

Trojan horse Crypt.ANVH, msgsvc.dll


This topic is locked
74 replies to this topic

#1 Corryn


Posted 06 February 2012 - 03:04 PM

About a month ago, I received a warning from my AVG anti-virus about a blocked trojan. Concerned, I restarted the computer to "complete the removal" as it desired, but upon restart all .exe associations were broken. Having experienced this before, I booted the computer again in safe mode and ran a full Malwarebytes scan. The scan detected a few issues, all of which it resolved. Once the computer was started normally after this, .exe files worked properly again. However, while browsing with my usual internet browser (Firefox), occasional tabs with ads would appear in place of what I actually wanted to access. I knew something was still wrong, but did not have the time to go hunting for something Malwarebytes was unable to catch. Over the past week, I finally got around to doing some work to find what the problem was.

I began with a full Malwarebytes scan once again. It detected several infections, which I resolved. The occasional ad still appeared in Firefox, though. During this attempt and before, AVG was sometimes warning me about an infection in netbt.sys. Curious, I made a copy of the file and deleted it. The file reappeared a few moments later. I tried this with a different .sys file and it did not reappear. I replaced the latter .sys file and tried using Malwarebytes's FileASSASSIN tool to delete netbt.sys. This worked, and I then replaced the file with one I downloaded on a separate PC. After this I ran another full Malwarebytes scan the next day. It found nothing, but the next time I turned on my PC it could not connect to the internet. I tried a few minor connection tests to confirm it was a major problem, and finally did some searching on a separate PC. I managed to find that it was an infection that stopped my DHCP service from starting. I tried using ComboFix on the recommendation of a friend, before I really knew what this site (which I got the program from, of course) was. I ran ComboFix, it scanned my PC and found a rootkit "inserted into the TCP/IP stack." It finished its scan and restarted my PC, at which point I simply had to restart my DHCP service to get the internet running again.

Now the internet worked fine, but ComboFix also discovered a file called msgsvc.dll that was infected. It said that it had replaced it, but a second ComboFix scan later that day reported the same thing. Additionally, AVG warnings about a "Trojan horse Crypt.ANVH" appear every few days or so. Attempting to let AVG remove it clearly does nothing, despite it reporting success. Malwarebytes currently reports nothing with a full scan, and neither does TDSSkiller while scanning for rootkits. All that is left is this msgsvc.dll and the trojan, as far as I know. I experience no more ads while browsing the internet, but I encounter a strange annoyance. Often, when I have been typing in a text box on a website (or possibly simply browsing without typing, I am not sure), then go to click the address bar and type in a website, the address bar does not recognize that I have clicked it until I minimize Firefox and reopen it, at which point the address bar is highlighted as if it has been clicked. Not sure if that is Firefox itself or something to do with my infection.

Finally, my apologies for using ComboFix before being asked to, but I was not aware of the nature of the program. I have removed it using Run and "combofix /uninstall". Why does AVG recognize parts of Combofix as malware? Is it because of how powerful the program is?

Thank you in advance.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_27
Run by Owner at 17:56:51 on 2012-02-05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2044.764 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\MotioninJoy\ds3\DS3_Tool.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\nHancer\nHancerService.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\AirLink101\AWLH6075\Common\RalinkRegistryWriter.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\SpeedItup Free\speeditupfree.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.484\gmer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://thestar.com/
uInternet Settings,ProxyOverride = local;127.0.0.1:9421;
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [DS3 Tool] c:\program files\motioninjoy\ds3\DS3_Tool.exe -mini
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [Akamai NetSession Interface] "c:\documents and settings\owner\local settings\application data\akamai\netsession_win.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [Smart File Advisor] "c:\program files\smart file advisor\sfa.exe" /checkassoc
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [SpeetItUpFree] "c:\program files\speeditup free\speeditupfree.exe"
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\airlin~1.lnk - c:\program files\airlink101\awlh6075\common\RaUI.exe
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260984248055
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1260984243898
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: Interfaces\{61BB25A8-6C94-483D-A004-C0EAC68FCF51} : DhcpNameServer = 192.168.2.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.0.6\ViProtocol.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\59vxf8y7.default\
FF - prefs.js: browser.startup.homepage - hxxp://z10.invisionfree.com/RockmanChaosNetwork/index.php?act=idx|http://z10.invisionfree.com/RockmanChaosNetwork/index.php?showtopic=4811&st=0&#last|http://www.onemanga.com/|http://www.2kgames.com/index.php?p=support_patches|http://www.rarlab.com/download.htm
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\59vxf8y7.default\extensions\csweblauncher@cyberstep.com\plugins\npCsWebLauncher.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\59vxf8y7.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\windows\system32\npOGPPlugin.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-1-25 56208]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 295248]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\34302\RapportCerberus32_34302.sys [2011-12-15 228208]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-1-25 71440]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-1-25 164112]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2010-2-26 123280]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2010-2-26 41680]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2001-8-23 14336]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-8-15 1361288]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-12-26 2253120]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\airlink101\awlh6075\common\RalinkRegistryWriter.exe [2009-12-17 75040]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-1-25 931640]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-23 370688]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\10.0.6\ToolbarUpdater.exe [2012-1-23 909152]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 16720]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2011-4-17 33792]
R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\RapportIaso.sys [2011-8-12 21520]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2009-12-17 966912]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2010-2-12 99152]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2010-2-12 110096]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2009-12-16 547744]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-16 1025352]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\drivers\MijXfilt.sys [2011-5-20 97552]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RAPIProtocol;Ralink RAPI Protocol Driver;c:\windows\system32\drivers\RAPIProtocol.sys [2009-12-17 16512]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 XDva359;XDva359;\??\c:\windows\system32\xdva359.sys --> c:\windows\system32\XDva359.sys [?]
S3 XDva391;XDva391;\??\c:\windows\system32\xdva391.sys --> c:\windows\system32\XDva391.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2073-10-27 14:55:34 2404352 ----a-w- c:\program files\microsoft games\halo custom edition\haloce.exe
2073-10-27 14:55:34 1835008 ----a-w- c:\program files\microsoft games\halo custom edition\haloceded.exe
2073-10-27 14:55:34 1118208 ----a-w- c:\program files\microsoft games\halo custom edition\Strings.dll
2012-02-05 17:26:44 -------- d-----w- c:\documents and settings\owner\application data\AVG
2012-02-05 16:57:09 -------- d-----w- c:\program files\SpeedItup Free
2012-02-05 16:56:59 -------- d-----w- c:\program files\Free Offers from Freeze.com
2012-02-05 16:56:57 9216 ----a-r- c:\documents and settings\owner\application data\microsoft\installer\{7426428e-71d4-452c-ba13-b14e5eb52859}\Icon7426428E16.exe
2012-02-05 16:38:23 -------- d-----w- c:\documents and settings\all users\application data\SpeedyPC
2012-02-05 16:38:22 -------- d-----w- c:\program files\SpeedyPC
2012-02-03 21:04:19 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
2012-02-03 21:04:16 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-02-03 21:04:15 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-03 21:04:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-03 20:08:54 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2012-02-03 19:55:27 -------- d-sha-r- C:\cmdcons
2012-02-03 19:55:24 -------- d-----w- c:\windows\setup.pss
2012-02-03 19:55:11 -------- d-----w- c:\windows\setupupd
2012-02-03 16:08:04 -------- d-----w- C:\Combo-Fix
2012-02-03 12:11:51 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-03 04:27:57 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-02-03 04:27:57 -------- d-----w- c:\windows\system32\wbem\Repository
2012-02-03 02:49:06 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2012-02-03 02:49:06 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-01-29 03:28:16 79256 ----a-w- c:\windows\system32\npOGPPlugin.dll
2012-01-29 03:28:15 271768 ----a-w- c:\windows\system32\OGPIEPlugin.ocx
2012-01-29 03:28:09 -------- d-----w- c:\program files\OGPlanet
2012-01-25 15:16:44 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-01-18 21:16:20 -------- d-----w- c:\documents and settings\owner\application data\BigHugeEngine
2012-01-18 19:58:01 -------- d--h--w- c:\program files\common files\EAInstaller
2012-01-18 04:06:18 -------- d-----w- c:\program files\Origin Games
2012-01-18 04:06:07 -------- d-----w- c:\documents and settings\owner\local settings\application data\Origin
2012-01-18 04:06:00 -------- d-----w- c:\documents and settings\owner\application data\Origin
2012-01-18 04:03:18 -------- d-----w- c:\documents and settings\all users\application data\Origin
2012-01-18 04:03:14 -------- d-----w- c:\documents and settings\all users\application data\Electronic Arts
2012-01-18 04:02:36 -------- d-----w- c:\program files\Origin
2012-01-14 05:55:19 -------- d-----w- c:\documents and settings\owner\application data\.doomseeker
2012-01-10 21:41:42 62848 ----a-w- c:\windows\system32\drivers\rspndr.sys
2012-01-10 21:16:48 -------- d-----w- c:\documents and settings\all users\application data\SecTaskMan
2012-01-10 21:16:29 -------- d-----w- c:\program files\Security Task Manager
.
==================== Find3M ====================
.
2011-12-27 00:35:06 285176 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-12-27 00:35:06 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-12-27 00:35:01 285176 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-11-25 21:56:26 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:29:56 1868544 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:20:51 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:20:51 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-14 12:20:40 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-30 18:30:47 2000000000 ----a-w- c:\program files\Hellgate Global.part1.exe
2011-01-19 05:38:07 424403 ----a-w- c:\program files\ROMSetup.exe
2011-01-19 05:38:07 287135628 ----a-w- c:\program files\ROMSetup-8.bin
2011-01-19 05:30:02 1073741824 ----a-w- c:\program files\ROMSetup-7.bin
2011-01-19 05:01:02 1073741824 ----a-w- c:\program files\ROMSetup-6.bin
2011-01-19 04:35:05 1073741824 ----a-w- c:\program files\ROMSetup-5.bin
2011-01-19 04:08:13 1073741824 ----a-w- c:\program files\ROMSetup-4.bin
2011-01-19 03:40:19 1073741824 ----a-w- c:\program files\ROMSetup-3.bin
2011-01-19 03:12:27 1073741824 ----a-w- c:\program files\ROMSetup-2.bin
2011-01-19 02:45:00 1073317376 ----a-w- c:\program files\ROMSetup-1.bin
2011-01-14 01:30:47 451279679 ----a-w- c:\program files\ProjectBlackout_Install.exe
2010-11-19 01:24:19 2349951226 ----a-w- c:\program files\VindictusSetupV110.exe
2010-03-07 07:17:00 681984000 ----a-w- c:\program files\dndsetup-6.bin
2010-03-07 07:17:00 531452879 ----a-w- c:\program files\dndsetup-7.bin
2010-03-07 07:16:59 681984000 ----a-w- c:\program files\dndsetup-3.bin
2010-03-07 07:16:59 681984000 ----a-w- c:\program files\dndsetup-2.bin
2010-03-07 07:16:59 681478144 ----a-w- c:\program files\dndsetup-1.bin
2010-03-07 07:16:52 681984000 ----a-w- c:\program files\dndsetup-4.bin
2010-03-07 07:16:25 681984000 ----a-w- c:\program files\dndsetup-5.bin
2003-10-02 20:47:24 610304 ----a-w- c:\program files\Kicks.exe
2002-02-19 04:00:00 28672 ----a-w- c:\program files\jHexen.exe
2002-02-19 04:00:00 28672 ----a-w- c:\program files\jHeretic.exe
2002-02-19 04:00:00 28672 ----a-w- c:\program files\jDoom.exe
.
============= FINISH: 17:57:13.12 ===============

Attached Files





#2 m0le
  • Malware Response Team

Posted 06 February 2012 - 09:22 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 Corryn

Posted 07 February 2012 - 02:41 PM

I'm here. Thanks for the quick response.

#4 m0le

Posted 07 February 2012 - 08:33 PM

Combofix is being flagged as malware and, yes, you're right, it is because of the nature of the program.

When you were warned by Combofix about an infection in the TCP/IP stack, did it mention the name of the rootkit? Was it ZeroAccess?

Please run aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#5 Corryn

Posted 07 February 2012 - 10:42 PM

Yes, it was ZeroAccess.

Attached Files



#6 m0le


Posted 08 February 2012 - 05:35 PM

Please run Combofix next

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 Corryn


Posted 08 February 2012 - 08:11 PM

Here is the Combofix log. Also, I notice (though it may not mean anything) that the Trojan horse Crypt warning from AVG has not appeared in the last two or three days.

Attached Files



#8 m0le


Posted 08 February 2012 - 09:03 PM

The Combofix log has replaced an infected driver this time round (msgsvc.dll)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

DDS::
uInternet Settings,ProxyOverride = local;127.0.0.1:9421;


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests for you to update Combofix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please then run aswMBR, this is a rootkit scanner

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

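The CFScript above targets one line from the DDS "Pseudo HJT Report": a ProxyOverride entry pointing at a loopback port, which is how a local interception proxy redirects browser traffic. The following Python is an added example, not part of this thread or of DDS/ComboFix, that scans report lines for that indicator and for orphaned "No File" hook/BHO entries, and builds a CFScript block in the same DDS:: form the helper used. The report text is a constructed sample modelled on the log posted above.

```python
"""Flag proxy-hijack and orphaned-entry indicators in DDS 'Pseudo HJT Report' lines."""
import re

# Constructed sample (not a real log): a handful of lines modelled on the
# DDS report posted in this thread, including the ProxyOverride entry.
SAMPLE_REPORT = r"""
uStart Page = hxxp://thestar.com/
uInternet Settings,ProxyOverride = local;127.0.0.1:9421;
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
FF - prefs.js: network.proxy.type - 0
"""

# A loopback host followed by a port, e.g. 127.0.0.1:9421 in the sample above.
LOOPBACK_PORT = re.compile(r"(127\.0\.0\.1|localhost):(\d+)")


def find_indicators(report):
    """Return a list of findings, each a dict with 'kind', the raw 'line',
    and for proxy hits the loopback 'port'."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Internet Settings lines (u = user hive, m = machine hive in DDS
        # notation) carrying a Proxy* value that points at loopback: the
        # browser is being routed through a proxy running on the same box.
        if line.startswith(("uInternet Settings", "mInternet Settings")) and "Proxy" in line:
            match = LOOPBACK_PORT.search(line)
            if match:
                findings.append({"kind": "loopback_proxy",
                                 "port": int(match.group(2)),
                                 "line": line})
        # A registered URL search hook or BHO whose DLL no longer exists.
        # Not malicious by itself, but a leftover worth reviewing.
        elif line.endswith("- No File"):
            findings.append({"kind": "orphan_entry", "line": line})
    return findings


def build_cfscript(findings):
    """Build a CFScript text in the form used in this thread: a 'DDS::'
    header followed by the DDS report lines to be removed. Only the
    loopback-proxy lines are scripted, mirroring the helper's choice;
    orphaned entries are left for a human to review first."""
    lines = ["DDS::"]
    lines.extend(f["line"] for f in findings if f["kind"] == "loopback_proxy")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_indicators(SAMPLE_REPORT)
    for f in found:
        print(f"{f['kind']:15} {f['line']}")
    print()
    print(build_cfscript(found), end="")
```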

#9 Corryn


Posted 08 February 2012 - 10:26 PM

Here are the logs. Probably obvious, but the aswMBR.txt has two scan logs in it now.

Attached Files



#10 m0le


Posted 09 February 2012 - 09:20 PM

The driver was infected again and Combofix replaced it again. Not good.

Please run TDSSKiller

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


#11 Corryn


Posted 09 February 2012 - 09:50 PM

Ran the scan and it didn't find anything.

21:48:55.0718 6136 TDSS rootkit removing tool 2.7.11.0 Feb 9 2012 10:12:57
21:48:56.0078 6136 ============================================================
21:48:56.0078 6136 Current date / time: 2012/02/09 21:48:56.0078
21:48:56.0078 6136 SystemInfo:
21:48:56.0078 6136
21:48:56.0078 6136 OS Version: 5.1.2600 ServicePack: 3.0
21:48:56.0078 6136 Product type: Workstation
21:48:56.0078 6136 ComputerName: ADAM
21:48:56.0078 6136 UserName: Owner
21:48:56.0078 6136 Windows directory: C:\WINDOWS
21:48:56.0078 6136 System windows directory: C:\WINDOWS
21:48:56.0078 6136 Processor architecture: Intel x86
21:48:56.0078 6136 Number of processors: 4
21:48:56.0078 6136 Page size: 0x1000
21:48:56.0078 6136 Boot type: Normal boot
21:48:56.0078 6136 ============================================================
21:48:57.0828 6136 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:48:57.0843 6136 \Device\Harddisk0\DR0:
21:48:57.0843 6136 MBR used
21:48:57.0843 6136 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A380D41
21:48:57.0890 6136 Initialize success
21:48:57.0890 6136 ============================================================
21:49:05.0671 4704 ============================================================
21:49:05.0671 4704 Scan started
21:49:05.0671 4704 Mode: Manual;
21:49:05.0671 4704 ============================================================
21:49:06.0015 4704 A3AB (21af8e9c727c6d7643ad497268f55bf1) C:\WINDOWS\system32\DRIVERS\A3AB.sys
21:49:06.0015 4704 A3AB - ok
21:49:06.0031 4704 Abiosdsk - ok
21:49:06.0031 4704 abp480n5 - ok
21:49:06.0093 4704 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:49:06.0093 4704 ACPI - ok
21:49:06.0125 4704 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
21:49:06.0125 4704 ACPIEC - ok
21:49:06.0140 4704 adpu160m - ok
21:49:06.0187 4704 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
21:49:06.0187 4704 aec - ok
21:49:06.0234 4704 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys
21:49:06.0234 4704 AegisP - ok
21:49:06.0265 4704 AFD (f6b7b1ecd7b41736bdb6ff4b092bcb79) C:\WINDOWS\System32\drivers\afd.sys
21:49:06.0265 4704 AFD - ok
21:49:06.0281 4704 Aha154x - ok
21:49:06.0281 4704 aic78u2 - ok
21:49:06.0296 4704 aic78xx - ok
21:49:06.0328 4704 AliIde - ok
21:49:06.0328 4704 amsint - ok
21:49:06.0343 4704 asc - ok
21:49:06.0343 4704 asc3350p - ok
21:49:06.0359 4704 asc3550 - ok
21:49:06.0421 4704 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:49:06.0421 4704 AsyncMac - ok
21:49:06.0484 4704 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
21:49:06.0484 4704 atapi - ok
21:49:06.0484 4704 Atdisk - ok
21:49:06.0515 4704 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:49:06.0515 4704 Atmarpc - ok
21:49:06.0562 4704 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
21:49:06.0562 4704 audstub - ok
21:49:06.0593 4704 AVGIDSDriver (4fa401b33c1b50c816486f6951244a14) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
21:49:06.0593 4704 AVGIDSDriver - ok
21:49:06.0593 4704 AVGIDSEH (69578bc9d43d614c6b3455db4af19762) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
21:49:06.0609 4704 AVGIDSEH - ok
21:49:06.0609 4704 AVGIDSFilter (6df528406aa22201f392b9b19121cd6f) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
21:49:06.0609 4704 AVGIDSFilter - ok
21:49:06.0640 4704 AVGIDSShim (1e01c2166b5599802bcd61b9691f7476) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
21:49:06.0640 4704 AVGIDSShim - ok
21:49:06.0656 4704 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
21:49:06.0656 4704 Avgldx86 - ok
21:49:06.0671 4704 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
21:49:06.0671 4704 Avgmfx86 - ok
21:49:06.0671 4704 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
21:49:06.0671 4704 Avgrkx86 - ok
21:49:06.0703 4704 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
21:49:06.0703 4704 Avgtdix - ok
21:49:06.0718 4704 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
21:49:06.0718 4704 BANTExt - ok
21:49:06.0765 4704 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
21:49:06.0765 4704 Beep - ok
21:49:06.0796 4704 CamDrL (cba8bce5bf67a3c619d5ce540bed9cf7) C:\WINDOWS\system32\DRIVERS\Camdrl.sys
21:49:06.0796 4704 CamDrL - ok
21:49:06.0796 4704 catchme - ok
21:49:06.0828 4704 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
21:49:06.0828 4704 cbidf2k - ok
21:49:06.0859 4704 CCDECODE (fdc06e2ada8c468ebb161624e03976cf) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
21:49:06.0859 4704 CCDECODE - ok
21:49:06.0859 4704 cd20xrnt - ok
21:49:06.0875 4704 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
21:49:06.0875 4704 Cdaudio - ok
21:49:06.0906 4704 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
21:49:06.0906 4704 Cdfs - ok
21:49:06.0937 4704 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:49:06.0937 4704 Cdrom - ok
21:49:06.0937 4704 Changer - ok
21:49:06.0984 4704 CmdIde - ok
21:49:07.0000 4704 Cpqarray - ok
21:49:07.0000 4704 dac2w2k - ok
21:49:07.0015 4704 dac960nt - ok
21:49:07.0046 4704 Disk (47b6aaec570f2c11d8bad80a064d8ed1) C:\WINDOWS\system32\DRIVERS\disk.sys
21:49:07.0046 4704 Disk - ok
21:49:07.0093 4704 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
21:49:07.0093 4704 dmboot - ok
21:49:07.0125 4704 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
21:49:07.0125 4704 dmio - ok
21:49:07.0156 4704 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
21:49:07.0156 4704 dmload - ok
21:49:07.0187 4704 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
21:49:07.0187 4704 DMusic - ok
21:49:07.0203 4704 dpti2o - ok
21:49:07.0218 4704 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
21:49:07.0218 4704 drmkaud - ok
21:49:07.0218 4704 EagleNT - ok
21:49:07.0218 4704 EagleXNt - ok
21:49:07.0250 4704 ElbyCDIO (d71233d7ccc2e64f8715a20428d5a33b) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
21:49:07.0250 4704 ElbyCDIO - ok
21:49:07.0296 4704 exFat (4d893323dae445e34a4c9038b0551bc9) C:\WINDOWS\system32\drivers\exFat.sys
21:49:07.0296 4704 exFat - ok
21:49:07.0328 4704 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
21:49:07.0328 4704 Fastfat - ok
21:49:07.0343 4704 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
21:49:07.0343 4704 Fdc - ok
21:49:07.0359 4704 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
21:49:07.0359 4704 Fips - ok
21:49:07.0375 4704 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
21:49:07.0375 4704 Flpydisk - ok
21:49:07.0437 4704 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
21:49:07.0437 4704 FltMgr - ok
21:49:07.0484 4704 Fs_Rec (30d42943a54704ef13e2562911dbfcea) C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:49:07.0484 4704 Fs_Rec - ok
21:49:07.0484 4704 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:49:07.0500 4704 Ftdisk - ok
21:49:07.0546 4704 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:49:07.0546 4704 Gpc - ok
21:49:07.0562 4704 hamachi (833051c6c6c42117191935f734cfbd97) C:\WINDOWS\system32\DRIVERS\hamachi.sys
21:49:07.0562 4704 hamachi - ok
21:49:07.0625 4704 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
21:49:07.0625 4704 HDAudBus - ok
21:49:07.0656 4704 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:49:07.0656 4704 HidUsb - ok
21:49:07.0656 4704 hpn - ok
21:49:07.0703 4704 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
21:49:07.0703 4704 HTTP - ok
21:49:07.0703 4704 i2omgmt - ok
21:49:07.0718 4704 i2omp - ok
21:49:07.0718 4704 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:49:07.0718 4704 i8042prt - ok
21:49:07.0781 4704 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
21:49:07.0781 4704 Imapi - ok
21:49:07.0781 4704 ini910u - ok
21:49:07.0921 4704 IntcAzAudAddService (b2957d6c1226f029230dac2c46d34286) C:\WINDOWS\system32\drivers\RtkHDAud.sys
21:49:07.0937 4704 IntcAzAudAddService - ok
21:49:07.0953 4704 IntelIde - ok
21:49:07.0984 4704 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
21:49:07.0984 4704 intelppm - ok
21:49:08.0000 4704 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
21:49:08.0000 4704 Ip6Fw - ok
21:49:08.0046 4704 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:49:08.0046 4704 IpFilterDriver - ok
21:49:08.0078 4704 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:49:08.0078 4704 IpInIp - ok
21:49:08.0093 4704 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:49:08.0093 4704 IpNat - ok
21:49:08.0156 4704 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:49:08.0156 4704 IPSec - ok
21:49:08.0187 4704 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
21:49:08.0187 4704 IRENUM - ok
21:49:08.0234 4704 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:49:08.0234 4704 isapnp - ok
21:49:08.0281 4704 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:49:08.0281 4704 Kbdclass - ok
21:49:08.0312 4704 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
21:49:08.0312 4704 kbdhid - ok
21:49:08.0343 4704 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
21:49:08.0343 4704 kmixer - ok
21:49:08.0375 4704 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys
21:49:08.0375 4704 KSecDD - ok
21:49:08.0390 4704 lbrtfdc - ok
21:49:08.0421 4704 libusb0 (e2f1dcf4a68cc6cf694fbfba1842f4cd) C:\WINDOWS\system32\drivers\libusb0.sys
21:49:08.0421 4704 libusb0 - ok
21:49:08.0453 4704 LVUSBSta (c5efbd05a5195402121711a6ebbb271f) C:\WINDOWS\system32\drivers\lvusbsta.sys
21:49:08.0453 4704 LVUSBSta - ok
21:49:08.0515 4704 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
21:49:08.0515 4704 mnmdd - ok
21:49:08.0562 4704 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
21:49:08.0562 4704 Modem - ok
21:49:08.0609 4704 MotioninJoyXFilter (787a5f57812f8b9d76d82c80d077c5ca) C:\WINDOWS\system32\DRIVERS\MijXfilt.sys
21:49:08.0609 4704 MotioninJoyXFilter - ok
21:49:08.0625 4704 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:49:08.0625 4704 Mouclass - ok
21:49:08.0640 4704 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:49:08.0640 4704 mouhid - ok
21:49:08.0656 4704 MountMgr (1a1faa5102466f418494e94ff9b0b091) C:\WINDOWS\system32\drivers\MountMgr.sys
21:49:08.0656 4704 MountMgr - ok
21:49:08.0671 4704 mraid35x - ok
21:49:08.0671 4704 MRxDAV (65e818c473e220b6ab762e1966296fd1) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:49:08.0671 4704 MRxDAV - ok
21:49:08.0703 4704 MRxSmb (fb2fccc70f7174c7bf64f48e96d3adf4) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:49:08.0703 4704 MRxSmb - ok
21:49:08.0750 4704 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
21:49:08.0750 4704 Msfs - ok
21:49:08.0781 4704 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
21:49:08.0781 4704 MSKSSRV - ok
21:49:08.0796 4704 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:49:08.0796 4704 MSPCLOCK - ok
21:49:08.0812 4704 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
21:49:08.0812 4704 MSPQM - ok
21:49:08.0843 4704 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:49:08.0843 4704 mssmbios - ok
21:49:08.0937 4704 MSTEE (d5059366b361f0e1124753447af08aa2) C:\WINDOWS\system32\drivers\MSTEE.sys
21:49:08.0937 4704 MSTEE - ok
21:49:08.0968 4704 Mup (f7b1ad991491f02af6da70b00b8bf114) C:\WINDOWS\system32\drivers\Mup.sys
21:49:08.0968 4704 Mup - ok
21:49:09.0000 4704 NABTSFEC (ac31b352ce5e92704056d409834beb74) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
21:49:09.0000 4704 NABTSFEC - ok
21:49:09.0031 4704 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
21:49:09.0031 4704 NDIS - ok
21:49:09.0078 4704 NdisIP (abd7629cf2796250f315c1dd0b6cf7a0) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
21:49:09.0078 4704 NdisIP - ok
21:49:09.0109 4704 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:49:09.0109 4704 NdisTapi - ok
21:49:09.0125 4704 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:49:09.0125 4704 Ndisuio - ok
21:49:09.0140 4704 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:49:09.0140 4704 NdisWan - ok
21:49:09.0171 4704 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
21:49:09.0171 4704 NDProxy - ok
21:49:09.0187 4704 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
21:49:09.0187 4704 NetBIOS - ok
21:49:09.0218 4704 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
21:49:09.0218 4704 NetBT - ok
21:49:09.0250 4704 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
21:49:09.0250 4704 Npfs - ok
21:49:09.0265 4704 Ntfs (4c51d5275ae8a16999edfe7e647d00de) C:\WINDOWS\system32\drivers\Ntfs.sys
21:49:09.0281 4704 Ntfs - ok
21:49:09.0328 4704 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
21:49:09.0328 4704 NuidFltr - ok
21:49:09.0375 4704 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
21:49:09.0375 4704 Null - ok
21:49:09.0609 4704 nv (4b54dcd6adee535df80f07c59ddd8f14) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
21:49:09.0671 4704 nv - ok
21:49:09.0703 4704 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:49:09.0703 4704 NwlnkFlt - ok
21:49:09.0703 4704 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:49:09.0718 4704 NwlnkFwd - ok
21:49:09.0750 4704 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
21:49:09.0750 4704 NwlnkIpx - ok
21:49:09.0765 4704 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
21:49:09.0765 4704 NwlnkNb - ok
21:49:09.0781 4704 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
21:49:09.0781 4704 NwlnkSpx - ok
21:49:09.0796 4704 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
21:49:09.0796 4704 Parport - ok
21:49:09.0828 4704 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
21:49:09.0828 4704 PartMgr - ok
21:49:09.0890 4704 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
21:49:09.0890 4704 ParVdm - ok
21:49:09.0921 4704 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
21:49:09.0921 4704 PCI - ok
21:49:09.0921 4704 PCIDump - ok
21:49:09.0937 4704 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
21:49:09.0937 4704 PCIIde - ok
21:49:09.0953 4704 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
21:49:09.0953 4704 Pcmcia - ok
21:49:09.0953 4704 PDCOMP - ok
21:49:09.0968 4704 PDFRAME - ok
21:49:09.0968 4704 PDRELI - ok
21:49:09.0984 4704 PDRFRAME - ok
21:49:09.0984 4704 perc2 - ok
21:49:10.0000 4704 perc2hib - ok
21:49:10.0062 4704 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:49:10.0062 4704 PptpMiniport - ok
21:49:10.0093 4704 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
21:49:10.0093 4704 PSched - ok
21:49:10.0109 4704 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:49:10.0109 4704 Ptilink - ok
21:49:10.0125 4704 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
21:49:10.0125 4704 PxHelp20 - ok
21:49:10.0125 4704 ql1080 - ok
21:49:10.0125 4704 Ql10wnt - ok
21:49:10.0140 4704 ql12160 - ok
21:49:10.0140 4704 ql1240 - ok
21:49:10.0156 4704 ql1280 - ok
21:49:10.0187 4704 RAPIProtocol (488090449877fb7f9c2aff9ebf6689da) C:\WINDOWS\system32\DRIVERS\RAPIProtocol.sys
21:49:10.0187 4704 RAPIProtocol - ok
21:49:10.0265 4704 RapportCerberus_34302 (6b6f0a77365667912360ff1d5e984f25) C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys
21:49:10.0265 4704 RapportCerberus_34302 - ok
21:49:10.0359 4704 RapportEI (34992b59780a8a227a9eb54c97dc4608) C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
21:49:10.0359 4704 RapportEI - ok
21:49:10.0406 4704 RapportIaso (dd3e4610de9252a957c5bd19bdf47ac4) c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys
21:49:10.0406 4704 RapportIaso - ok
21:49:10.0500 4704 RapportKELL (a231b5552148ade82ed3dfba25919b75) C:\WINDOWS\system32\Drivers\RapportKELL.sys
21:49:10.0500 4704 RapportKELL - ok
21:49:10.0500 4704 RapportPG (060f8e34707d68178a564935ce4546eb) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
21:49:10.0515 4704 RapportPG - ok
21:49:10.0562 4704 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:49:10.0562 4704 RasAcd - ok
21:49:10.0609 4704 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:49:10.0609 4704 Rasl2tp - ok
21:49:10.0625 4704 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:49:10.0625 4704 RasPppoe - ok
21:49:10.0625 4704 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
21:49:10.0625 4704 Raspti - ok
21:49:10.0656 4704 Rdbss (77050c6615f6eb5402f832b27fd695e0) C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:49:10.0656 4704 Rdbss - ok
21:49:10.0656 4704 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:49:10.0656 4704 RDPCDD - ok
21:49:10.0734 4704 RDPWD (3348e61a78ba4f79c795aad6565d3b6f) C:\WINDOWS\system32\drivers\RDPWD.sys
21:49:10.0734 4704 RDPWD - ok
21:49:10.0765 4704 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
21:49:10.0765 4704 redbook - ok
21:49:10.0828 4704 RsFx0103 (fd692c6ffade58f7c4c3c3c9a0ec35bd) C:\WINDOWS\system32\DRIVERS\RsFx0103.sys
21:49:10.0828 4704 RsFx0103 - ok
21:49:10.0875 4704 rspndr (743d7d59767073a617b1dcc6c546f234) C:\WINDOWS\system32\DRIVERS\rspndr.sys
21:49:10.0875 4704 rspndr - ok
21:49:10.0937 4704 RT80x86 (303ea99c05a8a435da9a4dc9e00c52b6) C:\WINDOWS\system32\DRIVERS\RT2860.sys
21:49:10.0953 4704 RT80x86 - ok
21:49:10.0953 4704 RTLE8023xp (839141088ad7ee90f5b441b2d1afd22c) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
21:49:10.0953 4704 RTLE8023xp - ok
21:49:11.0031 4704 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:49:11.0031 4704 Secdrv - ok
21:49:11.0031 4704 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
21:49:11.0046 4704 serenum - ok
21:49:11.0046 4704 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
21:49:11.0046 4704 Serial - ok
21:49:11.0140 4704 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
21:49:11.0140 4704 Sfloppy - ok
21:49:11.0156 4704 Simbad - ok
21:49:11.0187 4704 SLIP (1ffc44d6787ec1ea9a2b1440a90fa5c1) C:\WINDOWS\system32\DRIVERS\SLIP.sys
21:49:11.0187 4704 SLIP - ok
21:49:11.0234 4704 Sparrow - ok
21:49:11.0281 4704 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
21:49:11.0281 4704 splitter - ok
21:49:11.0328 4704 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
21:49:11.0328 4704 sr - ok
21:49:11.0343 4704 Srv (9b390283569ea58d43d2586032b892f5) C:\WINDOWS\system32\DRIVERS\srv.sys
21:49:11.0359 4704 Srv - ok
21:49:11.0406 4704 streamip (a9f9fd0212e572b84edb9eb661f6bc04) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
21:49:11.0406 4704 streamip - ok
21:49:11.0437 4704 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:49:11.0437 4704 swenum - ok
21:49:11.0484 4704 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
21:49:11.0484 4704 swmidi - ok
21:49:11.0500 4704 symc810 - ok
21:49:11.0500 4704 symc8xx - ok
21:49:11.0515 4704 sym_hi - ok
21:49:11.0515 4704 sym_u3 - ok
21:49:11.0562 4704 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
21:49:11.0562 4704 sysaudio - ok
21:49:11.0578 4704 Tcpip (ce42c0c1c33cebd799056525461c523b) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:49:11.0578 4704 Tcpip - ok
21:49:11.0609 4704 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:49:11.0609 4704 TDPIPE - ok
21:49:11.0625 4704 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
21:49:11.0625 4704 TDTCP - ok
21:49:11.0640 4704 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:49:11.0656 4704 TermDD - ok
21:49:11.0687 4704 TosIde - ok
21:49:11.0750 4704 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
21:49:11.0750 4704 Udfs - ok
21:49:11.0765 4704 ultra - ok
21:49:11.0796 4704 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
21:49:11.0796 4704 Update - ok
21:49:11.0875 4704 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
21:49:11.0875 4704 usbaudio - ok
21:49:11.0921 4704 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:49:11.0921 4704 usbccgp - ok
21:49:11.0937 4704 usbehci (152ee0baa614388273a0b9ae9c9fd5a0) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:49:11.0937 4704 usbehci - ok
21:49:11.0984 4704 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:49:11.0984 4704 usbhub - ok
21:49:12.0031 4704 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:49:12.0031 4704 usbprint - ok
21:49:12.0046 4704 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:49:12.0046 4704 usbstor - ok
21:49:12.0046 4704 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
21:49:12.0062 4704 usbuhci - ok
21:49:12.0109 4704 VBoxDrv (60741ad74d5d599dc1ba7a00265a3606) C:\WINDOWS\system32\DRIVERS\VBoxDrv.sys
21:49:12.0109 4704 VBoxDrv - ok
21:49:12.0156 4704 VBoxNetAdp (3f753d64b3a3aba0690aeeb8e4f12460) C:\WINDOWS\system32\DRIVERS\VBoxNetAdp.sys
21:49:12.0156 4704 VBoxNetAdp - ok
21:49:12.0156 4704 VBoxNetFlt (32207ed4e4b335e5ec774d37127e837e) C:\WINDOWS\system32\DRIVERS\VBoxNetFlt.sys
21:49:12.0171 4704 VBoxNetFlt - ok
21:49:12.0171 4704 VBoxUSBMon (7d0c8fc5a5917af4f091d0f4e83a7cec) C:\WINDOWS\system32\DRIVERS\VBoxUSBMon.sys
21:49:12.0171 4704 VBoxUSBMon - ok
21:49:12.0187 4704 VClone (fce98c43b5c5db8e0da8ea0e2b45e044) C:\WINDOWS\system32\DRIVERS\VClone.sys
21:49:12.0187 4704 VClone - ok
21:49:12.0234 4704 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
21:49:12.0234 4704 VgaSave - ok
21:49:12.0250 4704 ViaIde - ok
21:49:12.0250 4704 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
21:49:12.0250 4704 VolSnap - ok
21:49:12.0296 4704 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:49:12.0296 4704 Wanarp - ok
21:49:12.0343 4704 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
21:49:12.0343 4704 Wdf01000 - ok
21:49:12.0343 4704 WDICA - ok
21:49:12.0390 4704 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
21:49:12.0390 4704 wdmaud - ok
21:49:12.0468 4704 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
21:49:12.0468 4704 WS2IFSL - ok
21:49:12.0515 4704 WSTCODEC (233cdd1c06942115802eb7ce6669e099) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
21:49:12.0515 4704 WSTCODEC - ok
21:49:12.0546 4704 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
21:49:12.0546 4704 WudfPf - ok
21:49:12.0562 4704 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
21:49:12.0562 4704 WudfRd - ok
21:49:12.0578 4704 XDva359 - ok
21:49:12.0578 4704 XDva391 - ok
21:49:12.0640 4704 xusb21 (ee9144207ee0211eb5656ba6808ac4a0) C:\WINDOWS\system32\DRIVERS\xusb21.sys
21:49:12.0640 4704 xusb21 - ok
21:49:12.0671 4704 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:49:12.0781 4704 \Device\Harddisk0\DR0 - ok
21:49:12.0781 4704 Boot (0x1200) (ae79a8adc9876a5cc68b39c290c64ec9) \Device\Harddisk0\DR0\Partition0
21:49:12.0781 4704 \Device\Harddisk0\DR0\Partition0 - ok
21:49:12.0781 4704 ============================================================
21:49:12.0781 4704 Scan finished
21:49:12.0781 4704 ============================================================
21:49:12.0796 6052 Detected object count: 0
21:49:12.0796 6052 Actual detected object count: 0

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:30 PM

Posted 09 February 2012 - 09:53 PM

There must be something reinfecting the driver. Let's check again.

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Please copy the following into the Custom Scans box at the bottom

    /md5start
    msgsvc.dll
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    
  • Now click the Run Scan button on the toolbar.
  • Let it run until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, click on it to uncheck it.

Post the log in the next reply.
m0le is a proud member of UNITE
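The /md5start ... /md5stop block in the post above makes OTL hash each listed file, and the TDSSKiller log earlier in the thread prints an MD5 beside every driver it finds. Either listing only tells you something when you can hold it against a known-good set of hashes, so here is an added example (not code from the thread, from TDSSKiller or from OTL) that parses TDSSKiller-style lines, hashes files on disk the way the /md5start section does, and reports each name as ok, MISMATCH, not-in-baseline or missing. The sample log and both baseline dicts are constructed for illustration: the NetBT, Tcpip and Ntfs hashes are copied from the TDSSKiller log in this thread, "sampledrv" and the on-disk values are made up. A real baseline comes from a clean install of the same Windows version and service pack, or from vendor-published hash sets.

```python
r"""Added example (not from the thread, TDSSKiller or OTL): compare driver and
system-file hashes against a known-good baseline.

TDSSKiller prints "<time> <pid> <name> (<md5>) <path>" for every driver it
hashes, and OTL's /md5start ... /md5stop section hashes the files listed in
it. Both are only useful next to a baseline, which is what this script adds.
The baseline dicts here are constructed for illustration: three hashes are
copied from the TDSSKiller log earlier in the thread, the rest are made up.
"""
import hashlib
import os
import re
import tempfile

# "<time> <pid> <name> (<32 hex md5>) <path>"; "<name> - ok" lines and
# drivers with no file on disk (no hash printed) are skipped.
TDSS_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(?P<name>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+)$"
)

# Constructed sample: lines copied from the thread's TDSSKiller log plus
# one made-up driver ("sampledrv") whose hash will not match the baseline.
SAMPLE_LOG = r"""
21:49:06.0031 4704 Abiosdsk - ok
21:49:09.0218 4704 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
21:49:09.0218 4704 NetBT - ok
21:49:11.0578 4704 Tcpip (ce42c0c1c33cebd799056525461c523b) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:49:11.0578 4704 Tcpip - ok
21:49:12.0000 4704 sampledrv (00112233445566778899aabbccddeeff) C:\WINDOWS\system32\DRIVERS\sampledrv.sys
"""

# Constructed baseline (name -> md5). Ntfs is listed to show the "missing" case.
LOG_BASELINE = {
    "NetBT": "74b2b2f5bea5e9a3dc021d685551bd3d",
    "Tcpip": "ce42c0c1c33cebd799056525461c523b",
    "sampledrv": "ffeeddccbbaa99887766554433221100",
    "Ntfs": "4c51d5275ae8a16999edfe7e647d00de",
}

# Constructed baseline for the on-disk demo; the first value is md5(b"hello").
DISK_BASELINE = {
    "netbt.sys": "5d41402abc4b2a76b9719d911017c592",
    "atapi.sys": "00000000000000000000000000000000",
}


def parse_tdsskiller(log_text):
    """Return {driver name: (md5, path)} for every hashed line in the log."""
    entries = {}
    for line in log_text.splitlines():
        m = TDSS_LINE.match(line.strip())
        if m:
            entries[m.group("name")] = (m.group("md5").lower(), m.group("path"))
    return entries


def md5_file(path):
    """Hash a file the way OTL's /md5start listing does (MD5 over the whole file)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_to_baseline(observed, baseline):
    """observed and baseline are {name: md5}. Result per name:
    'ok', 'MISMATCH' (hash differs: replaced or patched file),
    'not-in-baseline' (seen but unknown) or 'missing' (expected, not seen)."""
    report = {}
    for name, md5 in observed.items():
        expected = baseline.get(name)
        if expected is None:
            report[name] = "not-in-baseline"
        elif expected.lower() == md5.lower():
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    for name in baseline:
        if name not in observed:
            report[name] = "missing"
    return report


def demo():
    """Run both checks on constructed data; returns (log_report, disk_report)."""
    observed_log = {n: h for n, (h, _) in parse_tdsskiller(SAMPLE_LOG).items()}
    log_report = compare_to_baseline(observed_log, LOG_BASELINE)

    # On-disk part: two temporary files stand in for the real drivers.
    with tempfile.TemporaryDirectory() as d:
        contents = {"netbt.sys": b"hello", "atapi.sys": b""}
        for name, data in contents.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        observed_disk = {name: md5_file(os.path.join(d, name)) for name in contents}
    disk_report = compare_to_baseline(observed_disk, DISK_BASELINE)
    return log_report, disk_report


if __name__ == "__main__":
    for title, report in zip(("TDSSKiller log", "files on disk"), demo()):
        print(title)
        for name, status in sorted(report.items()):
            print(f"  {name:12} {status}")
```

Run it as a script to print both reports. On a live machine, replace the constructed baseline with trusted hashes and point the on-disk part at the files named in the /md5start list. MD5 is used only because that is what both tools print; a baseline you build yourself is better kept as SHA-256, since MD5 collisions are cheap to produce.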

#13 Corryn

Corryn
  • Topic Starter

  • Members
  • 37 posts
  • Local time:10:30 AM

Posted 09 February 2012 - 10:28 PM

Here is the log. Also, I remembered a specific webcomic I was reading the morning I first got a virus alert and checked the date on that comic. The first alert popped up around January 9th, about a month ago today.

Attached Files

  • Attached File  OTL.Txt   142.59KB   4 downloads


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:30 PM

Posted 10 February 2012 - 09:48 AM

That's useful, 9th of January.

Please rerun OTL as shown

Open OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
[2012/01/25 19:22:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\KQXi5so.dat
[2012/01/09 07:22:36 | 000,001,368 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\xe071lp451gdet81172et54826i00ay512u7ul0a8vg325
[2011/04/16 00:49:31 | 000,001,292 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\b513h2vulke4
[2011/04/16 00:49:31 | 000,001,292 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\b513h2vulke4
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"

Then click the Run Fix button at the top

Let the program run unhindered.

When done it will say "Fix Complete press ok to open the log".
Please post that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Now we can rerun Combofix again. Please post the log.
m0le is a proud member of UNITE
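The :reg section of the fix above writes "%1" %* back as the default command for .exe files, which is what makes every .exe launch itself with its own arguments. When that value is replaced by a command that runs some other program first, that program starts with every executable the user opens; when it is simply damaged, .exe files stop opening at all, which is the symptom at the start of this thread. The following is an added example (not from the thread or from OTL) that classifies such a value: it reads the live key through winreg on Windows and otherwise runs against constructed samples, where the "hijacked" path is an obvious placeholder and not a value taken from this machine.

```python
r"""Added example (not from the thread or from OTL): check the .exe
file-association command that the :reg part of the OTL fix above resets.

On a default Windows XP install the (Default) value of
HKLM\SOFTWARE\Classes\exefile\shell\open\command is  "%1" %*  : run the
selected program itself, passing its arguments through. A value that puts
another program in front of %1 starts that program whenever any .exe is
launched; a damaged value stops .exe files from opening at all.
"""
import re
import sys

EXPECTED = '"%1" %*'
# Canonical form: the selected file, quoted, then the argument pass-through.
CANONICAL = re.compile(r'^"%1"\s+%\*$')

REGISTRY_PATH = r"SOFTWARE\Classes\exefile\shell\open\command"


def check_exefile_command(value):
    r"""Classify an exefile\shell\open\command (Default) value.
    Returns (ok, reason) so a script can both alert and explain."""
    if value is None:
        return False, "value missing: .exe files will not launch"
    v = value.strip()
    if CANONICAL.match(v):
        return True, "default association"
    if "%1" not in v:
        return False, "command never runs the selected file"
    if not (v.startswith('"%1"') or v.startswith("%1")):
        return False, "another program runs before the selected file (possible hijack)"
    if "%*" not in v:
        return False, "arguments are not passed through"
    return False, "non-default command: " + v


def read_exefile_command():
    """Read the live value on Windows. Returns None off Windows so the demo
    below still runs on a non-Windows analyst box; on Windows a missing value
    surfaces as winreg's FileNotFoundError."""
    if not sys.platform.startswith("win"):
        return None
    import winreg  # Windows-only module, imported lazily on purpose
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REGISTRY_PATH) as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


# Constructed sample values: the default, a hijacked form (placeholder path,
# not a real file) and a damaged form that drops the arguments.
SAMPLES = {
    "default": EXPECTED,
    "hijacked": r'"C:\Documents and Settings\Owner\Local Settings\Application Data\PLACEHOLDER.exe" "%1" %*',
    "damaged": '"%1"',
}


def classify_samples():
    """Apply the check to the constructed samples; returns {label: (ok, reason)}."""
    return {label: check_exefile_command(v) for label, v in SAMPLES.items()}


if __name__ == "__main__":
    for label, (ok, reason) in classify_samples().items():
        print(f"{label:9} {'OK ' if ok else 'BAD'} {reason}")
    live = read_exefile_command()
    if live is not None:
        print("live value:", check_exefile_command(live))
```

The check deliberately reports a reason rather than a bare true/false: in an incident write-up, "another program runs before the selected file" and "arguments are not passed through" point at different root causes (a persistence hijack versus a botched earlier cleanup), and the fix in the post above addresses both by restoring the canonical value.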

#15 Corryn

Corryn
  • Topic Starter

  • Members
  • 37 posts
  • Local time:10:30 AM

Posted 10 February 2012 - 02:55 PM

Here is the OTL log. The Combofix log is attached.

========== OTL ==========
C:\Documents and Settings\All Users\Application Data\KQXi5so.dat moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\xe071lp451gdet81172et54826i00ay512u7ul0a8vg325 moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\b513h2vulke4 moved successfully.
C:\Documents and Settings\All Users\Application Data\b513h2vulke4 moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\""|""%1" %*" /E : value set successfully!

OTL by OldTimer - Version 3.2.31.0 log created on 02102012_112222

Attached Files





