579 3088 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
21:58:53.0594 3088 mssmbios - ok
21:58:53.0891 3088 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
21:58:53.0937 3088 MSTEE - ok
21:58:54.0047 3088 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
21:58:54.0078 3088 Mup - ok
21:58:54.0187 3088 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
21:58:54.0234 3088 NativeWifiP - ok
21:58:54.0265 3088 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
21:58:54.0312 3088 NDIS - ok
21:58:54.0437 3088 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
21:58:54.0483 3088 NdisTapi - ok
21:58:54.0561 3088 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
21:58:54.0608 3088 Ndisuio - ok
21:58:54.0686 3088 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
21:58:54.0733 3088 NdisWan - ok
21:58:54.0873 3088 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
21:58:54.0920 3088 NDProxy - ok
21:58:54.0998 3088 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
21:58:55.0061 3088 NetBIOS - ok
21:58:55.0092 3088 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
21:58:55.0139 3088 netbt - ok
21:58:55.0263 3088 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
21:58:55.0279 3088 nfrd960 - ok
21:58:55.0341 3088 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
21:58:55.0404 3088 Npfs - ok
21:58:55.0622 3088 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
21:58:55.0716 3088 nsiproxy - ok
21:58:55.0856 3088 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
21:58:55.0919 3088 Ntfs - ok
21:58:56.0028 3088 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
21:58:56.0075 3088 ntrigdigi - ok
21:58:56.0199 3088 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
21:58:56.0231 3088 Null - ok
21:58:56.0262 3088 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
21:58:56.0277 3088 nvraid - ok
21:58:56.0340 3088 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
21:58:56.0355 3088 nvstor - ok
21:58:56.0387 3088 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
21:58:56.0402 3088 nv_agp - ok
21:58:56.0402 3088 NwlnkFlt - ok
21:58:56.0418 3088 NwlnkFwd - ok
21:58:56.0449 3088 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
21:58:56.0496 3088 ohci1394 - ok
21:58:56.0605 3088 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
21:58:56.0683 3088 Parport - ok
21:58:56.0714 3088 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
21:58:56.0730 3088 partmgr - ok
21:58:56.0886 3088 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
21:58:56.0979 3088 Parvdm - ok
21:58:57.0182 3088 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
21:58:57.0213 3088 pci - ok
21:58:57.0385 3088 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
21:58:57.0432 3088 pciide - ok
21:58:57.0510 3088 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
21:58:57.0541 3088 pcmcia - ok
21:58:57.0588 3088 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
21:58:57.0681 3088 PEAUTH - ok
21:58:57.0853 3088 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
21:58:57.0900 3088 PptpMiniport - ok
21:58:58.0009 3088 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
21:58:58.0056 3088 Processor - ok
21:58:58.0118 3088 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
21:58:58.0165 3088 PSched - ok
21:58:58.0274 3088 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
21:58:58.0337 3088 ql2300 - ok
21:58:58.0555 3088 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
21:58:58.0586 3088 ql40xx - ok
21:58:58.0742 3088 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
21:58:58.0789 3088 QWAVEdrv - ok
21:58:58.0992 3088 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
21:58:59.0054 3088 RasAcd - ok
21:58:59.0179 3088 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
21:58:59.0241 3088 Rasl2tp - ok
21:58:59.0429 3088 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
21:58:59.0475 3088 RasPppoe - ok
21:58:59.0694 3088 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
21:58:59.0725 3088 RasSstp - ok
21:58:59.0959 3088 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
21:59:00.0006 3088 rdbss - ok
21:59:00.0240 3088 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
21:59:00.0287 3088 RDPCDD - ok
21:59:00.0427 3088 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
21:59:00.0474 3088 rdpdr - ok
21:59:00.0677 3088 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
21:59:00.0755 3088 RDPENCDD - ok
21:59:00.0895 3088 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
21:59:00.0957 3088 RDPWD - ok
21:59:01.0176 3088 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
21:59:01.0238 3088 rspndr - ok
21:59:01.0316 3088 RTL8169 (abbe0f54ba3a378262c9cb86cf7d91f8) C:\Windows\system32\DRIVERS\Rtlh86.sys
21:59:01.0379 3088 RTL8169 - ok
21:59:01.0457 3088 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
21:59:01.0472 3088 SASDIFSV - ok
21:59:01.0488 3088 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
21:59:01.0503 3088 SASKUTIL - ok
21:59:01.0737 3088 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
21:59:01.0753 3088 sbp2port - ok
21:59:01.0956 3088 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
21:59:02.0049 3088 secdrv - ok
21:59:02.0221 3088 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
21:59:02.0315 3088 Serenum - ok
21:59:02.0346 3088 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
21:59:02.0439 3088 Serial - ok
21:59:02.0502 3088 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
21:59:02.0564 3088 sermouse - ok
21:59:02.0627 3088 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
21:59:02.0658 3088 sffdisk - ok
21:59:02.0705 3088 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
21:59:02.0751 3088 sffp_mmc - ok
21:59:02.0798 3088 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
21:59:02.0845 3088 sffp_sd - ok
21:59:02.0907 3088 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
21:59:02.0985 3088 sfloppy - ok
21:59:03.0079 3088 Sftfs (cc895997c0995a07b6b2779a3b21918b) C:\Windows\system32\DRIVERS\Sftfslh.sys
21:59:03.0110 3088 Sftfs - ok
21:59:03.0204 3088 Sftplay (cf5e9798637795db59697f5e40fca993) C:\Windows\system32\DRIVERS\Sftplaylh.sys
21:59:03.0219 3088 Sftplay - ok
21:59:03.0266 3088 Sftredir (4c8076ff8938b365eeec9123969e0350) C:\Windows\system32\DRIVERS\Sftredirlh.sys
21:59:03.0282 3088 Sftredir - ok
21:59:03.0297 3088 Sftvol (6095a5f221eca9dada2c9ee80ec0d92d) C:\Windows\system32\DRIVERS\Sftvollh.sys
21:59:03.0313 3088 Sftvol - ok
21:59:03.0453 3088 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
21:59:03.0469 3088 sisagp - ok
21:59:03.0516 3088 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
21:59:03.0531 3088 SiSRaid2 - ok
21:59:03.0563 3088 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
21:59:03.0594 3088 SiSRaid4 - ok
21:59:03.0875 3088 Smb (2e304ca720cc332917f7ab3d825d8e2a) C:\Windows\system32\DRIVERS\smb.sys
21:59:03.0875 3088 Smb ( Virus.Win32.ZAccess.k ) - infected
21:59:03.0875 3088 Smb - detected Virus.Win32.ZAccess.k (0)
21:59:04.0077 3088 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
21:59:04.0093 3088 spldr - ok
21:59:04.0421 3088 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
21:59:04.0467 3088 srv - ok
21:59:04.0639 3088 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
21:59:04.0670 3088 srv2 - ok
21:59:04.0842 3088 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
21:59:04.0920 3088 srvnet - ok
21:59:05.0029 3088 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
21:59:05.0045 3088 swenum - ok
21:59:05.0310 3088 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
21:59:05.0325 3088 Symc8xx - ok
21:59:05.0481 3088 SymIMMP - ok
21:59:05.0513 3088 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
21:59:05.0528 3088 Sym_hi - ok
21:59:05.0731 3088 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
21:59:05.0747 3088 Sym_u3 - ok
21:59:05.0949 3088 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
21:59:06.0012 3088 Tcpip - ok
21:59:06.0230 3088 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
21:59:06.0277 3088 Tcpip6 - ok
21:59:06.0355 3088 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
21:59:06.0402 3088 tcpipreg - ok
21:59:06.0495 3088 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
21:59:06.0558 3088 TDPIPE - ok
21:59:06.0854 3088 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
21:59:06.0885 3088 TDTCP - ok
21:59:07.0213 3088 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
21:59:07.0229 3088 tdx - ok
21:59:07.0400 3088 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
21:59:07.0416 3088 TermDD - ok
21:59:07.0619 3088 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
21:59:07.0681 3088 tssecsrv - ok
21:59:07.0775 3088 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
21:59:07.0853 3088 tunmp - ok
21:59:07.0899 3088 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
21:59:07.0946 3088 tunnel - ok
21:59:08.0040 3088 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
21:59:08.0055 3088 uagp35 - ok
21:59:08.0180 3088 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
21:59:08.0211 3088 udfs - ok
21:59:08.0321 3088 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
21:59:08.0336 3088 uliagpkx - ok
21:59:08.0477 3088 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
21:59:08.0492 3088 uliahci - ok
21:59:08.0555 3088 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
21:59:08.0570 3088 UlSata - ok
21:59:08.0664 3088 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
21:59:08.0679 3088 ulsata2 - ok
21:59:08.0773 3088 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
21:59:08.0835 3088 umbus - ok
21:59:08.0960 3088 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
21:59:08.0991 3088 usbccgp - ok
21:59:09.0038 3088 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
21:59:09.0132 3088 usbcir - ok
21:59:09.0225 3088 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
21:59:09.0272 3088 usbehci - ok
21:59:09.0303 3088 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
21:59:09.0366 3088 usbhub - ok
21:59:09.0475 3088 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
21:59:09.0553 3088 usbohci - ok
21:59:09.0662 3088 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
21:59:09.0740 3088 usbprint - ok
21:59:09.0803 3088 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
21:59:09.0849 3088 usbscan - ok
21:59:09.0912 3088 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
21:59:09.0974 3088 USBSTOR - ok
21:59:10.0068 3088 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
21:59:10.0099 3088 usbuhci - ok
21:59:10.0130 3088 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
21:59:10.0193 3088 vga - ok
21:59:10.0364 3088 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
21:59:10.0427 3088 VgaSave - ok
21:59:10.0505 3088 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
21:59:10.0520 3088 viaagp - ok
21:59:10.0614 3088 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
21:59:10.0661 3088 ViaC7 - ok
21:59:10.0910 3088 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
21:59:10.0941 3088 viaide - ok
21:59:11.0082 3088 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
21:59:11.0097 3088 volmgr - ok
21:59:11.0300 3088 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
21:59:11.0331 3088 volmgrx - ok
21:59:11.0441 3088 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
21:59:11.0472 3088 volsnap - ok
21:59:11.0519 3088 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
21:59:11.0550 3088 vsmraid - ok
21:59:11.0597 3088 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
21:59:11.0675 3088 WacomPen - ok
21:59:11.0846 3088 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
21:59:11.0877 3088 Wanarp - ok
21:59:11.0909 3088 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
21:59:11.0940 3088 Wanarpv6 - ok
21:59:12.0127 3088 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
21:59:12.0143 3088 Wd - ok
21:59:12.0205 3088 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
21:59:12.0252 3088 Wdf01000 - ok
21:59:12.0408 3088 winachsf (72cc6a8ca7891031d6380db5025c773c) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
21:59:12.0501 3088 winachsf - ok
21:59:12.0642 3088 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\drivers\wmiacpi.sys
21:59:12.0689 3088 WmiAcpi - ok
21:59:12.0751 3088 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
21:59:12.0782 3088 WpdUsb - ok
21:59:12.0985 3088 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
21:59:13.0047 3088 ws2ifsl - ok
21:59:13.0203 3088 WSDPrintDevice (4422ac5ed8d4c2f0db63e71d4c069dd7) C:\Windows\system32\DRIVERS\WSDPrint.sys
21:59:13.0250 3088 WSDPrintDevice - ok
21:59:13.0359 3088 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
21:59:13.0406 3088 WUDFRd - ok
21:59:13.0453 3088 XAudio (dab33cfa9dd24251aaa389ff36b64d4b) C:\Windows\system32\DRIVERS\xaudio.sys
21:59:13.0484 3088 XAudio - ok
21:59:13.0531 3088 MBR (0x1B8) (81cd5ec01db0ce57edd853f82462ef27) \Device\Harddisk0\DR0
21:59:14.0701 3088 \Device\Harddisk0\DR0 - ok
21:59:14.0748 3088 Boot (0x1200) (fcd90fe84aa975dedf5ce07cb271a97e) \Device\Harddisk0\DR0\Partition0
21:59:14.0763 3088 \Device\Harddisk0\DR0\Partition0 - ok
21:59:14.0795 3088 Boot (0x1200) (fbf89313ec315786da78a406cc1fbfae) \Device\Harddisk0\DR0\Partition1
21:59:14.0826 3088 \Device\Harddisk0\DR0\Partition1 - ok
21:59:14.0826 3088 ============================================================
21:59:14.0826 3088 Scan finished
21:59:14.0826 3088 ============================================================
21:59:14.0857 1344 Detected object count: 1
21:59:14.0857 1344 Actual detected object count: 1
21:59:42.0329 1344 C:\Windows\system32\DRIVERS\smb.sys - copied to quarantine
21:59:42.0329 1344 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\Windows\system32\drivers\smb.sys) error 1813
21:59:43.0779 1344 Backup copy found, using it..
21:59:43.0795 1344 C:\Windows\system32\DRIVERS\smb.sys - will be cured on reboot
21:59:54.0044 1344 Smb ( Virus.Win32.ZAccess.k ) - User select action: Cure
22:00:08.0708 1800 Deinitialize success
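The TDSSKiller log above is long and the one line that matters (smb.sys flagged as Virus.Win32.ZAccess.k and queued for cure) is easy to miss among hundreds of "- ok" lines. The following is an added example, not part of the original post and not Kaspersky's tooling: a small parser that pairs every scanned object with its verdict and lists what was detected, what never received a verdict, and which driver images are registered under more than one service name. The line grammar is inferred from the lines shown in this thread; the sample log is constructed from them, and the smb.sys scan line with its hash is made up because the page does not show it.

```python
"""Pair each object in a TDSSKiller-style log with its verdict.

Added example for this thread, not part of the original post and not
Kaspersky's own tooling. The line grammar is inferred from the log lines
shown on the page; SAMPLE_LOG below is constructed from them (the smb.sys
scan line and its hash are made up, since the page does not show them).
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Every log line starts with "HH:MM:SS.mmmm <pid> ".
PREFIX = r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+"
# "Name (md5) path": an object being scanned; the name may itself contain
# parentheses, e.g. "MBR (0x1B8)", so it is matched non-greedily.
SCAN_RE = re.compile(PREFIX + r"(?P<name>.+?)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")
# "Name - ok" for drivers, "\Device\... - ok" for disk objects.
OK_RE = re.compile(PREFIX + r"(?P<key>.+?) - ok$")
# "Name ( Verdict ) - User select action: Cure"
VERDICT_RE = re.compile(
    PREFIX + r"(?P<name>\S+) \( (?P<verdict>[^)]+) \) - User select action: (?P<action>\w+)$"
)
# Remediation steps are logged against the file path, not the service name.
ACTION_RE = re.compile(PREFIX + r"(?P<path>.+?) - (?P<action>copied to quarantine|will be cured on reboot)$")


@dataclass
class ScannedObject:
    name: str
    md5: str
    path: str
    status: str = "unverified"  # "ok", "detected", or "unverified" (no verdict line seen)
    verdict: Optional[str] = None
    actions: List[str] = field(default_factory=list)


def parse_tdsskiller(log: str) -> List[ScannedObject]:
    objects: List[ScannedObject] = []
    by_key: Dict[str, ScannedObject] = {}  # lower-cased service name or path -> object
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SCAN_RE.match(line):
            obj = ScannedObject(m["name"], m["md5"], m["path"])
            objects.append(obj)
            # Verdicts reference drivers by service name (case varies: smb vs Smb)
            # and disk objects by device path, so index both.
            by_key[obj.name.lower()] = obj
            by_key[obj.path.lower()] = obj
        elif m := OK_RE.match(line):
            obj = by_key.get(m["key"].lower())
            if obj is not None and obj.status == "unverified":
                obj.status = "ok"
        elif m := VERDICT_RE.match(line):
            obj = by_key.get(m["name"].lower())
            if obj is not None:
                obj.status = "detected"
                obj.verdict = m["verdict"]
                obj.actions.append(f"user action: {m['action']}")
        elif m := ACTION_RE.match(line):
            obj = by_key.get(m["path"].lower())
            if obj is not None:
                obj.actions.append(m["action"])
    return objects


def summarize(objects: List[ScannedObject]) -> Dict[str, object]:
    """Condense the parse into what a reviewer actually wants to see."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for obj in objects:
        by_hash[obj.md5].append(obj.name)
    return {
        "detected": {o.name: o.verdict for o in objects if o.status == "detected"},
        "unverified": [o.name for o in objects if o.status == "unverified"],
        # One image under several service names is normal for some Windows
        # drivers (Wanarp and Wanarpv6 both map to wanarp.sys); it is listed
        # so a reviewer can tell expected sharing from a rogue service that
        # points at a system driver.
        "shared_images": {h: names for h, names in by_hash.items() if len(names) > 1},
    }


# Constructed sample: real lines from the thread plus a made-up smb.sys scan
# line; XAudio deliberately has no verdict line so it shows up as unverified.
SAMPLE_LOG = r"""
21:59:11.0846 3088 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
21:59:11.0877 3088 Wanarp - ok
21:59:11.0909 3088 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
21:59:11.0940 3088 Wanarpv6 - ok
21:59:13.0453 3088 XAudio (dab33cfa9dd24251aaa389ff36b64d4b) C:\Windows\system32\DRIVERS\xaudio.sys
21:59:13.0531 3088 MBR (0x1B8) (81cd5ec01db0ce57edd853f82462ef27) \Device\Harddisk0\DR0
21:59:14.0701 3088 \Device\Harddisk0\DR0 - ok
21:59:09.0100 3088 smb (0123456789abcdef0123456789abcdef) C:\Windows\system32\DRIVERS\smb.sys
21:59:14.0857 1344 Detected object count: 1
21:59:42.0329 1344 C:\Windows\system32\DRIVERS\smb.sys - copied to quarantine
21:59:43.0795 1344 C:\Windows\system32\DRIVERS\smb.sys - will be cured on reboot
21:59:54.0044 1344 Smb ( Virus.Win32.ZAccess.k ) - User select action: Cure
"""

if __name__ == "__main__":
    scanned = parse_tdsskiller(SAMPLE_LOG)
    for obj in scanned:
        print(f"{obj.status:10} {obj.name:12} {obj.md5} {obj.path}")
    print(summarize(scanned))
```

Feed it the full log instead of the sample and the "unverified" list is the quick check that the scan actually completed for every object; on the thread's log that list should be empty and "detected" should contain only smb.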

#8 CatByte - Malware Response Team, Canada

Posted 04 February 2012 - 10:47 PM

Good,

we just have a little more work to do to make sure you are clean, please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
c:\windows\$NtUninstallKB49587$

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 InfectedBear - Topic Starter

Posted 05 February 2012 - 06:04 PM

Thank you for your continued assistance. ComboFix mentioned a rootkit again while Malwarebytes came up clean. ESET found the TDSS quarantined item and some FrostWire entries.

Here are the latest logs.

ComboFix 12-02-05.01 - computer 04/02/2012 23:13:46.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2548.1804 [GMT -5:00]
Running from: c:\users\computer\Desktop\ComboFix.exe
Command switches used :: c:\users\computer\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB49587$
.
.
((((((((((((((((((((((((( Files Created from 2012-01-05 to 2012-02-05 )))))))))))))))))))))))))))))))
.
.
2012-02-05 04:22 . 2012-02-05 04:22 -------- d-----w- c:\users\computer\AppData\Local\temp
2012-02-05 04:22 . 2012-02-05 04:22 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-02-05 04:22 . 2012-02-05 04:22 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-02-05 04:22 . 2012-02-05 04:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-05 03:16 . 2012-02-05 03:16 -------- d-----w- c:\program files\Common Files\Java
2012-02-05 02:59 . 2012-02-05 02:59 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-04 14:58 . 2012-02-04 22:57 45016 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-02-04 14:58 . 2012-02-04 14:58 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-02-04 14:58 . 2012-02-04 14:58 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-02-04 14:58 . 2012-02-04 14:58 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-02-04 14:24 . 2012-02-04 14:24 -------- d-----w- c:\users\computer\AppData\Roaming\SUPERAntiSpyware.com
2012-02-04 14:23 . 2012-02-04 14:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-04 14:23 . 2012-02-04 14:23 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-01-28 16:34 . 2012-01-28 16:40 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-28 01:11 . 2012-02-05 03:15 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-01-14 18:05 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-14 18:05 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-14 18:05 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-14 18:05 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-14 18:05 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-14 18:05 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-12 13:57 . 2012-01-12 14:02 -------- d-----w- C:\d4eb3347a9e120cc449f14082a
2012-01-11 16:29 . 2012-01-11 16:29 -------- d-----w- C:\8b9decc6c43f94355cf1010e
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-05 03:15 . 2010-04-29 00:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-05 03:00 . 2009-09-18 16:09 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2011-12-10 20:24 . 2009-02-23 18:36 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:37 . 2011-12-14 16:39 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-08 14:42 . 2011-12-14 16:39 2048 ----a-w- c:\windows\system32\tzres.dll
2012-02-04 22:57 . 2011-06-22 20:48 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-08-25 171448]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2007-01-15 478800]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 150552]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-6827989-4259258885-628603017-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-04 c:\windows\Tasks\User_Feed_Synchronization-{976DD633-DEDB-47E8-99F7-E6EEF7B610DC}.job
- c:\windows\system32\msfeedssync.exe [2011-12-14 04:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
TCP: DhcpNameServer = 192.168.0.10
FF - ProfilePath - c:\users\computer\AppData\Roaming\Mozilla\Firefox\Profiles\ku9w2o06.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B232c7c85-523d-4760-9a9b-43f44e559a3c%7D&mid=71406de62c5e45d972597d042d599f4a-b924f8fc52c3aa39d3db741d272b63b601415f7b&ds=AVG&v=10.0.0.7&lang=en&pr=fr&d=2012-02-01%2018%3A03%3A28&sap=ku&q=
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-23261268.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-04 23:22
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-02-04 23:23:59
ComboFix-quarantined-files.txt 2012-02-05 04:23
ComboFix2.txt 2012-02-05 02:52
.
Pre-Run: 225,335,697,408 bytes free
Post-Run: 225,311,211,520 bytes free
.
- - End Of File - - 19DB0602D455FEEF41DD11A118B1229C


Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.05.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19170
computer :: COMPUTER-PC [administrator]

04/02/2012 11:26:10 PM
mbam-log-2012-02-04 (23-26-10).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 200453
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



ESET:
C:\Documents and Settings\computer\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.5.windows.exe Win32/OpenCandy application
C:\Documents and Settings\computer\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exe Win32/OpenCandy application
C:\Documents and Settings\computer\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-5.1.3.windows.exe Win32/OpenCandy application
C:\TDSSKiller_Quarantine\04.02.2012_21.58.05\rtkt0000\svc0000\tsk0000.dta a variant of Win32/Rootkit.Kryptik.HA trojan
C:\Users\computer\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.5.windows.exe Win32/OpenCandy application
C:\Users\computer\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exe Win32/OpenCandy application
C:\Users\computer\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-5.1.3.windows.exe Win32/OpenCandy application
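One detail in the ComboFix log above deserves a second look given the original symptom (Windows Firewall could not be enabled): the Security Center keys carry AntiVirusOverride=1, FirewallOverride=1 and DisableMonitoring=1. Those values tell Security Center to stop monitoring or to trust a product's self-reported state; legitimate security suites set some of them too, so they are a lead to correlate with symptoms rather than proof on their own. The following is an added example, not part of the original post and not ComboFix's own code: it parses the REGEDIT4-style "Reg Loading Points" section and lists every Security Center override that is switched on. SAMPLE_DUMP is constructed from lines shown in this thread.

```python
"""Flag Windows Security Center override values in a ComboFix registry dump.

Added example for this thread, not part of the original post and not
ComboFix's own code. It reads the REGEDIT4-style "Reg Loading Points"
section shown on the page; SAMPLE_DUMP is constructed from those lines.
"""
import re
from typing import Dict, List, Optional, Tuple

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
# Values that tell Security Center to stop monitoring or to trust a
# third-party product's self-reported state. Legitimate suites set some
# of these too, so a hit is a lead to correlate with symptoms (here: the
# Windows Firewall could not be re-enabled), not proof of infection.
OVERRIDE_VALUES = {"AntiVirusOverride", "FirewallOverride", "DisableMonitoring"}


def parse_regedit4(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path (lower-case): {value name: raw data}}.

    ComboFix prints '.' spacer lines, service lines ("S2 ..."), default
    values ("@=...") and ACL lines ("@Denied: ..."); none of those match
    either regex and are skipped.
    """
    reg: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = m["key"].lower()
            reg.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            reg[current][m["name"]] = m["data"]
    return reg


def dword(data: str) -> Optional[int]:
    """Decode 'dword:00000001' -> 1; return None for non-DWORD data."""
    if not data.startswith("dword:"):
        return None
    return int(data[len("dword:"):], 16)


def security_center_overrides(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """List (key, value name) pairs under Security Center that are set to 1."""
    hits: List[Tuple[str, str]] = []
    for key, values in reg.items():
        if not key.startswith(SECURITY_CENTER):
            continue
        for name, data in values.items():
            if name in OVERRIDE_VALUES and dword(data) == 1:
                hits.append((key, name))
    return hits


# Constructed sample built from the registry lines shown in this thread.
SAMPLE_DUMP = r"""
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-6827989-4259258885-628603017-1000]
"EnableNotifications"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
"BlindDial"=dword:00000000
"""

if __name__ == "__main__":
    for key, name in security_center_overrides(parse_regedit4(SAMPLE_DUMP)):
        print(f"override: {name} = 1 under {key}")
```

The SymantecAntiVirus and SymantecFirewall monitoring subkeys are worth noting in the same spirit: nothing else in the log (Run keys, services) shows a Symantec product on this machine, so those entries are leftovers or were planted, and either way they should be reviewed rather than assumed benign.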

#10 CatByte - Malware Response Team, Canada

Posted 05 February 2012 - 07:23 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Documents and Settings\computer\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.5.windows.exe 
C:\Documents and Settings\computer\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exe 
C:\Documents and Settings\computer\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-5.1.3.windows.exe 
C:\TDSSKiller_Quarantine\04.02.2012_21.58.05\rtkt0000\svc0000\tsk0000.dta 
C:\Users\computer\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.5.windows.exe 
C:\Users\computer\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exe 
C:\Users\computer\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-5.1.3.windows.exe 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

Your Java is out of date.
Java™ 6 Update 22 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.


NEXT


Please advise how the computer is running and if there are any outstanding issues



#11 InfectedBear - Topic Starter

Posted 09 February 2012 - 07:51 AM

Thanks for your help CatByte. Unfortunately after removing the rootkit I was unable to get Windows Update back up and running. This seems to be a fairly common side effect of ZeroAccess with no known resolutions. I ended up reinstalling Windows on the machine.

#12 CatByte - Malware Response Team, Canada

Posted 09 February 2012 - 05:44 PM

Hi,

Yes, ZA does sometimes break legitimate services at random. Thanks for letting me know, at least you will have a machine you can trust again.

Stay safe

~CB



#13 CatByte - Malware Response Team, Canada

Posted 09 February 2012 - 05:44 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
