
Rootkit AccessZero


This topic is locked
66 replies to this topic

#1 nexus_99 (Members, 119 posts)

Posted 23 February 2012 - 02:08 PM

Hi there,

Thanks so much for assisting me. I've caught AccessZero and can't seem to get rid of it totally.

MBAM has run and gotten rid of all of the fake security pop-ups, but can't seem to get the rootkit out. While the computer runs almost normally, it takes a long time to connect to the internet and gives me the occasional redirect/popunder to hookmeup.com.

DDS and GMER posted. Attach log attached.
*********************************************************
DDS LOG:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Craig at 12:50:46 on 2012-02-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2345 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
\\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Intuit\QuickBooks 2009\qbw32.exe
C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Program Files\Winamp\winamp.exe
c:\drivers\audio\r211990\stacsv.exe
C:\WINDOWS\system32\02ebI0lT.com
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.tsn.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1274908754140
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1274908748312
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-1-4 28552]
R2 MSSQL$RETSDATA;MSSQL$RETSDATA;c:\program files\microsoft sql server\mssql$retsdata\binn\sqlservr.exe -sretsdata --> c:\program files\microsoft sql server\mssql$retsdata\binn\sqlservr.exe -sRETSDATA [?]
R2 vetmsgnt;Pdagent;c:\windows\system32\svchost.exe -k netsvcs [2008-4-25 14336]
R2 WDDMService;WDDMService;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-9-8 237056]
R2 WDFME;WD File Management Engine;c:\program files\western digital\wd smartware\front parlor\wdfme\WDFME.exe [2010-9-8 1034752]
R2 WDSC;WD File Management Shadow Engine;c:\program files\western digital\wd smartware\front parlor\WDSC.exe [2010-9-8 484352]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-7-24 112512]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [2009-7-24 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [2009-7-24 41760]
S0 hqsjfotu;hqsjfotu;c:\windows\system32\drivers\likc.sys --> c:\windows\system32\drivers\likc.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-26 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-26 136176]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-2-23 24064]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 SQLAgent$RETSDATA;SQLAgent$RETSDATA;c:\program files\microsoft sql server\mssql$retsdata\binn\sqlagent.exe -i retsdata --> c:\program files\microsoft sql server\mssql$retsdata\binn\sqlagent.EXE -i RETSDATA [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-1-3 11520]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
.
=============== Created Last 30 ================
.
2012-02-23 17:31:47 729088 ----a-w- c:\windows\system32\AESTFltr.exe
2012-02-23 14:04:47 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-02-23 13:13:33 84146 ----a-w- c:\windows\system32\02ebI0lT.com_
2012-02-23 13:02:12 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-23 12:27:58 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-02-23 12:10:04 -------- d-----w- C:\spoolerlogs
.
==================== Find3M ====================
.
2012-02-23 17:03:56 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2012-02-23 17:03:31 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2012-02-23 17:03:30 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 12:51:23.50 ===============


*********************************************************************************
GMER LOG:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-23 14:01:54
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST925042 rev.DE17
Running: gmer.exe; Driver: C:\DOCUME~1\Craig\LOCALS~1\Temp\fwlyqkoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text cdrom.sys BA229000 105 Bytes [43, 02, C7, 43, 0C, 00, 00, ...]
.text cdrom.sys BA22906A 240 Bytes CALL BA233539 \SystemRoot\system32\DRIVERS\cdrom.sys (SCSI CD-ROM Driver/Microsoft Corporation)
.text cdrom.sys BA22915C 22 Bytes [F3, AB, EB, 3C, 33, C0, 8B, ...]
.text cdrom.sys BA229173 55 Bytes [C0, 8B, FE, C7, 43, 1C, C0, ...]
.text cdrom.sys BA2291AB 114 Bytes [50, 00, 07, 00, 75, 18, 33, ...]
.text ...
? C:\WINDOWS\system32\DRIVERS\cdrom.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1268] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01B1000A
.text C:\WINDOWS\System32\svchost.exe[1268] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01B2000A
.text C:\WINDOWS\System32\svchost.exe[1268] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0190000C
? C:\WINDOWS\System32\svchost.exe[1268] C:\WINDOWS\System32\smss.exe image checksum mismatch; time/date stamp mismatch;
.text C:\WINDOWS\system32\SearchIndexer.exe[2468] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) BA1C8000-BA1D8000 (65536 bytes)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 488395177

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP100\A0011785.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP100\A0011838.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP101\A0011921.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP101\A0011944.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP103\A0012026.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP103\A0012084.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP103\A0012139.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP104\A0012230.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP104\A0013230.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP107\A0013337.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP109\A0013512.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP110\A0013666.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP114\A0014666.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP115\A0014804.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP116\A0014852.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP119\A0015852.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP120\A0015977.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP120\A0016044.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP120\A0016097.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP122\A0016185.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP124\A0016285.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP124\A0016332.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP124\A0016360.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP125\A0016474.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP125\A0016648.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP126\A0016688.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP126\A0016746.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP126\A0017746.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP126\A0019792.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP126\A0019806.exe:BAK 23040 bytes executable
File C:\WINDOWS\$NtUninstallKB41409$\3641080007 0 bytes
File C:\WINDOWS\$NtUninstallKB41409$\3641080007\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB41409$\3641080007\cfg.ini 298 bytes
File C:\WINDOWS\$NtUninstallKB41409$\3641080007\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB41409$\3641080007\L 0 bytes
File C:\WINDOWS\$NtUninstallKB41409$\3641080007\L\rohepcid 62976 bytes
File C:\WINDOWS\$NtUninstallKB41409$\3641080007\U 0 bytes
File C:\WINDOWS\$NtUninstallKB41409$\3641080007\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB41409$\3641080007\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB41409$\3641080007\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB41409$\3641080007\U\80000000.@ 66560 bytes
File C:\WINDOWS\$NtUninstallKB41409$\3641080007\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB41409$\3641080007\U\80000032.@ 73216 bytes
File C:\WINDOWS\$NtUninstallKB41409$\3641080007\version 844 bytes
File C:\WINDOWS\$NtUninstallKB41409$\3940381854 0 bytes

---- EOF - GMER 1.0.15 ----


#2 gringo_pr, Bleepin Gringo (Malware Response Team, 136,772 posts, Puerto Rico)

Posted 23 February 2012 - 03:15 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button and select Immediate Notification, then click on Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




#3 nexus_99, Topic Starter (Members, 119 posts)

Posted 23 February 2012 - 08:28 PM

Hi Gringo,

Thanks so much for your quick reply. I sincerely appreciate it.

When starting ComboFix, I received the following pop-up:

ComboFix - ZeroAccess

You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularily difficult infection.

If for any reason you're unable to connect to the internet after running ComboFix, reboot once and see if that fixes it.

If it's not fixed, run ComboFix one more time.

Then I received the following pop-up:

Rootkit

Rootkit is detected.

Be patient as this may take some moments.

Another pop-up came after that (something about rebooting), but it was too quick for me to take down. Sorry.

*************************************
ComboFix log:

ComboFix 12-02-22.01 - Craig 02/23/2012 20:11:21.18.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2637 [GMT -5:00]
Running from: E:\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB41409$\3641080007\@
c:\windows\$NtUninstallKB41409$\3641080007\cfg.ini
c:\windows\$NtUninstallKB41409$\3641080007\Desktop.ini
c:\windows\$NtUninstallKB41409$\3641080007\L\rohepcid
c:\windows\$NtUninstallKB41409$\3641080007\U\00000001.@
c:\windows\$NtUninstallKB41409$\3641080007\U\00000002.@
c:\windows\$NtUninstallKB41409$\3641080007\U\00000004.@
c:\windows\$NtUninstallKB41409$\3641080007\U\80000000.@
c:\windows\$NtUninstallKB41409$\3641080007\U\80000004.@
c:\windows\$NtUninstallKB41409$\3641080007\U\80000032.@
c:\windows\$NtUninstallKB41409$\3641080007\version
c:\windows\$NtUninstallKB41409$\3940381854
c:\windows\$NtUninstallKB41409$ . . . . Failed to delete
.
Infected copy of c:\windows\system32\autochk.exe was found and disinfected
Restored copy from - c:\i386\AUTOCHK.EXE
.
c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\windows\system32\dllcache\cdrom.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-01-24 to 2012-02-24 )))))))))))))))))))))))))))))))
.
.
2012-02-24 01:15 . 2008-04-14 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-23 17:31 . 2009-02-22 23:49 729088 ----a-w- c:\windows\system32\AESTFltr.exe
2012-02-23 14:04 . 2011-07-15 13:29 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-02-23 13:13 . 2012-02-23 13:13 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2012-02-23 13:13 . 2012-02-23 13:13 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Windows Search
2012-02-23 13:13 . 2012-02-23 13:12 84146 ----a-w- c:\windows\system32\02ebI0lT.com_
2012-02-23 13:02 . 2012-02-24 01:02 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-23 12:27 . 2012-02-23 12:27 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-02-23 12:10 . 2012-02-23 12:10 -------- d-----w- C:\spoolerlogs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-24 01:17 . 2010-05-21 16:41 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2012-02-24 01:17 . 2010-05-26 04:04 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-02-24 01:17 . 2010-05-21 16:41 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2011-12-10 20:24 . 2011-02-26 21:45 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot_2012-02-23_13.59.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-24 01:17 . 2012-02-24 01:17 16384 c:\windows\temp\Perflib_Perfdata_2d8.dat
+ 2012-02-24 01:17 . 2012-02-24 01:17 16384 c:\windows\temp\Perflib_Perfdata_29c.dat
+ 2008-04-25 16:16 . 2012-02-24 01:14 87994 c:\windows\system32\perfc009.dat
- 2008-04-25 16:16 . 2012-02-23 13:55 87994 c:\windows\system32\perfc009.dat
+ 2008-04-25 16:16 . 2008-04-14 12:00 5632 c:\windows\system32\deckzpsx.dll
+ 2009-07-25 04:23 . 2009-02-22 23:49 171520 c:\windows\system32\st326147.dll
+ 2008-04-25 16:16 . 2012-02-24 01:14 485260 c:\windows\system32\perfh009.dat
- 2008-04-25 16:16 . 2012-02-23 13:55 485260 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-31 39408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-07-23 933888]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-22 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-02-22 729088]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/4/2011 3:11 PM 28552]
R2 MSSQL$RETSDATA;MSSQL$RETSDATA;c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe -sRETSDATA --> c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe -sRETSDATA [?]
R2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [9/8/2010 10:41 AM 237056]
R2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [9/8/2010 10:45 AM 1034752]
R2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [9/8/2010 10:44 AM 484352]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [7/24/2009 11:23 PM 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [7/24/2009 11:23 PM 41760]
S0 hqsjfotu;hqsjfotu;c:\windows\system32\drivers\likc.sys --> c:\windows\system32\drivers\likc.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/26/2010 11:03 AM 136176]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [7/24/2009 11:23 PM 112512]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/26/2010 11:03 AM 136176]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2/23/2012 7:27 AM 24064]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S3 SQLAgent$RETSDATA;SQLAgent$RETSDATA;c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlagent.EXE -i RETSDATA --> c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlagent.EXE -i RETSDATA [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [1/3/2011 7:08 PM 11520]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 11:16 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
cachemgr
artourservice
InterBaseServer
vetmsgnt
elservice
CTEDSPIO.DLL
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2012-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-26 16:03]
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-26 16:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tsn.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: mswsock.dll
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-23 20:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB41409$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(916)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(284)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\brsvc01a.exe
c:\windows\system32\brss01a.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe
c:\windows\system32\DRIVERS\o2flash.exe
c:\windows\system32\rpcnet.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2012-02-23 20:20:02 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-24 01:20
ComboFix2.txt 2012-02-23 16:53
ComboFix3.txt 2012-02-23 14:01
ComboFix4.txt 2011-02-25 14:59
ComboFix5.txt 2012-02-24 01:04
.
Pre-Run: 208,721,055,744 bytes free
Post-Run: 208,723,513,344 bytes free
.
- - End Of File - - 81BD288ABE8FBD42BA7573F1A183CC1E

#4 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 February 2012 - 09:04 PM

Greetings

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 nexus_99

nexus_99
  • Topic Starter

  • Members
  • 119 posts

Posted 23 February 2012 - 09:31 PM

Once again, thanks so much for the expedited reply.

TDSSKiller Log:

21:13:08.0140 3948 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
21:13:08.0218 3948 ============================================================
21:13:08.0218 3948 Current date / time: 2012/02/23 21:13:08.0218
21:13:08.0218 3948 SystemInfo:
21:13:08.0218 3948
21:13:08.0218 3948 OS Version: 5.1.2600 ServicePack: 3.0
21:13:08.0218 3948 Product type: Workstation
21:13:08.0218 3948 ComputerName: CRAIGS-LAPTOP
21:13:08.0218 3948 UserName: Craig
21:13:08.0218 3948 Windows directory: C:\WINDOWS
21:13:08.0218 3948 System windows directory: C:\WINDOWS
21:13:08.0218 3948 Processor architecture: Intel x86
21:13:08.0218 3948 Number of processors: 2
21:13:08.0218 3948 Page size: 0x1000
21:13:08.0218 3948 Boot type: Normal boot
21:13:08.0218 3948 ============================================================
21:13:08.0765 3948 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
21:13:08.0765 3948 Drive \Device\Harddisk1\DR5 - Size: 0x7D00000 (0.12 Gb), SectorSize: 0x200, Cylinders: 0xF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
21:13:08.0843 3948 \Device\Harddisk0\DR0:
21:13:08.0843 3948 MBR used
21:13:08.0843 3948 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x1D1B1170
21:13:08.0843 3948 \Device\Harddisk1\DR5:
21:13:08.0859 3948 MBR used
21:13:08.0859 3948 \Device\Harddisk1\DR5\Partition0: MBR, Type 0x6, StartLBA 0x20, BlocksNum 0x3E7A0
21:13:08.0890 3948 Initialize success
21:13:08.0890 3948 ============================================================
21:13:19.0140 3976 ============================================================
21:13:19.0140 3976 Scan started
21:13:19.0140 3976 Mode: Manual;
21:13:19.0140 3976 ============================================================
21:13:20.0390 3976 Abiosdsk - ok
21:13:20.0609 3976 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
21:13:20.0625 3976 abp480n5 - ok
21:13:20.0687 3976 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:13:20.0687 3976 ACPI - ok
21:13:20.0703 3976 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
21:13:20.0703 3976 ACPIEC - ok
21:13:20.0781 3976 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
21:13:20.0781 3976 adpu160m - ok
21:13:20.0859 3976 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
21:13:20.0859 3976 aec - ok
21:13:20.0875 3976 AESTAud (f21d5e93a94514be9f5b6ebf74a696b2) C:\WINDOWS\system32\drivers\AESTAud.sys
21:13:20.0890 3976 AESTAud - ok
21:13:20.0937 3976 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
21:13:20.0937 3976 AFD - ok
21:13:20.0984 3976 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
21:13:20.0984 3976 agp440 - ok
21:13:21.0000 3976 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
21:13:21.0000 3976 agpCPQ - ok
21:13:21.0046 3976 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
21:13:21.0046 3976 Aha154x - ok
21:13:21.0109 3976 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
21:13:21.0109 3976 aic78u2 - ok
21:13:21.0156 3976 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
21:13:21.0171 3976 aic78xx - ok
21:13:21.0218 3976 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
21:13:21.0218 3976 AliIde - ok
21:13:21.0265 3976 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
21:13:21.0265 3976 alim1541 - ok
21:13:21.0281 3976 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
21:13:21.0281 3976 amdagp - ok
21:13:21.0328 3976 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
21:13:21.0328 3976 amsint - ok
21:13:21.0375 3976 ApfiltrService (fb7c669774ffcacd77b5969ee5d9a19b) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
21:13:21.0390 3976 ApfiltrService - ok
21:13:21.0406 3976 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
21:13:21.0421 3976 Arp1394 - ok
21:13:21.0453 3976 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
21:13:21.0453 3976 asc - ok
21:13:21.0468 3976 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
21:13:21.0468 3976 asc3350p - ok
21:13:21.0484 3976 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
21:13:21.0484 3976 asc3550 - ok
21:13:21.0546 3976 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:13:21.0562 3976 AsyncMac - ok
21:13:21.0609 3976 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
21:13:21.0609 3976 atapi - ok
21:13:21.0625 3976 Atdisk - ok
21:13:21.0671 3976 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:13:21.0671 3976 Atmarpc - ok
21:13:21.0687 3976 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
21:13:21.0687 3976 audstub - ok
21:13:21.0796 3976 BCM43XX (fe4ed785396eaa554c561992106a35fa) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
21:13:21.0890 3976 BCM43XX - ok
21:13:21.0921 3976 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
21:13:21.0921 3976 Beep - ok
21:13:21.0953 3976 BrScnUsb - ok
21:13:22.0078 3976 catchme - ok
21:13:22.0109 3976 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
21:13:22.0109 3976 cbidf - ok
21:13:22.0125 3976 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
21:13:22.0125 3976 cbidf2k - ok
21:13:22.0171 3976 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
21:13:22.0171 3976 cd20xrnt - ok
21:13:22.0203 3976 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
21:13:22.0203 3976 Cdaudio - ok
21:13:22.0218 3976 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
21:13:22.0218 3976 Cdfs - ok
21:13:22.0250 3976 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:13:22.0265 3976 Cdrom - ok
21:13:22.0296 3976 Changer (2a5815ca6fff24b688c01f828b96819c) C:\WINDOWS\system32\drivers\Changer.sys
21:13:22.0296 3976 Changer - ok
21:13:22.0328 3976 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
21:13:22.0328 3976 CmBatt - ok
21:13:22.0359 3976 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
21:13:22.0375 3976 CmdIde - ok
21:13:22.0406 3976 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
21:13:22.0406 3976 Compbatt - ok
21:13:22.0453 3976 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
21:13:22.0453 3976 Cpqarray - ok
21:13:22.0500 3976 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
21:13:22.0500 3976 dac2w2k - ok
21:13:22.0531 3976 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
21:13:22.0531 3976 dac960nt - ok
21:13:22.0546 3976 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
21:13:22.0546 3976 Disk - ok
21:13:22.0593 3976 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
21:13:22.0609 3976 dmboot - ok
21:13:22.0625 3976 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
21:13:22.0640 3976 dmio - ok
21:13:22.0671 3976 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
21:13:22.0687 3976 dmload - ok
21:13:22.0718 3976 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
21:13:22.0718 3976 DMusic - ok
21:13:22.0750 3976 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
21:13:22.0750 3976 dpti2o - ok
21:13:22.0781 3976 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
21:13:22.0781 3976 drmkaud - ok
21:13:22.0812 3976 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
21:13:22.0812 3976 Fastfat - ok
21:13:22.0843 3976 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
21:13:22.0843 3976 Fdc - ok
21:13:22.0859 3976 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
21:13:22.0859 3976 Fips - ok
21:13:22.0890 3976 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
21:13:22.0890 3976 Flpydisk - ok
21:13:22.0906 3976 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
21:13:22.0906 3976 FltMgr - ok
21:13:22.0921 3976 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:13:22.0921 3976 Fs_Rec - ok
21:13:22.0937 3976 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:13:22.0937 3976 Ftdisk - ok
21:13:22.0953 3976 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:13:22.0953 3976 Gpc - ok
21:13:22.0984 3976 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
21:13:22.0984 3976 HDAudBus - ok
21:13:23.0015 3976 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:13:23.0015 3976 hidusb - ok
21:13:23.0078 3976 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
21:13:23.0078 3976 hpn - ok
21:13:23.0093 3976 hqsjfotu - ok
21:13:23.0156 3976 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
21:13:23.0156 3976 HTTP - ok
21:13:23.0187 3976 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
21:13:23.0187 3976 i2omgmt - ok
21:13:23.0218 3976 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
21:13:23.0218 3976 i2omp - ok
21:13:23.0250 3976 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:13:23.0250 3976 i8042prt - ok
21:13:23.0437 3976 ialm (66a685b05066683621920bc14a45cfe8) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
21:13:23.0593 3976 ialm - ok
21:13:23.0656 3976 iaStor (baabb0301949774a66b955c65319635a) C:\WINDOWS\system32\drivers\iaStor.sys
21:13:23.0671 3976 iaStor - ok
21:13:23.0687 3976 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
21:13:23.0687 3976 Imapi - ok
21:13:23.0734 3976 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
21:13:23.0734 3976 ini910u - ok
21:13:23.0750 3976 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
21:13:23.0765 3976 IntelIde - ok
21:13:23.0781 3976 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
21:13:23.0781 3976 intelppm - ok
21:13:23.0812 3976 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
21:13:23.0812 3976 Ip6Fw - ok
21:13:23.0843 3976 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:13:23.0843 3976 IpFilterDriver - ok
21:13:23.0859 3976 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:13:23.0859 3976 IpInIp - ok
21:13:23.0890 3976 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:13:23.0906 3976 IpNat - ok
21:13:23.0953 3976 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:13:23.0953 3976 IPSec - ok
21:13:23.0968 3976 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
21:13:23.0968 3976 IRENUM - ok
21:13:23.0984 3976 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:13:23.0984 3976 isapnp - ok
21:13:24.0031 3976 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:13:24.0031 3976 Kbdclass - ok
21:13:24.0046 3976 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
21:13:24.0046 3976 kbdhid - ok
21:13:24.0109 3976 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
21:13:24.0109 3976 kmixer - ok
21:13:24.0140 3976 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
21:13:24.0140 3976 KSecDD - ok
21:13:24.0171 3976 lbrtfdc (406598827a1b5f77954de11dde115ced) C:\WINDOWS\system32\drivers\lbrtfdc.sys
21:13:24.0171 3976 lbrtfdc - ok
21:13:24.0218 3976 mbamchameleon (7ffd29fafcde7aaf89b689b6e156d5b0) C:\WINDOWS\system32\drivers\mbamchameleon.sys
21:13:24.0218 3976 mbamchameleon - ok
21:13:24.0265 3976 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
21:13:24.0265 3976 mnmdd - ok
21:13:24.0281 3976 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
21:13:24.0281 3976 Modem - ok
21:13:24.0312 3976 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:13:24.0328 3976 Mouclass - ok
21:13:24.0343 3976 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:13:24.0359 3976 mouhid - ok
21:13:24.0359 3976 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
21:13:24.0359 3976 MountMgr - ok
21:13:24.0390 3976 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
21:13:24.0390 3976 mraid35x - ok
21:13:24.0406 3976 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:13:24.0406 3976 MRxDAV - ok
21:13:24.0437 3976 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:13:24.0453 3976 MRxSmb - ok
21:13:24.0484 3976 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
21:13:24.0484 3976 Msfs - ok
21:13:24.0546 3976 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
21:13:24.0546 3976 MSKSSRV - ok
21:13:24.0562 3976 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:13:24.0578 3976 MSPCLOCK - ok
21:13:24.0578 3976 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
21:13:24.0578 3976 MSPQM - ok
21:13:24.0625 3976 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:13:24.0640 3976 mssmbios - ok
21:13:24.0687 3976 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
21:13:24.0687 3976 Mup - ok
21:13:24.0703 3976 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
21:13:24.0718 3976 NDIS - ok
21:13:24.0750 3976 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:13:24.0750 3976 NdisTapi - ok
21:13:24.0765 3976 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:13:24.0765 3976 Ndisuio - ok
21:13:24.0781 3976 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:13:24.0781 3976 NdisWan - ok
21:13:24.0828 3976 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
21:13:24.0843 3976 NDProxy - ok
21:13:24.0859 3976 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
21:13:24.0875 3976 NetBIOS - ok
21:13:24.0906 3976 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
21:13:24.0906 3976 NetBT - ok
21:13:24.0937 3976 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
21:13:24.0937 3976 NIC1394 - ok
21:13:24.0953 3976 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
21:13:24.0953 3976 Npfs - ok
21:13:25.0000 3976 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
21:13:25.0015 3976 Ntfs - ok
21:13:25.0031 3976 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
21:13:25.0031 3976 Null - ok
21:13:25.0062 3976 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:13:25.0062 3976 NwlnkFlt - ok
21:13:25.0078 3976 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:13:25.0078 3976 NwlnkFwd - ok
21:13:25.0109 3976 O2MDGRDR (4f8d4b1233af48b30f4fdc76a8865cfa) C:\WINDOWS\system32\DRIVERS\o2mdg.sys
21:13:25.0109 3976 O2MDGRDR - ok
21:13:25.0125 3976 O2SDGRDR (928b7612b65e82d68d489a1474c98b37) C:\WINDOWS\system32\DRIVERS\o2sdg.sys
21:13:25.0125 3976 O2SDGRDR - ok
21:13:25.0156 3976 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
21:13:25.0156 3976 ohci1394 - ok
21:13:25.0187 3976 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
21:13:25.0187 3976 Parport - ok
21:13:25.0187 3976 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
21:13:25.0203 3976 PartMgr - ok
21:13:25.0203 3976 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
21:13:25.0203 3976 ParVdm - ok
21:13:25.0234 3976 pavboot (3adb8bd6154a3ef87496e8fce9c22493) C:\WINDOWS\system32\drivers\pavboot.sys
21:13:25.0234 3976 pavboot - ok
21:13:25.0250 3976 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
21:13:25.0250 3976 PCI - ok
21:13:25.0296 3976 PCIDump - ok
21:13:25.0312 3976 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
21:13:25.0328 3976 PCIIde - ok
21:13:25.0328 3976 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
21:13:25.0343 3976 Pcmcia - ok
21:13:25.0343 3976 PDCOMP - ok
21:13:25.0359 3976 PDFRAME - ok
21:13:25.0375 3976 PDRELI - ok
21:13:25.0390 3976 PDRFRAME - ok
21:13:25.0406 3976 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
21:13:25.0406 3976 perc2 - ok
21:13:25.0468 3976 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
21:13:25.0468 3976 perc2hib - ok
21:13:25.0578 3976 Point32 (e552d6598670b1e7655cb73d562e0cd9) C:\WINDOWS\system32\DRIVERS\point32.sys
21:13:25.0578 3976 Point32 - ok
21:13:25.0625 3976 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:13:25.0625 3976 PptpMiniport - ok
21:13:25.0703 3976 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
21:13:25.0703 3976 PSched - ok
21:13:25.0734 3976 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:13:25.0734 3976 Ptilink - ok
21:13:25.0750 3976 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
21:13:25.0750 3976 ql1080 - ok
21:13:25.0765 3976 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
21:13:25.0765 3976 Ql10wnt - ok
21:13:25.0781 3976 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
21:13:25.0781 3976 ql12160 - ok
21:13:25.0796 3976 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
21:13:25.0796 3976 ql1240 - ok
21:13:25.0812 3976 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
21:13:25.0812 3976 ql1280 - ok
21:13:25.0828 3976 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:13:25.0828 3976 RasAcd - ok
21:13:25.0843 3976 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:13:25.0843 3976 Rasl2tp - ok
21:13:25.0859 3976 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:13:25.0859 3976 RasPppoe - ok
21:13:25.0875 3976 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
21:13:25.0890 3976 Raspti - ok
21:13:25.0906 3976 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:13:25.0906 3976 Rdbss - ok
21:13:25.0937 3976 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:13:25.0937 3976 RDPCDD - ok
21:13:25.0968 3976 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
21:13:25.0968 3976 rdpdr - ok
21:13:26.0015 3976 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
21:13:26.0015 3976 RDPWD - ok
21:13:26.0046 3976 redbook (f8bd4f5b8d4e871f4c3998c0f9aff0ae) C:\WINDOWS\system32\DRIVERS\redbook.sys
21:13:26.0046 3976 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\redbook.sys. Real md5: f8bd4f5b8d4e871f4c3998c0f9aff0ae, Fake md5: f828dd7e1419b6653894a8f97a0094c5
21:13:26.0046 3976 redbook ( Virus.Win32.ZAccess.c ) - infected
21:13:26.0046 3976 redbook - detected Virus.Win32.ZAccess.c (0)
21:13:26.0109 3976 RTLE8023xp (79b4fe884c18dd82d5449f6b6026d092) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
21:13:26.0109 3976 RTLE8023xp - ok
21:13:26.0156 3976 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
21:13:26.0156 3976 sdbus - ok
21:13:26.0187 3976 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:13:26.0187 3976 Secdrv - ok
21:13:26.0218 3976 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
21:13:26.0218 3976 Serial - ok
21:13:26.0265 3976 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
21:13:26.0265 3976 Sfloppy - ok
21:13:26.0281 3976 Simbad - ok
21:13:26.0296 3976 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
21:13:26.0296 3976 sisagp - ok
21:13:26.0359 3976 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
21:13:26.0359 3976 Sparrow - ok
21:13:26.0437 3976 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
21:13:26.0437 3976 splitter - ok
21:13:26.0500 3976 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
21:13:26.0500 3976 sr - ok
21:13:26.0531 3976 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
21:13:26.0546 3976 Srv - ok
21:13:26.0562 3976 STHDA - ok
21:13:26.0593 3976 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
21:13:26.0593 3976 StillCam - ok
21:13:26.0609 3976 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:13:26.0609 3976 swenum - ok
21:13:26.0640 3976 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
21:13:26.0640 3976 swmidi - ok
21:13:26.0656 3976 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
21:13:26.0656 3976 symc810 - ok
21:13:26.0671 3976 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
21:13:26.0671 3976 symc8xx - ok
21:13:26.0703 3976 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
21:13:26.0703 3976 sym_hi - ok
21:13:26.0718 3976 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
21:13:26.0718 3976 sym_u3 - ok
21:13:26.0750 3976 SynTP (a10d781153bb23036b474ffedb448266) C:\WINDOWS\system32\DRIVERS\SynTP.sys
21:13:26.0765 3976 SynTP - ok
21:13:26.0828 3976 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
21:13:26.0828 3976 sysaudio - ok
21:13:26.0890 3976 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:13:26.0890 3976 Tcpip - ok
21:13:26.0921 3976 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:13:26.0921 3976 TDPIPE - ok
21:13:26.0937 3976 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
21:13:26.0953 3976 TDTCP - ok
21:13:26.0968 3976 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:13:26.0984 3976 TermDD - ok
21:13:27.0015 3976 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
21:13:27.0015 3976 TosIde - ok
21:13:27.0062 3976 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
21:13:27.0062 3976 Udfs - ok
21:13:27.0078 3976 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
21:13:27.0093 3976 ultra - ok
21:13:27.0125 3976 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
21:13:27.0140 3976 Update - ok
21:13:27.0187 3976 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:13:27.0187 3976 usbccgp - ok
21:13:27.0203 3976 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:13:27.0203 3976 usbehci - ok
21:13:27.0250 3976 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:13:27.0250 3976 usbhub - ok
21:13:27.0312 3976 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:13:27.0312 3976 usbprint - ok
21:13:27.0359 3976 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:13:27.0359 3976 USBSTOR - ok
21:13:27.0375 3976 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
21:13:27.0375 3976 usbuhci - ok
21:13:27.0406 3976 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
21:13:27.0406 3976 VgaSave - ok
21:13:27.0421 3976 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
21:13:27.0421 3976 viaagp - ok
21:13:27.0437 3976 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
21:13:27.0437 3976 ViaIde - ok
21:13:27.0468 3976 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
21:13:27.0468 3976 VolSnap - ok
21:13:27.0500 3976 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:13:27.0500 3976 Wanarp - ok
21:13:27.0546 3976 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
21:13:27.0546 3976 WDC_SAM - ok
21:13:27.0609 3976 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
21:13:27.0609 3976 Wdf01000 - ok
21:13:27.0625 3976 WDICA - ok
21:13:27.0656 3976 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
21:13:27.0656 3976 wdmaud - ok
21:13:27.0718 3976 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
21:13:27.0718 3976 WS2IFSL - ok
21:13:27.0750 3976 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
21:13:27.0750 3976 WudfPf - ok
21:13:27.0765 3976 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
21:13:27.0765 3976 WudfRd - ok
21:13:27.0796 3976 MBR (0x1B8) (c524bdf9d8ad2c36d9000bc4e457dd48) \Device\Harddisk0\DR0
21:13:27.0921 3976 \Device\Harddisk0\DR0 - ok
21:13:27.0968 3976 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk1\DR5
21:13:30.0390 3976 \Device\Harddisk1\DR5 - ok
21:13:30.0453 3976 Boot (0x1200) (212b8f0ea1201916badc59158299fb31) \Device\Harddisk0\DR0\Partition0
21:13:30.0453 3976 \Device\Harddisk0\DR0\Partition0 - ok
21:13:30.0468 3976 Boot (0x1200) (8e51c5e3f07e8875c9a3c046a5030cb9) \Device\Harddisk1\DR5\Partition0
21:13:30.0468 3976 \Device\Harddisk1\DR5\Partition0 - ok
21:13:30.0468 3976 ============================================================
21:13:30.0468 3976 Scan finished
21:13:30.0468 3976 ============================================================
21:13:30.0484 3968 Detected object count: 1
21:13:30.0484 3968 Actual detected object count: 1
21:13:37.0671 3968 C:\WINDOWS\system32\DRIVERS\redbook.sys - copied to quarantine
21:13:38.0812 3968 Backup copy found, using it..
21:13:38.0859 3968 C:\WINDOWS\system32\DRIVERS\redbook.sys - will be cured on reboot
21:13:40.0156 3968 redbook ( Virus.Win32.ZAccess.c ) - User select action: Cure
21:13:48.0640 3940 Deinitialize success

**************************************************************************************************************************************
aswMBR Log:

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-23 21:19:13
-----------------------------
21:19:13.159 OS Version: Windows 5.1.2600 Service Pack 3
21:19:13.159 Number of processors: 2 586 0x170A
21:19:13.159 ComputerName: CRAIGS-LAPTOP UserName: Craig
21:19:14.066 Initialize success
21:20:30.925 AVAST engine defs: 12022301
21:20:53.894 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
21:20:53.894 Disk 0 Vendor: ST925042 DE17 Size: 238475MB BusType: 3
21:20:53.909 Disk 0 MBR read successfully
21:20:53.909 Disk 0 MBR scan
21:20:53.956 Disk 0 unknown MBR code
21:20:53.988 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
21:20:53.988 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 238434 MB offset 81920
21:20:54.003 Disk 0 scanning sectors +488395120
21:20:54.034 Disk 0 malicious Win32:MBRoot code @ sector 488395177 !
21:20:54.175 Disk 0 scanning C:\WINDOWS\system32\drivers
21:20:58.894 File: C:\WINDOWS\system32\drivers\cdrom.sys **INFECTED** Win32:Sirefef-JQ [Trj]
21:21:04.769 Disk 0 trace - called modules:
21:21:04.784 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x9da7dfc0]<<
21:21:05.284 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac9c678]
21:21:05.284 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x89bc4f08]
21:21:05.284 \Driver\00002967[0x89b148e8] -> IRP_MJ_CREATE -> 0x9da7dfc0
21:21:09.441 AVAST engine scan C:\WINDOWS
21:21:27.769 AVAST engine scan C:\WINDOWS\system32
21:21:27.972 File: C:\WINDOWS\system32\02ebI0lT.com_ **INFECTED** Win32:Malware-gen
21:24:07.909 AVAST engine scan C:\WINDOWS\system32\drivers
21:24:13.066 File: C:\WINDOWS\system32\drivers\cdrom.sys **INFECTED** Win32:Sirefef-JQ [Trj]
21:24:27.081 AVAST engine scan C:\Documents and Settings\Craig
21:27:17.284 AVAST engine scan C:\Documents and Settings\All Users
21:29:02.753 Scan finished successfully
21:29:13.988 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
21:29:14.316 The log file has been saved successfully to "E:\aswMBR - Feb 23.txt"

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:32 PM

Posted 23 February 2012 - 09:34 PM

Hello

I would like you to run this tool for me: fixTDSS.

Download it to your desktop and start the program.

Follow the prompts and OK any security prompts.

When it is complete it will say the infection was cleared or no infection was found. Let me know what it says.

After it is complete I want you to restart the computer, try to rerun aswMBR for me and send me the report.

  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 nexus_99

Posted 23 February 2012 - 09:55 PM

Thanks Gringo!

On the FixTDSS, I received the message:

"Backdoor.Tidserv has not been found on your computer".

aswMBR log below, but before we go too much further, a couple of things for you.

1 - reboots are still taking much longer than normal
2 - I cannot reboot without manually killing a program (End Program) called SIGMATEL - IDT - SYSTRAY
3 - I can now connect to the internet with the infected machine (previously, it would find the network but not be able to secure an IP address)

*****************************************************************************************************************************
aswMBR log:

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-23 21:46:30
-----------------------------
21:46:30.921 OS Version: Windows 5.1.2600 Service Pack 3
21:46:30.921 Number of processors: 2 586 0x170A
21:46:30.921 ComputerName: CRAIGS-LAPTOP UserName: Craig
21:46:33.046 Initialize success
21:46:41.046 AVAST engine defs: 12022301
21:46:44.187 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
21:46:44.187 Disk 0 Vendor: ST925042 DE17 Size: 238475MB BusType: 3
21:46:44.203 Disk 0 MBR read successfully
21:46:44.203 Disk 0 MBR scan
21:46:44.218 Disk 0 unknown MBR code
21:46:44.218 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
21:46:44.234 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 238434 MB offset 81920
21:46:44.234 Disk 0 scanning sectors +488395120
21:46:44.265 Disk 0 malicious Win32:MBRoot code @ sector 488395177 !
21:46:44.406 Disk 0 scanning C:\WINDOWS\system32\drivers
21:46:46.328 File: C:\WINDOWS\system32\drivers\cdrom.sys **INFECTED** Win32:Sirefef-JQ [Trj]
21:46:55.046 Disk 0 trace - called modules:
21:46:55.062 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xba1abfc0]<<
21:46:55.578 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac8aab8]
21:46:55.578 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8a0df350]
21:46:55.578 \Driver\00000513[0x8a22fa80] -> IRP_MJ_CREATE -> 0xba1abfc0
21:46:56.234 AVAST engine scan C:\WINDOWS
21:47:14.078 AVAST engine scan C:\WINDOWS\system32
21:47:14.296 File: C:\WINDOWS\system32\02ebI0lT.com_ **INFECTED** Win32:Malware-gen
21:50:06.515 AVAST engine scan C:\WINDOWS\system32\drivers
21:50:08.593 File: C:\WINDOWS\system32\drivers\cdrom.sys **INFECTED** Win32:Sirefef-JQ [Trj]
21:50:24.781 AVAST engine scan C:\Documents and Settings\Craig
21:53:07.906 AVAST engine scan C:\Documents and Settings\All Users
21:54:48.968 Scan finished successfully
21:55:01.312 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
21:55:01.437 The log file has been saved successfully to "E:\aswMBR Feb 23-2.txt"

#8 gringo_pr

Posted 23 February 2012 - 10:00 PM

Re-Run aswMBR

  • Click Scan
  • On completion of the scan, click the FIXMBR button
  • There is a slight pause after clicking the 'Fix' button.
  • Wait for the tool to report 'Infection fixed successfully', now reboot the machine.
  • Rebooting the machine prematurely, before seeing this line will result in an incomplete fix.

    Note: After the 'Infection fixed successfully' message appears, the machine may become unresponsive. You may have to do a hard boot of your machine. That may be a side effect from the fix. All will be well after the reboot.
  • Save the log as before and post in your next reply.

#9 nexus_99

Posted 23 February 2012 - 10:20 PM

Hi Gringo,

I repeated the scan, then the 'Fix MBR' button was faded out and I couldn't press it. I did press 'Fix', and the computer rebooted - but aswMBR didn't restart.

I'm re-running a scan - what would you like me to do if the Fix MBR button is blanked out again? Click 'Fix', or simply reboot and hit 'Fix MBR' from the start (before a scan)?

Thanks!

#10 gringo_pr

Posted 23 February 2012 - 10:29 PM

Just run a scan and send me the report.


gringo

#11 nexus_99

Posted 23 February 2012 - 10:31 PM

Here you go!

*********************************************************************************************************************
aswMBR log:

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-23 22:17:24
-----------------------------
22:17:24.718 OS Version: Windows 5.1.2600 Service Pack 3
22:17:24.718 Number of processors: 2 586 0x170A
22:17:24.718 ComputerName: CRAIGS-LAPTOP UserName: Craig
22:17:25.343 Initialize success
22:17:34.671 AVAST engine defs: 12022301
22:18:16.859 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
22:18:16.875 Disk 0 Vendor: ST925042 DE17 Size: 238475MB BusType: 3
22:18:16.875 Disk 0 MBR read successfully
22:18:16.890 Disk 0 MBR scan
22:18:16.937 Disk 0 unknown MBR code
22:18:16.937 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
22:18:16.953 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 238434 MB offset 81920
22:18:16.953 Disk 0 scanning sectors +488395120
22:18:17.000 Disk 0 malicious Win32:MBRoot code @ sector 488395177 !
22:18:17.109 Disk 0 scanning C:\WINDOWS\system32\drivers
22:18:19.046 File: C:\WINDOWS\system32\drivers\cdrom.sys **INFECTED** Win32:Sirefef-JQ [Trj]
22:18:24.406 File: C:\WINDOWS\system32\drivers\mrxsmb.sys **INFECTED** Win32:Sirefef-JQ [Trj]
22:18:35.000 Disk 0 trace - called modules:
22:18:35.093 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xa55a7fc0]<<
22:18:35.093 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac83030]
22:18:35.093 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x894eb598]
22:18:35.109 \Driver\00003832[0x89b68f38] -> IRP_MJ_CREATE -> 0xa55a7fc0
22:18:37.859 AVAST engine scan C:\WINDOWS
22:18:52.062 AVAST engine scan C:\WINDOWS\system32
22:21:43.421 AVAST engine scan C:\WINDOWS\system32\drivers
22:21:45.531 File: C:\WINDOWS\system32\drivers\cdrom.sys **INFECTED** Win32:Sirefef-JQ [Trj]
22:21:50.921 File: C:\WINDOWS\system32\drivers\mrxsmb.sys **INFECTED** Win32:Sirefef-JQ [Trj]
22:22:11.406 AVAST engine scan C:\Documents and Settings\Craig
22:25:12.718 AVAST engine scan C:\Documents and Settings\All Users
22:26:55.375 Scan finished successfully
22:30:17.906 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
22:30:18.015 The log file has been saved successfully to "E:\aswMBR Feb 23-3.txt"
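
Added example, not part of the thread and not code from aswMBR or AVAST: a Python script that pulls the indicators out of the aswMBR log text above (disk size, partition rows, the Win32:MBRoot sector, the **INFECTED** driver files) and checks where sector 488395177 falls relative to the partition table. aswMBR prints partition sizes in whole MB, so the sector counts in the reconstructed MBR are an approximation (marked as such in the code); the embedded log lines are copied from the 22:17 run and the disk-image bytes are constructed, standing in for the E:\MBR.dat that aswMBR saved.

```python
"""Added example (not from the thread, aswMBR or AVAST): extract bootkit
indicators from aswMBR log text and classify the flagged sector against the
partition layout, to show the MBRoot code sits outside every partition."""
import re
import struct

SECTOR = 512
SECTORS_PER_MB = (1024 * 1024) // SECTOR   # 2048

# Lines copied from the third aswMBR log in the thread (22:17 run).
SAMPLE_LOG = r"""
22:18:16.875 Disk 0 Vendor: ST925042 DE17 Size: 238475MB BusType: 3
22:18:16.937 Disk 0 unknown MBR code
22:18:16.937 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
22:18:16.953 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 238434 MB offset 81920
22:18:17.000 Disk 0 malicious Win32:MBRoot code @ sector 488395177 !
22:18:19.046 File: C:\WINDOWS\system32\drivers\cdrom.sys **INFECTED** Win32:Sirefef-JQ [Trj]
22:18:24.406 File: C:\WINDOWS\system32\drivers\mrxsmb.sys **INFECTED** Win32:Sirefef-JQ [Trj]
"""

SIZE_RE = re.compile(r"Size: (\d+)MB")
PART_RE = re.compile(r"Partition (\d) ([0-9A-Fa-f]{2}) (?:\(A\) )?([0-9A-Fa-f]{2}) .*? (\d+) MB offset (\d+)")
MBROOT_RE = re.compile(r"malicious Win32:MBRoot code @ sector (\d+)")
INFECTED_RE = re.compile(r"File: (.+?) \*\*INFECTED\*\* (\S+)")


def parse_log(text):
    """Collect disk size, partition rows, MBRoot sector and infected files."""
    report = {"disk_mb": None, "partitions": [], "mbroot_sector": None, "infected": {}}
    for line in text.splitlines():
        if m := SIZE_RE.search(line):
            report["disk_mb"] = int(m.group(1))
        elif m := PART_RE.search(line):
            idx, status, ptype, size_mb, offset = m.groups()
            report["partitions"].append({
                "index": int(idx), "active": status == "80", "type": int(ptype, 16),
                "start": int(offset),
                # Assumption: aswMBR rounds to whole MB, so this count is approximate.
                "count": int(size_mb) * SECTORS_PER_MB})
        elif m := MBROOT_RE.search(line):
            report["mbroot_sector"] = int(m.group(1))
        elif m := INFECTED_RE.search(line):
            report["infected"][m.group(1)] = m.group(2)
    return report


def build_mbr(parts, boot_code=b""):
    """Construct a 512-byte MBR from parsed rows (CHS fields zero-filled).
    This stands in for the real sector aswMBR saved to E:\\MBR.dat."""
    assert len(boot_code) <= 446, "bootstrap area is 446 bytes"
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, p in enumerate(parts[:4]):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i,
                         0x80 if p["active"] else 0x00, b"\0" * 3,
                         p["type"], b"\0" * 3, p["start"], p["count"])
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(mbr):
    """Read the four partition entries; refuse anything without the 0x55AA signature."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * i)
        if ptype and count:
            parts.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                          "start": start, "end": start + count - 1})
    return parts


def locate_sector(lba, parts, disk_sectors):
    """Classify an LBA: inside a partition, in a gap, in the tail, or off the disk."""
    if lba >= disk_sectors:
        return "beyond end of disk"
    for p in parts:
        if p["start"] <= lba <= p["end"]:
            return f"inside partition {p['index']}"
    if parts and lba > max(p["end"] for p in parts):
        return "unallocated tail"
    return "unallocated gap"


def analyse_log(text):
    """Parse the log, round-trip the table through a constructed MBR, locate the MBRoot sector."""
    report = parse_log(text)
    report["layout"] = parse_mbr(build_mbr(report["partitions"]))
    disk_sectors = report["disk_mb"] * SECTORS_PER_MB
    report["location"] = locate_sector(report["mbroot_sector"], report["layout"], disk_sectors)
    return report


if __name__ == "__main__":
    r = analyse_log(SAMPLE_LOG)
    for p in r["layout"]:
        print(f"partition {p['index']}: type 0x{p['type']:02x} LBA {p['start']}-{p['end']}"
              f"{' (active)' if p['active'] else ''}")
    print(f"MBRoot code at sector {r['mbroot_sector']}: {r['location']}")
    for path, name in r["infected"].items():
        print(f"infected driver: {path} ({name})")
```

On these rows the NTFS partition ends at about LBA 488394751 and the disk has 488396800 sectors, so sector 488395177 lands in the unallocated space after the last partition, the same region aswMBR itself reports as "scanning sectors +488395120". Because the MB figures are rounded, a sector within 2048 of a partition boundary should be treated as uncertain; here the tool's own tail-scan line corroborates the placement. Storage outside any volume is consistent with the rest of the logs: TDSSKiller cured redbook.sys, yet cdrom.sys and then mrxsmb.sys still show as infected on later scans, and the disk trace shows an unknown module hooking IRP_MJ_CREATE below CLASSPNP.SYS, which is why the thread moves on to rewriting the MBR rather than cleaning files again.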

#12 gringo_pr

Posted 23 February 2012 - 10:34 PM

Print out these instructions to use while in the Recovery Console:

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which Operating System to start.
3. Use the up and down arrow keys to select Microsoft Windows Recovery Console.
4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
5. At the C:\Windows prompt, type the following entry and press 'Enter':

fixmbr

#13 nexus_99

nexus_99
  • Topic Starter

  • Members
  • 119 posts
  • OFFLINE
  •  
  • Local time:12:32 PM

Posted 23 February 2012 - 10:42 PM

Thank you so much. Not that I doubt anything you are saying, but just to be sure...

The following has popped up:

**CAUTION **

This computer appears to have a non-standard or invalid master boot record.

FIXMBR may damage your partition tables if you proceed.

This could cause all the partitions on the current hard disk to become inaccessible.

If you are not having problems accessing your drive, do not continue.

Are you sure you want to write a new MBR?

Please advise, and thanks.

#14 gringo_pr

Posted 24 February 2012 - 12:08 AM

Yes, that is a standard warning and you can proceed.


gringo

#15 nexus_99

Posted 24 February 2012 - 09:38 AM

Thanks Gringo. Please don't think I ever doubted your abilities :)

That's been done, computer is back to not connecting to the network.
