Malware, not sure


4 replies to this topic

#1 DigitalGal1
  • Members
  • 3 posts

Posted 13 February 2012 - 06:50 PM

Hi, we are running Server 2003 SP2. There are several files running on the machine, and the server is freezing and/or shutting down unexpectedly.

These suspect files are as follows:
SecureSurf.Browser.Client.exe
Webisida.Browser.exe
Webisida.exe

We have found it in the
C:\Windows\Prefetch
We have now disabled the Prefetch folder and removed all files; after rebooting, the Prefetch folder is still empty.

We have found it in the
C:\Windows\Temp\Spoon\Cache\0x59993E908D29B78E\STUBEXE
We have stopped the services running and deleted this folder several times; after rebooting, the services started again and the STUBEXE folder is back.

We have found them in the registry
C:\Documents and Settings\Administrator\Local Settings\Application Data\Webisida\Install
C:\Program Files\Surfing
We removed these keys, rebooted and the above keys have returned.

Msconfig is empty

Webisida.com is a Russian website that looks like it makes some type of browser helper but we are unsure.

Any help appreciated.


#2 DigitalGal1
  • Topic Starter
  • Members
  • 3 posts

Posted 13 February 2012 - 07:26 PM

A couple of additional items:

Computer originally had outdated version of Trend Micro on it AND Windows Defender. Removed both and installed Kaspersky A/V server Edition. Kaspersky found SafeSurf originally and cleaned it but it is coming back.

Ran Malwarebytes several times between the software removal and reinstall. It DID find spyware and removed it.
First Scan - Files Detected and Cleaned:
C:\windows\system32\crypt.dll (Hacktool)
C:\windows\system32\TS_Free.exe (TrjanAgent.ck)

Second Scan - Clean

Third Scan - Files Detected and Cleaned:
C:\documents and settings\support_388945A0\desktop\surfing\modified\@programfilesx86@\surfing\safesurf.exe (trojan.downloader)

Fourth Scan - Clean

When we log into the computer we get a Windows pop-up error in Russian.

#3 boopme
  • Global Moderator
  • 72,906 posts
  • Location:NJ USA

Posted 14 February 2012 - 02:39 PM

Hmmm, that pop-up may be from Kaspersky, as it is Russian software.

Let's run these if you can.
Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.




Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click on Change Parameters
  • Put a check in the box of Detect TDLFS file system
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue
  • Let reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility writes the log to the root folder of the system disk (usually the disk with the installed operating system, C:\). The log has a name like: TDSSKiller.Version_Date_Time_log.txt.



I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [button image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [button image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [button image] icon on your desktop.
  • Check [button image]
  • Click the [button image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [button image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [button image]
  • Push [button image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [button image] button.
  • Push [button image]


NOTE: In some instances if no malware is found there will be no log produced.
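As an added example (not code from this thread, from boopme, or from Farbar's MiniToolBox): a small Python script that applies the checks boopme's MiniToolBox run is meant to surface to a saved Result.txt, so the same review can be repeated offline instead of by eye. It splits the report on its "===== Name: =====" headers, reports any hosts entry other than the localhost mapping, any IE proxy line beyond the two "no proxy" lines, any Winsock provider that is not a Microsoft DLL under System32, and any computer account with repeated NETLOGON session-setup failures. The section names and line layouts are assumptions read off the Result.txt posted later in this thread, not a documented MiniToolBox format. The sample input is constructed: the av-update/bank hosts lines, the lsphook.dll provider and its Surfing path are planted so that each check has something to report.

```python
import re
from collections import Counter

# Constructed sample in the MiniToolBox Result.txt layout seen in this thread.
# The av-update/bank hosts lines and the lsphook.dll entry are planted so the
# checks fire; they are not from the poster's log.
SAMPLE = r"""
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================
127.0.0.1 localhost
127.0.0.1 av-update.example
1.2.3.4 www.bank.example
========================= Winsock entries =====================================
Catalog5 01 C:\Windows\System32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 02 C:\Program Files\Surfing\lsphook.dll [40960] ()
========================= Event log errors: ===============================
System errors:
=============
Error: (02/17/2012 11:54:17 AM) (Source: NETLOGON) (User: )
Description: The session setup from the computer OP-06 failed to authenticate.
Error: (02/17/2012 07:15:51 AM) (Source: NETLOGON) (User: )
Description: The session setup from the computer OP-06 failed to authenticate.
"""

# A header is a name wrapped in runs of '='; the leading letter keeps lines of
# only '=' (the underline under "System errors:") from starting a new section.
SECTION_RE = re.compile(r"^=+\s*([A-Za-z][^=]*?):?\s*=+\s*$")
WINSOCK_RE = re.compile(r"^(Catalog\d+)\s+(\d+)\s+(.+?)\s+\[(\d+)\]\s+\((.*)\)\s*$")
NETLOGON_RE = re.compile(r"The session setup from the computer (\S+) failed to authenticate")
CLEAN_PROXY = {"Proxy is not enabled.", "No Proxy Server is set."}


def split_sections(text):
    """Map each section name to the lines under its header."""
    sections, name = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1).strip()
            sections[name] = []
        elif name is not None:
            sections[name].append(line)
    return sections


def check_proxy(lines):
    """Anything beyond the two 'no proxy' lines (or the tool's own reset notice) is reported."""
    odd = [l.strip() for l in lines
           if l.strip() and l.strip() not in CLEAN_PROXY and not l.startswith('"Reset')]
    return [f"proxy: unexpected line '{l}'" for l in odd]


def check_hosts(lines):
    """Only the loopback mapping for localhost is expected in a clean hosts file."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("127.0.0.1", "::1") and parts[1] == "localhost":
            continue
        findings.append(f"hosts: non-default entry '{line}'")
    return findings


def check_winsock(lines):
    """Flag providers outside System32 or whose vendor string is not Microsoft's."""
    findings = []
    for line in lines:
        m = WINSOCK_RE.match(line.strip())
        if not m:
            continue
        cat, idx, path, _size, vendor = m.groups()
        in_system32 = path.lower().startswith("c:\\windows\\system32\\")
        if vendor != "Microsoft Corporation" or not in_system32:
            findings.append(f"winsock: {cat} {idx} {path} ({vendor or 'no vendor'})")
    return findings


def count_netlogon_failures(lines):
    """Count failed session setups per computer account in the NETLOGON errors."""
    counts = Counter()
    for line in lines:
        m = NETLOGON_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def triage(text):
    """Run every check over one Result.txt and return the findings in report order."""
    s = split_sections(text)
    findings = check_proxy(s.get("IE Proxy Settings", []))
    findings += check_hosts(s.get("Hosts content", []))
    findings += check_winsock(s.get("Winsock entries", []))
    for host, n in sorted(count_netlogon_failures(s.get("Event log errors", [])).items()):
        if n >= 2:
            findings.append(f"netlogon: {n} failed session setups from {host}")
    return findings
```

To use it on a real report, replace SAMPLE with the contents of Result.txt and print `triage(...)`. A clean proxy, hosts and Winsock result does not clear the machine: the vendor string is read from the DLL's version resource, which anything can set, and the Winsock catalog is only one of several places a re-spawning process can hide. Repeated NETLOGON failures for one computer account (%%5 is access denied) are worth a look of their own on a domain controller, whether or not they turn out to be related to the malware.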

#4 DigitalGal1
  • Topic Starter
  • Members
  • 3 posts

Posted 19 February 2012 - 11:23 PM

boopme -

Thank you for your help.

Ran all 3 utilities as instructed. When I finished running everything there were 12 instances of webisida.exe and safesurf.exe running in Task Manager. I was able to terminate those processes.



Here are the results:

1. Minitoolbox:

MiniToolBox by Farbar Version: 18-01-2012
Ran by administrator (administrator) on 17-02-2012 at 13:21:50
Microsoft® Windows® Server 2003, Standard Edition Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================

Intel® PRO/1000 MT Network Connection = Local Area Connection (Disconnected)
Intel® 82566DM-2 Gigabit Network Connection = Local Area Connection 2 (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection 2"

set address name="Local Area Connection 2" source=static addr=192.168.1.50 mask=255.255.255.0
set address name="Local Area Connection 2" gateway=192.168.1.1 gwmetric=0
set dns name="Local Area Connection 2" source=static addr=192.168.1.50 register=PRIMARY
set wins name="Local Area Connection 2" source=static addr=none


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : NT-FS1

Primary Dns Suffix . . . . . . . : DOMAIN.local

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : Yes

WINS Proxy Enabled. . . . . . . . : Yes

DNS Suffix Search List. . . . . . : DOMAIN.local



Ethernet adapter Local Area Connection 2:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel® 82566DM-2 Gigabit Network Connection

Physical Address. . . . . . . . . : 00-15-17-26-29-D3

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.1.50

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 192.168.1.50

Server: nt-fs1.domain.local
Address: 192.168.1.50

Name: google.com
Addresses: 72.14.204.113, 72.14.204.138, 72.14.204.102, 72.14.204.100
72.14.204.101



Pinging google.com [72.14.204.113] with 32 bytes of data:



Reply from 72.14.204.113: bytes=32 time=21ms TTL=56

Reply from 72.14.204.113: bytes=32 time=21ms TTL=56



Ping statistics for 72.14.204.113:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 21ms, Maximum = 21ms, Average = 21ms

Server: nt-fs1.domain.local
Address: 192.168.1.50

Name: yahoo.com
Addresses: 98.139.127.62, 98.139.183.24, 209.191.122.70



Pinging yahoo.com [98.139.127.62] with 32 bytes of data:



Reply from 98.139.127.62: bytes=32 time=151ms TTL=55

Reply from 98.139.127.62: bytes=32 time=243ms TTL=55



Ping statistics for 98.139.127.62:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 151ms, Maximum = 243ms, Average = 197ms

Server: nt-fs1.domain.local
Address: 192.168.1.50

Name: bleepingcomputer.com
Address: 208.43.87.2



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:



Reply from 208.43.87.2: Destination host unreachable.

Reply from 208.43.87.2: Destination host unreachable.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms


IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 15 17 26 29 d3 ...... Intel® 82566DM-2 Gigabit Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.50 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.50 192.168.1.50 20
192.168.1.50 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.50 192.168.1.50 20
224.0.0.0 240.0.0.0 192.168.1.50 192.168.1.50 20
255.255.255.255 255.255.255.255 192.168.1.50 192.168.1.50 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [256000] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [17408] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [256000] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (02/13/2012 07:54:14 PM) (Source: WinVNC4) (User: )
Description: DeviceFrameBuffer: BitBlt failed:5

Error: (02/13/2012 04:24:19 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Error: (02/13/2012 04:24:19 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot find the machine account, Not enough memory is available to complete this request .

Error: (02/13/2012 04:19:00 PM) (Source: .NET Runtime) (User: )
Description: .NET Runtime version : 2.0.50727.3053 - Fatal errorUnable to load Jit Compiler: (mscorjit.dll): file may be missing or corrupt. Please check or rerun setup.

Error: (02/13/2012 02:39:01 PM) (Source: .NET Runtime) (User: )
Description: .NET Runtime version : 2.0.50727.3053 -

Error: (02/13/2012 02:34:02 PM) (Source: .NET Runtime) (User: )
Description: .NET Runtime version : 2.0.50727.3053 - Fatal errorCLR error: 80004005.
The program will now terminate.

Error: (02/13/2012 02:04:00 PM) (Source: .NET Runtime) (User: )
Description: .NET Runtime version : 2.0.50727.3053 - .NET Framework Initialization ErrorUnable to find a version of the runtime to run this application.

Error: (02/13/2012 07:29:03 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Error: (02/13/2012 07:29:03 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: The EventSystem service is disabled or is attempting to start during Safe Mode.
The Volume Shadow Copy service cannot start while in safe mode.
If not in safe mode, make sure that EventSystem service is enabled.
CLSID:{4e14fba2-2e22-11d1-9964-00c04fbbb345} Name:CEventSystem [0x80040206]

Error: (02/13/2012 07:29:03 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.


System errors:
=============
Error: (02/17/2012 01:17:35 PM) (Source: 0) (User: )
Description: \Device\LanmanDatagramReceiverFD-02NetBT_Tcpip_{49FED0FB-62F0-497D-93E

Error: (02/17/2012 11:54:17 AM) (Source: NETLOGON) (User: )
Description: The session setup from the computer OP-06 failed to authenticate.
The name(s) of the account(s) referenced in the security database is
OP-06$. The following error occurred:
%%5

Error: (02/17/2012 07:15:51 AM) (Source: NETLOGON) (User: )
Description: The session setup from the computer OP-06 failed to authenticate.
The name(s) of the account(s) referenced in the security database is
OP-06$. The following error occurred:
%%5

Error: (02/17/2012 03:15:40 AM) (Source: NETLOGON) (User: )
Description: The session setup from the computer OP-06 failed to authenticate.
The name(s) of the account(s) referenced in the security database is
OP-06$. The following error occurred:
%%5

Error: (02/16/2012 10:30:51 PM) (Source: NETLOGON) (User: )
Description: The session setup from the computer OP-06 failed to authenticate.
The name(s) of the account(s) referenced in the security database is
OP-06$. The following error occurred:
%%5

Error: (02/16/2012 05:30:51 PM) (Source: NETLOGON) (User: )
Description: The session setup from the computer OP-06 failed to authenticate.
The name(s) of the account(s) referenced in the security database is
OP-06$. The following error occurred:
%%5

Error: (02/16/2012 00:30:51 PM) (Source: NETLOGON) (User: )
Description: The session setup from the computer OP-06 failed to authenticate.
The name(s) of the account(s) referenced in the security database is
OP-06$. The following error occurred:
%%5

Error: (02/16/2012 07:15:51 AM) (Source: NETLOGON) (User: )
Description: The session setup from the computer OP-06 failed to authenticate.
The name(s) of the account(s) referenced in the security database is
OP-06$. The following error occurred:
%%5

Error: (02/15/2012 05:45:51 PM) (Source: NETLOGON) (User: )
Description: The session setup from the computer OP-06 failed to authenticate.
The name(s) of the account(s) referenced in the security database is
OP-06$. The following error occurred:
%%5

Error: (02/15/2012 00:45:51 PM) (Source: NETLOGON) (User: )
Description: The session setup from the computer OP-06 failed to authenticate.
The name(s) of the account(s) referenced in the security database is
OP-06$. The following error occurred:
%%5


Microsoft Office Sessions:
=========================
Error: (02/13/2012 07:54:14 PM) (Source: WinVNC4)(User: )
Description: DeviceFrameBufferBitBlt failed:5

Error: (02/13/2012 04:24:19 PM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description:

Error: (02/13/2012 04:24:19 PM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description: Not enough memory is available to complete this request

Error: (02/13/2012 04:19:00 PM) (Source: .NET Runtime)(User: )
Description: .NET Runtime version : 2.0.50727.3053 - Fatal errorUnable to load Jit Compiler: (mscorjit.dll): file may be missing or corrupt. Please check or rerun setup.

Error: (02/13/2012 02:39:01 PM) (Source: .NET Runtime)(User: )
Description: .NET Runtime version : 2.0.50727.3053 -

Error: (02/13/2012 02:34:02 PM) (Source: .NET Runtime)(User: )
Description: .NET Runtime version : 2.0.50727.3053 - Fatal errorCLR error: 80004005.
The program will now terminate.

Error: (02/13/2012 02:04:00 PM) (Source: .NET Runtime)(User: )
Description: .NET Runtime version : 2.0.50727.3053 - .NET Framework Initialization ErrorUnable to find a version of the runtime to run this application.

Error: (02/13/2012 07:29:03 AM) (Source: VSS)(User: )
Description: CoCreateInstance0x80040206

Error: (02/13/2012 07:29:03 AM) (Source: VSS)(User: )
Description: {4e14fba2-2e22-11d1-9964-00c04fbbb345}CEventSystem0x80040206

Error: (02/13/2012 07:29:03 AM) (Source: VSS)(User: )
Description: CoCreateInstance0x80040206


=========================== Installed Programs ============================

Adobe Flash Player 10 Plugin (Version: 10.1.102.64)
Adobe Reader 7.0 (Version: 7.0.0)
APC PowerChute Business Edition Agent (Version: 1)
APC PowerChute Business Edition Console (Version: 1)
APC PowerChute Business Edition Server (Version: 1)
Crystal Reports Basic Runtime for Visual Studio 2008 (Version: 10.5.0.0)
EPSON Printer Software
GoToAssist Corporate (Version: 9.0.0.570)
IIS 7.5 Express (Version: 7.5.1070)
Intel® PRO Network Connections 12.2.41.0 (Version: 12.2.41.0)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 30 (Version: 6.0.300)
Kaseya Agent (nt-fs1.chesdental.tda-unmanged- - ks.tdai.net) (Version: 6.2.0.0)
Kaspersky Anti-Virus 6.0 for Windows Servers (Version: 6.0.4.1424)
Lexmark Pro800-Pro900 Series
LightScribe 1.4.136.1 (Version: 1.4.136.1)
Malwarebytes Anti-Malware version 1.60.1.1000 (Version: 1.60.1.1000)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (CONNECTOR) (Version: 9.4.5000.00)
Microsoft SQL Server Native Client (Version: 9.00.5000.00)
Microsoft SQL Server Setup Support Files (English) (Version: 9.00.5000.00)
Microsoft SQL Server VSS Writer (Version: 9.00.5000.00)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6 Service Pack 2 (KB973686) (Version: 6.20.2003.0)
Nero 7 Essentials (Version: 7.02.5017)
NETGEAR Print Server Software
OnTrack Connector (Version: 2.1.13)
OPOS for the Ingenico iSeries (Version: 2.7.3)
Patterson EagleSoft (Version: 16.00.0021)
PINPadDevice Files
Samsung CLX-3170 Series
Sentinel Protection Installer 7.4.0 (Version: 7.4.0)
SIDEXIS
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows Internet Explorer 8 (KB982632) (Version: 1)
Update for Windows Server 2003 (KB2345886) (Version: 1)
Update for Windows Server 2003 (KB2467659) (Version: 1)
Update for Windows Server 2003 (KB2616676-v2) (Version: 2)
Update for Windows Server 2003 (KB2641690-v2) (Version: 2)
Update for Windows Server 2003 (KB925876) (Version: 2)
Update for Windows Server 2003 (KB927891) (Version: 5)
Update for Windows Server 2003 (KB936357) (Version: 1)
Update for Windows Server 2003 (KB942763) (Version: 1)
Update for Windows Server 2003 (KB942840) (Version: 1)
Update for Windows Server 2003 (KB948496) (Version: 1)
Update for Windows Server 2003 (KB955759) (Version: 1)
Update for Windows Server 2003 (KB968389) (Version: 1)
Update for Windows Server 2003 (KB971029) (Version: 1)
Update for Windows Server 2003 (KB971737) (Version: 1)
Update for Windows Server 2003 (KB973815) (Version: 1)
Update for Windows Server 2003 (KB973825) (Version: 1)
Update for Windows Server 2003 (KB973917-v2) (Version: 2)
WebEx
Windows Imaging Component (Version: 3.0.0.0)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Presentation Foundation (Version: 3.0.6920.0)
WinZip (Version: 9.0 SR-1 (6224))
XML Paper Specification Shared Components Pack 1.0

========================= Memory info: ===================================

Percentage of memory in use: 83%
Total physical RAM: 2044.92 MB
Available physical RAM: 327.66 MB
Total Pagefile: 4969.58 MB
Available Pagefile: 1932.92 MB
Total Virtual: 2047.88 MB
Available Virtual: 1974.77 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:29.99 GB) (Free:12.38 GB) NTFS
4 Drive e: (FreeAgent GoFlex Drive) (Fixed) (Total:931.51 GB) (Free:870.28 GB) NTFS
5 Drive f: (Shared) (Fixed) (Total:435.62 GB) (Free:318.64 GB) NTFS

========================= Users: ========================================

User accounts for \\NT-FS1

Administrator BO-01 BO-02
BO-03 CONSULT DOC
FD-01 FD-02 FD-03
FD-04 FD-05 Guest
IUSR_NT-FS1 IWAM_NT-FS1 krbtgt
monitor OP-01 OP-02
OP-03 OP-04 OP-05
OP-06 OP-07 OP-08
OP-09 OP-10 pan
SUPPORT_388945a0 user WS-01
WS-02 WS-03 WS-04
WS-05


**** End of log ****


2. TDSSKiller.zip

Ran this - did not require a reboot

13:25:05.0843 1880 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
13:25:06.0515 1880 ============================================================
13:25:06.0515 1880 Current date / time: 2012/02/17 13:25:06.0515
13:25:06.0515 1880 SystemInfo:
13:25:06.0515 1880
13:25:06.0515 1880 OS Version: 5.2.3790 ServicePack: 2.0
13:25:06.0515 1880 Product type: Domain controller
13:25:06.0515 1880 ComputerName: NT-FS1
13:25:06.0515 1880 UserName: administrator
13:25:06.0515 1880 Windows directory: C:\WINDOWS
13:25:06.0515 1880 System windows directory: C:\WINDOWS
13:25:06.0515 1880 Processor architecture: Intel x86
13:25:06.0515 1880 Number of processors: 2
13:25:06.0515 1880 Page size: 0x1000
13:25:06.0515 1880 Boot type: Normal boot
13:25:06.0515 1880 ============================================================
13:25:11.0171 1880 Drive \Device\Harddisk0\DR0 - Size: 0x7467500000 (465.61 Gb), SectorSize: 0x200, Cylinders: 0xED6E, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
13:25:11.0171 1880 Drive \Device\Harddisk1\DR5 - Size: 0xE8E0DB5E00 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
13:25:11.0218 1880 \Device\Harddisk0\DR0:
13:25:11.0218 1880 MBR used
13:25:11.0218 1880 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3BFB14C
13:25:11.0234 1880 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3BFB1CA, BlocksNum 0x3673F224
13:25:11.0234 1880 \Device\Harddisk1\DR5:
13:25:11.0234 1880 MBR used
13:25:11.0234 1880 \Device\Harddisk1\DR5\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x747059C1
13:25:11.0343 1880 Initialize success
13:25:11.0343 1880 ============================================================
13:25:29.0953 11440 ============================================================
13:25:29.0953 11440 Scan started
13:25:29.0953 11440 Mode: Manual; TDLFS;
13:25:29.0953 11440 ============================================================
13:25:47.0250 11440 aaccin (a357b088a8e3eb222406258c94944cef) C:\WINDOWS\system32\drivers\aaccin.dll
13:25:47.0250 11440 aaccin - ok
13:25:48.0765 11440 aacsas (bb2e84a084929407f872d432b98ce307) C:\WINDOWS\system32\drivers\aacsas.sys
13:25:48.0781 11440 aacsas - ok
13:25:50.0328 11440 Abiosdsk - ok
13:25:52.0046 11440 ACPI (a0a850bac6f8a88ad0fc964c6bea170d) C:\WINDOWS\system32\DRIVERS\ACPI.sys
13:25:52.0062 11440 ACPI - ok
13:25:53.0562 11440 ACPIEC (043c89cc533ff546d835cb998b95b198) C:\WINDOWS\system32\drivers\ACPIEC.sys
13:25:53.0562 11440 ACPIEC - ok
13:25:56.0171 11440 adpu160m - ok
13:25:58.0062 11440 adpu320 - ok
13:26:01.0578 11440 afcnt - ok
13:26:03.0343 11440 AFD (317e75d96065ac6af5ef8857ce2e399b) C:\WINDOWS\System32\drivers\afd.sys
13:26:03.0390 11440 AFD - ok
13:26:05.0328 11440 aic78u2 - ok
13:26:07.0578 11440 aic78xx - ok
13:26:10.0437 11440 AliIde - ok
13:26:12.0406 11440 AmdIde - ok
13:26:14.0828 11440 arc - ok
13:26:17.0343 11440 AsyncMac (a35b971f631d4dfdeb68d71e770d2ce9) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
13:26:17.0343 11440 AsyncMac - ok
13:26:19.0468 11440 atapi (ff953a8f08ca3f822127654375786bbe) C:\WINDOWS\system32\DRIVERS\atapi.sys
13:26:19.0500 11440 atapi - ok
13:26:22.0500 11440 Atdisk - ok
13:26:24.0390 11440 Atmarpc (d12dad5032285343ce3aa4906f661181) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
13:26:24.0406 11440 Atmarpc - ok
13:26:26.0500 11440 audstub (5bfd980c2107d88101d1dc14055526fc) C:\WINDOWS\system32\DRIVERS\audstub.sys
13:26:26.0531 11440 audstub - ok
13:26:28.0484 11440 Beep (99572503e15a3d10239b7b9887cbaf89) C:\WINDOWS\system32\drivers\Beep.sys
13:26:28.0500 11440 Beep - ok
13:26:30.0718 11440 cbidf2k (1342877de604a5a6bff986e288e3a8a7) C:\WINDOWS\system32\drivers\cbidf2k.sys
13:26:30.0796 11440 cbidf2k - ok
13:26:33.0343 11440 cd20xrnt - ok
13:26:35.0000 11440 Cdfs (e6d72780c957b69c48bfc66bc3ecdad4) C:\WINDOWS\system32\drivers\Cdfs.sys
13:26:35.0015 11440 Cdfs - ok
13:26:37.0296 11440 Cdrom (825aa877a852ecc731fa0c39c8c37744) C:\WINDOWS\system32\DRIVERS\cdrom.sys
13:26:37.0312 11440 Cdrom - ok
13:26:39.0500 11440 Changer - ok
13:26:42.0156 11440 ClusDisk (54308cdf97622fae1620bb1ec39ef014) C:\WINDOWS\system32\DRIVERS\ClusDisk.sys
13:26:42.0171 11440 ClusDisk - ok
13:26:43.0750 11440 CmdIde - ok
13:26:45.0562 11440 Compbatt (1dcbf98f0fa712e384a1a2926f774673) C:\WINDOWS\system32\DRIVERS\compbatt.sys
13:26:45.0562 11440 Compbatt - ok
13:26:48.0046 11440 Cpqarray - ok
13:26:52.0093 11440 cpqarry2 - ok
13:26:53.0828 11440 cpqcissm - ok
13:26:55.0625 11440 cpqfcalm - ok
13:26:57.0875 11440 crcdisk (0ee27d9dbb208c13314f3c60f66aed26) C:\WINDOWS\system32\DRIVERS\crcdisk.sys
13:26:57.0890 11440 crcdisk - ok
13:27:00.0234 11440 dac2w2k - ok
13:27:04.0531 11440 dac960nt - ok
13:27:07.0015 11440 dellcerc - ok
13:27:09.0453 11440 DfsDriver (444726b01c31d29c70e60f7c35de43e5) C:\WINDOWS\system32\drivers\Dfs.sys
13:27:09.0453 11440 DfsDriver - ok
13:27:12.0500 11440 DgiVecp (770471de2550820feeb7e5d24bf2e273) C:\WINDOWS\system32\Drivers\DgiVecp.sys
13:27:12.0515 11440 DgiVecp - ok
13:27:14.0296 11440 Disk (98433302c02f1168efb7364f8111a179) C:\WINDOWS\system32\DRIVERS\disk.sys
13:27:14.0296 11440 Disk - ok
13:27:15.0859 11440 dmboot (89fa376d83042f6f1aed505106a5719d) C:\WINDOWS\system32\drivers\dmboot.sys
13:27:15.0875 11440 dmboot - ok
13:27:17.0218 11440 dmio (15081421ee62dc1c95abb387d9081571) C:\WINDOWS\system32\drivers\dmio.sys
13:27:17.0234 11440 dmio - ok
13:27:18.0750 11440 dmload (3d9bfa13b6f1cd2d91c50c52b32e91a2) C:\WINDOWS\system32\drivers\dmload.sys
13:27:18.0750 11440 dmload - ok
13:27:20.0890 11440 dpti2o - ok
13:27:22.0906 11440 E1000 (3044851b3c5286a908a6a4d1166328aa) C:\WINDOWS\system32\DRIVERS\e1000325.sys
13:27:22.0937 11440 E1000 - ok
13:27:25.0140 11440 e1express (05e35fca7e7b2921dd7bcaa72f3903c6) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
13:27:25.0218 11440 e1express - ok
13:27:26.0828 11440 elxstor - ok
13:27:28.0781 11440 Fastfat (e792a18abdc32286212dce8e75baa124) C:\WINDOWS\system32\drivers\Fastfat.sys
13:27:28.0796 11440 Fastfat - ok
13:27:30.0390 11440 Fdc (5090cd3f6ab1d71ad507953cff556ea9) C:\WINDOWS\system32\DRIVERS\fdc.sys
13:27:30.0406 11440 Fdc - ok
13:31:35.0531 11440 ============================================================
13:31:35.0531 11440 Scan finished
13:31:35.0531 11440 ============================================================
13:31:35.0578 7040 Detected object count: 0
13:31:35.0578 7040 Actual detected object count: 0
13:34:57.0468 4832 Deinitialize success



3. Ran ESET


C:\Documents and Settings\SUPPORT_388945a0\Desktop\Search.exe a variant of Win32/Adware.SafeSurf.AA application deleted (after the next restart) - quarantined
C:\WINDOWS\system32\WPA_Kill.exe Win32/Agent.JH trojan cleaned by deleting - quarantined
Operating memory a variant of Win32/Adware.SafeSurf.AA application

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,906 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:09:22 AM

Posted 20 February 2012 - 02:47 PM

Hi, looks good. How is it running now?