
Trojan.Agent/Gen-Packed[LordPE].Process


  • This topic is locked
22 replies to this topic

#1 swanand

  • Members
  • 11 posts

Posted 10 January 2013 - 05:56 AM

Hey, I have been suffering from a virus problem for the last 2 weeks. This virus disables Task Manager and regedit. I guess the problem is now solved by using Malwarebytes and SUPERAntiSpyware. But every time I scan my PC with either of these malware removers, they end up with 30-40 threats and say to restart the PC to successfully remove them. But the threats are persistent. Also I can see some weird .exe and .pif files in my drives, which reappear even after deleting them.



DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer:
Run by Vic at 16:05:33 on 2013-01-10
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2010.1302 [GMT 5.5:30]
.
.
============== Running Processes ================
.
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.in/
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: EnableLUA = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: DisableRegistryTools = dword:1
mPolicies-System: DISABLETASKMGR = dword:1
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{22CC374C-1104-4AD0-B88F-32F3EF0D1CD2} : NameServer = 202.54.1.18,172.31.6.5
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\vic\application data\mozilla\firefox\profiles\nl0prazl.default\
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - ExtSQL: 2013-01-09 01:17; {FFB96CC1-7EB3-449D-B827-DB661701C6BB}; c:\program files\checkpoint\zaforcefield\TrustChecker
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-13 67664]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2013-1-2 528000]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-12 116608]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2012-11-22 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2012-11-22 571048]
RUnknown amsint32;amsint32; [x]
S2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
.
=============== Created Last 30 ================
.
2013-01-10 09:57:37 -------- d-----w- c:\documents and settings\vic\local settings\application data\ApexDC++
2013-01-10 09:57:37 -------- d-----w- c:\documents and settings\vic\application data\ApexDC++
2013-01-10 09:57:27 -------- d-----w- c:\program files\ApexDC++
2013-01-09 19:20:07 -------- d-----w- c:\program files\VideoLAN
2013-01-09 17:12:10 -------- d-----w- c:\documents and settings\vic\local settings\application data\Temp
2013-01-09 17:11:58 -------- d-----w- c:\documents and settings\vic\application data\SUPERAntiSpyware.com
2013-01-09 17:11:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-01-09 17:11:41 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2013-01-09 07:47:59 68608 -c--a-w- c:\windows\system32\dllcache\iisext51.dll
2013-01-09 07:40:37 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2013-01-09 07:40:37 24661 ----a-w- c:\windows\system32\spxcoins.dll
2013-01-09 07:40:37 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2013-01-09 07:40:37 13312 ----a-w- c:\windows\system32\irclass.dll
2013-01-09 07:40:25 13753 ----a-r- c:\windows\SET34.tmp
2013-01-09 07:40:23 1086058 ----a-r- c:\windows\SET28.tmp
2013-01-09 07:40:21 1042903 ----a-r- c:\windows\SET25.tmp
.
==================== Find3M ====================
.
.
============= FINISH: 16:06:15.29 ===============
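As an added triage example (not code from the post or from the DDS tool itself), the Python script below parses the policy and service lines of a DDS log and flags the settings behind the symptoms described above: the sample lines are copied from the log in this post, while the rule table, the reading of the `[x]` marker and the assumption that DDS prints `dword:` values in decimal are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a handful of lines copied from the DDS log in the
# post above ("Pseudo HJT Report" policies and "SERVICES / DRIVERS" entries).
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.co.in/
mRun: [RTHDCPL] RTHDCPL.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: EnableLUA = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: DisableRegistryTools = dword:1
mPolicies-System: DISABLETASKMGR = dword:1
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
RUnknown amsint32;amsint32; [x]
S2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
""".strip()

# DDS policy lines: scope prefix (u = HKCU, m = HKLM, d = default user),
# registry key under Policies, value name and a dword value.
POLICY_RE = re.compile(
    r"^(?P<scope>[umd])Policies-(?P<key>\w+):\s*(?P<name>\w+)\s*=\s*dword:(?P<value>\d+)$"
)
# DDS service/driver lines: start type, then "name;display name;path [date size]".
SERVICE_RE = re.compile(
    r"^(?P<start>[RS](?:\d|Unknown))\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)

# Value names are matched case-insensitively because DDS prints them as stored
# (DISABLETASKMGR in the log). Assumption: DDS prints dword values in decimal,
# which is why the hardened NoDriveTypeAutoRun value shows up as 145 (0x91).
POLICY_RULES = {
    "disabletaskmgr": (1, "high", "Task Manager disabled by policy"),
    "disableregistrytools": (1, "high", "Registry Editor disabled by policy"),
    "enablelua": (0, "info", "EnableLUA=0 (UAC disabled; no effect on XP, relevant on Vista and later)"),
}


@dataclass(frozen=True)
class Finding:
    severity: str  # "info", "medium" or "high"
    reason: str
    line: str


def triage_dds(text: str) -> list[Finding]:
    """Flag policy tampering and registered services whose file is missing."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            rule = POLICY_RULES.get(m.group("name").lower())
            if rule and int(m.group("value")) == rule[0]:
                findings.append(Finding(rule[1], rule[2], line))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group("rest").strip().endswith("[x]"):
            # "[x]" in DDS marks a service that is registered but whose file
            # was not found on disk: a leftover of a removed component or
            # something that hides or deletes itself; either way, review it.
            findings.append(Finding(
                "medium",
                f"service {m.group('name')!r} is registered but its file was not found",
                line,
            ))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    """Overall verdict for a log: the highest severity among its findings."""
    order = {"info": 0, "medium": 1, "high": 2}
    return max((f.severity for f in findings), key=order.__getitem__, default="none")


if __name__ == "__main__":
    found = triage_dds(SAMPLE_DDS)
    for f in found:
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print("verdict:", worst_severity(found))
```

Running it against the full log is a matter of passing the file contents instead of the embedded sample; the hardened NoDriveTypeAutoRun entries are deliberately not reported.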


#2 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 10 January 2013 - 10:25 AM

Please run the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool.
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 swanand

  • Topic Starter

  • Members
  • 11 posts

Posted 12 January 2013 - 12:34 PM

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-01-12 22:53:17
-----------------------------
22:53:17.312 OS Version: Windows 5.1.2600 Service Pack 2
22:53:17.312 Number of processors: 2 586 0x170A
22:53:17.312 ComputerName: VICKY UserName: Vic
22:53:19.484 Initialize success
22:59:32.515 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-5
22:59:32.515 Disk 0 Vendor: Hitachi_HDP725025GLA380 GM2OA5CA Size: 238475MB BusType: 3
22:59:32.531 Disk 0 MBR read successfully
22:59:32.531 Disk 0 MBR scan
22:59:32.531 Disk 0 Windows XP default MBR code
22:59:32.531 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 60000 MB offset 63
22:59:32.531 Disk 0 Partition - 00 0F Extended LBA 178464 MB offset 122881185
22:59:32.546 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 60000 MB offset 122881248
22:59:32.546 Disk 0 Partition - 00 05 Extended 60000 MB offset 245762370
22:59:32.578 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 60000 MB offset 245762433
22:59:32.578 Disk 0 Partition - 00 05 Extended 58463 MB offset 491524740
22:59:32.593 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 58463 MB offset 368643618
22:59:32.593 Disk 0 scanning sectors +488376000
22:59:32.656 Disk 0 scanning C:\WINDOWS\system32\drivers
22:59:35.890 Service scanning
22:59:42.828 Modules scanning
22:59:46.531 Disk 0 trace - called modules:
22:59:46.562 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
22:59:46.562 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89d8dab8]
22:59:46.562 3 CLASSPNP.SYS[ba0e905b] -> nt!IofCallDriver -> \Device\0000005f[0x89d90f18]
22:59:46.562 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-5[0x89d8f940]
22:59:46.578 Scan finished successfully
23:00:08.343 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Vic\Desktop\MBR.dat"
23:00:08.343 The log file has been saved successfully to "C:\Documents and Settings\Vic\Desktop\aswMBR.txt"

Attached Files

  • Attached File: MBR.zip (511 bytes)


#4 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 12 January 2013 - 03:20 PM

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • click OK
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If TDLFS File System is found then ensure Cure is selected (if Cure is not available, select Skip)
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



NEXT



Download ComboFix from the following location:

Link 1

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 swanand

  • Topic Starter

  • Members
  • 11 posts

Posted 13 January 2013 - 01:31 PM

Hey, the link you specified for TDSSKiller was not working for me. Hence I googled and found this link. http://download.cnet.com/Kaspersky-TDSSKiller/3000-2239_4-12684178.html

23:32:54.0281 6468 TDSS rootkit removing tool 2.8.7.0 Aug 20 2012 17:30:03
23:32:56.0281 6468 ============================================================
23:32:56.0281 6468 Current date / time: 2013/01/13 23:32:56.0281
23:32:56.0281 6468 SystemInfo:
23:32:56.0281 6468
23:32:56.0281 6468 OS Version: 5.1.2600 ServicePack: 2.0
23:32:56.0281 6468 Product type: Workstation
23:32:56.0281 6468 ComputerName: VICKY
23:32:56.0281 6468 UserName: Vic
23:32:56.0281 6468 Windows directory: C:\WINDOWS
23:32:56.0281 6468 System windows directory: C:\WINDOWS
23:32:56.0281 6468 Processor architecture: Intel x86
23:32:56.0281 6468 Number of processors: 2
23:32:56.0281 6468 Page size: 0x1000
23:32:56.0281 6468 Boot type: Normal boot
23:32:56.0281 6468 ============================================================
23:32:57.0781 6468 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
23:32:57.0781 6468 ============================================================
23:32:57.0781 6468 \Device\Harddisk0\DR0:
23:32:57.0781 6468 MBR partitions:
23:32:57.0781 6468 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x7530462
23:32:57.0796 6468 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x75304E0, BlocksNum 0x7530462
23:32:57.0828 6468 \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0xEA60981, BlocksNum 0x7530462
23:32:57.0859 6468 \Device\Harddisk0\DR0\Partition4: MBR, Type 0x7, StartLBA 0x15F90E22, BlocksNum 0x722F89E
23:32:57.0859 6468 ============================================================
23:32:57.0921 6468 C: <-> \Device\Harddisk0\DR0\Partition1
23:32:58.0000 6468 D: <-> \Device\Harddisk0\DR0\Partition2
23:32:58.0031 6468 E: <-> \Device\Harddisk0\DR0\Partition3
23:32:58.0062 6468 F: <-> \Device\Harddisk0\DR0\Partition4
23:32:58.0062 6468 ============================================================
23:32:58.0062 6468 Initialize success
23:32:58.0062 6468 ============================================================
23:33:20.0890 11444 ============================================================
23:33:20.0890 11444 Scan started
23:33:20.0890 11444 Mode: Manual; TDLFS;
23:33:20.0890 11444 ============================================================
23:33:21.0437 11444 ================ Scan system memory ========================
23:33:21.0437 11444 System memory - ok
23:33:21.0437 11444 ================ Scan services =============================
23:33:21.0546 11444 [ 01E81C84AD1D0ACC61CF3CFD06632210 ] !SASCORE C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
23:33:21.0546 11444 !SASCORE - ok
23:33:21.0578 11444 Abiosdsk - ok
23:33:21.0578 11444 abp480n5 - ok
23:33:21.0609 11444 [ A10C7534F7223F4A73A948967D00E69B ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
23:33:21.0625 11444 ACPI - ok
23:33:21.0656 11444 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
23:33:21.0656 11444 ACPIEC - ok
23:33:21.0656 11444 adpu160m - ok
23:33:21.0687 11444 [ 841F385C6CFAF66B58FBD898722BB4F0 ] aec C:\WINDOWS\system32\drivers\aec.sys
23:33:21.0687 11444 aec - ok
23:33:21.0703 11444 [ 5AC495F4CB807B2B98AD2AD591E6D92E ] AFD C:\WINDOWS\System32\drivers\afd.sys
23:33:21.0703 11444 AFD - ok
23:33:21.0703 11444 Aha154x - ok
23:33:21.0703 11444 aic78u2 - ok
23:33:21.0703 11444 aic78xx - ok
23:33:21.0734 11444 [ C7AE0FD3867DB0D42B03B73C18F3D671 ] Alerter C:\WINDOWS\system32\alrsvc.dll
23:33:21.0734 11444 Alerter - ok
23:33:21.0750 11444 [ F1958FBF86D5C004CF19A5951A9514B7 ] ALG C:\WINDOWS\System32\alg.exe
23:33:21.0765 11444 ALG - ok
23:33:21.0765 11444 AliIde - ok
23:33:21.0765 11444 amsint - ok
23:33:21.0781 11444 [ 9C3C12975C97119412802B181FBEEFFE ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
23:33:21.0781 11444 AppMgmt - ok
23:33:21.0781 11444 asc - ok
23:33:21.0781 11444 asc3350p - ok
23:33:21.0796 11444 asc3550 - ok
23:33:21.0796 11444 [ 02000ABF34AF4C218C35D257024807D6 ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
23:33:21.0796 11444 AsyncMac - ok
23:33:21.0812 11444 [ CDFE4411A69C224BD1D11B2DA92DAC51 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
23:33:21.0812 11444 atapi - ok
23:33:21.0828 11444 Atdisk - ok
23:33:21.0828 11444 [ EC88DA854AB7D7752EC8BE11A741BB7F ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
23:33:21.0828 11444 Atmarpc - ok
23:33:21.0828 11444 [ DB66DB626E4882EBEF55F136F12C1829 ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
23:33:21.0843 11444 AudioSrv - ok
23:33:21.0859 11444 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
23:33:21.0859 11444 audstub - ok
23:33:21.0906 11444 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
23:33:21.0906 11444 Beep - ok
23:33:21.0937 11444 [ 2C69EC7E5A311334D10DD95F338FCCEA ] BITS C:\WINDOWS\system32\qmgr.dll
23:33:21.0953 11444 BITS - ok
23:33:21.0984 11444 [ E3CFCCDDA4EDD1D0DC9168B2E18F27B8 ] Browser C:\WINDOWS\System32\browser.dll
23:33:21.0984 11444 Browser - ok
23:33:22.0000 11444 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
23:33:22.0000 11444 cbidf2k - ok
23:33:22.0000 11444 cd20xrnt - ok
23:33:22.0000 11444 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
23:33:22.0000 11444 Cdaudio - ok
23:33:22.0031 11444 [ CD7D5152DF32B47F4E36F710B35AAE02 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
23:33:22.0031 11444 Cdfs - ok
23:33:22.0046 11444 [ AF9C19B3100FE010496B1A27181FBF72 ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
23:33:22.0046 11444 Cdrom - ok
23:33:22.0046 11444 Changer - ok
23:33:22.0062 11444 [ 3192BD04D032A9C4A85A3278C268A13A ] CiSvc C:\WINDOWS\system32\cisvc.exe
23:33:22.0062 11444 CiSvc - ok
23:33:22.0062 11444 [ C8DEC22C4137D7A90F8BDF41CA4B82AE ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
23:33:22.0062 11444 ClipSrv - ok
23:33:22.0062 11444 CmdIde - ok
23:33:22.0062 11444 COMSysApp - ok
23:33:22.0078 11444 Cpqarray - ok
23:33:22.0093 11444 [ 10654F9DDCEA9C46CFB77554231BE73B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
23:33:22.0093 11444 CryptSvc - ok
23:33:22.0093 11444 dac2w2k - ok
23:33:22.0093 11444 dac960nt - ok
23:33:22.0109 11444 [ 5C83A4408604F737717AB96371201680 ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
23:33:22.0109 11444 DcomLaunch - ok
23:33:22.0125 11444 [ CB6CA3E5261D65F6F809EED23BF167AA ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
23:33:22.0125 11444 Dhcp - ok
23:33:22.0140 11444 [ 00CA44E4534865F8A3B64F7C0984BFF0 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
23:33:22.0140 11444 Disk - ok
23:33:22.0140 11444 dmadmin - ok
23:33:22.0171 11444 [ C0FBB516E06E243F0CF31F597E7EBF7D ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
23:33:22.0171 11444 dmboot - ok
23:33:22.0203 11444 [ F5E7B358A732D09F4BCF2824B88B9E28 ] dmio C:\WINDOWS\system32\DRIVERS\dmio.sys
23:33:22.0203 11444 dmio - ok
23:33:22.0218 11444 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
23:33:22.0218 11444 dmload - ok
23:33:22.0234 11444 [ 1639D9964C9E1B2ECCA95C8217D3E70D ] dmserver C:\WINDOWS\System32\dmserver.dll
23:33:22.0250 11444 dmserver - ok
23:33:22.0281 11444 [ A6F881284AC1150E37D9AE47FF601267 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
23:33:22.0281 11444 DMusic - ok
23:33:22.0312 11444 [ 7379DE06FD196E396A00AA97B990C00D ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
23:33:22.0312 11444 Dnscache - ok
23:33:22.0312 11444 dpti2o - ok
23:33:22.0328 11444 [ 1ED4DBBAE9F5D558DBBA4CC450E3EB2E ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
23:33:22.0328 11444 drmkaud - ok
23:33:22.0343 11444 [ 67DFF7BBBD0E80AAB7B3CF061448DB8A ] ERSvc C:\WINDOWS\System32\ersvc.dll
23:33:22.0343 11444 ERSvc - ok
23:33:22.0359 11444 [ C6CE6EEC82F187615D1002BB3BB50ED4 ] Eventlog C:\WINDOWS\system32\services.exe
23:33:22.0359 11444 Eventlog - ok
23:33:22.0359 11444 [ ACD36A2DD7D1E9D8A060AA651DC07E63 ] EventSystem C:\WINDOWS\system32\es.dll
23:33:22.0359 11444 EventSystem - ok
23:33:22.0375 11444 [ 3117F595E9615E04F05A54FC15A03B20 ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
23:33:22.0375 11444 Fastfat - ok
23:33:22.0390 11444 [ E7518DC542D3EBDCB80EDD98462C7821 ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
23:33:22.0390 11444 FastUserSwitchingCompatibility - ok
23:33:22.0453 11444 [ CED2E8396A8838E59D8FD529C680E02C ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
23:33:22.0453 11444 Fdc - ok
23:33:22.0484 11444 [ E153AB8A11DE5452BCF5AC7652DBF3ED ] Fips C:\WINDOWS\system32\drivers\Fips.sys
23:33:22.0484 11444 Fips - ok
23:33:22.0546 11444 [ 0DD1DE43115B93F4D85E889D7A86F548 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys
23:33:22.0546 11444 Flpydisk - ok
23:33:22.0578 11444 [ 157754F0DF355A9E0A6F54721914F9C6 ] FltMgr C:\WINDOWS\system32\DRIVERS\fltMgr.sys
23:33:22.0578 11444 FltMgr - ok
23:33:22.0593 11444 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
23:33:22.0593 11444 Fs_Rec - ok
23:33:22.0593 11444 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
23:33:22.0593 11444 Ftdisk - ok
23:33:22.0609 11444 [ C0F1D4A21DE5A415DF8170616703DEBF ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
23:33:22.0609 11444 Gpc - ok
23:33:22.0703 11444 [ 21880A7CD07C54540A530CC251B37E5C ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
23:33:22.0703 11444 gupdate - ok
23:33:22.0703 11444 [ 21880A7CD07C54540A530CC251B37E5C ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
23:33:22.0703 11444 gupdatem - ok
23:33:22.0750 11444 [ 3FCC124B6E08EE0E9351F717DD136939 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
23:33:22.0750 11444 HDAudBus - ok
23:33:22.0828 11444 [ 8827911A8C37E40C027CBFC88E69D967 ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
23:33:22.0828 11444 helpsvc - ok
23:33:22.0921 11444 [ 9376E6893E52B368ABC6255BF54F0B28 ] HidServ C:\WINDOWS\System32\hidserv.dll
23:33:22.0921 11444 HidServ - ok
23:33:22.0953 11444 [ 1DE6783B918F540149AA69943BDFEBA8 ] hidusb C:\WINDOWS\system32\DRIVERS\hidusb.sys
23:33:22.0953 11444 hidusb - ok
23:33:22.0953 11444 hpn - ok
23:33:23.0046 11444 [ C19B522A9AE0BBC3293397F3055E80A1 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
23:33:23.0046 11444 HTTP - ok
23:33:23.0093 11444 [ 064D8581ADF77C25133E7D751D917D83 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
23:33:23.0109 11444 HTTPFilter - ok
23:33:23.0109 11444 i2omgmt - ok
23:33:23.0109 11444 i2omp - ok
23:33:23.0140 11444 [ 5502B58EEF7486EE6F93F3F164DCB808 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
23:33:23.0140 11444 i8042prt - ok
23:33:23.0296 11444 [ 3B743262B6456167888D15F1121B3BF7 ] ialm C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
23:33:23.0406 11444 ialm - ok
23:33:23.0453 11444 [ F8AA320C6A0409C0380E5D8A99D76EC6 ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
23:33:23.0453 11444 Imapi - ok
23:33:23.0484 11444 [ FA788520BCAC0F5D9D5CDE5615C0D931 ] ImapiService C:\WINDOWS\system32\imapi.exe
23:33:23.0484 11444 ImapiService - ok
23:33:23.0484 11444 ini910u - ok
23:33:23.0562 11444 [ 9400FE73FD4265ADAAAA1F25ECBCEF3E ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys
23:33:23.0593 11444 Suspicious file (Forged): C:\WINDOWS\system32\drivers\RtkHDAud.sys. Real md5: 9400FE73FD4265ADAAAA1F25ECBCEF3E, Fake md5: 2CB7C44A36B54D1712EA3E537CA827B1
23:33:23.0593 11444 IntcAzAudAddService ( ForgedFile.Multi.Generic ) - warning
23:33:23.0593 11444 IntcAzAudAddService - detected ForgedFile.Multi.Generic (1)
23:33:23.0609 11444 IntelIde - ok
23:33:23.0640 11444 [ 279FB78702454DFF2BB445F238C048D2 ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
23:33:23.0640 11444 intelppm - ok
23:33:23.0671 11444 [ 4448006B6BC60E6C027932CFC38D6855 ] Ip6Fw C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
23:33:23.0671 11444 Ip6Fw - ok
23:33:23.0687 11444 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
23:33:23.0687 11444 IpFilterDriver - ok
23:33:23.0687 11444 [ E1EC7F5DA720B640CD8FB8424F1B14BB ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
23:33:23.0687 11444 IpInIp - ok
23:33:23.0687 11444 [ B5A8E215AC29D24D60B4D1250EF05ACE ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
23:33:23.0687 11444 IpNat - ok
23:33:23.0734 11444 [ 64537AA5C003A6AFEEE1DF819062D0D1 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
23:33:23.0734 11444 IPSec - ok
23:33:23.0750 11444 [ 50708DAA1B1CBB7D6AC1CF8F56A24410 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
23:33:23.0765 11444 IRENUM - ok
23:33:23.0796 11444 [ E504F706CCB699C2596E9A3DA1596E87 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
23:33:23.0796 11444 isapnp - ok
23:33:23.0890 11444 [ 724A6A9AB5E1807665C5DB71C30BFC5F ] ISWKL C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
23:33:23.0890 11444 ISWKL - ok
23:33:23.0953 11444 [ 684CCDFD19CE0EE293701CF0F57977BD ] IswSvc C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
23:33:23.0953 11444 IswSvc - ok
23:33:24.0015 11444 [ EBDEE8A2EE5393890A1ACEE971C4C246 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
23:33:24.0046 11444 Kbdclass - ok
23:33:24.0078 11444 [ E182FA8E49E8EE41B4ADC53093F3C7E6 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
23:33:24.0093 11444 kbdhid - ok
23:33:24.0187 11444 [ D93CAD07C5683DB066B0B2D2D3790EAD ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
23:33:24.0218 11444 kmixer - ok
23:33:24.0250 11444 [ EB7FFE87FD367EA8FCA0506F74A87FBB ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
23:33:24.0250 11444 KSecDD - ok
23:33:24.0343 11444 [ 93D32468D34E000CB3407947D1D6E22A ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
23:33:24.0343 11444 lanmanserver - ok
23:33:24.0390 11444 [ 2C0A7B2AE9C26F2C163627679B42783C ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
23:33:24.0406 11444 lanmanworkstation - ok
23:33:24.0406 11444 lbrtfdc - ok
23:33:24.0406 11444 [ B3EFF6D938C572E90A07B3D87A3C7657 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
23:33:24.0406 11444 LmHosts - ok
23:33:24.0437 11444 [ 95FD808E4AC22ABA025A7B3EAC0375D2 ] Messenger C:\WINDOWS\System32\msgsvc.dll
23:33:24.0437 11444 Messenger - ok
23:33:24.0453 11444 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
23:33:24.0453 11444 mnmdd - ok
23:33:24.0484 11444 [ F6415361201915B9FE3896B0E4E724FF ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
23:33:24.0484 11444 mnmsrvc - ok
23:33:24.0515 11444 [ 6FC6F9D7ACC36DCA9B914565A3AEDA05 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
23:33:24.0515 11444 Modem - ok
23:33:24.0546 11444 [ 34E1F0031153E491910E12551400192C ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
23:33:24.0546 11444 Mouclass - ok
23:33:24.0687 11444 [ 65653F3B4477F3C63E68A9659F85EE2E ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
23:33:24.0703 11444 MountMgr - ok
23:33:24.0765 11444 [ 730A519505621DF46BCBF9CDAC9FB6AD ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
23:33:24.0781 11444 MozillaMaintenance - ok
23:33:24.0781 11444 mraid35x - ok
23:33:24.0812 11444 [ 46EDCC8F2DB2F322C24F48785CB46366 ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
23:33:24.0812 11444 MRxDAV - ok
23:33:24.0828 11444 [ 1FD607FC67F7F7C633C3DA65BFC53D18 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
23:33:24.0828 11444 MRxSmb - ok
23:33:24.0859 11444 [ C7C3D89EB0A6F3DBA622EA737FA335B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
23:33:24.0859 11444 MSDTC - ok
23:33:24.0859 11444 [ 561B3A4333CA2DBDBA28B5B956822519 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
23:33:24.0859 11444 Msfs - ok
23:33:24.0859 11444 MSIServer - ok
23:33:24.0890 11444 [ AE431A8DD3C1D0D0610CDBAC16057AD0 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
23:33:24.0906 11444 MSKSSRV - ok
23:33:24.0953 11444 [ 13E75FEF9DFEB08EEDED9D0246E1F448 ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
23:33:24.0984 11444 MSPCLOCK - ok
23:33:25.0046 11444 [ 1988A33FF19242576C3D0EF9CE785DA7 ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
23:33:25.0046 11444 MSPQM - ok
23:33:25.0062 11444 [ 469541F8BFD2B32659D5D463A6714BCE ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
23:33:25.0062 11444 mssmbios - ok
23:33:25.0093 11444 [ 82035E0F41C2DD05AE41D27FE6CF7DE1 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
23:33:25.0109 11444 Mup - ok
23:33:25.0171 11444 [ 558635D3AF1C7546D26067D5D9B6959E ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
23:33:25.0171 11444 NDIS - ok
23:33:25.0187 11444 [ 08D43BBDACDF23F34D79E44ED35C1B4C ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
23:33:25.0187 11444 NdisTapi - ok
23:33:25.0218 11444 [ 34D6CD56409DA9A7ED573E1C90A308BF ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
23:33:25.0218 11444 Ndisuio - ok
23:33:25.0218 11444 [ 0B90E255A9490166AB368CD55A529893 ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
23:33:25.0218 11444 NdisWan - ok
23:33:25.0234 11444 [ 59FC3FB44D2669BC144FD87826BB571F ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
23:33:25.0234 11444 NDProxy - ok
23:33:25.0234 11444 [ 3A2ACA8FC1D7786902CA434998D7CEB4 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
23:33:25.0234 11444 NetBIOS - ok
23:33:25.0265 11444 [ 05AFB5AD06462257BEA7495283C86D50 ] NetDDE C:\WINDOWS\system32\netdde.exe
23:33:28.0484 11444 Scan finished
23:33:28.0484 11444 ============================================================
23:33:28.0484 10496 Detected object count: 1
23:33:28.0484 10496 Actual detected object count: 1
23:34:29.0156 10496 C:\WINDOWS\system32\drivers\RtkHDAud.sys - copied to quarantine
23:34:29.0156 10496 IntcAzAudAddService ( ForgedFile.Multi.Generic ) - User select action: Quarantine
23:35:00.0625 6768 Deinitialize success


There was no cure option, so I quarantined the 1 threat found by TDSSKiller.

Next comes ComboFix. I followed your instructions, only to encounter a blue screen error. Something like this, but not exactly:
http://imageshack.us/f/690/bluescreen.png/

As the note specified, I tried ComboFix only once.
Thank you.

#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 13 January 2013 - 01:41 PM

Please boot into safe mode and try ComboFix again.

To enter Safe Mode:
  • Go to Start > Shut off your Computer > Restart.
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down arrow keys to scroll up to Safe Mode.
  • Then press the Enter key on your keyboard.
  • Go into your usual account.

Make certain all other windows are closed.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 swanand

  • Topic Starter
  • Members
  • 11 posts

Posted 13 January 2013 - 02:34 PM

Hey, I tried to run it in safe mode, but the PC kept restarting on its own. So I downloaded a fresh copy of ComboFix and ran it normally. This time it worked, and here is the log.



ComboFix 13-01-13.01 - Vic 14/01/2013 0:53.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2010.1548 [GMT 5.5:30]
Running from: c:\documents and settings\Vic\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Autorun.inf
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf
F:\hrpxhr.pif
.
-- Previous Run --
.
c:\windows\regedit.exe . . . is infected!!
.
c:\windows\system32\drivers\netbt.sys was missing
Restored copy from - c:\windows\system32\dllcache\netbt.sys
.
--------
.
.
((((((((((((((((((((((((( Files Created from 2012-12-13 to 2013-01-13 )))))))))))))))))))))))))))))))
.
.
2013-01-13 19:22 . 2013-01-13 19:22 103140 ----a-w- C:\goxcax.exe
2013-01-13 18:04 . 2013-01-13 18:04 -------- d-----w- C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-05 03:45 . 2013-01-08 20:04 262704 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-01-09 4763008]
"BitTorrent"="c:\program files\BitTorrent\BitTorrent.exe" [2013-01-10 980376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-11-22 808616]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2013-01-02 73984]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 208384]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 240640]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 212480]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-23 18077696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\yevsyy.exe"=
"c:\\Program Files\\CheckPoint\\ZAForceField\\IswSvc.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
.
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [x]
S2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [x]
S2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-01-09 17:11]
.
2013-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-01-09 17:11]
.
2013-01-12 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 42ff2982-57ae-4241-8cc4-06f0b321b1b1.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
2013-01-12 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 9795c7f3-6a52-4b19-a76d-9733f44fa921.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/
TCP: Interfaces\{22CC374C-1104-4AD0-B88F-32F3EF0D1CD2}: NameServer = 202.54.1.18,172.31.6.5
FF - ProfilePath - c:\documents and settings\Vic\Application Data\Mozilla\Firefox\Profiles\nl0prazl.default\
FF - ExtSQL: 2013-01-09 01:17; {FFB96CC1-7EB3-449D-B827-DB661701C6BB}; c:\program files\CheckPoint\ZAForceField\TrustChecker
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-14 00:57
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\TEMP\wincvfljw.exe 2015232 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(516)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(572)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(912)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\imapi.exe
c:\windows\system32\wscntfy.exe
c:\program files\SUPERAntiSpyware\SSUPDATE.EXE
.
**************************************************************************
.
Completion time: 2013-01-14 00:57:38 - machine was rebooted
ComboFix-quarantined-files.txt 2013-01-13 19:27
.
Pre-Run: 43,110,014,976 bytes free
Post-Run: 43,081,637,888 bytes free
.
- - End Of File - - 0481FD234FF8D0E2367BCB4F99E49A45

#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 13 January 2013 - 04:03 PM

There are a couple of questionable entries in the log.

Do you recognize this?

C:\goxcax.exe

(Sometimes the tools we use will install with a random name.)

Please check the properties of this file and report what it says.


c:\windows\regedit.exe . . . is infected!!

We need to find a replacement for this file.

Please do the following:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *regedit*
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



#9 swanand

  • Topic Starter
  • Members
  • 11 posts

Posted 14 January 2013 - 01:00 PM

Hey, the C:\goxcax.exe file which you asked about is the virus.
I deleted it a number of times, but it reappears soon after. Also, SUPERAntiSpyware always blocks that file using its real-time shield.
I also want to ask whether I should keep SUPERAntiSpyware or uninstall it.
Thank you.




SystemLook 30.07.11 by jpshortstuff
Log created at 23:26 on 14/01/2013 by Vic
Administrator - Elevation successful

========== filefind ==========

Searching for "*regedit*"
C:\WINDOWS\regedit.exe ------- 146432 bytes [16:56 03/08/2004] [16:56 03/08/2004] 783AFC80383C176B22DBF8333343992D
C:\WINDOWS\erdnt\cache\regedit.exe --a---- 146432 bytes [19:26 13/01/2013] [16:56 03/08/2004] 783AFC80383C176B22DBF8333343992D
C:\WINDOWS\Help\regedit.chm --a---- 46684 bytes [12:00 23/08/2001] [12:00 23/08/2001] 4AE074CB5A4F5FFF0CDA367FC36054F4
C:\WINDOWS\Help\regedit.hlp --a---- 12886 bytes [12:00 23/08/2001] [12:00 23/08/2001] 0DCC288EBCC1BDB526F13087811E6B1A
C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf --a---- 18786 bytes [10:36 10/01/2013] [19:27 13/01/2013] CE23F1C55F14C77911D9FCA6CBAFC678
C:\WINDOWS\system32\dllcache\regedit.exe --a--c- 146432 bytes [16:56 03/08/2004] [16:56 03/08/2004] 783AFC80383C176B22DBF8333343992D

-= EOF =-

#10 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 14 January 2013 - 07:11 PM

It's up to you whether you uninstall SUPERAntiSpyware; I've never used it, so I don't know how useful it is.

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into Notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty Notepad file.

Copy all the text inside of the code box: press Ctrl+C (or right click on the highlighted section and choose 'copy').

http://www.bleepingcomputer.com/forums/topic481237.html/page__pid__2947296#entry2947296

Collect::
C:\goxcax.exe
c:\windows\TEMP\wincvfljw.exe

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"e:\\yevsyy.exe"=-

ClearJavaCache::

Now paste the copied text into the open Notepad window: press CTRL+V (or right click and choose 'paste').

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Download RogueKiller and save it to your desktop.
  • Quit all other programs
  • Start RogueKiller.exe
  • Wait until the Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan
  • A report will be created on your desktop.
  • Click on the Delete button
  • Next click on the ShortcutsFix
  • Another report will be created on your desktop.

Please post: All RKreport.txt text files located on your desktop.

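The CFScript above deletes exactly the registry values that locked the user out (Task Manager and regedit policies) and the rogue firewall exception. As an added example, not code from the thread or from ComboFix, here is a small analyser that reads a ComboFix "Reg Loading Points" section, flags that tampering, and drafts the same `Registry::` block; the drive-root-executable heuristic and the split between values it scripts for deletion and values it only reports are my assumptions.

```python
"""Flag security-policy tampering in a ComboFix "Reg Loading Points" section and
draft the matching Registry:: block of a CFScript. Added example, not code from the
thread or from ComboFix; the only CFScript syntax assumed is the one CatByte posted
above, where "Name"=- under a [key] heading deletes that value."""
import re
from typing import Dict, List, Optional, Tuple

# (lower-cased fragment of the key path, value name, hostile value, action), taken
# from the tampering in the thread's logs. "delete" entries are scripted, as in the
# posted CFScript; Security Center / firewall state is only reported for the analyst.
HOSTILE_VALUES: List[Tuple[str, str, int, str]] = [
    (r"\policies\system", "DisableTaskMgr", 1, "delete"),
    (r"\policies\system", "DisableRegistryTools", 1, "delete"),
    (r"firewallpolicy\standardprofile", "EnableFirewall", 0, "report"),
    (r"\security center", "AntiVirusOverride", 1, "report"),
    (r"\security center", "FirewallOverride", 1, "report"),
]
AUTHORIZED_APPS = r"firewallpolicy\standardprofile\authorizedapplications\list"
# Heuristic (assumption): no legitimate installer registers a firewall exception for
# an executable in a drive root, which is where the thread's e:\yevsyy.exe lived.
DRIVE_ROOT_EXE = re.compile(r"^[a-z]:\\\\?[^\\]+\.(exe|pif|scr|com)$", re.IGNORECASE)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<raw>.*)$')


def parse_value(raw: str) -> Optional[int]:
    """Normalise ComboFix's numeric renderings: '1 (0x1)' and 'dword:00000001'."""
    m = re.match(r"^(\d+)\s*\(0x[0-9a-f]+\)", raw, re.IGNORECASE)
    if m:
        return int(m.group(1))
    m = re.match(r"^dword:([0-9a-f]{8})$", raw, re.IGNORECASE)
    if m:
        return int(m.group(1), 16)
    return None  # a string, a path, or the bare '=' of an AuthorizedApplications entry


def parse_reg_section(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key: {value name: raw value}} for a 'Reg Loading Points' dump."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys.setdefault(current, {})
        elif current is not None:
            vm = VALUE_RE.match(line)
            if vm:
                keys[current][vm.group("name")] = vm.group("raw")
    return keys


def find_tampering(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """One (key, value name, reason, action) per hostile setting or suspicious exception."""
    findings: List[Tuple[str, str, str, str]] = []
    for key, values in keys.items():
        lkey = key.lower()
        for fragment, name, hostile, action in HOSTILE_VALUES:
            if fragment in lkey and parse_value(values.get(name, "")) == hostile:
                findings.append((key, name, f"{name} is {hostile}", action))
        if lkey.endswith(AUTHORIZED_APPS):
            for name in values:
                if DRIVE_ROOT_EXE.match(name):
                    findings.append((key, name, "firewall exception for drive-root exe", "delete"))
    return findings


def cfscript_registry_block(findings: List[Tuple[str, str, str, str]]) -> str:
    """Draft the Registry:: section: a [key] heading, then "Name"=- per value to delete."""
    by_key: Dict[str, List[str]] = {}
    for key, name, _reason, action in findings:
        if action == "delete":
            by_key.setdefault(key, []).append(name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines) + "\n"


# Constructed sample: lines copied from the "Reg Loading Points" section of the log above.
SAMPLE_LOG = r"""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\yevsyy.exe"=
"""

if __name__ == "__main__":
    found = find_tampering(parse_reg_section(SAMPLE_LOG))
    print(*(f"[{a:6}] {r}  ({k})" for k, _n, r, a in found), cfscript_registry_block(found), sep="\n")
```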


#11 swanand

  • Topic Starter
  • Members
  • 11 posts

Posted 15 January 2013 - 08:42 AM

Hey, now the problem is that the virus in C: has changed its name from goxcax.exe to vusjd.exe, and I think it keeps changing after every reboot. So should I change the name in the script for ComboFix?

#12 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 15 January 2013 - 06:38 PM

Yes, use the following script:

http://www.bleepingcomputer.com/forums/topic481237.html/page__pid__2947296#entry2947296

Collect::
C:\goxcax.exe
c:\windows\TEMP\wincvfljw.exe
C:\vusjd.exe

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"e:\\yevsyy.exe"=-

ClearJavaCache::



#13 swanand

  • Topic Starter
  • Members
  • 11 posts

Posted 17 January 2013 - 01:20 PM

After 3 unsuccessful tries, I succeeded with ComboFix.

ComboFix 13-01-16.01 - Vic 16/01/2013 23:55:43.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2010.1544 [GMT 5.5:30]
Running from: c:\documents and settings\Vic\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Vic\Desktop\CFScript.txt
.
file zipped: C:\vusjd.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\autorun.inf
C:\vusjd.exe
D:\Autorun.inf
D:\gdkp.pif
E:\Autorun.inf
E:\qrmgvg.pif
F:\autorun.inf
F:\wtih.pif
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AMSINT32
-------\Service_amsint32
.
.
((((((((((((((((((((((((( Files Created from 2012-12-16 to 2013-01-16 )))))))))))))))))))))))))))))))
.
.
2013-01-13 18:04 . 2013-01-13 18:04 -------- d-----w- C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-16 18:29 . 2013-01-16 18:29 103140 --sh--r- C:\wrlwah.exe
2013-01-05 03:45 . 2013-01-08 20:04 262704 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="c:\program files\BitTorrent\BitTorrent.exe" [2013-01-10 1064856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-11-22 808616]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2013-01-02 73984]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 208384]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 240640]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 212480]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-23 18077696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CheckPoint\\ZAForceField\\IswSvc.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
.
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [22/11/2012 8:03 PM 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [22/11/2012 8:03 PM 571048]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AMSINT32
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-01-09 17:11]
.
2013-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-01-09 17:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/
TCP: Interfaces\{22CC374C-1104-4AD0-B88F-32F3EF0D1CD2}: NameServer = 202.54.1.18,172.31.6.5
FF - ProfilePath - c:\documents and settings\Vic\Application Data\Mozilla\Firefox\Profiles\nl0prazl.default\
FF - ExtSQL: 2013-01-09 01:17; {FFB96CC1-7EB3-449D-B827-DB661701C6BB}; c:\program files\CheckPoint\ZAForceField\TrustChecker
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-16 23:59
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(752)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(808)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(1108)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2013-01-17 00:00:36 - machine was rebooted
ComboFix-quarantined-files.txt 2013-01-16 18:30
ComboFix2.txt 2013-01-13 19:27
.
Pre-Run: 45,274,017,792 bytes free
Post-Run: 45,243,346,944 bytes free
.
- - End Of File - - 6F3DE97113133900AC25B5FFA3DCD202


RogueKiller V8.4.3 [Jan 10 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : Vic [Admin rights]
Mode : Scan -- Date : 01/17/2013 23:41:54

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{22CC374C-1104-4AD0-B88F-32F3EF0D1CD2} : NameServer (202.54.1.18,172.31.6.5) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{22CC374C-1104-4AD0-B88F-32F3EF0D1CD2} : NameServer (202.54.1.18,172.31.6.5) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Security Center : ANTIVIRUSDISABLENOTIFY (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FIREWALLDISABLENOTIFY (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UPDATESDISABLENOTIFY (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> E:\windows\system32\config\SOFTWARE
-> E:\windows\system32\config\SYSTEM
-> E:\Documents and Settings\Default User\NTUSER.DAT
-> E:\Documents and Settings\LocalService\NTUSER.DAT
-> E:\Documents and Settings\NetworkService\NTUSER.DAT
-> E:\Documents and Settings\vicky\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDP725025GLA380 +++++
--- User ---
[MBR] d54d8420139b0ce9942ff9c9cb25a564
[BSP] cc41b34755ae6af28095642aa70cf9d7 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 60000 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 122881185 | Size: 178464 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: SAMSUNG S5360 Card USB Device +++++
--- User ---
[MBR] 3c1a2818332ba6909d41a8e4a8e704b8
[BSP] 9ab224430cae5d4642efe916dd8f39b0 : Standard MBR Code
Partition table:
0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8192 | Size: 7592 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_01172013_02d2341.txt >>
RKreport[1]_S_01172013_02d2341.txt



RogueKiller V8.4.3 [Jan 10 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : Vic [Admin rights]
Mode : Remove -- Date : 01/17/2013 23:42:05

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{22CC374C-1104-4AD0-B88F-32F3EF0D1CD2} : NameServer (202.54.1.18,172.31.6.5) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{22CC374C-1104-4AD0-B88F-32F3EF0D1CD2} : NameServer (202.54.1.18,172.31.6.5) -> NOT REMOVED, USE DNSFIX
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ] HKLM\[...]\Security Center : ANTIVIRUSDISABLENOTIFY (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FIREWALLDISABLENOTIFY (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : UPDATESDISABLENOTIFY (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> E:\windows\system32\config\SOFTWARE
-> E:\windows\system32\config\SYSTEM
-> E:\Documents and Settings\Default User\NTUSER.DAT
-> E:\Documents and Settings\LocalService\NTUSER.DAT
-> E:\Documents and Settings\NetworkService\NTUSER.DAT
-> E:\Documents and Settings\vicky\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDP725025GLA380 +++++
--- User ---
[MBR] d54d8420139b0ce9942ff9c9cb25a564
[BSP] cc41b34755ae6af28095642aa70cf9d7 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 60000 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 122881185 | Size: 178464 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: SAMSUNG S5360 Card USB Device +++++
--- User ---
[MBR] 3c1a2818332ba6909d41a8e4a8e704b8
[BSP] 9ab224430cae5d4642efe916dd8f39b0 : Standard MBR Code
Partition table:
0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8192 | Size: 7592 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_01172013_02d2342.txt >>
RKreport[1]_S_01172013_02d2341.txt ; RKreport[2]_D_01172013_02d2342.txt



RogueKiller V8.4.3 [Jan 10 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : Vic [Admin rights]
Mode : Shortcuts HJfix -- Date : 01/17/2013 23:42:38

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> E:\windows\system32\config\SOFTWARE
-> E:\windows\system32\config\SYSTEM
-> E:\Documents and Settings\Default User\NTUSER.DAT
-> E:\Documents and Settings\LocalService\NTUSER.DAT
-> E:\Documents and Settings\NetworkService\NTUSER.DAT
-> E:\Documents and Settings\vicky\NTUSER.DAT

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 5 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 14 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 504 / Fail 2
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[F:] \Device\HarddiskVolume4 -- 0x3 --> Restored
[G:] \Device\CdRom0 -- 0x5 --> Skipped
[H:] \Device\Harddisk1\DP(1)0-0+6 -- 0x2 --> Restored

Finished : << RKreport[3]_SC_01172013_02d2342.txt >>
RKreport[1]_S_01172013_02d2341.txt ; RKreport[2]_D_01172013_02d2342.txt ; RKreport[3]_SC_01172013_02d2342.txt



Hey, should I delete the quarantine folder on my desktop?
Unfortunately, a new file, wrlwah.exe, appeared on my C drive just now.

#14 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:59 PM

Posted 17 January 2013 - 07:23 PM

Please re-run RogueKiller, but this time click the DNSFix button.

As soon as you have done that, re-run ComboFix; allow it to update if it asks to do so.

Post the fresh logs.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 swanand

  • Topic Starter
  • Members
  • 11 posts
  • Local time:05:29 AM

Posted 18 January 2013 - 01:28 PM

RogueKiller V8.4.3 [Jan 10 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : Vic [Admin rights]
Mode : DNSFix -- Date : 01/18/2013 19:33:09

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{22CC374C-1104-4AD0-B88F-32F3EF0D1CD2} : NameServer (202.54.1.18,172.31.6.5) -> REPLACED ()
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{22CC374C-1104-4AD0-B88F-32F3EF0D1CD2} : NameServer (202.54.1.18,172.31.6.5) -> REPLACED ()

¤¤¤ Driver : [LOADED] ¤¤¤

Finished : << RKreport[4]_DN_01182013_02d1933.txt >>
RKreport[1]_S_01172013_02d2341.txt ; RKreport[2]_D_01172013_02d2342.txt ; RKreport[3]_SC_01172013_02d2342.txt ; RKreport[4]_DN_01182013_02d1933.txt



I re-ran a fresh copy of ComboFix, as the old one was not running.
But after completing the 50 stages it got stuck at a point where it displayed "system32/fsquirt.exe is infected & Repairing the file".
It stayed stuck there for almost half an hour.



