Virus Removal



#1 sewerman


Posted 28 February 2012 - 12:18 PM

I opened a ticket yesterday under Windows 7 OS for virus removal (username=sewerman), and an administrator kindly gave me the advice on what's needed (log files, proper area to post, etc). So, hopefully I have the right place with the right attachments in order to get some help.

I have a Windows 7 laptop that has been infected with the Tidserv Activity 2 virus. So far I've tried to run Malwarebytes, Fix TDSS, and TDSS Killer, all to no avail. The TDSS Killer seems to run, but it's not cleaning out the entire virus. It will find 1 or 2 objects and "clean" them, but if I run it repeatedly it just keeps finding 1 or 2 more (different) objects each time.

Per the site's instructions I've now included logs from DDS and GMER, which did find a rootkit infection. I also ran the CD emulation (defogger) as instructed.

I don't have access to an OS CD or other Boot CD.

Thanks in advance for any assistance that can be provided.

Frank (sewerman)


Edited by Noviciate, 28 February 2012 - 03:56 PM.
Added DDS log from attachment



#2 Noviciate


Posted 28 February 2012 - 03:59 PM

Good evening. :)

When you run TDSSKiller it saves a log with the following name: C:\TDSSKiller.Version_Date_Time_log.txt. Will you post the contents of any of these logs that you can find on your system.

So long, and thanks for all the fish.

#3 sewerman


Posted 28 February 2012 - 04:33 PM

Hi,

I've attached four log files from successive runs of TDSS Killer.

Thanks,

Frank (sewerman)



#4 Noviciate


Posted 29 February 2012 - 04:54 PM

Good evening. :)

Do you have a flashdrive of at least 128 Mb that you can wipe clean and use?

So long, and thanks for all the fish.

#5 sewerman


Posted 01 March 2012 - 08:46 AM

Yes, I have a 1GB flash drive ready to go...

#6 Noviciate


Posted 01 March 2012 - 03:41 PM

Good evening. :)

Please read through all the instructions BEFORE you begin and ask any questions that you may have first. Be aware that an active infection may interfere with the first part of this procedure. If it doesn't go according to instructions, you may have to use a different PC to write the software to the flash drive.

  • Download both this file and this file and save them to your Desktop.
  • Insert your USB flash drive into your PC.
  • Click Start > My Computer, right click your flash drive's icon and select Format > Quick format - this will wipe the contents of the flash drive, so make sure there is nothing of value on there!
  • Double click unetbootin-xpud-windows-version number.exe that you just downloaded and OK any Security Warning that Windows may offer.
  • Select the Diskimage radio button and then click the browse button (the one with three dots on) located on the right side of the textbox field.
  • Browse to, and select, the xpud-0.9.2.iso file you downloaded above by double clicking it.
  • Verify the correct drive letter is selected for your USB device at the bottom and then click OK.
  • The program will install a little bootable OS onto your flash drive.
  • Once the files have been written to the drive you will be prompted to reboot - this isn't necessary, so just click Exit.
  • Next download http://noahdfear.net/downloads/driver.sh to your USB - directly or drag it there when it's downloaded.
  • Finally, for this part at least, download the following file: dumpit and save it to the flashdrive you've just played with.

The next part is somewhat tricky as it differs on different machines. If you are lucky, then the following will work - if it doesn't, let me know and we'll go for a different angle.
  • If it isn't already there, insert the flash drive into the sick PC and then reboot it.
  • You need to select the OS that is on the stick rather than let Windows take charge, so press F12 and choose to boot from the USB drive before Windows starts loading.
  • Follow the prompts and eventually a Welcome to xPUD screen will appear.
  • Click the File icon on the left.
  • Open the mnt folder by clicking it, just as you do in Windows.
  • You are going to identify the folder that represents your flash drive.
  • sda1, sda2 etc... will usually be your hard drive(s); sdb1 is likely to be your flash drive.
  • Double click on the flash drive folder, locate the dumpit file you downloaded previously and double click it.
  • A black Terminal window should open and the text therein should contain the legend: Press Enter to exit: - please do so.
  • Make sure that you can still see the contents of the flashdrive folder and do the following:
  • Click Tool at the top.
  • Choose Open Terminal - this will open the Linux equivalent of a Command Window in all its fashionable black livery.
  • Type bash driver.sh and then <ENTER>
  • You now get to sit and watch some text scroll down the Terminal window until it reports Done - which doesn't need any explanation, hopefully!
  • A report will be located on your flash drive called report.txt (an uninspired choice of name I know!), which is the purpose of this little adventure.
  • Click the Home icon on the left and Power off the machine.
  • Remove the USB drive and insert back in your working computer and locate the folder mbr.zip that it should now contain.
  • Please attach this folder in your next reply, you will need to put it in a compressed/zipped folder, or let me know if you had any problems.
  • Last, but not least, post the contents of report.txt.

So long, and thanks for all the fish.
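As an added illustration of what the report.txt step above produces (example code written for this page, not the post's own driver.sh, whose contents are not reproduced here): it hashes every .sys file in a directory, pulls the CompanyName string out of the PE version resource, and flags drivers that carry none. The temp directory, the three sample "drivers" and their vendor strings are constructed for the demo; the assumption is that the real report pairs each driver's MD5 with its CompanyName in the same way.

```python
"""Driver inventory check in the spirit of the report.txt step in the post above.

Added example, not driver.sh itself (its contents are not on the page).
Assumption: the report pairs each driver's MD5 with the CompanyName string
from its PE version resource and flags drivers that carry none. A rootkit
that patches a legitimate driver in place changes its hash, and a stripped
or damaged version block is a cheap triage signal for a closer look.
"""
import hashlib
import os
import tempfile
from typing import List, Optional, Tuple

# Version strings sit in a UTF-16LE StringFileInfo block in the PE resource
# section. Scanning raw bytes for the UTF-16LE key needs no PE parser and
# still works when the resource directory itself is damaged.
_KEY = "CompanyName".encode("utf-16-le")


def _read_utf16z(data: bytes, pos: int) -> str:
    """Read a NUL-terminated UTF-16LE string, two bytes per code unit."""
    units = []
    while pos + 1 < len(data):
        unit = data[pos:pos + 2]
        if unit == b"\x00\x00":
            break
        units.append(unit)
        pos += 2
    return b"".join(units).decode("utf-16-le", errors="replace")


def company_name(data: bytes) -> Optional[str]:
    """Return the CompanyName value from a PE image, or None if absent."""
    idx = data.find(_KEY)
    if idx < 0:
        return None
    pos = idx + len(_KEY)
    # Skip the key's NUL terminator and the DWORD alignment padding that a
    # VS_VERSIONINFO String structure places before the value.
    while pos + 1 < len(data) and data[pos:pos + 2] == b"\x00\x00":
        pos += 2
    value = _read_utf16z(data, pos).strip()
    return value or None


def driver_report(directory: str) -> List[Tuple[str, str, Optional[str]]]:
    """(md5, filename, company) for every .sys file, sorted case-insensitively."""
    rows = []
    for name in sorted(os.listdir(directory), key=str.lower):
        if not name.lower().endswith(".sys"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            data = fh.read()
        rows.append((hashlib.md5(data).hexdigest(), name, company_name(data)))
    return rows


def format_report(rows) -> str:
    """Render rows as report.txt does: hash and name, then the vendor line."""
    lines = []
    for md5, name, company in rows:
        if company is None:
            lines.append(f"{md5} {name} has NO Company Name!")
        else:
            lines.append(f"{md5} {name}")
            lines.append(company)
        lines.append("")
    return "\n".join(lines)


def unlabeled(rows) -> List[str]:
    """Filenames that carry no vendor string at all: the first ones to examine."""
    return [name for _, name, company in rows if company is None]


# --- constructed sample input; these are not real drivers ------------------
def _fake_driver(company: Optional[str]) -> bytes:
    """Stand-in for a .sys image: MZ header, filler, then a version block."""
    body = b"MZ" + b"\x90" * 64
    if company is not None:
        body += "StringFileInfo".encode("utf-16-le") + b"\x00\x00"
        body += _KEY + b"\x00\x00" + b"\x00\x00"  # key, NUL, DWORD padding
        body += company.encode("utf-16-le") + b"\x00\x00"
    return body + b"\xcc" * 32


def build_sample_dir() -> str:
    """Write three constructed drivers into a temp directory; return its path."""
    root = tempfile.mkdtemp(prefix="drivers_")
    samples = {
        "acpi.sys": _fake_driver("Microsoft Corporation"),
        "Accelerometer.sys": _fake_driver("Hewlett-Packard"),
        "unlabeled.sys": _fake_driver(None),  # version strings stripped
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    print(format_report(driver_report(build_sample_dir())))
```

Pointing `driver_report` at a mounted Windows\System32\drivers folder instead of the sample directory gives the same three-column inventory; the hashes can then be compared against a known-clean copy of the same build.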

 

 


#7 sewerman


Posted 05 March 2012 - 01:52 PM

Hi There,

I think there was a disconnect somewhere in the chain because I don't see the latest reply that I posted. Just to recap and put things back on track... I completed the first phase of the instructions provided. Everything seemed to work well with one hitch - the "dumpit" link provided seems to produce a text file with what appears to be object code. I tried it in phase 2 and nothing happens when I try to launch it. I suspect something is wrong with it and was wondering if you can suggest another source for that or if I can just download the latest version and attempt to use it.

Things were seemingly well otherwise. Thanks for your help to this point. I'm anxious to see it through...

Regards,

sewerman

#8 Noviciate


Posted 05 March 2012 - 03:08 PM

Good evening. :)

I've attached a copy of the required file at the bottom of this post.

So long, and thanks for all the fish.

#9 sewerman


Posted 05 March 2012 - 04:02 PM

Thanks! I'm attaching the zipped mbr folder and Report.txt (which seems thin). Please let me know if everything is as expected or you need anything additional.

sewerman



#10 Noviciate


Posted 06 March 2012 - 03:25 PM

Good evening. :)

Report.txt isn't as it should be. Will you run the steps involving bash driver.sh again and see if you get a more complete text file this time - once you have run the command, leave the PC alone until you see the Done response.

So long, and thanks for all the fish.

#11 sewerman


Posted 07 March 2012 - 02:22 PM

Hi there,

Attached is a new Report.txt file per your request. It appears to be more comprehensive than the last version.

Thanks,

sewerman

Wed Mar 7 13:35:22 UTC 2012
Driver report for /mnt/sdb1/Windows/System32/drivers
Microsoft Corporation

cf50b4cf4a4f229b9f3c08351f99ca5e hidir.sys
Microsoft Corporation

6c26122f1931d4d7810240f32ddce890 hidparse.sys
Microsoft Corporation

10c19f8290891af023eaec0832e1eb4d hidusb.sys
Microsoft Corporation

d5c35e6416a379c445cda826b9fe452f hpdskflt.sys
Hewlett-Packard

1210960ff8928950d2a786895b0c424a HpqKbFiltr.sys
Hewlett-Packard

295fdc419039090eb8b49ffdbb374549 HpSAMD.sys
Hewlett-Packard

871917b07a141bff43d76d8844d48106 http.sys
Microsoft Corporation

0c4e035c7f105f1299258c90886c64c5 hwpolicy.sys
Microsoft Corporation

f151f0bdc47f4a28b1b20a0818ea36d6 i8042prt.sys
Microsoft Corporation

5cd5f9a5444e6cdcb0ac89bd62d8b76e iaStorV.sys
Intel Corporation

dce0b53570703cce580d066f89ef58cd igdkmd32.sys
Intel Corporation

4173ff5708f3236cf25195fecd742915 iirsp.sys
Intel Corp

2db41ba61d5e44d0667cf126d35dcf34 Impcd.sys
Intel Corporation

29061f25abb6e60a5b49fbeed7a5698a IntcDAud.sys
Intel Corporation

a0f12f2c9ba6c72f3987ce780e77c130 intelide.sys
Microsoft Corporation

3b514d27bfc4accb4037bc6685f766e0 intelppm.sys
Microsoft Corporation

709d1761d3b19a932ff0238ea6d50200 ipfltdrv.sys
Microsoft Corporation

4bd7134618c1d2a27466a099062547bf IPMIDrv.sys
Microsoft Corporation

a5fa468d67abcdaa36264e463a7bb0cd ipnat.sys
Microsoft Corporation

9f7e491fb0ba0f9e370163834fc1fe31 irda.sys
Microsoft Corporation

42996cff20a3084a56017b7902307e9f irenum.sys
Microsoft Corporation

1f32bb6b38f62f7df1a7ab7292638a35 isapnp.sys
Microsoft Corporation

adef52ca1aeae82b50df86b56413107e kbdclass.sys
Microsoft Corporation

9e3ced91863e6ee98c24794d05e27a71 kbdhid.sys
Microsoft Corporation

f4647bb23db9038a7536cf6b68f4207f ksecdd.sys
Microsoft Corporation

e73cae53bbb72ba26918492c6b4c229d ksecpkg.sys
Microsoft Corporation

5dcef0c32be0f33277326586fa503689 ks.sys
Microsoft Corporation

f7611ec07349979da9b0ae1f18ccc7a6 lltdio.sys
Microsoft Corporation

eb119a53ccf2acc000ac71b065b78fef lsi_fc.sys
LSI Corporation

dc9dc3d3daa0e276fd2ec262e38b11e9 lsi_sas2.sys
LSI Corporation

8ade1c877256a22e49b75d1cc9161f9c lsi_sas.sys
LSI Corporation

0a036c7d7cab643a7f07135ac47e0524 lsi_scsi.sys
LSI Corporation

6703e366cc18d3b6e534f5cf7df39cee luafv.sys
Microsoft Corporation

a05f0d7419cf4680eedd5736e6549e7b lv302af.sys
Logitech
Pv?StringFileInforBFCompanyNameLogicoolCo.,Ltd.dFileDescriptionAudiofilterforExpressPlus:rFileVersion...bInternalNamelvaf.sys.LegalCopyright©-Logicool.Allrightsreserved.@bOriginalFilenamelvaf.sys<ProductNameLogicoolQCam>rProductVersion...DVarFileInfo$Translation

4bb5ac2dd485b8eefccb977ee66a68ad LV302V32.SYS
Logitech
Pv?StringFileInfobBFCompanyNameLogicoolCo.,Ltd.RFileDescriptionLogicoolQCamDriver:rFileVersion...bInternalNamelvav.sys.LegalCopyright©-Logicool.Allrightsreserved.@bOriginalFilenamelvav.sys<ProductNameLogicoolQCam>rProductVersion...DVarFileInfo$Translation

b6e1ccd6572984adcae68439afd07011 lvrs.sys
Logitech
?StringFileInfoBFCompanyNameLogicoolCo.,Ltd.FileDescriptionLogicoolKernelAudioImprovementFilterDriver:rFileVersion...tInternalNameLVRS.sys.LegalCopyright©-Logicool.Allrightsreserved.:tOriginalFilenameLVRS.sysRProductNameLogicoolWebcamSoftware>rProductVersion...DVarFileInfo$Translation*

23f8ef78bb9553e465a476f3cee5ca18 LVUSBSta.sys
Logitech
Pv?StringFileInfojBFCompanyNameLogicoolCo.,Ltd.RFileDescriptionUSBStatisticDriver:rFileVersion...:rInternalNameLVUSBSta.sys.LegalCopyright©-Logicool.Allrightsreserved.BrOriginalFilenameLVUSBSta.sys<ProductNameLogicoolQCam>rProductVersion...DVarFileInfo$Translation*

6c42815dd57e397f0cd988304b5eb4b3 lvuvc.sys
Logitech
?StringFileInfoBFCompanyNameLogicoolCo.,Ltd.hFileDescriptionLogicoolUSBVideoClassDriver:rFileVersion...nInternalNamelvuvc.sys.LegalCopyright©-Logicool.Allrightsreserved.<nOriginalFilenamelvuvc.sysRProductNameLogicoolWebcamSoftware>rProductVersion...DVarFileInfo$Translation%

b7ca8cc3f978201856b6ab82f40953c3 mbam.sys
Malwarebytes Corporation

ef08d2ebe3eabba43cc57eee001027b6 mcd.sys
Microsoft Corporation

0fff5b045293002ab38eb1fd1fc2fb74 megasas.sys
LSI Corporation

dcbab2920c75f390caf1d29f675d03d6 MegaSR.sys
LSI Corporation

f001861e5700ee84e2d4e52c712f4964 modem.sys
Microsoft Corporation

79d10964de86b292320e9dfe02282a23 monitor.sys
Microsoft Corporation

b812da6605caf02641312f1f65c75419 motccgpfl.sys
Motorola

f4ea1193a52c8fe4b8a135e210abe546 motccgp.sys
Motorola

4813df77ede536a52e3737971f910baa motfilt.sys
Motorola

69814acd50a9d6d28296050ef6215d46 motmodem.sys
Motorola

ddc489d40b49f443787e7ffa75373522 Motousbnet.sys
Motorola

fd8c2cef7ad8b23c6714103d621fac1f motswch.sys
Motorola

f18898d418f43e74a93edc57e1f28bc9 motusbdevice.sys
Motorola

fb18cc1d4c2e716b6b903b0ac0cc0609 mouclass.sys
Microsoft Corporation

2c388d2cd01c9042596cf3c8f3c7b24d mouhid.sys
Microsoft Corporation

fc8771f45ecccfd89684e38842539b9b mountmgr.sys
Microsoft Corporation

2d699fb6e89ce0d8da14ecc03b3edfe0 mpio.sys
Microsoft Corporation

ad2723a7b53dd1aacae6ad8c0bfbf4d0 mpsdrv.sys
Microsoft Corporation

ceb46ab7c01c9f825f8cc6babc18166a mrxdav.sys
Microsoft Corporation

6d17a4791aca19328c685d256349fefc mrxsmb10.sys
Microsoft Corporation

b81f204d146000be76651a50670a5e9e mrxsmb20.sys
Microsoft Corporation

5d16c921e3671636c0eba3bbaac5fd25 mrxsmb.sys
Microsoft Corporation

012c5f4e9349e711e11e0f19a8589f0a msahci.sys
Microsoft Corporation

55055f8ad8be27a64c831322a780a228 msdsm.sys
Microsoft Corporation

daefb28e3af5a76abcc2c3078c07327f msfs.sys
Microsoft Corporation

3e1e5767043c5af9367f0056295e9f84 mshidkmdf.sys
Microsoft Corporation

0a4e5757ae09fa9622e3158cc1aef114 msisadrv.sys
Microsoft Corporation

cb7a9abb12b8415bce5d74994c7ba3ae msiscsi.sys
Microsoft Corporation

8c0860d6366aaffb6c5bb9df9448e631 mskssrv.sys
Microsoft Corporation

3ea8b949f963562cedbb549eac0c11ce mspclock.sys
Microsoft Corporation

f456e973590d663b1073e9c463b40932 mspqm.sys
Microsoft Corporation

0e008fc4819d238c51d7c93e7b41e560 msrpc.sys
Microsoft Corporation

fc6b9ff600cc585ea38b12589bd4e246 mssmbios.sys
Microsoft Corporation

b42c6b921f61a6e55159b8be6cd54a36 mstee.sys
Microsoft Corporation

33599130f44e1f34631cea241de8ac84 MTConfig.sys
Microsoft Corporation

159fad02f64e6381758c990f753bcc80 mup.sys
Microsoft Corporation

0e1787aa6c9191d3d319e8bafe86f80c ndiscap.sys
Microsoft Corporation

e7c54812a2aaf43316eb6930c1ffa108 ndis.sys
Microsoft Corporation

e4a8aec125a2e43a9e32afeea7c9c888 ndistapi.sys
Microsoft Corporation

d8a65dafb3eb41cbb622745676fcd072 ndisuio.sys
Microsoft Corporation

38fbe267e7e6983311179230facb1017 ndiswan.sys
Microsoft Corporation

a4bdc541e69674fbff1a8ff00be913f2 ndproxy.sys
Microsoft Corporation

80b275b1ce3b0e79909db7b39af74d51 netbios.sys
Microsoft Corporation

42b9d1ae7c8ed132619c7b63c44ad182 netbt.sys
Microsoft Corporation

2899ef7aeef6913ed4fcb0e8a7a04f46 netio.sys
Microsoft Corporation

5b2dfa9c5c02ddf2a113cc0f551b59df NETw5s32.sys
Intel Corporation

1d85c4b390b0ee09c7a46b91efb2c097 nfrd960.sys
IBM Corp

1db262a9f8c087e8153d89bef3d2235f npfs.sys
Microsoft Corporation

e9a0a4d07e53d8fea2bb8387a3293c58 nsiproxy.sys
Microsoft Corporation

81189c3d7763838e55c397759d49007a ntfs.sys
Microsoft Corporation

f9756a98d69098dca8945d62858a812c null.sys
Microsoft Corporation

68c890ddb21028cb1ea5551b47b29e1b nusb3hub.sys
ttX``VS_VERSION_INFO?bStringFileInfoBXCompanyNameNECElectronicsCorporationNFileDescriptionUSB.HubDriver`FileVersion...(nusbdrv.-):rInternalNameNUSBHUB.SYSx*LegalCopyright©-NECElectronicsCorporationBrOriginalFilenameNUSBHUB.SYSLProductNameUSB.DeviceDrivertProductVersion...DVarFileInfo$Translationt

2cf970c1a9e05d3b91039c2dd4471c0e nusb3xhc.sys
ttxxVS_VERSION_INFO?bStringFileInfoBXCompanyNameNECElectronicsCorporationfFileDescriptionUSB.HostControllerDriver`FileVersion...(nusbdrv.-):rInternalNameNUSBXHC.SYSx*LegalCopyright©-NECElectronicsCorporationBrOriginalFilenameNUSBXHC.SYSLProductNameUSB.DeviceDrivertProductVersion...DVarFileInfo$Translationt

5a0983915f02bae73267cc2a041f717d NV_AGP.SYS
Microsoft Corporation

8571011b62ce0207fa1dc95d88308f1d nvhda32v.sys
NVIDIA Corporation

0d4ec0cb32462c8578b17a9e94b7788b nvlddmkm.sys
NVIDIA Corporation

b3e25ee28883877076e0e1ff877d02e0 nvraid.sys
NVIDIA Corporation

4380e59a170d88c4f1022eff6719a8a4 nvstor.sys
NVIDIA Corporation

26384429fcd85d83746f63e798ab1480 nwifi.sys
Microsoft Corporation

08a70a1f2cdde9bb49b885cb817a66eb ohci1394.sys
Microsoft Corporation

6270ccae2a86de6d146529fe55b3246a pacer.sys
Microsoft Corporation

2ea877ed5dd9713c5ac74e8ea7348d14 parport.sys
Microsoft Corporation

bf8f6af06da75b336f07e23aef97d93b partmgr.sys
Microsoft Corporation

eb0a59f29c19b86479d36b35983daadc parvdm.sys
Microsoft Corporation

afe86f419014db4e5593f69ffe26ce0a pciide.sys
Microsoft Corporation

ede040d666ff81bf1978d0f19f799e7a pciidex.sys
Microsoft Corporation

673e55c3498eb970088e812ea820aa8f pci.sys
Microsoft Corporation

f396431b31693e71e8a80687ef523506 pcmcia.sys
Microsoft Corporation

250f6b43d2b613172035c6747aeeb19f pcw.sys
Microsoft Corporation

9e0104ba49f4e6973749a02bf41344ed PEAuth.sys
Microsoft Corporation

d72708c9f49500c13d7d067e169b7715 portcls.sys
Microsoft Corporation

85b1e3a0c7585bc4aae6899ec6fcf011 processr.sys
Microsoft Corporation

40fedd328f98245ad201cf5f9f311724 pxhelp20.sys
Sonic Solutions

ab95ecf1f6659a60ddc166d8315b0751 ql2300.sys
QLogic Corporation

b4dd51dd25182244b86737dc51af2270 ql40xx.sys
QLogic Corporation

584078ca1b95ca72df2a27c336f9719d qwavedrv.sys
Microsoft Corporation

30a81b53c766d0133bb86d234e5556ab rasacd.sys
Microsoft Corporation

d9f91eafec2815365cbe6d167e4e332a rasl2tp.sys
Microsoft Corporation

0fe8b15916307a6ac12bfb6a63e45507 raspppoe.sys
Microsoft Corporation

631e3e205ad6d86f2aed6a4a8e69f2db raspptp.sys
Microsoft Corporation

44101f495a83ea6401d886e7fd70096b rassstp.sys
Microsoft Corporation

d528bc58a489409ba40334ebf96a311b rdbss.sys
Microsoft Corporation

0d8f05481cb76e70e1da06ee9f0da9df rdpbus.sys
Microsoft Corporation

23dae03f29d253ae74c44f99e515f9a1 RDPCDD.sys
Microsoft Corporation

b973fcfc50dc1434e1970a146f7e3885 rdpdr.sys
Microsoft Corporation

5a53ca1598dd4156d44196d200c94b8a RDPENCDD.sys
Microsoft Corporation

44b0a53cd4f27d50ed461dae0c0b4e1f RDPREFMP.sys
Microsoft Corporation

288b06960d78428ff89e811632684e20 rdpwd.sys
Microsoft Corporation

518395321dc96fe2c9f0e96ac743b656 rdyboost.sys
Microsoft Corporation

001b4278407f4303efc902a2b16f2453 regi.sys
InterVideo

cb928d9e6daf51879dd6ba8d02f01321 rfcomm.sys
Microsoft Corporation

df672613fbbcd58c38bb0bc2694bcfb0 rimmptsk.sys
Ricoh Company

e891f07815af88075705ef6a248711f6 rimspe86.sys
Ricoh Company

9bfb54d3559f2ff7301271d29d383564 rimsptsk.sys
Ricoh Company

d853d35f792a3a44726a794bf9a0bbc3 risdpe86.sys
Ricoh Company

470fc46e2989f6606043c1c5365b15fd rismc32.sys
tH`VS_VERSION_INFObb?aStringFileInfoE=CompanyNameRICOHCompany,Ltd.*

cf2de2365fd99e5b8e38c9f3467dcdb8 rixdpe86.sys
Ricoh Company

dcb87da83cc1010cbc9fc4dc9e395bbc rixdptsk.sys
Ricoh Company

906dcfc5ebf4ec0433f8d4fffb0ba334 rmcast.sys
Microsoft Corporation

7400cfab5cf36f2294e80b3f3bda3ebc RNDISMP.sys
Microsoft Corporation

564297827d213f52c7a3a2ff749568ca rootmdm.sys
Microsoft Corporation

032b0d36ad92b582d869879f5af5b928 rspndr.sys
Microsoft Corporation

7dfd48e24479b68b258d8770121155a0 Rt86win7.sys
Realtek Corporation

44b7739f2d623ad6fb46755bb60351a4 rtl8192se.sys
Realtek Semiconductor

05d860da1040f111503ac416ccef2bca sbp2port.sys
Microsoft Corporation

0693b5ec673e34dc147e195779a4dcf6 scfilter.sys
Microsoft Corporation

099972e1faf4950d3994fbab9dd21253 scsiport.sys
Microsoft Corporation

0328be1c7f1cba23848179f8762e391c sdbus.sys
Microsoft Corporation

90a3935d05b494a5a39d37e71f09a677 secdrv.sys
Macrovision Corporation

9ad8b8b515e3df6acd4212ef465de2d1 serenum.sys
Microsoft Corporation

5fb7fcea0490d821f26f39cc5ea3d1e2 serial.sys
Microsoft Corporation

79bffb520327ff916a582dfea17aa813 sermouse.sys
Microsoft Corporation

9f976e1eb233df46fce808d9dea3eb9c sffdisk.sys
Microsoft Corporation

932a68ee27833cfd57c1639d375f2731 sffp_mmc.sys
Microsoft Corporation

6d4ccaedc018f1cf52866bbbaa235982 sffp_sd.sys
Microsoft Corporation

db96666cc8312ebc45032f30b007a547 sfloppy.sys
Microsoft Corporation

2565cac0dc9fe0371bdce60832582b2e SISAGP.SYS
Microsoft Corporation

a9f0486851becb6dda1d89d381e71055 sisraid2.sys
Silicon Integrated Systems

3727097b55738e2f554972c3be5bc1aa sisraid4.sys
Silicon Integrated Systems

3e21c083b8a01cb70ba1f09303010fce smb.sys
Microsoft Corporation

2e467e6ca8e0a140c08011844c0d3936 smclib.sys
Microsoft Corporation

c232888d168092ef997856d902160929 sncduvc.sys

4d8a49526aa035b1a8ff3fe6807783f5 snp2uvc.sys
?bStringFileInfobCommentsCompanyName`FileDescriptionUVCCameraStreamingDriver>FileVersion,,,InternalNameLLegalCopyrightCopyright-(LegalTrademarks(OriginalFilenameDPrivateBuildNoI,v...nProductNameHPWebcamBProductVersion,,,:rSpecialBuildPureVersionDVarFileInfo$Translationt*

95cf1ae7527fb70f7816563cbc09d942 spldr.sys
Microsoft Corporation

d16d818e9930a6e5b4f6476dd0998d1a spsys.sys
Microsoft Corporation

e2f9e5887bea5bd8784d337e06eda31b srtspl.sys
Symantec Corporation

2abf82c8452ab0b9ffc74a2d5da91989 srtsp.sys
Symantec Corporation

3b974c158fabd910186f98df8d3e23f3 srtspx.sys
Symantec Corporation

03f0545bd8d4c77fa0ae1ceedfcc71ab srv2.sys
Microsoft Corporation

be6bd660caa6f291ae06a718a4fa8abc srvnet.sys
Microsoft Corporation

e4c2764065d66ea1d2d3ebc28fe99c46 srv.sys
Microsoft Corporation

db32d325c192b801df274bfd12a7e72b stexstor.sys
Promise Technology

ef3d32464ebbb10449465c8cab57ca19 storport.sys
Microsoft Corporation

dcaffd62259e0bdb433dd67b5bb37619 storvsc.sys
Microsoft Corporation

45b44fc9e5ac0db02b19d515ee809de5 stream.sys
Microsoft Corporation

b205de6202b6a019403cf6395d047ca8 stwrt.sys
nq?btStringFileInfoBnCompanyNameIDT,Inc.BrFileDescriptionIDTPCAudiobFileVersion...bInternalNameIDTPCAh"LegalCopyrightCopyright-IDT,Inc.<nOriginalFilenamestwrt.sys:rProductNameIDTPCAudio<bProductVersion...BrLegalTrademarksIDTPCAudiol*CommentsAllRightsReserved-IDT,Inc.DVarFileInfo$Translationt

e58c78a848add9610a4db6d214af5224 swenum.sys
Microsoft Corporation

51b57cda977170ac608d839dbfa1d3ee symdns.sys
Symantec Corporation

a54ff04bd6e75dc4d8cb6f3e352635e0 SYMEVENT.SYS
Symantec Corporation

a131d8360b01044517aa44529e2137d6 symfw.sys
Symantec Corporation

2b77868f02dae02103380b824431b798 symids.sys
Symantec Corporation

7d3addfe63e5227bd2dbd5692bafb688 symndisv.sys
Symantec Corporation

394b2368212114d538316812af60fddd symredrv.sys
Symantec Corporation

d46676bb414c7531bdffe637a33f5033 symtdi.sys
Symantec Corporation

0e8676fb3bb95aa40fdf7a4a31018c8b SynTP.sys
Synaptics

1295b1da3e2a2c24c7d176f6e97afbd1 SysPlant.sys
Symantec Corporation

949c35bf4ae6c110a924ab5e2175dda7 tape.sys
Microsoft Corporation

cca24162e055c3714ce5a88b100c64ed tcpipreg.sys
Microsoft Corporation

65d10b191c59c5501a1263fc33f6894b tcpip.sys
Microsoft Corporation

2f885864d5bc8a16c86bee595969a48a tdi.sys
Microsoft Corporation

1cb91b2bd8f6dd367dfc2ef26fd751b2 tdpipe.sys
Microsoft Corporation

2c10395baa4847f83042813c515cc289 tdtcp.sys
Microsoft Corporation

b459575348c20e8121d6039da063c704 tdx.sys
Microsoft Corporation

1de2e1357552a79f39bff003a11c533e Teefer2.sys
Symantec Corporation

04dbf4b01ea4bf25a9a3e84affac9b20 termdd.sys
Microsoft Corporation

5ad05191dc8b444a7ba4d79b76c42a30 tpm.sys
Microsoft Corporation

254bb140eee3c59d6114c1a86b636877 tssecsrv.sys
Microsoft Corporation

fd1d6c73e6333be727cbcc6054247654 TsUsbFlt.sys
Microsoft Corporation

01246f0baad7b68ec0f472aa41e33282 TsUsbGD.sys
Microsoft Corporation

b2fa25d9b17a68bb93d58b0556e8c90d tunnel.sys
Microsoft Corporation

750fbcb269f4d7dd2e420c56b795db6d UAGP35.SYS
Microsoft Corporation

ee43346c7e4b5e63e54f927babbb32ff udfs.sys
Microsoft Corporation

44e8048ace47befbfdc2e9be4cbc8880 ULIAGPKX.SYS
Microsoft Corporation

d295bed4b898f0fd999fcfa9b32b071b umbus.sys
Microsoft Corporation

7550ad0c6998ba1cb4843e920ee0feac umpass.sys
Microsoft Corporation

b71da871254d96d0349639d03e4c1cc1 usb8023.sys
Microsoft Corporation

d4fb6ecc60a428564ba8768b0e23c0fc usbaapl.sys
Apple

1d9f2bd026e8e2d45033a4df3f16b78c USBAUDIO.sys
Microsoft Corporation

e071e5be621fec4590117c488a78ae32 USBCAMD2.sys
Microsoft Corporation

fd82d2b38c465a55c527e339ba1201b1 USBCAMD.sys
Microsoft Corporation

bd9c55d7023c5de374507acc7a14e2ac usbccgp.sys
Microsoft Corporation

04ec7cec62ec3b6d9354eee93327fc82 usbcir.sys
Microsoft Corporation

5787196f32d043572ec6565c0ef1b8e0 usbd.sys
Microsoft Corporation

f92de757e4b7ce9c07c5e65423f3ae3b usbehci.sys
Microsoft Corporation

8dc94aec6a7e644a06135ae7506dc2e9 usbhub.sys
Microsoft Corporation

e185d44fac515a18d9deddc23c2cdf44 usbohci.sys
Microsoft Corporation

3aa940aa9ac3055fe32ff2d3d20ccd28 usbport.sys
Microsoft Corporation

797d862fe0875e75c7cc4c1ad7b30252 usbprint.sys
Microsoft Corporation

1a078c3fe1c1f9c8561cd600c69ad300 usbrpm.sys
Microsoft Corporation

576096ccbc07e7c4ea4f5e6686d6888f usbscan.sys
Microsoft Corporation

f991ab9cc6b908db552166768176896a USBSTOR.SYS
Microsoft Corporation

68df884cf41cdada664beb01daf67e3d usbuhci.sys
Microsoft Corporation

45f4e7bf43db40a6c6b4d92c76cbc3f2 usbvideo.sys
Microsoft Corporation

a059c4c3edb09e07d21a8e5c0aabd3cb vdrvroot.sys
Microsoft Corporation

17c408214ea61696cec9c66e388b14f3 vgapnp.sys
Microsoft Corporation

8e38096ad5c8570a6f1570a61e251561 vga.sys
Microsoft Corporation

5461686cca2fda57b024547733ab42e3 vhdmp.sys
Microsoft Corporation

c829317a37b4bea8f39735d4b076e923 VIAAGP.SYS
Microsoft Corporation

e02f079a6aa107f06b16549c6e5c7b74 viac7.sys
Microsoft Corporation

e43574f6a56a0ee11809b48c09e4fd3c viaide.sys
VIA Technologies

15c126d1b55814b9e5cab10a9c1f4c67 videoprt.sys
Microsoft Corporation

d4d77455211e204f370d08f4963063ce VMBusHID.sys
Microsoft Corporation

c2f2911156fdc7817c52829c86da494e vmbus.sys
Microsoft Corporation

7fa7f2e249a5dcbb7970630e15e1f482 vms3cap.sys
Microsoft Corporation

472af0311073dceceaa8fa18ba2bdf89 vmstorfl.sys
Microsoft Corporation

4c63e00f2f4b5f86ab48a58cd990f212 volmgr.sys
Microsoft Corporation

b5bb72067ddddbbfb04b2f89ff8c3c87 volmgrx.sys
Microsoft Corporation

f497f67932c6fa693d7de2780631cfe7 volsnap.sys
Microsoft Corporation

9dfa0cc2f8855a04816729651175b631 vsmraid.sys
VIA Technologies

90567b1e658001e79d7c8bbd3dde5aa6 vwifibus.sys
Microsoft Corporation

7090d3436eeb4e7da3373090a23448f7 vwififlt.sys
Microsoft Corporation

a3f04cbea6c2a10e6cb01f8b47611882 vwifimp.sys
Microsoft Corporation

de3721e89c653aa281428c8a69745d90 wacompen.sys
Microsoft Corporation

3c3c78515f5ab448b022bdf5b8ffdd2e wanarp.sys
Microsoft Corporation

cb45a417c8ef7ba6bac67edcdded8700 watchdog.sys
Microsoft Corporation

9950e3d0f08141c7e89e64456ae7dc73 Wdf01000.sys
Microsoft Corporation

fe7a7675c26fe936226641ef32ae9bb5 WdfLdr.sys
Microsoft Corporation

1112a9badacb47b7c0bb0392e3158dff wd.sys
Microsoft Corporation

8b9a943f3b53861f2bfaf6c186168f79 wfplwf.sys
Microsoft Corporation

5cf95b35e59e2a38023836fff31be64c wimmount.sys
Microsoft Corporation

62ba4fdca65bdb69695e0d1157c57717 winhv.sys
Microsoft Corporation

a67e5f9a400f3bd1be3d80613b45f708 winusb.sys
Microsoft Corporation

0217679b8fca58714c3bf2726d2ca84e wmiacpi.sys
Microsoft Corporation

9a5b1059fe015db5269fbb25acbf841d wmilib.sys
Microsoft Corporation

c1620ebb375d3b02e31fd311c44fedeb WPSDRVnt.sys
Symantec Corporation

ff983a25ae6f7d3f87f26bf51f02a201 wpshelper.sys
Symantec Corporation

6db3276587b853bf886b69528fdb048c ws2ifsl.sys
Microsoft Corporation

e714a1c0354636837e20ccbf00888ee7 WUDFPf.sys
Microsoft Corporation

1023ee888c9b47178c5293ed5336ab69 WUDFRd.sys
Microsoft Corporation

fffe44ecc79187dc3d1951832ab63fc5 yk62x86.sys
Marvell

Attached Files


Edited by Noviciate, 08 March 2012 - 03:46 PM.


#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:10 AM

Posted 08 March 2012 - 03:46 PM

Good evening. :)

I'll need to do a little checking and I'll get back to you as soon as.

So long, and thanks for all the fish.


#13 sewerman

sewerman
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:10 AM

Posted 08 March 2012 - 03:50 PM

Okay, thanks for touching base...

#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:10 AM

Posted 09 March 2012 - 05:02 PM

Good evening. :)

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • When prompted "Would you like to download latest Avast! virus definitions?" click No .
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully" click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.


#15 sewerman

sewerman
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:10 AM

Posted 12 March 2012 - 11:39 AM

Hi,

Attached is the file you requested.

Regards,

sewerman
