Google Keeps Redirecting

15 replies to this topic

#1 Aidan2012

  • Members
  • 8 posts

Posted 06 February 2012 - 01:58 PM

Hi,

I had the SYSTEM CHECK virus on my laptop. I had got rid of it; however, I have a Google redirect on my laptop and can't get rid of it at all. Every time I Google something and click on the link, it redirects me to a site other than the one I wanted to go to. I've had someone from the I.T. department at work have a look at it to see if they could get rid of it; unfortunately they couldn't. They had run Malwarebytes and other virus/malware tools and also ComboFix. I had also opened C:\windows\system32\drivers\etc\hosts, got a text file, and deleted everything other than 127.0.0.1 localhost, but that didn't help.

Google does not redirect whilst at work, due to the proxy? It redirects when I'm using home internet, for example.
I have followed the steps on prepping the laptop before posting. I ran GMER; however, the only options that I was able to check in the main GMER window were Services, Registry, Files, C:\ and ADS. The other boxes were grey and I was unable to check them. I ran the scan.
Any help is much appreciated.

Aidan



Please see dds.txt below:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by aidan.macmanus at 18:02:18 on 2012-02-06
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.3510.2019 [GMT 0:00]
.
AV: Trend Micro Core Protection Module *Enabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
SP: Trend Micro Core Protection Module *Enabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k regsvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Core Protection Module\TMCPMAdapter.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\UltraVNC\WinVNC.exe
c:\Program Files\Dell\Dell System Manager\DCPSysMgrSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\SPBA\upeksvr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files\FreePDF_XP\fpassist.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClientUI.exe
C:\Windows\system32\ntvdm.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://vwtlive/WorkticketSelection.aspx?VwtId=11
mStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [2020] c:\program files\p9\P2020.EXE
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [FreePDF Assistant] c:\program files\freepdf_xp\fpassist.exe
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [<NO NAME>]
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{30F535A0-EE5D-4425-AA0B-0B5186004917} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{30F535A0-EE5D-4425-AA0B-0B5186004917}\244524573796E6563737845726D2339383 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{30F535A0-EE5D-4425-AA0B-0B5186004917}\244584F6D65684572623D225432584 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{30F535A0-EE5D-4425-AA0B-0B5186004917}\2445F40756E6A7F6E656 : DhcpNameServer = 192.168.22.22 192.168.22.23
TCP: Interfaces\{30F535A0-EE5D-4425-AA0B-0B5186004917}\3435B475C414E4 : DhcpNameServer = 192.0.0.185 10.10.1.12
TCP: Interfaces\{30F535A0-EE5D-4425-AA0B-0B5186004917}\35B4952313534373 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{30F535A0-EE5D-4425-AA0B-0B5186004917}\E4564776561627D223 : DhcpNameServer = 192.168.0.1
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Notify: igfxcui - igfxdev.dll
Notify: spba - c:\program files\common files\spba\homefus2.dll
LSA: Authentication Packages = msv1_0 wvauth
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\aidan.macmanus\appdata\roaming\mozilla\firefox\profiles\9qmoh8jr.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
.
============= SERVICES / DRIVERS ===============
.
R0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\drivers\stdfltn.sys [2011-3-15 17072]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2011-3-15 81920]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2010-10-25 826272]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2010-10-25 32160]
R2 dcpsysmgrsvc;Dell System Manager Service;c:\program files\dell\dell system manager\DCPSysMgrSvc.exe [2010-8-24 388464]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2011-3-15 13336]
R2 InstallFilterService;FF Install Filter Service;c:\program files\stmicroelectronics\accelerometerp11\InstallFilterService.exe [2011-3-15 60928]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2011-3-15 59904]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2012-1-6 1153368]
R2 TMAdptrSvr;Trend Micro Adapter Service;c:\program files\trend micro\core protection module\TMCPMAdapter.exe [2011-5-23 990384]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-2-25 58640]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2010-10-20 262416]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2010-10-20 36624]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2011-3-22 1590216]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [2011-3-15 42672]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2011-3-15 144576]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2011-3-15 33832]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2011-3-15 224424]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2011-3-15 132480]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2011-3-15 246272]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2011-3-22 12096]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETwNs32.sys [2011-3-15 6814720]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-30 136176]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-6 652872]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2011-3-15 134144]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-30 136176]
S3 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2011-3-15 48640]
S3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2011-3-15 38912]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2010-4-24 689416]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-3-24 1343400]
.
=============== Created Last 30 ================
.
2012-01-27 00:44:24 -------- d-----w- c:\windows\system32\MpEngineStore
2012-01-25 22:28:54 102400 ----a-w- c:\windows\RegBootClean.exe
2012-01-16 08:20:25 0 ----a-w- c:\users\aidan.macmanus\appdata\local\BIT3F43.tmp
2012-01-14 11:19:13 -------- d-sh--w- C:\$RECYCLE.BIN
2012-01-14 10:15:41 -------- d-----w- C:\ComboFix
2012-01-14 09:59:52 -------- d-----w- c:\windows\PIF
2012-01-09 20:52:10 -------- d-----w- c:\programdata\Common Files
2012-01-09 20:51:43 -------- d-----w- c:\programdata\AVG2012
2012-01-09 20:51:29 -------- d-----w- c:\program files\AVG
2012-01-09 20:48:27 -------- d-----w- c:\programdata\MFAData
2012-01-09 18:35:20 -------- d-----w- c:\users\aidan.macmanus\appdata\roaming\Tieg
2012-01-09 18:35:20 -------- d-----w- c:\users\aidan.macmanus\appdata\roaming\Ivab
2012-01-09 17:42:42 -------- d-----w- c:\users\aidan.macmanus\appdata\roaming\Malwarebytes
2012-01-09 07:57:57 14664 ----a-w- c:\windows\stinger.sys
.
==================== Find3M ====================
.
2012-01-06 11:38:55 9851496 ----a-w- C:\mbam-setup.exe
2012-01-06 11:37:27 1578288 ----a-w- C:\tdsskiller.exe
2011-11-24 04:23:31 2340352 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: WDC_WD16 rev.01.0 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8857EFA9]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH EBX; MOV EBX, [EBP+0xc]; PUSH ESI; XOR EDX, EDX; CMP [0x88586d34], EDX; PUSH EDI; MOV EDI, [EBX+0x60]; JZ 0x187; MOV EAX, [EBP+0x8]; }
1 ntkrnlpa!IofCallDriver[0x82E3BAB6] -> \Device\Harddisk0\DR0[0x88566030]
3 CLASSPNP[0x8C9A059E] -> ntkrnlpa!IofCallDriver[0x82E3BAB6] -> [0x885652A0]
\Driver\stdflt[0x85CEAAD8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8857EFA9
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; PUSH CS; POP DS; PUSH CS; POP ES; PUSHAD ; MOV [0x7e00], DL; MOV BYTE [0x7e04], 0x1e; MOV AH, 0x48; MOV SI, 0x7e04; INT 0x13; MOV AL, 0x50; JB 0x196; SUB WORD [0x413], 0x14; }
user != kernel MBR !!!
sectors 312581805 (+254): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 18:09:02.82 ===============
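The DDS log above carries the two pieces a responder looks at first: the `mPolicies-system` lines (UAC and logon policy values as stored under the HKLM Policies\System key, which this log shows switched off) and the GMER MBR section, whose "user != kernel MBR" line means the boot sector read through the normal user-mode API does not match what the kernel-level read returned, the classic sign of an MBR bootkit hiding its own sector. The following triage script is an added example and is not part of the thread or of DDS/GMER; it parses those line formats as they appear above. The sample log is constructed from the line formats in this post, and the severity labels and explanations are the example's own.

```python
"""Triage helper for the DDS "Pseudo HJT Report" and GMER ROOTKIT line formats.

Added example, not part of DDS or GMER. It flags weakened UAC/logon policy
values, hosts-file overrides, and a user-vs-kernel MBR mismatch.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines in the formats DDS and GMER emit (values chosen
# to mirror a weakened host like the one in this thread).
SAMPLE_LOG = """\
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
Hosts: 127.0.0.1 www.spywareinfo.com
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium" (labels chosen for this example)
    source: str    # the log line that produced the finding
    detail: str


# Registry values DDS echoes as "mPolicies-system: <name> = <value> (0x..)".
# name -> (value that weakens the control, why a defender cares)
WEAK_POLICY_VALUES = {
    "EnableLUA": (0, "UAC is turned off; processes of an admin user start fully elevated"),
    "ConsentPromptBehaviorAdmin": (0, "administrators are elevated without any prompt"),
    "PromptOnSecureDesktop": (0, "UAC prompts are not isolated on the secure desktop"),
    "DisableCAD": (1, "Ctrl+Alt+Del (secure attention sequence) is not required at logon"),
}

POLICY_RE = re.compile(r"^mPolicies-system:\s*(?P<name>\w+)\s*=\s*(?P<value>\d+)")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")


def triage_dds_log(text: str) -> list[Finding]:
    """Return one Finding per suspicious line, in log order."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()

        m = POLICY_RE.match(line)
        if m:
            weak = WEAK_POLICY_VALUES.get(m.group("name"))
            if weak and int(m.group("value")) == weak[0]:
                findings.append(Finding("medium", line, weak[1]))
            continue

        m = HOSTS_RE.match(line)
        if m:
            # DDS lists hosts entries beyond the default localhost line. Mapping a
            # real hostname to loopback blocks that site; malware does this to
            # security vendors, but immunisation tools add such lines too, so verify.
            findings.append(Finding("medium", line,
                                    f"hosts file maps {m.group('host')} to {m.group('ip')}"))
            continue

        if line.startswith("user != kernel MBR"):
            findings.append(Finding("high", line,
                                    "MBR read from user mode differs from the kernel read: "
                                    "consistent with a bootkit hiding its own sector"))
        elif "TDL4" in line and "rootkit" in line.lower():
            findings.append(Finding("high", line, "GMER's MBR check names TDL4"))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings as {severity: count} for a quick read of the log."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_dds_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.source}\n    {f.detail}")
    print(count_by_severity(triage_dds_log(SAMPLE_LOG)))
```

The policy table is the part worth extending: every value DDS reports under `mPolicies-system` comes from the same Policies\System key, so a responder can add further name/value pairs without touching the parser. The MBR check is deliberately a string match on GMER's own output; the script reads the log, it does not touch the disk.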


#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 February 2012 - 09:22 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 Aidan2012
  • Topic Starter

  • Members
  • 8 posts

Posted 07 February 2012 - 05:48 AM

Hi m0le,

Yes, I'm watching this post. I have little/no experience with this sort of stuff but I'll help in whatever way possible.

Many Thanks

A

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 February 2012 - 08:24 PM

Let's start by checking for rootkit activity.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


Now, as GMER doesn't work so well with Windows 7, we can use aswMBR.

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#5 Aidan2012
  • Topic Starter

  • Members
  • 8 posts

Posted 08 February 2012 - 01:42 PM

Please see below for the report from TDSSKiller. I have downloaded aswMBR onto my desktop but when I double click it, the timer appears for a second or two and nothing happens?


18:21:54.0855 5684 TDSS rootkit removing tool 2.7.10.0 Feb 7 2012 15:14:46
18:21:55.0124 5684 ============================================================
18:21:55.0124 5684 Current date / time: 2012/02/08 18:21:55.0124
18:21:55.0124 5684 SystemInfo:
18:21:55.0124 5684
18:21:55.0124 5684 OS Version: 6.1.7600 ServicePack: 0.0
18:21:55.0124 5684 Product type: Workstation
18:21:55.0124 5684 ComputerName: UKBFP150
18:21:55.0124 5684 UserName: aidan.macmanus
18:21:55.0124 5684 Windows directory: C:\Windows
18:21:55.0125 5684 System windows directory: C:\Windows
18:21:55.0125 5684 Processor architecture: Intel x86
18:21:55.0125 5684 Number of processors: 4
18:21:55.0125 5684 Page size: 0x1000
18:21:55.0125 5684 Boot type: Normal boot
18:21:55.0125 5684 ============================================================
18:21:55.0574 5684 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:21:55.0577 5684 \Device\Harddisk0\DR0:
18:21:55.0577 5684 MBR used
18:21:55.0577 5684 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x178000
18:21:55.0577 5684 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x18C000, BlocksNum 0x1248E000
18:21:55.0597 5684 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1261A800, BlocksNum 0x3FD800
18:21:55.0695 5684 Initialize success
18:21:55.0695 5684 ============================================================
18:21:57.0415 4564 ============================================================
18:21:57.0415 4564 Scan started
18:21:57.0415 4564 Mode: Manual;
18:21:57.0415 4564 ============================================================
18:21:57.0922 4564 1394ohci (d01e0b1cef9ee82100c2bb07294880ef) C:\Windows\system32\DRIVERS\1394ohci.sys
18:21:57.0957 4564 1394ohci - ok
18:21:58.0061 4564 Acceler (af1f178b0218b44876e63bf0b019e96b) C:\Windows\system32\DRIVERS\Accelern.sys
18:21:58.0069 4564 Acceler - ok
18:21:58.0174 4564 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\Windows\system32\DRIVERS\ACPI.sys
18:21:58.0212 4564 ACPI - ok
18:21:58.0327 4564 AcpiPmi (98d81ca942d19f7d9153b095162ac013) C:\Windows\system32\DRIVERS\acpipmi.sys
18:21:58.0341 4564 AcpiPmi - ok
18:21:58.0481 4564 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
18:21:58.0512 4564 adp94xx - ok
18:21:58.0628 4564 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
18:21:58.0657 4564 adpahci - ok
18:21:58.0761 4564 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
18:21:58.0796 4564 adpu320 - ok
18:21:58.0921 4564 AFD (0db7a48388d54d154ebec120461a0fcd) C:\Windows\system32\drivers\afd.sys
18:21:58.0925 4564 AFD - ok
18:21:59.0019 4564 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\DRIVERS\agp440.sys
18:21:59.0037 4564 agp440 - ok
18:21:59.0139 4564 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
18:21:59.0163 4564 aic78xx - ok
18:21:59.0287 4564 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\DRIVERS\aliide.sys
18:21:59.0307 4564 aliide - ok
18:21:59.0426 4564 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\DRIVERS\amdagp.sys
18:21:59.0445 4564 amdagp - ok
18:21:59.0554 4564 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\DRIVERS\amdide.sys
18:21:59.0575 4564 amdide - ok
18:21:59.0712 4564 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
18:21:59.0740 4564 AmdK8 - ok
18:21:59.0843 4564 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
18:21:59.0864 4564 AmdPPM - ok
18:21:59.0968 4564 amdsata (e8887df31600cee28eddd5e6ffaaeed7) C:\Windows\system32\DRIVERS\amdsata.sys
18:21:59.0995 4564 amdsata - ok
18:22:00.0114 4564 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
18:22:00.0165 4564 amdsbs - ok
18:22:00.0270 4564 amdxata (2d31914d521c5d36613063cb06d1b12c) C:\Windows\system32\DRIVERS\amdxata.sys
18:22:00.0281 4564 amdxata - ok
18:22:00.0397 4564 ApfiltrService (83299c470907b54bb861b7ad55011871) C:\Windows\system32\DRIVERS\Apfiltr.sys
18:22:00.0411 4564 ApfiltrService - ok
18:22:00.0513 4564 AppID (feb834c02ce1e84b6a38f953ca067706) C:\Windows\system32\drivers\appid.sys
18:22:00.0525 4564 AppID - ok
18:22:00.0648 4564 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
18:22:00.0659 4564 arc - ok
18:22:00.0691 4564 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
18:22:00.0701 4564 arcsas - ok
18:22:00.0813 4564 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
18:22:00.0833 4564 AsyncMac - ok
18:22:00.0970 4564 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\DRIVERS\atapi.sys
18:22:00.0991 4564 atapi - ok
18:22:01.0141 4564 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
18:22:01.0190 4564 b06bdrv - ok
18:22:01.0313 4564 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
18:22:01.0335 4564 b57nd60x - ok
18:22:02.0156 4564 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
18:22:02.0164 4564 Beep - ok
18:22:02.0313 4564 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
18:22:02.0335 4564 blbdrive - ok
18:22:02.0481 4564 bowser (9a5c671b7fbae4865149bb11f59b91b2) C:\Windows\system32\DRIVERS\bowser.sys
18:22:02.0483 4564 bowser - ok
18:22:02.0524 4564 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
18:22:02.0531 4564 BrFiltLo - ok
18:22:02.0563 4564 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
18:22:02.0569 4564 BrFiltUp - ok
18:22:02.0710 4564 BridgeMP (77361d72a04f18809d0efb6cceb74d4b) C:\Windows\system32\DRIVERS\bridge.sys
18:22:02.0721 4564 BridgeMP - ok
18:22:02.0848 4564 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
18:22:02.0885 4564 Brserid - ok
18:22:02.0960 4564 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
18:22:02.0979 4564 BrSerWdm - ok
18:22:03.0051 4564 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
18:22:03.0058 4564 BrUsbMdm - ok
18:22:03.0077 4564 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
18:22:03.0084 4564 BrUsbSer - ok
18:22:03.0180 4564 BthEnum (2865a5c8e98c70c605f417908cebb3a4) C:\Windows\system32\drivers\BthEnum.sys
18:22:03.0203 4564 BthEnum - ok
18:22:03.0259 4564 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
18:22:03.0281 4564 BTHMODEM - ok
18:22:03.0333 4564 BthPan (ad1872e5829e8a2c3b5b4b641c3eab0e) C:\Windows\system32\DRIVERS\bthpan.sys
18:22:03.0355 4564 BthPan - ok
18:22:03.0564 4564 BTHPORT (88059ff1ded4472acd17eebabd393069) C:\Windows\System32\Drivers\BTHport.sys
18:22:03.0604 4564 BTHPORT - ok
18:22:03.0746 4564 BTHUSB (80e6384beec03b8bd45edea29802d657) C:\Windows\System32\Drivers\BTHUSB.sys
18:22:03.0760 4564 BTHUSB - ok
18:22:03.0856 4564 btwaudio - ok
18:22:03.0879 4564 btwavdt - ok
18:22:03.0892 4564 btwl2cap - ok
18:22:03.0957 4564 btwrchid - ok
18:22:04.0113 4564 catchme - ok
18:22:04.0237 4564 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
18:22:04.0261 4564 cdfs - ok
18:22:04.0481 4564 cdrom (ba6e70aa0e6091bc39de29477d866a77) C:\Windows\system32\DRIVERS\cdrom.sys
18:22:04.0495 4564 cdrom - ok
18:22:04.0615 4564 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
18:22:04.0635 4564 circlass - ok
18:22:04.0777 4564 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
18:22:04.0781 4564 CLFS - ok
18:22:04.0913 4564 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
18:22:04.0929 4564 CmBatt - ok
18:22:05.0078 4564 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\DRIVERS\cmdide.sys
18:22:05.0097 4564 cmdide - ok
18:22:05.0241 4564 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
18:22:05.0271 4564 CNG - ok
18:22:05.0422 4564 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
18:22:05.0441 4564 Compbatt - ok
18:22:05.0579 4564 CompositeBus (f1724ba27e97d627f808fb0ba77a28a6) C:\Windows\system32\DRIVERS\CompositeBus.sys
18:22:05.0595 4564 CompositeBus - ok
18:22:05.0730 4564 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
18:22:05.0748 4564 crcdisk - ok
18:22:05.0936 4564 CSC (27c9490bdd0ae48911ab8cf1932591ed) C:\Windows\system32\drivers\csc.sys
18:22:05.0974 4564 CSC - ok
18:22:06.0121 4564 CtAudDrv (0f538df1673e5216f3baacb6911d9d0f) C:\Windows\system32\Drivers\CtAudDrv.sys
18:22:06.0148 4564 CtAudDrv - ok
18:22:06.0288 4564 CtClsFlt (aa52c0b88c46d5037809d05dd826c61e) C:\Windows\system32\DRIVERS\CtClsFlt.sys
18:22:06.0330 4564 CtClsFlt - ok
18:22:06.0486 4564 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\Windows\system32\DRIVERS\CVirtA.sys
18:22:06.0501 4564 CVirtA - ok
18:22:06.0663 4564 CVPNDRVA (d46b2e0eeaf349f2085f8b164e462156) C:\Windows\system32\Drivers\CVPNDRVA.sys
18:22:06.0689 4564 CVPNDRVA - ok
18:22:06.0835 4564 cvusbdrv (d1697063e2cdb6575aa46d668ffee825) C:\Windows\system32\Drivers\cvusbdrv.sys
18:22:06.0855 4564 cvusbdrv - ok
18:22:06.0992 4564 DfsC (83d1ecea8faae75604c0fa49ac7ad996) C:\Windows\system32\Drivers\dfsc.sys
18:22:06.0994 4564 DfsC - ok
18:22:07.0068 4564 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
18:22:07.0069 4564 discache - ok
18:22:07.0212 4564 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
18:22:07.0235 4564 Disk - ok
18:22:07.0363 4564 DNE (694616f813fb627a32c9e32dec133078) C:\Windows\system32\DRIVERS\dne2000.sys
18:22:07.0386 4564 DNE - ok
18:22:07.0519 4564 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
18:22:07.0538 4564 drmkaud - ok
18:22:07.0650 4564 DXGKrnl (1679a4669326cb1a67cc95658d273234) C:\Windows\System32\drivers\dxgkrnl.sys
18:22:07.0711 4564 DXGKrnl - ok
18:22:07.0896 4564 e1kexpress (19e30c3c80d8ce29944b3f30ff9c8b76) C:\Windows\system32\DRIVERS\e1k6232.sys
18:22:07.0925 4564 e1kexpress - ok
18:22:08.0124 4564 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
18:22:08.0218 4564 ebdrv - ok
18:22:08.0286 4564 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
18:22:08.0323 4564 elxstor - ok
18:22:08.0345 4564 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\DRIVERS\errdev.sys
18:22:08.0353 4564 ErrDev - ok
18:22:08.0508 4564 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
18:22:08.0541 4564 exfat - ok
18:22:08.0577 4564 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
18:22:08.0612 4564 fastfat - ok
18:22:08.0644 4564 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
18:22:08.0665 4564 fdc - ok
18:22:08.0690 4564 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
18:22:08.0701 4564 FileInfo - ok
18:22:08.0721 4564 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
18:22:08.0731 4564 Filetrace - ok
18:22:08.0748 4564 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
18:22:08.0757 4564 flpydisk - ok
18:22:08.0790 4564 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
18:22:08.0824 4564 FltMgr - ok
18:22:08.0846 4564 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
18:22:08.0861 4564 FsDepends - ok
18:22:08.0876 4564 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
18:22:08.0893 4564 Fs_Rec - ok
18:22:08.0931 4564 fvevol (5592f5dba26282d24d2b080eb438a4d7) C:\Windows\system32\DRIVERS\fvevol.sys
18:22:08.0935 4564 fvevol - ok
18:22:09.0058 4564 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
18:22:09.0083 4564 gagp30kx - ok
18:22:09.0239 4564 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
18:22:09.0257 4564 hcw85cir - ok
18:22:09.0374 4564 HDAudBus (717a2207fd6f13ad3e664c7d5a43c7bf) C:\Windows\system32\DRIVERS\HDAudBus.sys
18:22:09.0402 4564 HDAudBus - ok
18:22:09.0436 4564 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
18:22:09.0458 4564 HidBatt - ok
18:22:09.0482 4564 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
18:22:09.0510 4564 HidBth - ok
18:22:09.0558 4564 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
18:22:09.0577 4564 HidIr - ok
18:22:09.0623 4564 HidUsb (25072fb35ac90b25f9e4e3bacf774102) C:\Windows\system32\DRIVERS\hidusb.sys
18:22:09.0645 4564 HidUsb - ok
18:22:09.0749 4564 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\DRIVERS\HpSAMD.sys
18:22:09.0777 4564 HpSAMD - ok
18:22:09.0843 4564 HTTP (c531c7fd9e8b62021112787c4e2c5a5a) C:\Windows\system32\drivers\HTTP.sys
18:22:09.0853 4564 HTTP - ok
18:22:09.0891 4564 hwpolicy (8305f33cde89ad6c7a0763ed0b5a8d42) C:\Windows\system32\drivers\hwpolicy.sys
18:22:09.0892 4564 hwpolicy - ok
18:22:09.0943 4564 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\DRIVERS\i8042prt.sys
18:22:09.0971 4564 i8042prt - ok
18:22:10.0098 4564 iaStor (26541a068572f650a2fa490726fe81be) C:\Windows\system32\DRIVERS\iaStor.sys
18:22:10.0104 4564 iaStor - ok
18:22:10.0254 4564 iaStorV (2d2918606673c46769fb516a5ace958e) C:\Windows\system32\DRIVERS\iaStorV.sys
18:22:10.0334 4564 iaStorV - ok
18:22:10.0602 4564 igfx (c5589781f75de0bfb26e221649c80d00) C:\Windows\system32\DRIVERS\igdkmd32.sys
18:22:10.0882 4564 igfx - ok
18:22:11.0005 4564 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
18:22:11.0026 4564 iirsp - ok
18:22:11.0082 4564 Impcd (e3c36ac5ae87ec970ae8ea2a93d59ae1) C:\Windows\system32\DRIVERS\Impcd.sys
18:22:11.0131 4564 Impcd - ok
18:22:11.0269 4564 IntcDAud (af6d1e38bce11daba4c01d6a6de94410) C:\Windows\system32\DRIVERS\IntcDAud.sys
18:22:11.0312 4564 IntcDAud - ok
18:22:11.0358 4564 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\DRIVERS\intelide.sys
18:22:11.0378 4564 intelide - ok
18:22:11.0428 4564 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
18:22:11.0447 4564 intelppm - ok
18:22:11.0479 4564 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
18:22:11.0490 4564 IpFilterDriver - ok
18:22:11.0532 4564 IPMIDRV (e4454b6c37d7ffd5649611f6496308a7) C:\Windows\system32\DRIVERS\IPMIDrv.sys
18:22:11.0560 4564 IPMIDRV - ok
18:22:11.0589 4564 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
18:22:11.0615 4564 IPNAT - ok
18:22:11.0655 4564 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
18:22:11.0674 4564 IRENUM - ok
18:22:11.0713 4564 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\DRIVERS\isapnp.sys
18:22:11.0731 4564 isapnp - ok
18:22:11.0754 4564 iScsiPrt (ed46c223ae46c6866ab77cdc41c404b7) C:\Windows\system32\DRIVERS\msiscsi.sys
18:22:11.0792 4564 iScsiPrt - ok
18:22:11.0832 4564 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
18:22:11.0854 4564 kbdclass - ok
18:22:11.0882 4564 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\Windows\system32\DRIVERS\kbdhid.sys
18:22:11.0903 4564 kbdhid - ok
18:22:11.0933 4564 KSecDD (e36a061ec11b373826905b21be10948f) C:\Windows\system32\Drivers\ksecdd.sys
18:22:11.0952 4564 KSecDD - ok
18:22:11.0997 4564 KSecPkg (365c6154bbbc5377173f1ca7bfb6cc59) C:\Windows\system32\Drivers\ksecpkg.sys
18:22:12.0026 4564 KSecPkg - ok
18:22:12.0093 4564 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
18:22:12.0488 4564 lltdio - ok
18:22:12.0731 4564 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
18:22:12.0764 4564 LSI_FC - ok
18:22:12.0876 4564 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
18:22:12.0906 4564 LSI_SAS - ok
18:22:12.0951 4564 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
18:22:12.0973 4564 LSI_SAS2 - ok
18:22:12.0996 4564 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
18:22:13.0013 4564 LSI_SCSI - ok
18:22:13.0038 4564 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
18:22:13.0057 4564 luafv - ok
18:22:13.0083 4564 MBAMProtector - ok
18:22:13.0131 4564 mdmxsdk - ok
18:22:13.0164 4564 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
18:22:13.0187 4564 megasas - ok
18:22:13.0226 4564 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
18:22:13.0274 4564 MegaSR - ok
18:22:13.0294 4564 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
18:22:13.0305 4564 Modem - ok
18:22:13.0333 4564 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
18:22:13.0334 4564 monitor - ok
18:22:13.0373 4564 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
18:22:13.0395 4564 mouclass - ok
18:22:13.0445 4564 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
18:22:13.0467 4564 mouhid - ok
18:22:13.0506 4564 mountmgr (921c18727c5920d6c0300736646931c2) C:\Windows\system32\drivers\mountmgr.sys
18:22:13.0508 4564 mountmgr - ok
18:22:13.0539 4564 mpio (2af5997438c55fb79d33d015c30e1974) C:\Windows\system32\DRIVERS\mpio.sys
18:22:13.0566 4564 mpio - ok
18:22:13.0590 4564 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
18:22:13.0613 4564 mpsdrv - ok
18:22:13.0631 4564 MRxDAV (b1be47008d20e43da3adc37c24cdb89d) C:\Windows\system32\drivers\mrxdav.sys
18:22:13.0632 4564 MRxDAV - ok
18:22:13.0669 4564 mrxsmb (b4c76ef46322a9711c7b0f4e21ef6ea5) C:\Windows\system32\DRIVERS\mrxsmb.sys
18:22:13.0671 4564 mrxsmb - ok
18:22:13.0715 4564 mrxsmb10 (e593d45024a3fdd11e93cc4a6ca91101) C:\Windows\system32\DRIVERS\mrxsmb10.sys
18:22:13.0718 4564 mrxsmb10 - ok
18:22:13.0740 4564 mrxsmb20 (a9f86c82c9cc3b679cc3957e1183a30f) C:\Windows\system32\DRIVERS\mrxsmb20.sys
18:22:13.0742 4564 mrxsmb20 - ok
18:22:13.0784 4564 msahci (cb5d37e91135b0f15cee64d1f1ba5de5) C:\Windows\system32\DRIVERS\msahci.sys
18:22:13.0805 4564 msahci - ok
18:22:13.0851 4564 msdsm (455029c7174a2dbb03dba8a0d8bddd9a) C:\Windows\system32\DRIVERS\msdsm.sys
18:22:13.0880 4564 msdsm - ok
18:22:13.0908 4564 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
18:22:13.0917 4564 Msfs - ok
18:22:13.0928 4564 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
18:22:13.0935 4564 mshidkmdf - ok
18:22:13.0958 4564 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\DRIVERS\msisadrv.sys
18:22:13.0965 4564 msisadrv - ok
18:22:13.0997 4564 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
18:22:14.0004 4564 MSKSSRV - ok
18:22:14.0015 4564 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
18:22:14.0029 4564 MSPCLOCK - ok
18:22:14.0041 4564 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
18:22:14.0048 4564 MSPQM - ok
18:22:14.0074 4564 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
18:22:14.0103 4564 MsRPC - ok
18:22:14.0128 4564 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\DRIVERS\mssmbios.sys
18:22:14.0145 4564 mssmbios - ok
18:22:14.0182 4564 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
18:22:14.0194 4564 MSTEE - ok
18:22:14.0217 4564 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
18:22:14.0234 4564 MTConfig - ok
18:22:14.0256 4564 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
18:22:14.0266 4564 Mup - ok
18:22:14.0302 4564 mv2 (4cb5d3a5902a92606408a36865a04d53) C:\Windows\system32\DRIVERS\mv2.sys
18:22:14.0322 4564 mv2 - ok
18:22:14.0473 4564 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
18:22:14.0530 4564 NativeWifiP - ok
18:22:14.0685 4564 NDIS (23759d175a0a9baaf04d05047bc135a8) C:\Windows\system32\drivers\ndis.sys
18:22:14.0701 4564 NDIS - ok
18:22:14.0848 4564 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
18:22:14.0874 4564 NdisCap - ok
18:22:14.0992 4564 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
18:22:15.0014 4564 NdisTapi - ok
18:22:15.0141 4564 Ndisuio (b30ae7f2b6d7e343b0df32e6c08fce75) C:\Windows\system32\DRIVERS\ndisuio.sys
18:22:15.0166 4564 Ndisuio - ok
18:22:15.0188 4564 NdisWan (267c415eadcbe53c9ca873dee39cf3a4) C:\Windows\system32\DRIVERS\ndiswan.sys
18:22:15.0203 4564 NdisWan - ok
18:22:15.0225 4564 NDProxy (af7e7c63dcef3f8772726f86039d6eb4) C:\Windows\system32\drivers\NDProxy.sys
18:22:15.0236 4564 NDProxy - ok
18:22:15.0391 4564 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
18:22:15.0412 4564 NetBIOS - ok
18:22:15.0504 4564 NetBT (dd52a733bf4ca5af84562a5e2f963b91) C:\Windows\system32\DRIVERS\netbt.sys
18:22:15.0507 4564 NetBT - ok
18:22:15.0813 4564 NETwNs32 (29e4f23d31fb66c7bf0014d36cf5af2a) C:\Windows\system32\DRIVERS\NETwNs32.sys
18:22:16.0157 4564 NETwNs32 - ok
18:22:16.0302 4564 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
18:22:16.0324 4564 nfrd960 - ok
18:22:16.0427 4564 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
18:22:16.0449 4564 Npfs - ok
18:22:16.0505 4564 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
18:22:16.0506 4564 nsiproxy - ok
18:22:16.0576 4564 Ntfs (b0ff28fef1c6b51bc1ac91b9ffd5d00e) C:\Windows\system32\drivers\Ntfs.sys
18:22:16.0653 4564 Ntfs - ok
18:22:16.0782 4564 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
18:22:16.0797 4564 Null - ok
18:22:16.0908 4564 nvraid (d71feb6fcb0912eb238f0cfe5cb085b8) C:\Windows\system32\DRIVERS\nvraid.sys
18:22:16.0925 4564 nvraid - ok
18:22:17.0056 4564 nvstor (1d8b6a440dff2bdeaa4eb209fcba21bf) C:\Windows\system32\DRIVERS\nvstor.sys
18:22:17.0092 4564 nvstor - ok
18:22:17.0206 4564 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\DRIVERS\nv_agp.sys
18:22:17.0234 4564 nv_agp - ok
18:22:17.0319 4564 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\DRIVERS\ohci1394.sys
18:22:17.0344 4564 ohci1394 - ok
18:22:17.0501 4564 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
18:22:17.0526 4564 Parport - ok
18:22:17.0593 4564 partmgr (ff4218952b51de44fe910953a3e686b9) C:\Windows\system32\drivers\partmgr.sys
18:22:17.0616 4564 partmgr - ok
18:22:17.0679 4564 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
18:22:17.0697 4564 Parvdm - ok
18:22:17.0729 4564 PBADRV (4088c1ecd1f54281a92fa663b0fdc36f) C:\Windows\system32\DRIVERS\PBADRV.sys
18:22:17.0748 4564 PBADRV - ok
18:22:17.0799 4564 pci (c858cb77c577780ecc456a892e7e7d0f) C:\Windows\system32\DRIVERS\pci.sys
18:22:17.0829 4564 pci - ok
18:22:17.0944 4564 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\DRIVERS\pciide.sys
18:22:17.0963 4564 pciide - ok
18:22:18.0040 4564 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
18:22:18.0080 4564 pcmcia - ok
18:22:18.0222 4564 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
18:22:18.0242 4564 pcw - ok
18:22:18.0394 4564 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
18:22:18.0461 4564 PEAUTH - ok
18:22:18.0698 4564 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
18:22:18.0723 4564 PptpMiniport - ok
18:22:18.0805 4564 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
18:22:18.0826 4564 Processor - ok
18:22:18.0975 4564 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
18:22:18.0976 4564 Psched - ok
18:22:19.0090 4564 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
18:22:19.0222 4564 ql2300 - ok
18:22:19.0365 4564 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
18:22:19.0383 4564 ql40xx - ok
18:22:19.0428 4564 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
18:22:19.0449 4564 QWAVEdrv - ok
18:22:19.0486 4564 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
18:22:19.0495 4564 RasAcd - ok
18:22:19.0637 4564 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
18:22:19.0648 4564 RasAgileVpn - ok
18:22:19.0769 4564 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
18:22:19.0785 4564 Rasl2tp - ok
18:22:19.0958 4564 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
18:22:19.0985 4564 RasPppoe - ok
18:22:20.0144 4564 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
18:22:20.0166 4564 RasSstp - ok
18:22:20.0318 4564 rdbss (835d7e81bf517a3b72384bdcc85e1ce6) C:\Windows\system32\DRIVERS\rdbss.sys
18:22:20.0390 4564 rdbss - ok
18:22:20.0482 4564 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
18:22:20.0500 4564 rdpbus - ok
18:22:20.0565 4564 RDPCDD (1e016846895b15a99f9a176a05029075) C:\Windows\system32\DRIVERS\RDPCDD.sys
18:22:20.0566 4564 RDPCDD - ok
18:22:20.0611 4564 RDPDR (c5ff95883ffef704d50c40d21cfb3ab5) C:\Windows\system32\drivers\rdpdr.sys
18:22:20.0648 4564 RDPDR - ok
18:22:20.0769 4564 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
18:22:20.0770 4564 RDPENCDD - ok
18:22:20.0851 4564 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
18:22:20.0852 4564 RDPREFMP - ok
18:22:20.0911 4564 RDPWD (801371ba9782282892d00aadb08ee367) C:\Windows\system32\drivers\RDPWD.sys
18:22:20.0952 4564 RDPWD - ok
18:22:21.0072 4564 rdyboost (4ea225bf1cf05e158853f30a99ca29a7) C:\Windows\system32\drivers\rdyboost.sys
18:22:21.0110 4564 rdyboost - ok
18:22:21.0286 4564 RFCOMM (cb928d9e6daf51879dd6ba8d02f01321) C:\Windows\system32\DRIVERS\rfcomm.sys
18:22:21.0325 4564 RFCOMM - ok
18:22:21.0467 4564 rimspci (e891f07815af88075705ef6a248711f6) C:\Windows\system32\DRIVERS\rimspe86.sys
18:22:21.0490 4564 rimspci - ok
18:22:21.0643 4564 RimUsb (616eac1b0e48b236a5a9b8ae07fdb81c) C:\Windows\system32\Drivers\RimUsb.sys
18:22:21.0668 4564 RimUsb - ok
18:22:21.0833 4564 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\Windows\system32\DRIVERS\RimSerial.sys
18:22:21.0853 4564 RimVSerPort - ok
18:22:22.0007 4564 risdpcie (5312f15dbeb47d906dca2e334dc4c97d) C:\Windows\system32\DRIVERS\risdpe86.sys
18:22:22.0028 4564 risdpcie - ok
18:22:22.0188 4564 rixdpcie (cf2de2365fd99e5b8e38c9f3467dcdb8) C:\Windows\system32\DRIVERS\rixdpe86.sys
18:22:22.0210 4564 rixdpcie - ok
18:22:22.0404 4564 ROOTMODEM (564297827d213f52c7a3a2ff749568ca) C:\Windows\system32\Drivers\RootMdm.sys
18:22:22.0422 4564 ROOTMODEM - ok
18:22:23.0132 4564 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
18:22:23.0157 4564 rspndr - ok
18:22:23.0279 4564 rxtgwjgm - ok
18:22:23.0358 4564 s3cap (5423d8437051e89dd34749f242c98648) C:\Windows\system32\DRIVERS\vms3cap.sys
18:22:23.0372 4564 s3cap - ok
18:22:23.0567 4564 sbp2port (34ee0c44b724e3e4ce2eff29126de5b5) C:\Windows\system32\DRIVERS\sbp2port.sys
18:22:23.0595 4564 sbp2port - ok
18:22:23.0775 4564 scfilter (a95c54b2ac3cc9c73fcdf9e51a1d6b51) C:\Windows\system32\DRIVERS\scfilter.sys
18:22:23.0794 4564 scfilter - ok
18:22:23.0985 4564 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
18:22:24.0003 4564 secdrv - ok
18:22:24.0201 4564 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
18:22:24.0219 4564 Serenum - ok
18:22:24.0301 4564 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
18:22:24.0317 4564 Serial - ok
18:22:24.0463 4564 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
18:22:24.0485 4564 sermouse - ok
18:22:24.0574 4564 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\DRIVERS\sffdisk.sys
18:22:24.0593 4564 sffdisk - ok
18:22:24.0667 4564 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\DRIVERS\sffp_mmc.sys
18:22:24.0684 4564 sffp_mmc - ok
18:22:24.0737 4564 sffp_sd (a0708bbd07d245c06ff9de549ca47185) C:\Windows\system32\DRIVERS\sffp_sd.sys
18:22:24.0755 4564 sffp_sd - ok
18:22:24.0836 4564 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
18:22:24.0856 4564 sfloppy - ok
18:22:25.0012 4564 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\DRIVERS\sisagp.sys
18:22:25.0034 4564 sisagp - ok
18:22:25.0091 4564 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
18:22:25.0114 4564 SiSRaid2 - ok
18:22:25.0146 4564 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
18:22:25.0174 4564 SiSRaid4 - ok
18:22:25.0213 4564 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
18:22:25.0228 4564 Smb - ok
18:22:25.0270 4564 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
18:22:25.0280 4564 spldr - ok
18:22:25.0315 4564 srv (c4a027b8c0bd3fc0699f41fa5e9e0c87) C:\Windows\system32\DRIVERS\srv.sys
18:22:25.0318 4564 srv - ok
18:22:25.0363 4564 srv2 (414bb592cad8a79649d01f9d94318fb3) C:\Windows\system32\DRIVERS\srv2.sys
18:22:25.0365 4564 srv2 - ok
18:22:25.0418 4564 SrvHsfHDA (e00fdfaff025e94f9821153750c35a6d) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
18:22:25.0436 4564 SrvHsfHDA - ok
18:22:25.0477 4564 SrvHsfV92 (ceb4e3b6890e1e42dca6694d9e59e1a0) C:\Windows\system32\DRIVERS\VSTDPV3.SYS
18:22:25.0535 4564 SrvHsfV92 - ok
18:22:25.0585 4564 SrvHsfWinac (bc0c7ea89194c299f051c24119000e17) C:\Windows\system32\DRIVERS\VSTCNXT3.SYS
18:22:25.0659 4564 SrvHsfWinac - ok
18:22:25.0794 4564 srvnet (ff207d67700aa18242aaf985d3e7d8f4) C:\Windows\system32\DRIVERS\srvnet.sys
18:22:25.0795 4564 srvnet - ok
18:22:25.0953 4564 stdflt (a5b83c8050572622e5c43b5b3326a129) C:\Windows\system32\DRIVERS\stdfltn.sys
18:22:25.0972 4564 stdflt - ok
18:22:26.0110 4564 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
18:22:26.0132 4564 stexstor - ok
18:22:26.0284 4564 STHDA (698e186ac2df982b2d26428428155de1) C:\Windows\system32\DRIVERS\stwrt.sys
18:22:26.0313 4564 STHDA - ok
18:22:26.0470 4564 storflt (957e346ca948668f2496a6ccf6ff82cc) C:\Windows\system32\DRIVERS\vmstorfl.sys
18:22:26.0492 4564 storflt - ok
18:22:26.0638 4564 storvsc (d5751969dc3e4b88bf482ac8ec9fe019) C:\Windows\system32\DRIVERS\storvsc.sys
18:22:26.0658 4564 storvsc - ok
18:22:26.0818 4564 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\DRIVERS\swenum.sys
18:22:26.0836 4564 swenum - ok
18:22:27.0044 4564 Tcpip (56c198ac82efa622dd93e9e43575f79c) C:\Windows\system32\drivers\tcpip.sys
18:22:27.0073 4564 Tcpip - ok
18:22:27.0277 4564 TCPIP6 (56c198ac82efa622dd93e9e43575f79c) C:\Windows\system32\DRIVERS\tcpip.sys
18:22:27.0290 4564 TCPIP6 - ok
18:22:27.0444 4564 tcpipreg (e64444523add154f86567c469bc0b17f) C:\Windows\system32\drivers\tcpipreg.sys
18:22:27.0467 4564 tcpipreg - ok
18:22:27.0633 4564 TDPIPE (1875c1490d99e70e449e3afae9fcbadf) C:\Windows\system32\drivers\tdpipe.sys
18:22:27.0654 4564 TDPIPE - ok
18:22:27.0844 4564 TDTCP (7551e91ea999ee9a8e9c331d5a9c31f3) C:\Windows\system32\drivers\tdtcp.sys
18:22:27.0868 4564 TDTCP - ok
18:22:28.0050 4564 tdx (cb39e896a2a83702d1737bfd402b3542) C:\Windows\system32\DRIVERS\tdx.sys
18:22:28.0074 4564 tdx - ok
18:22:28.0236 4564 TermDD (c36f41ee20e6999dbf4b0425963268a5) C:\Windows\system32\DRIVERS\termdd.sys
18:22:28.0255 4564 TermDD - ok
18:22:28.0452 4564 tmactmon (c41cb57ad392c612871efc98b12280b4) C:\Windows\system32\DRIVERS\tmactmon.sys
18:22:28.0472 4564 tmactmon - ok
18:22:28.0673 4564 tmcomm (a31246180e61140ad7ff9dd7edf1f6a1) C:\Windows\system32\DRIVERS\tmcomm.sys
18:22:28.0676 4564 tmcomm - ok
18:22:28.0849 4564 tmevtmgr (906a0245ade9b40dedcd3d41fa8fedbb) C:\Windows\system32\DRIVERS\tmevtmgr.sys
18:22:28.0873 4564 tmevtmgr - ok
18:22:28.0974 4564 TmFilter (717e406972bbc07f8fb2a989416cab73) C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys
18:22:28.0980 4564 TmFilter - ok
18:22:29.0028 4564 TmPreFilter (379c4f99994a56b66e11d1e32bb22a1c) C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
18:22:29.0030 4564 TmPreFilter - ok
18:22:29.0148 4564 tmtdi (5f7f63884a8547981ee379b8c0fb3312) C:\Windows\system32\DRIVERS\tmtdi.sys
18:22:29.0173 4564 tmtdi - ok
18:22:29.0270 4564 tssecsrv (98ae6fa07d12cb4ec5cf4a9bfa5f4242) C:\Windows\system32\DRIVERS\tssecsrv.sys
18:22:29.0291 4564 tssecsrv - ok
18:22:29.0345 4564 tunnel (3e461d890a97f9d4c168f5fda36e1d00) C:\Windows\system32\DRIVERS\tunnel.sys
18:22:29.0361 4564 tunnel - ok
18:22:29.0385 4564 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
18:22:29.0396 4564 uagp35 - ok
18:22:29.0444 4564 udfs (eb0a7bd4d471ac3ce55564a4c55b9d8e) C:\Windows\system32\DRIVERS\udfs.sys
18:22:29.0472 4564 udfs - ok
18:22:29.0519 4564 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\DRIVERS\uliagpkx.sys
18:22:29.0534 4564 uliagpkx - ok
18:22:29.0595 4564 umbus (049b3a50b3d646baeeee9eec9b0668dc) C:\Windows\system32\DRIVERS\umbus.sys
18:22:29.0607 4564 umbus - ok
18:22:29.0631 4564 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
18:22:29.0640 4564 UmPass - ok
18:22:29.0709 4564 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\Windows\system32\Drivers\usbaapl.sys
18:22:29.0734 4564 USBAAPL - ok
18:22:29.0766 4564 usbccgp (b1edb25bce864ccd58ce771e063756b4) C:\Windows\system32\DRIVERS\usbccgp.sys
18:22:29.0795 4564 usbccgp - ok
18:22:29.0849 4564 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\DRIVERS\usbcir.sys
18:22:29.0878 4564 usbcir - ok
18:22:29.0897 4564 usbehci (6bf08e83a434d511ac3fca6d97c43683) C:\Windows\system32\DRIVERS\usbehci.sys
18:22:29.0909 4564 usbehci - ok
18:22:29.0952 4564 usbhub (b3be3b01fe8ffcd5b28204dffc0fe19d) C:\Windows\system32\DRIVERS\usbhub.sys
18:22:29.0998 4564 usbhub - ok
18:22:30.0076 4564 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\Windows\system32\DRIVERS\usbohci.sys
18:22:30.0095 4564 usbohci - ok
18:22:30.0119 4564 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
18:22:30.0137 4564 usbprint - ok
18:22:30.0186 4564 USBSTOR (694c991cd0b8138888f086da6009adbc) C:\Windows\system32\DRIVERS\USBSTOR.SYS
18:22:30.0220 4564 USBSTOR - ok
18:22:30.0257 4564 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\Windows\system32\DRIVERS\usbuhci.sys
18:22:30.0274 4564 usbuhci - ok
18:22:30.0322 4564 usbvideo (b5f6a992d996282b7fae7048e50af83a) C:\Windows\system32\Drivers\usbvideo.sys
18:22:30.0365 4564 usbvideo - ok
18:22:30.0457 4564 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\DRIVERS\vdrvroot.sys
18:22:30.0477 4564 vdrvroot - ok
18:22:30.0508 4564 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
18:22:30.0527 4564 vga - ok
18:22:30.0549 4564 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
18:22:30.0559 4564 VgaSave - ok
18:22:30.0584 4564 vhdmp (3be6e1f3a4f1afec8cee0d7883f93583) C:\Windows\system32\DRIVERS\vhdmp.sys
18:22:30.0621 4564 vhdmp - ok
18:22:30.0658 4564 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\DRIVERS\viaagp.sys
18:22:30.0677 4564 viaagp - ok
18:22:30.0698 4564 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
18:22:30.0709 4564 ViaC7 - ok
18:22:30.0740 4564 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\DRIVERS\viaide.sys
18:22:30.0751 4564 viaide - ok
18:22:30.0779 4564 vmbus (379b349f65f453d2a6e75ea6b7448e49) C:\Windows\system32\DRIVERS\vmbus.sys
18:22:30.0794 4564 vmbus - ok
18:22:30.0809 4564 VMBusHID (ec2bbab4b84d0738c6c83d2234dc36fe) C:\Windows\system32\DRIVERS\VMBusHID.sys
18:22:30.0817 4564 VMBusHID - ok
18:22:30.0848 4564 volmgr (384e5a2aa49934295171e499f86ba6f3) C:\Windows\system32\DRIVERS\volmgr.sys
18:22:30.0859 4564 volmgr - ok
18:22:30.0879 4564 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
18:22:30.0883 4564 volmgrx - ok
18:22:30.0900 4564 volsnap (58df9d2481a56edde167e51b334d44fd) C:\Windows\system32\DRIVERS\volsnap.sys
18:22:30.0921 4564 volsnap - ok
18:22:31.0052 4564 vpcbus (33e74df34753fcaab06f6f2bdc8cabf5) C:\Windows\system32\DRIVERS\vpchbus.sys
18:22:31.0086 4564 vpcbus - ok
18:22:31.0147 4564 vpcnfltr (5f04362ceb5fb5901037e9d9eadd3760) C:\Windows\system32\DRIVERS\vpcnfltr.sys
18:22:31.0159 4564 vpcnfltr - ok
18:22:31.0186 4564 vpcusb (625088d6ee9ede977fd03cf18d1cd5c5) C:\Windows\system32\DRIVERS\vpcusb.sys
18:22:31.0200 4564 vpcusb - ok
18:22:31.0266 4564 vpcvmm (1023c696d42268e9071bb376dbec8396) C:\Windows\system32\drivers\vpcvmm.sys
18:22:31.0302 4564 vpcvmm - ok
18:22:31.0428 4564 VSApiNt (642eb152cb980ad9181b2161066be629) C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys
18:22:31.0459 4564 VSApiNt - ok
18:22:31.0580 4564 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
18:22:31.0603 4564 vsmraid - ok
18:22:31.0650 4564 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\system32\DRIVERS\vwifibus.sys
18:22:31.0662 4564 vwifibus - ok
18:22:31.0718 4564 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\Windows\system32\DRIVERS\vwififlt.sys
18:22:31.0733 4564 vwififlt - ok
18:22:31.0867 4564 vwifimp (a3f04cbea6c2a10e6cb01f8b47611882) C:\Windows\system32\DRIVERS\vwifimp.sys
18:22:31.0879 4564 vwifimp - ok
18:22:31.0947 4564 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
18:22:31.0968 4564 WacomPen - ok
18:22:32.0103 4564 WANARP (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
18:22:32.0114 4564 WANARP - ok
18:22:32.0117 4564 Wanarpv6 (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
18:22:32.0119 4564 Wanarpv6 - ok
18:22:32.0192 4564 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
18:22:32.0201 4564 Wd - ok
18:22:32.0274 4564 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
18:22:32.0338 4564 Wdf01000 - ok
18:22:32.0460 4564 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
18:22:32.0481 4564 WfpLwf - ok
18:22:32.0515 4564 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
18:22:32.0524 4564 WIMMount - ok
18:22:32.0637 4564 WinUsb (b5ba3cc19d00f2eba92f1cfbebb5d650) C:\Windows\system32\DRIVERS\WinUSB.sys
18:22:32.0664 4564 WinUsb - ok
18:22:32.0717 4564 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\DRIVERS\wmiacpi.sys
18:22:32.0735 4564 WmiAcpi - ok
18:22:32.0778 4564 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
18:22:32.0780 4564 ws2ifsl - ok
18:22:32.0828 4564 WudfPf (a52494b107afc92ddca21f0b64f83376) C:\Windows\system32\drivers\WudfPf.sys
18:22:32.0857 4564 WudfPf - ok
18:22:32.0879 4564 WUDFRd (90a541c607da0025ae75f0f3673945fe) C:\Windows\system32\DRIVERS\WUDFRd.sys
18:22:32.0915 4564 WUDFRd - ok
18:22:32.0986 4564 MBR (0x1B8) (e721c1d33ce412a9c094a8e8c9e67c5b) \Device\Harddisk0\DR0
18:22:33.0006 4564 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.a ) - infected
18:22:33.0006 4564 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)
18:22:33.0035 4564 Boot (0x1200) (785d53c258abdb17def7d04f89f5eb64) \Device\Harddisk0\DR0\Partition0
18:22:33.0037 4564 \Device\Harddisk0\DR0\Partition0 - ok
18:22:33.0051 4564 Boot (0x1200) (567ab557135ec6beb10aee6d87552768) \Device\Harddisk0\DR0\Partition1
18:22:33.0053 4564 \Device\Harddisk0\DR0\Partition1 - ok
18:22:33.0081 4564 Boot (0x1200) (6918449ea06378af95265680f89c3e56) \Device\Harddisk0\DR0\Partition2
18:22:33.0083 4564 \Device\Harddisk0\DR0\Partition2 - ok
18:22:33.0083 4564 ============================================================
18:22:33.0083 4564 Scan finished
18:22:33.0083 4564 ============================================================
18:22:33.0100 2904 Detected object count: 1
18:22:33.0100 2904 Actual detected object count: 1
18:23:09.0324 2904 \Device\Harddisk0\DR0\# - copied to quarantine
18:23:09.0330 2904 \Device\Harddisk0\DR0 - copied to quarantine
18:23:09.0451 2904 \Device\Harddisk0\DR0 - processing error
18:23:13.0832 2904 \Device\Harddisk0\DR0 - will be restored on reboot
18:23:13.0834 2904 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.a ) - User select action: Cure Restore
18:23:20.0581 3140 Deinitialize success

#6 Aidan2012
  • Topic Starter

  • Members
  • 8 posts

Posted 08 February 2012 - 02:00 PM

I restarted my laptop and ran aswMBR. It scanned and logged the following:

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-08 18:53:26
-----------------------------
18:53:26.458 OS Version: Windows 6.1.7600
18:53:26.458 Number of processors: 4 586 0x2505
18:53:26.459 ComputerName: UKBFP150 UserName:
18:53:28.518 Initialize success
18:57:19.362 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:57:19.365 Disk 0 Vendor: WDC_WD16 01.0 Size: 152627MB BusType: 8
18:57:19.392 Disk 0 MBR read successfully
18:57:19.396 Disk 0 MBR scan
18:57:19.400 Disk 0 Windows XP default MBR code
18:57:19.406 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
18:57:19.440 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 752 MB offset 81920
18:57:19.456 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 149788 MB offset 1622016
18:57:19.462 Disk 0 Partition - 00 0F Extended LBA 2044 MB offset 308387840
18:57:19.496 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 2043 MB offset 308389888
18:57:19.509 Disk 0 scanning sectors +312573952
18:57:19.609 Disk 0 scanning C:\Windows\system32\drivers
18:57:33.892 Service scanning
18:57:34.664 Service TmFilter C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys **LOCKED** 32
18:57:34.675 Service TmPreFilter C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys **LOCKED** 32
18:57:34.707 Service VSApiNt C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys **LOCKED** 32
18:57:35.250 Modules scanning
18:57:46.646 Disk 0 trace - called modules:
18:57:46.667 ntkrnlpa.exe CLASSPNP.SYS disk.sys stdfltn.sys ACPI.sys halmacpi.dll iaStor.sys
18:57:46.673 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x881666a0]
18:57:46.678 3 CLASSPNP.SYS[8c9c159e] -> nt!IofCallDriver -> [0x88166bf8]
18:57:46.683 5 stdfltn.sys[8cbdb70c] -> nt!IofCallDriver -> [0x86604988]
18:57:46.688 7 ACPI.sys[8c2a33b2] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x861d9028]
18:57:46.693 Scan finished successfully
18:58:18.360 Disk 0 MBR has been saved successfully to "C:\Users\aidan.macmanus\Desktop\MBR.dat"
18:58:18.368 The log file has been saved successfully to "C:\Users\aidan.macmanus\Desktop\aswMBR.txt"
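A responder reading the aswMBR output above has two separate things to check: the partition table (does it still describe the disk the vendor shipped?) and the boot-code bytes in front of it, which is the region a bootkit such as the one TDSSKiller cured overwrites while leaving the table untouched. The following Python is an added example, not aswMBR or TDSSKiller code: it parses a 512-byte MBR, lists the partitions the way aswMBR prints them, and diffs the loader region against a saved copy such as the MBR.dat aswMBR wrote. The sector is constructed; its partition table is rebuilt from the sizes and offsets in the log above (at 2048 sectors per MB they line up: 81920 + 752*2048 = 1622016, and 1622016 + 149788*2048 = 308387840), and the loader bytes are placeholder text, not real boot code.

```python
"""
Classic MBR parser plus a boot-code baseline check.

Added example for this thread; it is not aswMBR or TDSSKiller code. The
sector bytes are constructed: the partition table mirrors the layout aswMBR
printed (Dell Utility, bootable NTFS, NTFS, Extended LBA), while the
boot-code region holds placeholder text rather than real loader code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: loader code, the part a bootkit overwrites
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
ENTRY_FMT = "<B3xB3xII"        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511

# Partition type bytes that appear in the thread's aswMBR output.
PART_TYPES = {0x07: "HPFS/NTFS", 0x0F: "Extended LBA", 0xDE: "Dell Utility"}


def build_sector(boot_code: bytes, entries) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four
    (status, type, lba_start, sector_count) tuples; CHS fields are zeroed."""
    if len(boot_code) > BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("boot code or partition table too large")
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> list:
    """Return the populated partition entries in table order."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                       # empty slot
        parts.append({
            "index": i + 1,
            "bootable": status == 0x80,    # aswMBR shows this as "(A)"
            "type": PART_TYPES.get(ptype, "0x%02X" % ptype),
            "offset": lba,
            "size_mb": count * SECTOR_SIZE // (1024 * 1024),
        })
    return parts


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 over the loader bytes only, so a partition edit cannot mask a code change."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Report which region of the MBR differs from a saved copy (e.g. MBR.dat)."""
    return {
        "boot_code_changed": boot_code_hash(baseline) != boot_code_hash(current),
        "table_changed": baseline[PART_TABLE_OFF:510] != current[PART_TABLE_OFF:510],
    }


# Constructed layout: (status, type, LBA start, sector count). Sizes are the
# MB values aswMBR printed, converted at 2048 sectors per MB.
LAYOUT = [
    (0x00, 0xDE, 63, 39 * 2048),
    (0x80, 0x07, 81920, 752 * 2048),
    (0x00, 0x07, 1622016, 149788 * 2048),
    (0x00, 0x0F, 308387840, 2044 * 2048),
]
CLEAN_MBR = build_sector(b"CONSTRUCTED-CLEAN-LOADER", LAYOUT)
# Same partition table, different loader bytes: this is what a bootkit-style
# overwrite looks like to the check above.
TAMPERED_MBR = build_sector(b"CONSTRUCTED-MODIFIED-LOADER", LAYOUT)


def main():
    for p in parse_mbr(CLEAN_MBR):
        flag = "(A)" if p["bootable"] else "   "
        print("Partition %d %s %-13s %7d MB offset %d"
              % (p["index"], flag, p["type"], p["size_mb"], p["offset"]))
    print(compare_mbr(CLEAN_MBR, TAMPERED_MBR))


if __name__ == "__main__":
    main()
```

Run as a script it prints the same four partitions aswMBR listed; with a real dump the call is `compare_mbr(open("MBR.dat", "rb").read(), current_sector)`. The result `{"boot_code_changed": True, "table_changed": False}` is the pattern to look for after a cure attempt: a partition listing that still looks right says nothing about the loader bytes, which is why aswMBR's "Windows XP default MBR code" line is the more important one.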

#7 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 08 February 2012 - 05:48 PM

TDSSKiller seems to have removed the bootkit and aswMBR shows that it is now clean.


Please run Combofix next


Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#8 Aidan2012 (Topic Starter, Members, 8 posts)

Posted 09 February 2012 - 02:23 PM

ComboFix 12-02-09.04 - aidan.macmanus 09/02/2012 19:02:33.4.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.3510.2157 [GMT 0:00]
Running from: c:\users\aidan.macmanus\Desktop\ComboFix.exe
AV: Trend Micro Core Protection Module *Enabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
SP: Trend Micro Core Protection Module *Enabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\aidan.macmanus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
c:\users\aidan.macmanus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
c:\users\aidan.macmanus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
.
.
((((((((((((((((((((((((( Files Created from 2012-01-09 to 2012-02-09 )))))))))))))))))))))))))))))))
.
.
2012-02-09 19:11 . 2012-02-09 19:11 -------- d-----w- c:\users\ronan.devlin\AppData\Local\temp
2012-02-09 19:11 . 2012-02-09 19:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-02-09 19:11 . 2012-02-09 19:11 -------- d-----w- c:\users\itsupp\AppData\Local\temp
2012-02-09 19:11 . 2012-02-09 19:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-08 18:23 . 2012-02-08 18:23 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-27 00:44 . 2012-01-27 00:44 -------- d-----w- c:\windows\system32\MpEngineStore
2012-01-25 22:28 . 2012-01-27 00:16 102400 ----a-w- c:\windows\RegBootClean.exe
2012-01-16 08:20 . 2012-01-16 08:20 0 ----a-w- c:\users\aidan.macmanus\AppData\Local\BIT3F43.tmp
2012-01-14 09:59 . 2012-01-14 09:59 -------- d-----w- c:\windows\PIF
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-09 07:57 . 2012-01-09 07:57 14664 ----a-w- c:\windows\stinger.sys
2012-01-06 11:38 . 2012-01-06 11:38 9851496 ----a-w- C:\mbam-setup.exe
2012-01-06 11:37 . 2012-01-06 11:37 1578288 ----a-w- C:\tdsskiller.exe
2011-12-09 08:12 . 2011-12-09 08:12 0 ----a-w- c:\users\aidan.macmanus\AppData\Local\BITA513.tmp
2011-11-24 04:23 . 2012-01-06 18:01 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-12-21 07:42 . 2011-04-27 11:53 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-01-03 16:31 1514152 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-10-16 21:10 119664 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-10-16 21:10 119664 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-30 39408]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-05-13 288112]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-05-26 495708]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-28 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-28 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-28 170520]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2011-05-23 899744]
"FreePDF Assistant"="c:\program files\FreePDF_XP\fpassist.exe" [2010-06-17 370176]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-01-03 1391272]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}\Icon3E5562ED7.ico [2011-3-24 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\spba]
2010-09-15 16:11 1971536 ----a-w- c:\program files\Common Files\SPBA\homefus2.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 rxtgwjgm;rxtgwjgm;c:\windows\system32\drivers\rxtgwjgm.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-30 136176]
R2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [2010-01-10 60928]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\Drivers\CtAudDrv.sys [2009-05-28 134144]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-30 136176]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2010-03-21 48640]
R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2010-03-21 38912]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2010-04-24 689416]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-24 1343400]
S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdfltn.sys [2010-01-18 17072]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2010-05-26 81920]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2010-10-25 826272]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2010-10-25 32160]
S2 dcpsysmgrsvc;Dell System Manager Service;c:\program files\Dell\Dell System Manager\DCPSysMgrSvc.exe [2010-08-24 388464]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2010-03-21 59904]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TMAdptrSvr;Trend Micro Adapter Service;c:\program files\Trend Micro\Core Protection Module\TMCPMAdapter.exe service [x]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2011-02-25 58640]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2011-07-12 262416]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2011-07-12 36624]
S2 uvnc_service;uvnc_service;c:\program files\UltraVNC\WinVNC.exe [2009-12-07 1590216]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-01-18 42672]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-09-16 144576]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2010-08-20 33832]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-04-06 224424]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 132480]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-06-21 246272]
S3 mv2;mv2;c:\windows\system32\DRIVERS\mv2.sys [2011-03-22 12096]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2010-07-14 6814720]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-30 09:27]
.
2012-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-30 09:27]
.
2012-01-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1580818891-725345543-23556Core.job
- c:\users\ronan.devlin\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-07 23:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://vwtlive/WorkticketSelection.aspx?VwtId=11
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
FF - ProfilePath - c:\users\aidan.macmanus\AppData\Roaming\Mozilla\Firefox\Profiles\9qmoh8jr.default\
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(552)
c:\windows\system32\wvauth.DLL
.
Completion time: 2012-02-09 19:13:37
ComboFix-quarantined-files.txt 2012-02-09 19:13
ComboFix2.txt 2012-01-14 11:22
ComboFix3.txt 2012-01-07 18:01
ComboFix4.txt 2012-01-06 17:22
.
Pre-Run: 117,617,696,768 bytes free
Post-Run: 117,764,665,344 bytes free
.
- - End Of File - - 29BB360E807792F69C7B5DB599488721
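Reading a ComboFix log like the one above by hand is slow, and the lines that matter are few: service entries whose file is missing on disk (`[x]`), generated-looking driver names such as `rxtgwjgm`, the UAC and Windows Update policy values (`EnableLUA`= 0, `NoAutoUpdate`= 1), and any LSA authentication package beyond the default `msv1_0`. The following Python is an added example, not ComboFix code; the scoring heuristics and field names are the editor's own, and `SAMPLE_LOG` is a constructed excerpt assembled from lines that appear in the log above.

```python
"""
Triage of a ComboFix 'Reg Loading Points' section.

Added example for this thread; it is not ComboFix code, and the scoring
heuristics are the editor's own. SAMPLE_LOG is a constructed excerpt made
from lines that appear in the ComboFix output in the thread.
"""
import re

# ComboFix service lines: "<R|S><n> name;description;path [date size]", with "[x]"
# when the file is missing on disk. R = running, S = stopped; the digit is the
# start type (0 boot, 1 system, 2 automatic, 3 manual).
SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.*) \[([^\]]*)\]$')
POLICY_RE = re.compile(r'^"(\w+)"= (\d+) \(0x[0-9A-Fa-f]+\)$')
LSA_RE = re.compile(r'^Authentication Packages REG_MULTI_SZ (.+)$')

# Policy values that weaken the machine: (is_weak, explanation).
WEAK_POLICY = {
    "EnableLUA": (lambda v: v == 0, "UAC disabled"),
    "ConsentPromptBehaviorAdmin": (lambda v: v == 0, "administrators elevate with no prompt"),
    "PromptOnSecureDesktop": (lambda v: v == 0, "elevation prompts not on the secure desktop"),
    "NoAutoUpdate": (lambda v: v == 1, "automatic updates disabled"),
}
DEFAULT_LSA_PACKAGES = {"msv1_0"}


def looks_random(name: str) -> bool:
    """Coarse heuristic for generated driver names: all lowercase letters, 7+ long,
    under 15% vowels. Expect false positives; combine it with other signals."""
    if len(name) < 7 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(c in "aeiouy" for c in name)
    return vowels / len(name) < 0.15


def triage(log_text: str) -> dict:
    """Return services, policy values and LSA packages that deserve a second look."""
    out = {"drivers": [], "policies": [], "lsa_packages": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            start, name, _desc, path, stamp = m.groups()
            reasons = []
            if stamp == "x":
                reasons.append("file missing on disk")
            if looks_random(name):
                reasons.append("random-looking name")
            if reasons:
                # Both signals together is the strong case; one alone is common
                # for legitimate drivers and only needs a look.
                severity = "high" if len(reasons) == 2 else "review"
                out["drivers"].append({"name": name, "start": start, "path": path,
                                       "severity": severity, "reasons": reasons})
            continue
        m = POLICY_RE.match(line)
        if m:
            key, value = m.group(1), int(m.group(2))
            if key in WEAK_POLICY and WEAK_POLICY[key][0](value):
                out["policies"].append({"key": key, "value": value, "why": WEAK_POLICY[key][1]})
            continue
        m = LSA_RE.match(line)
        if m:
            out["lsa_packages"] = [p for p in m.group(1).split() if p not in DEFAULT_LSA_PACKAGES]
    return out


# Constructed excerpt: lines copied from the thread's ComboFix log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
R1 rxtgwjgm;rxtgwjgm;c:\windows\system32\drivers\rxtgwjgm.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-30 136176]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdfltn.sys [2010-01-18 17072]
S2 TMAdptrSvr;Trend Micro Adapter Service;c:\program files\Trend Micro\Core Protection Module\TMCPMAdapter.exe service [x]
"""


def main():
    result = triage(SAMPLE_LOG)
    for d in result["drivers"]:
        print("%-6s %s %s: %s" % (d["severity"], d["start"], d["name"], ", ".join(d["reasons"])))
    for p in result["policies"]:
        print("policy %s=%d: %s" % (p["key"], p["value"], p["why"]))
    print("non-default LSA packages:", result["lsa_packages"])


if __name__ == "__main__":
    main()
```

On the sample only `rxtgwjgm` reaches "high": a running kernel driver with a vowel-free name whose file is gone from disk. `btwl2cap`, `mbam.sys` and the Trend Micro adapter also show `[x]` but belong to the Bluetooth, Malwarebytes and Trend Micro components visible elsewhere in the log, which is why a missing file alone is only "review". The `wvauth` package is likewise a prompt to check rather than a verdict; the same log lists Dell Data Protection and Wave components, a plausible legitimate owner. The four policy hits (UAC off, silent admin elevation, no secure desktop, updates off) are hardening gaps worth fixing once the machine is clean, whatever their origin.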

#9 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 09 February 2012 - 09:29 PM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
c:\windows\system32\drivers\rxtgwjgm.sys

Driver::
rxtgwjgm

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the graphic below)


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#10 Aidan2012 (Topic Starter, Members, 8 posts)

Posted 10 February 2012 - 09:50 AM

I had disabled the firewall; the antivirus programme doesn't have an option to disable it.

ComboFix 12-02-09.04 - aidan.macmanus 10/02/2012 9:02.5.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.3510.2243 [GMT 0:00]
Running from: c:\users\aidan.macmanus\Desktop\ComboFix.exe
Command switches used :: c:\users\aidan.macmanus\Desktop\CFScript.txt
AV: Trend Micro Core Protection Module *Enabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
SP: Trend Micro Core Protection Module *Enabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\system32\drivers\rxtgwjgm.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_rxtgwjgm
.
.
((((((((((((((((((((((((( Files Created from 2012-01-10 to 2012-02-10 )))))))))))))))))))))))))))))))
.
.
2012-02-10 09:10 . 2012-02-10 09:10 -------- d-----w- c:\users\ronan.devlin\AppData\Local\temp
2012-02-10 09:10 . 2012-02-10 09:10 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-02-10 09:10 . 2012-02-10 09:10 -------- d-----w- c:\users\itsupp\AppData\Local\temp
2012-02-10 09:10 . 2012-02-10 09:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-08 18:23 . 2012-02-08 18:23 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-27 00:44 . 2012-01-27 00:44 -------- d-----w- c:\windows\system32\MpEngineStore
2012-01-25 22:28 . 2012-01-27 00:16 102400 ----a-w- c:\windows\RegBootClean.exe
2012-01-16 08:20 . 2012-01-16 08:20 0 ----a-w- c:\users\aidan.macmanus\AppData\Local\BIT3F43.tmp
2012-01-14 09:59 . 2012-01-14 09:59 -------- d-----w- c:\windows\PIF
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-09 07:57 . 2012-01-09 07:57 14664 ----a-w- c:\windows\stinger.sys
2012-01-06 11:38 . 2012-01-06 11:38 9851496 ----a-w- C:\mbam-setup.exe
2012-01-06 11:37 . 2012-01-06 11:37 1578288 ----a-w- C:\tdsskiller.exe
2011-12-09 08:12 . 2011-12-09 08:12 0 ----a-w- c:\users\aidan.macmanus\AppData\Local\BITA513.tmp
2011-11-24 04:23 . 2012-01-06 18:01 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-12-21 07:42 . 2011-04-27 11:53 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-01-03 16:31 1514152 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-10-16 21:10 119664 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-10-16 21:10 119664 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-30 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-05-13 288112]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-05-26 495708]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-28 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-28 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-28 170520]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2011-05-23 899744]
"FreePDF Assistant"="c:\program files\FreePDF_XP\fpassist.exe" [2010-06-17 370176]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-01-03 1391272]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}\Icon3E5562ED7.ico [2011-3-24 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\spba]
2010-09-15 16:11 1971536 ----a-w- c:\program files\Common Files\SPBA\homefus2.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-30 136176]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\Drivers\CtAudDrv.sys [2009-05-28 134144]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-30 136176]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2010-03-21 48640]
R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2010-03-21 38912]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2010-04-24 689416]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-24 1343400]
S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdfltn.sys [2010-01-18 17072]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2010-05-26 81920]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2010-10-25 826272]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2010-10-25 32160]
S2 dcpsysmgrsvc;Dell System Manager Service;c:\program files\Dell\Dell System Manager\DCPSysMgrSvc.exe [2010-08-24 388464]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [2010-01-10 60928]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2010-03-21 59904]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TMAdptrSvr;Trend Micro Adapter Service;c:\program files\Trend Micro\Core Protection Module\TMCPMAdapter.exe service [x]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2011-02-25 58640]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2011-07-12 262416]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2011-07-12 36624]
S2 uvnc_service;uvnc_service;c:\program files\UltraVNC\WinVNC.exe [2009-12-07 1590216]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-01-18 42672]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-09-16 144576]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2010-08-20 33832]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-04-06 224424]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 132480]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-06-21 246272]
S3 mv2;mv2;c:\windows\system32\DRIVERS\mv2.sys [2011-03-22 12096]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2010-07-14 6814720]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-30 09:27]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-30 09:27]
.
2012-01-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1580818891-725345543-23556Core.job
- c:\users\ronan.devlin\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-07 23:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://vwtlive/WorkticketSelection.aspx?VwtId=11
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.0.0.185 10.10.1.12
FF - ProfilePath - c:\users\aidan.macmanus\AppData\Roaming\Mozilla\Firefox\Profiles\9qmoh8jr.default\
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(552)
c:\windows\system32\wvauth.DLL
.
- - - - - - - > 'Explorer.exe'(5036)
c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\IDT\WDM\STacSV.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Trend Micro\Core Protection Module\TMCPMAdapter.exe
c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\windows\system32\conhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Common Files\SPBA\upeksvr.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\DellTPad\HidFind.exe
c:\windows\system32\conhost.exe
c:\program files\BigFix Enterprise\BES Client\BESClient.exe
c:\windows\system32\sppsvc.exe
c:\program files\Common Files\Java\Java Update\jusched.exe
c:\program files\BigFix Enterprise\BES Client\BESClientUI.exe
.
**************************************************************************
.
Completion time: 2012-02-10 09:17:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-10 09:17
ComboFix2.txt 2012-02-09 19:13
ComboFix3.txt 2012-01-14 11:22
ComboFix4.txt 2012-01-07 18:01
ComboFix5.txt 2012-02-10 09:01
.
Pre-Run: 117,847,707,648 bytes free
Post-Run: 117,603,135,488 bytes free
.
- - End Of File - - DCFFF68E6937207F816B254CA514CBEA

#11 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 10 February 2012 - 10:30 AM

Please run ESET online

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button shown.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click the link shown to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the ESET Smart Installer icon on your desktop.
  • Check the box shown.
  • Click the button shown.
  • Accept any security warnings from your browser.
  • Under scan settings, check the option shown and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated, that means nothing was found. Please let me know if this happens.
m0le is a proud member of UNITE

#12 Aidan2012
  • Topic Starter
  • Members
  • 8 posts

Posted 10 February 2012 - 01:30 PM

C:\Users\aidan.macmanus\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\5a21dcf1-34365c2d a variant of Java/Exploit.CVE-2011-3544.AM trojan deleted - quarantined
C:\Users\aidan.macmanus\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\3dbccdb2-457f4ba2 a variant of Java/Exploit.CVE-2011-3544.AM trojan deleted - quarantined

#13 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 10 February 2012 - 09:01 PM

Do you still have redirections?

If so, which browser(s) does it affect?
m0le is a proud member of UNITE

#14 Aidan2012
  • Topic Starter
  • Members
  • 8 posts

Posted 13 February 2012 - 06:37 AM

I used Mozilla and IE; they're not redirecting anymore. Do you think the system is clean?

#15 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 13 February 2012 - 02:21 PM

Yes. I do. The fact that the redirects have stopped means we aren't looking at anything deeper like DNS poisoning.

You're clean. Good stuff! :thumbup2:

Let's do some clearing up

If you used DeFogger, now is the time to enable your CD emulation software again.

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the Run box and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir - though if you choose Avira you should make sure that you uncheck the box offering to install the Ask toolbar. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program, you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically; make sure that updates for any programs that are flagged are carried out as soon as possible

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it Aidan2012, happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE
