
two red flags in aswMBR. what to do next?


  • This topic is locked
31 replies to this topic

#1 effingmalware

effingmalware

  • Members
  • 33 posts
  • OFFLINE
  • Local time:01:55 PM

Posted 15 September 2013 - 12:27 AM

A friend and I communicate online. Occasionally one of us will get infected somehow and then the other person typically does, as if a hacker watches one of us or both of us and just decides to screw around once in a while. Earlier today in Trillian, her text would constantly be selected/deleted without her doing so, or it would become bold or italicized, even after fully disabling all the keyboard shortcut commands.

 

Further, they seem to be able to disable our scanning programs from producing any results. Example: every single time I run SUPERAntiSpyware or HitmanPro I typically get, at the very least, a ton of tracking cookies. However, not anymore. They don't find anything, which to me means they have been remotely modified somehow. I don't know. Even when I uninstall and reinstall them they still don't seem to work.

 

Anyway, I decided to do a scan to see if I got infected too today. I just ran aswMBR (plan to run more) and it found 2 red flags. Never seen these before on this OS install or this computer.

 

I will attach the log here:

 

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-09-14 21:50:52
-----------------------------
21:50:52.984    OS Version: Windows 5.1.2600 Service Pack 3
21:50:52.984    Number of processors: 2 586 0x200
21:50:52.984    ComputerName: COMPUTER-3815  UserName: Owner
21:50:55.781    Initialize success
21:51:05.218    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\ahcix861Port1Path0Target0Lun0
21:51:05.265    Disk 0 Vendor: WDC____ 01.01A01 Size: 305245MB BusType: 3
21:51:05.328    Disk 0 MBR read successfully
21:51:05.375    Disk 0 MBR scan
21:51:05.421    Disk 0 Windows XP default MBR code
21:51:05.484    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       305234 MB offset 63
21:51:05.546    Disk 0 scanning sectors +625121280
21:51:05.703    Disk 0 scanning C:\WINDOWS\system32\drivers
21:51:11.687    Service scanning
21:51:29.796    Modules scanning
21:51:41.468    Disk 0 trace - called modules:
21:51:41.484    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8ac4e1f8]<<
21:51:41.500    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac837b8]
21:51:41.500    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Scsi\ahcix861Port1Path0Target0Lun0[0x8ab85a38]
21:51:41.500    \Driver\ahcix86[0x8ac844c8] -> IRP_MJ_CREATE -> 0x8ac4e1f8
21:51:41.500    Scan finished successfully
22:18:07.546    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\My Documents\MBR.dat"
22:18:07.734    The log file has been saved successfully to "C:\Documents and Settings\Owner\My Documents\aswMBR.txt"
 

I am about to run some more scans next, like MBAM and MBAR and TDSSKiller. What else should I try? Thanks for responses.

 

Oh, one last thing: at one point I ran HitmanPro and tdsskiller.exe came back as a trojan. Amazing? Does this kind of thing happen frequently? Thanks again.




 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:55 PM

Posted 16 September 2013 - 03:52 AM

Hi there,
my name is Marius and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add/remove software, unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all log files as a reply rather than as an attachment unless I specifically ask you. If you cannot post all log files in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double-click on the randomly named GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done, click on the Save... button, and in the File name area type in "ark.txt", or it will save as a .log file, which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

 

 

 

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found); we need to see a report first.

Download TDSSKiller.exe and save it to your desktop

  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan.
  • If malicious objects are found, do NOT select Cure. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root of the system drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.


Proud Member of UNITE & TB

My help is free; however, if you want to support my fight against malware, click here to donate (no worries, every little bit helps).
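As an added example that is not part of any post in this thread: the two lines in the aswMBR log above that deserve attention are the `>>UNKNOWN [0x8ac4e1f8]<<` entry in the disk call chain and the `\Driver\ahcix86[...] -> IRP_MJ_CREATE -> 0x8ac4e1f8` dispatch line. They carry the same address, which means the "unknown" code is the IRP_MJ_CREATE handler registered by the driver object `ahcix86`, a storage driver that aswMBR simply did not recognise. That alone proves neither benign nor malicious; what it tells you is which driver file to verify, and the TDSSKiller service listing Marius asks for next supplies that file's path and MD5. The Python below parses both log formats and performs that correlation. The two log excerpts are copied from this thread; the third excerpt, with an address that no driver object claims, is constructed to show the unresolved case. The function names and the dictionary layout are my own, not those of either tool.

```python
import re

# Excerpt copied from the aswMBR log in the first post of this thread (page data, not constructed).
ASWMBR_LOG = r"""
21:51:05.328    Disk 0 MBR read successfully
21:51:05.421    Disk 0 Windows XP default MBR code
21:51:41.468    Disk 0 trace - called modules:
21:51:41.484    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8ac4e1f8]<<
21:51:41.500    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac837b8]
21:51:41.500    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Scsi\ahcix861Port1Path0Target0Lun0[0x8ab85a38]
21:51:41.500    \Driver\ahcix86[0x8ac844c8] -> IRP_MJ_CREATE -> 0x8ac4e1f8
21:51:41.500    Scan finished successfully
"""

# Excerpt copied from the TDSSKiller log posted later in this thread (page data, not constructed).
TDSS_LOG = r"""
00:39:54.0984 2672  [ 530936C879AD456C22D1B3520805E476 ] ahcix86         C:\WINDOWS\system32\DRIVERS\ahcix86.sys
00:39:55.0000 2672  ahcix86 - ok
00:39:57.0140 2672  [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi           C:\WINDOWS\system32\DRIVERS\atapi.sys
00:39:57.0140 2672  atapi - ok
"""

# Constructed variant (NOT from the page): the UNKNOWN address matches no driver's dispatch entry.
ORPHAN_LOG = r"""
21:51:41.484    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8ac4e1f8]<<
21:51:41.500    \Driver\atapi[0x8ac844c8] -> IRP_MJ_CREATE -> 0x8ab00000
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
HOOK_RE = re.compile(r"(\\Driver\\\S+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)")
MBR_RE = re.compile(r"Disk \d+ (\S.*MBR code)")
TDSS_FILE_RE = re.compile(r"\[ ([0-9A-F]{32}) \] (\S+)\s+(\S.*?)\s*$")
TDSS_VERDICT_RE = re.compile(r"^\S+\s+\d+\s+(.+?) - (.+?)\s*$")


def parse_aswmbr(text):
    """Extract the MBR verdict, UNKNOWN code addresses and driver dispatch targets from an aswMBR log."""
    report = {"mbr": None, "unknown": [], "hooks": []}
    for line in text.splitlines():
        m = MBR_RE.search(line)
        if m:
            report["mbr"] = m.group(1)
        for m in UNKNOWN_RE.finditer(line):
            report["unknown"].append(m.group(1).lower())
        m = HOOK_RE.search(line)
        if m:
            driver, irp, target = m.groups()
            report["hooks"].append((driver, irp, target.lower()))
    return report


def parse_tdsskiller(text):
    """Map each service/driver name in a TDSSKiller log to its file path, MD5 and verdict ('ok', 'detected', ...)."""
    files = {}
    for line in text.splitlines():
        m = TDSS_FILE_RE.search(line)
        if m:  # "[ MD5 ] name   path" line: the file backing the service
            md5, name, path = m.groups()
            files[name.lower()] = {"name": name, "md5": md5, "path": path, "verdict": None}
            continue
        m = TDSS_VERDICT_RE.match(line)
        if m:  # "name - ok" / "name - detected" line
            name, verdict = m.groups()
            files.setdefault(name.lower(), {"name": name, "md5": None, "path": None})["verdict"] = verdict
    return files


def triage(aswmbr_text, tdss_text):
    """For each UNKNOWN address, name the driver object whose dispatch routine it is and the file to verify."""
    report = parse_aswmbr(aswmbr_text)
    files = parse_tdsskiller(tdss_text)
    findings = []
    for addr in report["unknown"]:
        owner = next((drv for drv, _irp, target in report["hooks"] if target == addr), None)
        name = owner.rsplit("\\", 1)[-1] if owner else None   # "\Driver\ahcix86" -> "ahcix86"
        info = files.get(name.lower(), {}) if name else {}
        if owner is None:
            step = "no driver object claims this address; the code is not a registered dispatch routine, escalate"
        elif info.get("path"):
            step = "verify %s (MD5 %s) against a known-good copy of the driver" % (info["path"], info["md5"])
        else:
            step = "locate the file backing %s; TDSSKiller did not list it" % name
        findings.append({"address": addr, "driver": name, "path": info.get("path"),
                         "md5": info.get("md5"), "tdss_verdict": info.get("verdict"), "next_step": step})
    return findings


if __name__ == "__main__":
    print("MBR:", parse_aswmbr(ASWMBR_LOG)["mbr"])
    for f in triage(ASWMBR_LOG, TDSS_LOG) + triage(ORPHAN_LOG, TDSS_LOG):
        print(f["address"], f["driver"], f["tdss_verdict"], "->", f["next_step"])
```

The MBR verdict is kept alongside the findings because it is the other half of the picture: "Windows XP default MBR code" rules out a bootkit-style MBR overwrite on this disk, so the only thing left to explain is the unrecognised dispatch routine, and that comes down to hashing one file.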

#3 effingmalware

effingmalware
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:01:55 PM

Posted 18 September 2013 - 02:43 AM

 
TDSSKiller finds nothing. Results:
 
00:39:42.0640 0664  ============================================================
00:39:42.0640 0664  Current date / time: 2013/09/18 00:39:42.0640
00:39:42.0640 0664  SystemInfo:
00:39:42.0640 0664  
00:39:42.0640 0664  OS Version: 5.1.2600 ServicePack: 3.0
00:39:42.0640 0664  Product type: Workstation
00:39:42.0656 0664  ComputerName: COMPUTER-3815
00:39:42.0656 0664  UserName: Owner
00:39:42.0656 0664  Windows directory: C:\WINDOWS
00:39:42.0656 0664  System windows directory: C:\WINDOWS
00:39:42.0656 0664  Processor architecture: Intel x86
00:39:42.0656 0664  Number of processors: 2
00:39:42.0656 0664  Page size: 0x1000
00:39:42.0656 0664  Boot type: Normal boot
00:39:42.0656 0664  ============================================================
00:39:46.0015 0664  Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
00:39:46.0031 0664  ============================================================
00:39:46.0031 0664  \Device\Harddisk0\DR0:
00:39:46.0031 0664  MBR partitions:
00:39:46.0031 0664  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x254297C1
00:39:46.0031 0664  ============================================================
00:39:46.0062 0664  C: <-> \Device\Harddisk0\DR0\Partition1
00:39:46.0093 0664  ============================================================
00:39:46.0093 0664  Initialize success
00:39:46.0093 0664  ============================================================
00:39:48.0218 2672  ============================================================
00:39:48.0218 2672  Scan started
00:39:48.0218 2672  Mode: Manual; 
00:39:48.0218 2672  ============================================================
00:39:50.0453 2672  ================ Scan system memory ========================
00:39:52.0000 2672  System memory - ok
00:39:52.0000 2672  ================ Scan services =============================
00:39:54.0218 2672  Abiosdsk - ok
00:39:54.0234 2672  abp480n5 - ok
00:39:54.0281 2672  [ 8FD99680A539792A30E97944FDAECF17 ] ACPI            C:\WINDOWS\system32\DRIVERS\ACPI.sys
00:39:54.0281 2672  ACPI - ok
00:39:54.0359 2672  [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC          C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
00:39:54.0359 2672  ACPIEC - ok
00:39:54.0375 2672  adpu160m - ok
00:39:54.0453 2672  [ 8BED39E3C35D6A489438B8141717A557 ] aec             C:\WINDOWS\system32\drivers\aec.sys
00:39:54.0453 2672  aec - ok
00:39:54.0484 2672  [ F6B7B1ECD7B41736BDB6FF4B092BCB79 ] AFD             C:\WINDOWS\System32\drivers\afd.sys
00:39:54.0484 2672  AFD - ok
00:39:54.0500 2672  Aha154x - ok
00:39:54.0546 2672  [ 530936C879AD456C22D1B3520805E476 ] ahcix80x        C:\WINDOWS\system32\drivers\ahcix80x.sys
00:39:54.0843 2672  ahcix80x - ok
00:39:54.0984 2672  [ 530936C879AD456C22D1B3520805E476 ] ahcix86         C:\WINDOWS\system32\DRIVERS\ahcix86.sys
00:39:55.0000 2672  ahcix86 - ok
00:39:55.0000 2672  aic78u2 - ok
00:39:55.0015 2672  aic78xx - ok
00:39:55.0046 2672  [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter         C:\WINDOWS\system32\alrsvc.dll
00:39:55.0046 2672  Alerter - ok
00:39:55.0062 2672  [ 8C515081584A38AA007909CD02020B3D ] ALG             C:\WINDOWS\System32\alg.exe
00:39:55.0062 2672  ALG - ok
00:39:55.0062 2672  AliIde - ok
00:39:55.0234 2672  [ 267FC636801EDC5AB28E14036349E3BE ] Ambfilt         C:\WINDOWS\system32\drivers\Ambfilt.sys
00:39:55.0296 2672  Ambfilt - ok
00:39:55.0406 2672  [ B39F8C63F6E0655B6CF99899BE039250 ] amdide          C:\WINDOWS\system32\DRIVERS\amdide.sys
00:39:55.0437 2672  amdide - ok
00:39:55.0468 2672  [ 033448D435E65C4BD72E70521FD05C76 ] AmdPPM          C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
00:39:55.0484 2672  AmdPPM - ok
00:39:55.0484 2672  amsint - ok
00:39:55.0531 2672  [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt         C:\WINDOWS\System32\appmgmts.dll
00:39:55.0531 2672  AppMgmt - ok
00:39:55.0640 2672  [ 3526C5195CE471B2C113BBDC1375BD00 ] AR5416          C:\WINDOWS\system32\DRIVERS\athw.sys
00:39:56.0062 2672  AR5416 - ok
00:39:56.0062 2672  asc - ok
00:39:56.0078 2672  asc3350p - ok
00:39:56.0078 2672  asc3550 - ok
00:39:57.0093 2672  [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
00:39:57.0109 2672  aspnet_state - ok
00:39:57.0125 2672  [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac        C:\WINDOWS\system32\DRIVERS\asyncmac.sys
00:39:57.0125 2672  AsyncMac - ok
00:39:57.0140 2672  [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi           C:\WINDOWS\system32\DRIVERS\atapi.sys
00:39:57.0140 2672  atapi - ok
00:39:57.0140 2672  Atdisk - ok
00:39:57.0312 2672  [ A10E4AE69C81B4EBF0096CF867133D6F ] Ati HotKey Poller C:\WINDOWS\system32\Ati2evxx.exe
00:39:57.0421 2672  Ati HotKey Poller - ok
00:39:58.0234 2672  [ F55A1AE5A66BD314421E07164A7CA69B ] ati2mtag        C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
00:39:58.0359 2672  ati2mtag - ok
00:39:58.0468 2672  [ 0D6B8359677D05142B624F09C28D643A ] AtiHDAudioService C:\WINDOWS\system32\drivers\AtihdXP3.sys
00:39:58.0468 2672  AtiHDAudioService - ok
00:39:58.0531 2672  [ 9916C1225104BA14794209CFA8012159 ] Atmarpc         C:\WINDOWS\system32\DRIVERS\atmarpc.sys
00:39:58.0546 2672  Atmarpc - ok
00:39:58.0593 2672  [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv        C:\WINDOWS\System32\audiosrv.dll
00:39:58.0593 2672  AudioSrv - ok
00:39:58.0671 2672  [ D9F724AA26C010A217C97606B160ED68 ] audstub         C:\WINDOWS\system32\DRIVERS\audstub.sys
00:39:58.0671 2672  audstub - ok
00:39:58.0703 2672  [ 139723C3A6EB619CBD62ABB437E930DF ] avgtp           C:\WINDOWS\system32\drivers\avgtpx86.sys
00:39:58.0703 2672  avgtp - ok
00:39:58.0859 2672  [ 7692F4B242E45870873CAF4CB85CF769 ] AxAutoMntSrv    C:\Program Files\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe
00:39:58.0875 2672  AxAutoMntSrv - ok
00:39:58.0890 2672  [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep            C:\WINDOWS\system32\drivers\Beep.sys
00:39:58.0890 2672  Beep - ok
00:39:58.0921 2672  [ 574738F61FCA2935F5265DC4E5691314 ] BITS            C:\WINDOWS\system32\qmgr.dll
00:39:59.0062 2672  BITS - ok
00:39:59.0125 2672  [ FC6D1D80588D371F0321E15A75B2F8F2 ] Browser         C:\WINDOWS\System32\browser.dll
00:39:59.0125 2672  Browser - ok
00:39:59.0156 2672  [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k         C:\WINDOWS\system32\drivers\cbidf2k.sys
00:39:59.0156 2672  cbidf2k - ok
00:39:59.0187 2672  [ 0BE5AEF125BE881C4F854C554F2B025C ] CCDECODE        C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
00:39:59.0187 2672  CCDECODE - ok
00:39:59.0187 2672  cd20xrnt - ok
00:39:59.0203 2672  [ C1B486A7658353D33A10CC15211A873B ] Cdaudio         C:\WINDOWS\system32\drivers\Cdaudio.sys
00:39:59.0203 2672  Cdaudio - ok
00:39:59.0250 2672  [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs            C:\WINDOWS\system32\drivers\Cdfs.sys
00:39:59.0250 2672  Cdfs - ok
00:39:59.0265 2672  [ 4B0A100EAF5C49EF3CCA8C641431EACC ] Cdrom           C:\WINDOWS\system32\DRIVERS\cdrom.sys
00:39:59.0281 2672  Cdrom - ok
00:39:59.0296 2672  Changer - ok
00:39:59.0328 2672  [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc           C:\WINDOWS\system32\cisvc.exe
00:39:59.0328 2672  CiSvc - ok
00:39:59.0343 2672  [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv         C:\WINDOWS\system32\clipsrv.exe
00:39:59.0343 2672  ClipSrv - ok
00:39:59.0390 2672  [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
00:39:59.0421 2672  clr_optimization_v2.0.50727_32 - ok
00:39:59.0484 2672  [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
00:39:59.0484 2672  clr_optimization_v4.0.30319_32 - ok
00:39:59.0515 2672  [ 0F6C187D38D98F8DF904589A5F94D411 ] CmBatt          C:\WINDOWS\system32\DRIVERS\CmBatt.sys
00:39:59.0515 2672  CmBatt - ok
00:39:59.0531 2672  CmdIde - ok
00:39:59.0546 2672  [ 6E4C9F21F0FAE8940661144F41B13203 ] Compbatt        C:\WINDOWS\system32\DRIVERS\compbatt.sys
00:39:59.0546 2672  Compbatt - ok
00:39:59.0546 2672  COMSysApp - ok
00:39:59.0562 2672  Cpqarray - ok
00:39:59.0578 2672  [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc        C:\WINDOWS\System32\cryptsvc.dll
00:39:59.0578 2672  CryptSvc - ok
00:39:59.0593 2672  dac2w2k - ok
00:39:59.0593 2672  dac960nt - ok
00:39:59.0671 2672  [ 9222562D44021B988B9F9F62207FB6F2 ] DcomLaunch      C:\WINDOWS\system32\rpcss.dll
00:39:59.0765 2672  DcomLaunch - ok
00:39:59.0843 2672  [ C51DE19619D50CBD03708647ACA10E70 ] Dhcp            C:\WINDOWS\System32\dhcpcsvc.dll
00:39:59.0843 2672  Dhcp - ok
00:39:59.0859 2672  [ 47B6AAEC570F2C11D8BAD80A064D8ED1 ] Disk            C:\WINDOWS\system32\DRIVERS\disk.sys
00:39:59.0859 2672  Disk - ok
00:39:59.0875 2672  dmadmin - ok
00:39:59.0953 2672  [ AEE02DE337D8E038D31630EA26286C8E ] dmboot          C:\WINDOWS\system32\drivers\dmboot.sys
00:39:59.0984 2672  dmboot - ok
00:40:00.0015 2672  [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio            C:\WINDOWS\system32\drivers\dmio.sys
00:40:00.0015 2672  dmio - ok
00:40:00.0046 2672  [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload          C:\WINDOWS\system32\drivers\dmload.sys
00:40:00.0046 2672  dmload - ok
00:40:00.0062 2672  [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver        C:\WINDOWS\System32\dmserver.dll
00:40:00.0062 2672  dmserver - ok
00:40:00.0093 2672  [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic          C:\WINDOWS\system32\drivers\DMusic.sys
00:40:00.0093 2672  DMusic - ok
00:40:00.0109 2672  [ D977659AE4D8ECE5286D99D1ED34614D ] Dnscache        C:\WINDOWS\System32\dnsrslvr.dll
00:40:00.0109 2672  Dnscache - ok
00:40:00.0140 2672  [ B4109C8C3D54C83246997A777724F318 ] Dot3svc         C:\WINDOWS\System32\dot3svc.dll
00:40:00.0156 2672  Dot3svc - ok
00:40:00.0156 2672  dpti2o - ok
00:40:00.0265 2672  [ 308195495181C8F3D51E6ED5B58D54AC ] DragonUpdater   C:\Program Files\Comodo\Dragon\dragon_updater.exe
00:40:00.0390 2672  DragonUpdater - ok
00:40:00.0453 2672  [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud         C:\WINDOWS\system32\drivers\drmkaud.sys
00:40:00.0453 2672  drmkaud - ok
00:40:00.0500 2672  [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost         C:\WINDOWS\System32\eapsvc.dll
00:40:00.0500 2672  EapHost - ok
00:40:00.0515 2672  [ BC93B4A066477954555966D77FEC9ECB ] ERSvc           C:\WINDOWS\System32\ersvc.dll
00:40:00.0515 2672  ERSvc - ok
00:40:00.0593 2672  [ B98B5BD5FDAB0D2CD0737F4716C337EA ] ETD             C:\WINDOWS\system32\DRIVERS\ETD.sys
00:40:00.0593 2672  ETD - ok
00:40:00.0640 2672  [ C519E15665CD89A91AD383FCE3CB556A ] Eventlog        C:\WINDOWS\system32\services.exe
00:40:00.0640 2672  Eventlog - ok
00:40:00.0656 2672  [ F17F6226BDC0CD5F0BEF0DAF84D29BEC ] EventSystem     C:\WINDOWS\system32\es.dll
00:40:00.0671 2672  EventSystem - ok
00:40:00.0750 2672  [ 4D893323DAE445E34A4C9038B0551BC9 ] exFat           C:\WINDOWS\system32\drivers\exFat.sys
00:40:00.0765 2672  exFat - ok
00:40:00.0781 2672  [ 38D332A6D56AF32635675F132548343E ] Fastfat         C:\WINDOWS\system32\drivers\Fastfat.sys
00:40:00.0781 2672  Fastfat - ok
00:40:00.0796 2672  [ 888CD7B39C37E13A2419BECFAAF0A28C ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
00:40:00.0812 2672  FastUserSwitchingCompatibility - ok
00:40:00.0859 2672  [ E97D6A8684466DF94FF3BC24FB787A07 ] Fax             C:\WINDOWS\system32\fxssvc.exe
00:40:00.0875 2672  Fax - ok
00:40:00.0875 2672  [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc             C:\WINDOWS\system32\drivers\Fdc.sys
00:40:00.0875 2672  Fdc - ok
00:40:00.0890 2672  [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips            C:\WINDOWS\system32\drivers\Fips.sys
00:40:00.0890 2672  Fips - ok
00:40:00.0968 2672  [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk        C:\WINDOWS\system32\drivers\Flpydisk.sys
00:40:00.0968 2672  Flpydisk - ok
00:40:01.0000 2672  [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr          C:\WINDOWS\system32\DRIVERS\fltMgr.sys
00:40:01.0015 2672  FltMgr - ok
00:40:01.0046 2672  [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
00:40:01.0062 2672  FontCache3.0.0.0 - ok
00:40:01.0093 2672  [ 30D42943A54704EF13E2562911DBFCEA ] Fs_Rec          C:\WINDOWS\system32\drivers\Fs_Rec.sys
00:40:01.0093 2672  Fs_Rec - ok
00:40:01.0109 2672  [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk          C:\WINDOWS\system32\DRIVERS\ftdisk.sys
00:40:01.0109 2672  Ftdisk - ok
00:40:01.0171 2672  [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc             C:\WINDOWS\system32\DRIVERS\msgpc.sys
00:40:01.0171 2672  Gpc - ok
00:40:01.0218 2672  [ 506708142BC63DABA64F2D3AD1DCD5BF ] gupdate         C:\Program Files\Google\Update\GoogleUpdate.exe
00:40:01.0218 2672  gupdate - ok
00:40:01.0234 2672  [ 506708142BC63DABA64F2D3AD1DCD5BF ] gupdatem        C:\Program Files\Google\Update\GoogleUpdate.exe
00:40:01.0234 2672  gupdatem - ok
00:40:01.0265 2672  [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus        C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
00:40:01.0265 2672  HDAudBus - ok
00:40:01.0343 2672  [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc         C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
00:40:01.0343 2672  helpsvc - ok
00:40:01.0343 2672  HidServ - ok
00:40:01.0375 2672  [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc          C:\WINDOWS\System32\kmsvc.dll
00:40:01.0390 2672  hkmsvc - ok
00:40:01.0390 2672  hpn - ok
00:40:01.0468 2672  [ 937031C085718C1C04A9C0864625EC6B ] HTTP            C:\WINDOWS\system32\Drivers\HTTP.sys
00:40:01.0468 2672  HTTP - ok
00:40:01.0531 2672  [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter      C:\WINDOWS\System32\w3ssl.dll
00:40:01.0546 2672  HTTPFilter - ok
00:40:01.0546 2672  i2omgmt - ok
00:40:01.0562 2672  i2omp - ok
00:40:01.0593 2672  [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt        C:\WINDOWS\system32\DRIVERS\i8042prt.sys
00:40:01.0593 2672  i8042prt - ok
00:40:01.0671 2672  [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc           C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
00:40:01.0703 2672  idsvc - ok
00:40:01.0718 2672  [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi           C:\WINDOWS\system32\DRIVERS\imapi.sys
00:40:01.0734 2672  Imapi - ok
00:40:01.0765 2672  [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService    C:\WINDOWS\system32\imapi.exe
00:40:01.0765 2672  ImapiService - ok
00:40:01.0765 2672  ini910u - ok
00:40:02.0015 2672  [ 58DABDEF7A35F9E3AB1FABD2CBAF3D13 ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys
00:40:02.0125 2672  IntcAzAudAddService - ok
00:40:02.0140 2672  IntelIde - ok
00:40:02.0171 2672  [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw           C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
00:40:02.0171 2672  Ip6Fw - ok
00:40:02.0203 2672  [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver  C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
00:40:02.0203 2672  IpFilterDriver - ok
00:40:02.0218 2672  [ B87AB476DCF76E72010632B5550955F5 ] IpInIp          C:\WINDOWS\system32\DRIVERS\ipinip.sys
00:40:02.0218 2672  IpInIp - ok
00:40:02.0218 2672  [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat           C:\WINDOWS\system32\DRIVERS\ipnat.sys
00:40:02.0234 2672  IpNat - ok
00:40:02.0250 2672  [ 23C74D75E36E7158768DD63D92789A91 ] IPSec           C:\WINDOWS\system32\DRIVERS\ipsec.sys
00:40:02.0250 2672  IPSec - ok
00:40:02.0281 2672  [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM          C:\WINDOWS\system32\DRIVERS\irenum.sys
00:40:02.0281 2672  IRENUM - ok
00:40:02.0312 2672  [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp          C:\WINDOWS\system32\DRIVERS\isapnp.sys
00:40:02.0312 2672  isapnp - ok
00:40:02.0328 2672  [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass        C:\WINDOWS\system32\DRIVERS\kbdclass.sys
00:40:02.0328 2672  Kbdclass - ok
00:40:02.0359 2672  [ 692BCF44383D056AED41B045A323D378 ] kmixer          C:\WINDOWS\system32\drivers\kmixer.sys
00:40:02.0375 2672  kmixer - ok
00:40:02.0390 2672  [ C6EBF1D6AD71DF30DB49B8D3287E1368 ] KSecDD          C:\WINDOWS\system32\drivers\KSecDD.sys
00:40:02.0406 2672  KSecDD - ok
00:40:02.0421 2672  [ 3695B8D03745B2F8022B161238347A9D ] LanmanServer    C:\WINDOWS\System32\srvsvc.dll
00:40:02.0437 2672  LanmanServer - ok
00:40:02.0453 2672  [ 3B9324D60DD321BAB7BF6F77931D3FD1 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
00:40:02.0468 2672  lanmanworkstation - ok
00:40:02.0468 2672  lbrtfdc - ok
00:40:02.0531 2672  [ A7DB739AE99A796D91580147E919CC59 ] LmHosts         C:\WINDOWS\System32\lmhsvc.dll
00:40:02.0531 2672  LmHosts - ok
00:40:02.0546 2672  [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger       C:\WINDOWS\System32\msgsvc.dll
00:40:02.0546 2672  Messenger - ok
00:40:02.0562 2672  [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem           C:\WINDOWS\system32\drivers\Modem.sys
00:40:02.0562 2672  Modem - ok
00:40:02.0640 2672  [ C7D9F9717916B34C1B00DD4834AF485C ] Monfilt         C:\WINDOWS\system32\drivers\Monfilt.sys
00:40:02.0718 2672  Monfilt - ok
00:40:02.0734 2672  [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass        C:\WINDOWS\system32\DRIVERS\mouclass.sys
00:40:02.0734 2672  Mouclass - ok
00:40:02.0750 2672  [ 1A1FAA5102466F418494E94FF9B0B091 ] MountMgr        C:\WINDOWS\system32\drivers\MountMgr.sys
00:40:02.0750 2672  MountMgr - ok
00:40:02.0765 2672  mraid35x - ok
00:40:02.0781 2672  [ 4FEFD389D71126EE581B9F9CB2918BE4 ] MRxDAV          C:\WINDOWS\system32\DRIVERS\mrxdav.sys
00:40:02.0781 2672  MRxDAV - ok
00:40:02.0796 2672  [ FB2FCCC70F7174C7BF64F48E96D3ADF4 ] MRxSmb          C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
00:40:02.0812 2672  MRxSmb - ok
00:40:02.0859 2672  [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC           C:\WINDOWS\system32\msdtc.exe
00:40:02.0859 2672  MSDTC - ok
00:40:02.0906 2672  [ C941EA2454BA8350021D774DAF0F1027 ] Msfs            C:\WINDOWS\system32\drivers\Msfs.sys
00:40:02.0906 2672  Msfs - ok
00:40:02.0906 2672  MSIServer - ok
00:40:02.0984 2672  [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV         C:\WINDOWS\system32\drivers\MSKSSRV.sys
00:40:02.0984 2672  MSKSSRV - ok
00:40:03.0031 2672  [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK        C:\WINDOWS\system32\drivers\MSPCLOCK.sys
00:40:03.0031 2672  MSPCLOCK - ok
00:40:03.0046 2672  [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM           C:\WINDOWS\system32\drivers\MSPQM.sys
00:40:03.0046 2672  MSPQM - ok
00:40:03.0078 2672  [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios        C:\WINDOWS\system32\DRIVERS\mssmbios.sys
00:40:03.0078 2672  mssmbios - ok
00:40:03.0093 2672  [ E53736A9E30C45FA9E7B5EAC55056D1D ] MSTEE           C:\WINDOWS\system32\drivers\MSTEE.sys
00:40:03.0093 2672  MSTEE - ok
00:40:03.0125 2672  [ F7B1AD991491F02AF6DA70B00B8BF114 ] Mup             C:\WINDOWS\system32\drivers\Mup.sys
00:40:03.0125 2672  Mup - ok
00:40:03.0140 2672  [ 8CE3E969D857AAC02C3FE23AA0DC7B82 ] mv61xxmm        C:\WINDOWS\system32\drivers\mv61xxmm.sys
00:40:03.0140 2672  mv61xxmm - ok
00:40:03.0156 2672  [ 6090786DAA545A3EC7D34A46A8CD1661 ] mv64xxmm        C:\WINDOWS\system32\drivers\mv64xxmm.sys
00:40:03.0156 2672  mv64xxmm - ok
00:40:03.0171 2672  [ 70EBDF0D7D16CDDA5FAA7D3102748371 ] mvxxmm          C:\WINDOWS\system32\drivers\mvxxmm.sys
00:40:03.0171 2672  mvxxmm - ok
00:40:03.0218 2672  [ 5B50F1B2A2ED47D560577B221DA734DB ] NABTSFEC        C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
00:40:03.0218 2672  NABTSFEC - ok
00:40:03.0265 2672  [ 0102140028FAD045756796E1C685D695 ] napagent        C:\WINDOWS\System32\qagentrt.dll
00:40:03.0281 2672  napagent - ok
00:40:03.0359 2672  [ 1DF7F42665C94B825322FAE71721130D ] NDIS            C:\WINDOWS\system32\drivers\NDIS.sys
00:40:03.0359 2672  NDIS - ok
00:40:03.0375 2672  [ 7FF1F1FD8609C149AA432F95A8163D97 ] NdisIP          C:\WINDOWS\system32\DRIVERS\NdisIP.sys
00:40:03.0375 2672  NdisIP - ok
00:40:03.0406 2672  [ 091735A5F20ACB1DC147383A905AE002 ] NdisTapi        C:\WINDOWS\system32\DRIVERS\ndistapi.sys
00:40:03.0406 2672  NdisTapi - ok
00:40:03.0421 2672  [ F927A4434C5028758A842943EF1A3849 ] Ndisuio         C:\WINDOWS\system32\DRIVERS\ndisuio.sys
00:40:03.0421 2672  Ndisuio - ok
00:40:03.0437 2672  [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan         C:\WINDOWS\system32\DRIVERS\ndiswan.sys
00:40:03.0453 2672  NdisWan - ok
00:40:03.0453 2672  [ 816460BD4B4ACD27937D1D0813E2E9E9 ] NDProxy         C:\WINDOWS\system32\drivers\NDProxy.sys
00:40:03.0453 2672  NDProxy - ok
00:40:03.0468 2672  [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS         C:\WINDOWS\system32\DRIVERS\netbios.sys
00:40:03.0468 2672  NetBIOS - ok
00:40:03.0515 2672  [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT           C:\WINDOWS\system32\DRIVERS\netbt.sys
00:40:03.0531 2672  NetBT - ok
00:40:03.0546 2672  [ B857BA82860D7FF85AE29B095645563B ] NetDDE          C:\WINDOWS\system32\netdde.exe
00:40:03.0546 2672  NetDDE - ok
00:40:03.0562 2672  [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm      C:\WINDOWS\system32\netdde.exe
00:40:03.0562 2672  NetDDEdsdm - ok
00:40:03.0593 2672  [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon        C:\WINDOWS\system32\lsass.exe
00:40:03.0593 2672  Netlogon - ok
00:40:03.0609 2672  [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman          C:\WINDOWS\System32\netman.dll
00:40:03.0625 2672  Netman - ok
00:40:03.0656 2672  [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
00:40:03.0656 2672  NetTcpPortSharing - ok
00:40:03.0687 2672  [ FCEE5FCB99F7C724593365C706D28388 ] Nla             C:\WINDOWS\System32\mswsock.dll
00:40:03.0687 2672  Nla - ok
00:40:03.0718 2672  [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs            C:\WINDOWS\system32\drivers\Npfs.sys
00:40:03.0718 2672  Npfs - ok
00:40:03.0750 2672  [ 4C51D5275AE8A16999EDFE7E647D00DE ] Ntfs            C:\WINDOWS\system32\drivers\Ntfs.sys
00:40:03.0781 2672  Ntfs - ok
00:40:03.0796 2672  [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp         C:\WINDOWS\system32\lsass.exe
00:40:03.0796 2672  NtLmSsp - ok
00:40:03.0828 2672  [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc         C:\WINDOWS\system32\ntmssvc.dll
00:40:03.0859 2672  NtmsSvc - ok
00:40:03.0890 2672  [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null            C:\WINDOWS\system32\drivers\Null.sys
00:40:03.0890 2672  Null - ok
00:40:03.0906 2672  [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt        C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
00:40:03.0906 2672  NwlnkFlt - ok
00:40:03.0921 2672  [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd        C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
00:40:03.0921 2672  NwlnkFwd - ok
00:40:03.0968 2672  [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport         C:\WINDOWS\system32\drivers\Parport.sys
00:40:03.0968 2672  Parport - ok
00:40:03.0984 2672  Partizan - ok
00:40:03.0984 2672  [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr         C:\WINDOWS\system32\drivers\PartMgr.sys
00:40:03.0984 2672  PartMgr - ok
00:40:04.0000 2672  [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm          C:\WINDOWS\system32\drivers\ParVdm.sys
00:40:04.0015 2672  ParVdm - ok
00:40:04.0031 2672  [ A219903CCF74233761D92BEF471A07B1 ] PCI             C:\WINDOWS\system32\DRIVERS\pci.sys
00:40:04.0031 2672  PCI - ok
00:40:04.0046 2672  PCIDump - ok
00:40:04.0046 2672  PCIIde - ok
00:40:04.0062 2672  [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia          C:\WINDOWS\system32\drivers\Pcmcia.sys
00:40:04.0062 2672  Pcmcia - ok
00:40:04.0078 2672  PDCOMP - ok
00:40:04.0078 2672  PDFRAME - ok
00:40:04.0093 2672  PDRELI - ok
00:40:04.0093 2672  PDRFRAME - ok
00:40:04.0093 2672  perc2 - ok
00:40:04.0109 2672  perc2hib - ok
00:40:04.0140 2672  [ C519E15665CD89A91AD383FCE3CB556A ] PlugPlay        C:\WINDOWS\system32\services.exe
00:40:04.0140 2672  PlugPlay - ok
00:40:04.0156 2672  [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent     C:\WINDOWS\system32\lsass.exe
00:40:04.0156 2672  PolicyAgent - ok
00:40:04.0171 2672  [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport    C:\WINDOWS\system32\DRIVERS\raspptp.sys
00:40:04.0187 2672  PptpMiniport - ok
00:40:04.0187 2672  [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
00:40:04.0187 2672  ProtectedStorage - ok
00:40:04.0203 2672  [ D8E11D311785F89F1D70A28B0E879127 ] PSched          C:\WINDOWS\system32\DRIVERS\psched.sys
00:40:04.0218 2672  PSched - ok
00:40:04.0234 2672  [ 45D961FAF405848DCEEBC3F459DC90B3 ] pssnap          C:\WINDOWS\system32\DRIVERS\pssnap.sys
00:40:04.0250 2672  pssnap - ok
00:40:04.0281 2672  [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink         C:\WINDOWS\system32\DRIVERS\ptilink.sys
00:40:04.0281 2672  Ptilink - ok
00:40:04.0281 2672  ql1080 - ok
00:40:04.0296 2672  Ql10wnt - ok
00:40:04.0296 2672  ql12160 - ok
00:40:04.0312 2672  ql1240 - ok
00:40:04.0312 2672  ql1280 - ok
00:40:04.0328 2672  [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd          C:\WINDOWS\system32\DRIVERS\rasacd.sys
00:40:04.0328 2672  RasAcd - ok
00:40:04.0375 2672  [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto         C:\WINDOWS\System32\rasauto.dll
00:40:04.0390 2672  RasAuto - ok
00:40:04.0421 2672  [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp         C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
00:40:04.0421 2672  Rasl2tp - ok
00:40:04.0421 2672  [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan          C:\WINDOWS\System32\rasmans.dll
00:40:04.0437 2672  RasMan - ok
00:40:04.0453 2672  [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe        C:\WINDOWS\system32\DRIVERS\raspppoe.sys
00:40:04.0453 2672  RasPppoe - ok
00:40:04.0453 2672  [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti          C:\WINDOWS\system32\DRIVERS\raspti.sys
00:40:04.0453 2672  Raspti - ok
00:40:04.0468 2672  [ 77050C6615F6EB5402F832B27FD695E0 ] Rdbss           C:\WINDOWS\system32\DRIVERS\rdbss.sys
00:40:04.0484 2672  Rdbss - ok
00:40:04.0484 2672  [ 4912D5B403614CE99C28420F75353332 ] RDPCDD          C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
00:40:04.0484 2672  RDPCDD - ok
00:40:04.0515 2672  [ 47EA20320E3D6FDC7B7BB22B2B881CA6 ] rdpdr           C:\WINDOWS\system32\DRIVERS\rdpdr.sys
00:40:04.0531 2672  rdpdr - ok
00:40:04.0578 2672  [ C7D9BC54354B8C706ABF172D48313F1B ] RDPWD           C:\WINDOWS\system32\drivers\RDPWD.sys
00:40:04.0593 2672  RDPWD - ok
00:40:04.0640 2672  [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr       C:\WINDOWS\system32\sessmgr.exe
00:40:04.0640 2672  RDSessMgr - ok
00:40:04.0671 2672  [ F828DD7E1419B6653894A8F97A0094C5 ] redbook         C:\WINDOWS\system32\DRIVERS\redbook.sys
00:40:04.0671 2672  redbook - ok
00:40:04.0734 2672  [ 4B01F83ED002489FEB0FD12D62FD231D ] ReflectService.exe C:\Program Files\Macrium\Reflect\ReflectService.exe
00:40:04.0734 2672  ReflectService.exe - ok
00:40:04.0781 2672  [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess    C:\WINDOWS\System32\mprdim.dll
00:40:04.0781 2672  RemoteAccess - ok
00:40:04.0812 2672  [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry  C:\WINDOWS\system32\regsvc.dll
00:40:04.0828 2672  RemoteRegistry - ok
00:40:04.0843 2672  [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator      C:\WINDOWS\system32\locator.exe
00:40:04.0859 2672  RpcLocator - ok
00:40:04.0875 2672  [ 9222562D44021B988B9F9F62207FB6F2 ] RpcSs           C:\WINDOWS\system32\rpcss.dll
00:40:04.0890 2672  RpcSs - ok
00:40:04.0906 2672  [ 743D7D59767073A617B1DCC6C546F234 ] rspndr          C:\WINDOWS\system32\DRIVERS\rspndr.sys
00:40:04.0906 2672  rspndr - ok
00:40:04.0953 2672  [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP            C:\WINDOWS\system32\rsvp.exe
00:40:04.0968 2672  RSVP - ok
00:40:05.0000 2672  [ EB6CAF7C5FCCB50C3E62F878640E082E ] RTLE8023xp      C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
00:40:05.0000 2672  RTLE8023xp - ok
00:40:05.0031 2672  [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs           C:\WINDOWS\system32\lsass.exe
00:40:05.0031 2672  SamSs - ok
00:40:05.0062 2672  [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr        C:\WINDOWS\System32\SCardSvr.exe
00:40:05.0062 2672  SCardSvr - ok
00:40:05.0156 2672  [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule        C:\WINDOWS\system32\schedsvc.dll
00:40:05.0171 2672  Schedule - ok
00:40:05.0187 2672  [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv          C:\WINDOWS\system32\DRIVERS\secdrv.sys
00:40:05.0187 2672  Secdrv - ok
00:40:05.0203 2672  [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon        C:\WINDOWS\System32\seclogon.dll
00:40:05.0203 2672  seclogon - ok
00:40:05.0218 2672  [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS            C:\WINDOWS\system32\sens.dll
00:40:05.0234 2672  SENS - ok
00:40:05.0234 2672  [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial          C:\WINDOWS\system32\drivers\Serial.sys
00:40:05.0234 2672  Serial - ok
00:40:05.0281 2672  [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy         C:\WINDOWS\system32\drivers\Sfloppy.sys
00:40:05.0281 2672  Sfloppy - ok
00:40:05.0312 2672  [ 4F10A2FA76B5BD54CD68AFA94E8ADB39 ] SharedAccess    C:\WINDOWS\System32\ipnathlp.dll
00:40:05.0328 2672  SharedAccess - ok
00:40:05.0390 2672  [ 888CD7B39C37E13A2419BECFAAF0A28C ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
00:40:05.0406 2672  ShellHWDetection - ok
00:40:05.0406 2672  Simbad - ok
00:40:05.0453 2672  [ 5E065268F31F5CBEFE37FE24D7A3ABF0 ] SkypeUpdate     C:\Program Files\Skype\Updater\Updater.exe
00:40:05.0468 2672  SkypeUpdate - ok
00:40:05.0484 2672  [ 866D538EBE33709A5C9F5C62B73B7D14 ] SLIP            C:\WINDOWS\system32\DRIVERS\SLIP.sys
00:40:05.0484 2672  SLIP - ok
00:40:05.0515 2672  Sparrow - ok
00:40:05.0562 2672  [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter        C:\WINDOWS\system32\drivers\splitter.sys
00:40:05.0562 2672  splitter - ok
00:40:05.0609 2672  [ 258DD5D4283FD9F9A7166BE9AE45CE73 ] Spooler         C:\WINDOWS\system32\spoolsv.exe
00:40:05.0609 2672  Spooler - ok
00:40:05.0656 2672  [ 68103A2B441BBF3908EBB587F0704D6C ] sptd            C:\WINDOWS\System32\Drivers\sptd.sys
00:40:05.0671 2672  sptd - ok
00:40:05.0703 2672  [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr              C:\WINDOWS\system32\DRIVERS\sr.sys
00:40:05.0703 2672  sr - ok
00:40:05.0734 2672  [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice       C:\WINDOWS\system32\srsvc.dll
00:40:05.0734 2672  srservice - ok
00:40:05.0765 2672  [ 9B390283569EA58D43D2586032B892F5 ] Srv             C:\WINDOWS\system32\DRIVERS\srv.sys
00:40:05.0781 2672  Srv - ok
00:40:05.0796 2672  [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV         C:\WINDOWS\System32\ssdpsrv.dll
00:40:05.0812 2672  SSDPSRV - ok
00:40:05.0843 2672  [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc          C:\WINDOWS\system32\wiaservc.dll
00:40:05.0875 2672  stisvc - ok
00:40:05.0890 2672  [ 77813007BA6265C4B6098187E6ED79D2 ] streamip        C:\WINDOWS\system32\DRIVERS\StreamIP.sys
00:40:05.0890 2672  streamip - ok
00:40:05.0906 2672  [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum          C:\WINDOWS\system32\DRIVERS\swenum.sys
00:40:05.0921 2672  swenum - ok
00:40:05.0937 2672  [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi          C:\WINDOWS\system32\drivers\swmidi.sys
00:40:05.0937 2672  swmidi - ok
00:40:05.0953 2672  SwPrv - ok
00:40:05.0953 2672  symc810 - ok
00:40:05.0968 2672  symc8xx - ok
00:40:05.0968 2672  sym_hi - ok
00:40:05.0984 2672  sym_u3 - ok
00:40:06.0062 2672  [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio        C:\WINDOWS\system32\drivers\sysaudio.sys
00:40:06.0062 2672  sysaudio - ok
00:40:06.0109 2672  [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog       C:\WINDOWS\system32\smlogsvc.exe
00:40:06.0109 2672  SysmonLog - ok
00:40:06.0203 2672  [ E2B32B10ACC5D97623275AAFB67E5F03 ] TapiSrv         C:\WINDOWS\System32\tapisrv.dll
00:40:06.0234 2672  TapiSrv - ok
00:40:06.0250 2672  [ 474D3DCCB57DEFCD917311EEC47204B9 ] Tcpip           C:\WINDOWS\system32\DRIVERS\tcpip.sys
00:40:06.0265 2672  Tcpip - ok
00:40:06.0281 2672  [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE          C:\WINDOWS\system32\drivers\TDPIPE.sys
00:40:06.0281 2672  TDPIPE - ok
00:40:06.0296 2672  [ C0578456F29E5F26285F81B7B71FE57D ] TDTCP           C:\WINDOWS\system32\drivers\TDTCP.sys
00:40:06.0296 2672  TDTCP - ok
00:40:06.0312 2672  [ 88155247177638048422893737429D9E ] TermDD          C:\WINDOWS\system32\DRIVERS\termdd.sys
00:40:06.0312 2672  TermDD - ok
00:40:06.0359 2672  [ 5128852A18AE46C387F87BF27DA4C9DD ] TermService     C:\WINDOWS\System32\termsrv.dll
00:40:06.0406 2672  TermService - ok
00:40:06.0453 2672  [ 888CD7B39C37E13A2419BECFAAF0A28C ] Themes          C:\WINDOWS\System32\shsvcs.dll
00:40:06.0468 2672  Themes - ok
00:40:06.0515 2672  [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr         C:\WINDOWS\system32\tlntsvr.exe
00:40:06.0515 2672  TlntSvr - ok
00:40:06.0531 2672  TosIde - ok
00:40:06.0531 2672  [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks          C:\WINDOWS\system32\trkwks.dll
00:40:06.0546 2672  TrkWks - ok
00:40:06.0562 2672  [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs            C:\WINDOWS\system32\drivers\Udfs.sys
00:40:06.0562 2672  Udfs - ok
00:40:06.0578 2672  ultra - ok
00:40:06.0593 2672  [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update          C:\WINDOWS\system32\DRIVERS\update.sys
00:40:06.0609 2672  Update - ok
00:40:06.0625 2672  [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost        C:\WINDOWS\System32\upnphost.dll
00:40:06.0640 2672  upnphost - ok
00:40:06.0765 2672  [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS             C:\WINDOWS\System32\ups.exe
00:40:06.0812 2672  UPS - ok
00:40:06.0828 2672  [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp         C:\WINDOWS\system32\DRIVERS\usbccgp.sys
00:40:06.0953 2672  usbccgp - ok
00:40:07.0109 2672  [ D8B72BC1A9D28F98497C730E7FC13DFB ] usbehci         C:\WINDOWS\system32\DRIVERS\usbehci.sys
00:40:07.0125 2672  usbehci - ok
00:40:07.0171 2672  [ 933EFB453A2C54CE4B2631B318D41959 ] usbfilter       C:\WINDOWS\system32\DRIVERS\usbfilter.sys
00:40:07.0171 2672  usbfilter - ok
00:40:07.0171 2672  [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub          C:\WINDOWS\system32\DRIVERS\usbhub.sys
00:40:07.0187 2672  usbhub - ok
00:40:07.0234 2672  [ C5E11CD822ADF0019A5A862D9C4E2222 ] usbohci         C:\WINDOWS\system32\DRIVERS\usbohci.sys
00:40:07.0234 2672  usbohci - ok
00:40:07.0250 2672  [ A32426D9B14A089EAA1D922E0C5801A9 ] usbstor         C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
00:40:07.0250 2672  usbstor - ok
00:40:07.0296 2672  [ 63BBFCA7F390F4C49ED4B96BFB1633E0 ] usbvideo        C:\WINDOWS\system32\Drivers\usbvideo.sys
00:40:07.0312 2672  usbvideo - ok
00:40:07.0328 2672  [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave         C:\WINDOWS\System32\drivers\vga.sys
00:40:07.0328 2672  VgaSave - ok
00:40:07.0343 2672  ViaIde - ok
00:40:07.0359 2672  [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap         C:\WINDOWS\system32\drivers\VolSnap.sys
00:40:07.0359 2672  VolSnap - ok
00:40:07.0437 2672  [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS             C:\WINDOWS\System32\vssvc.exe
00:40:07.0453 2672  VSS - ok
00:40:07.0468 2672  [ 9F8A0D0CBB2FA265A754516128C00E22 ] W32Time         C:\WINDOWS\system32\w32time.dll
00:40:07.0484 2672  W32Time - ok
00:40:07.0484 2672  [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp          C:\WINDOWS\system32\DRIVERS\wanarp.sys
00:40:07.0500 2672  Wanarp - ok
00:40:07.0500 2672  WDICA - ok
00:40:07.0546 2672  [ 6768ACF64B18196494413695F0C3A00F ] wdmaud          C:\WINDOWS\system32\drivers\wdmaud.sys
00:40:07.0546 2672  wdmaud - ok
00:40:07.0562 2672  [ 703591CD1403BC19E7198CA7B314E132 ] WebClient       C:\WINDOWS\System32\webclnt.dll
00:40:07.0562 2672  WebClient - ok
00:40:07.0593 2672  [ 05FB36A51E04A6C6B3A5F125FA692E6B ] WIMMount        C:\Program Files\Macrium\Reflect\wimmount.sys
00:40:07.0593 2672  WIMMount - ok
00:40:07.0671 2672  [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt         C:\WINDOWS\system32\wbem\WMIsvc.dll
00:40:07.0687 2672  winmgmt - ok
00:40:07.0718 2672  [ 051B1BDECD6DEE18C771B5D5EC7F044D ] WmdmPmSN        C:\WINDOWS\system32\MsPMSNSv.dll
00:40:07.0718 2672  WmdmPmSN - ok
00:40:07.0765 2672  [ 652C0DB3B76746CC1E50823E1FCF7B13 ] Wmi             C:\WINDOWS\System32\advapi32.dll
00:40:07.0796 2672  Wmi - ok
00:40:07.0828 2672  [ C42584FD66CE9E17403AEBCA199F7BDB ] WmiAcpi         C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
00:40:07.0828 2672  WmiAcpi - ok
00:40:07.0875 2672  [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv        C:\WINDOWS\system32\wbem\wmiapsrv.exe
00:40:07.0875 2672  WmiApSrv - ok
00:40:07.0937 2672  [ 6BAB4DC65515A098505F8B3D01FB6FE5 ] WMPNetworkSvc   C:\Program Files\Windows Media Player\WMPNetwk.exe
00:40:07.0968 2672  WMPNetworkSvc - ok
00:40:08.0078 2672  [ 120F3B596F79FC990B7D808857A8B3BC ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
00:40:08.0125 2672  WPFFontCache_v0400 - ok
00:40:08.0171 2672  [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc          C:\WINDOWS\system32\wscsvc.dll
00:40:08.0171 2672  wscsvc - ok
00:40:08.0187 2672  [ C98B39829C2BBD34E454150633C62C78 ] WSTCODEC        C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
00:40:08.0187 2672  WSTCODEC - ok
00:40:08.0218 2672  [ 37E17DF31E2883F394FABFBC93AC3069 ] wuauserv        C:\WINDOWS\system32\wuauserv.dll
00:40:08.0234 2672  wuauserv - ok
00:40:08.0281 2672  [ EAA6324F51214D2F6718977EC9CE0DEF ] WudfPf          C:\WINDOWS\system32\DRIVERS\WudfPf.sys
00:40:08.0296 2672  WudfPf - ok
00:40:08.0312 2672  [ F91FF1E51FCA30B3C3981DB7D5924252 ] WudfRd          C:\WINDOWS\system32\DRIVERS\wudfrd.sys
00:40:08.0312 2672  WudfRd - ok
00:40:08.0328 2672  [ DDEE3682FE97037C45F4D7AB467CB8B6 ] WudfSvc         C:\WINDOWS\System32\WUDFSvc.dll
00:40:08.0343 2672  WudfSvc - ok
00:40:08.0375 2672  [ 349B8D2BB755E8C3B0E3E82A87663E55 ] WZCSVC          C:\WINDOWS\System32\wzcsvc.dll
00:40:08.0437 2672  WZCSVC - ok
00:40:08.0453 2672  [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov         C:\WINDOWS\System32\xmlprov.dll
00:40:08.0484 2672  xmlprov - ok
00:40:08.0500 2672  ================ Scan global ===============================
00:40:08.0515 2672  [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
00:40:08.0546 2672  [ A6430B97C05DA8A4BA70E8280B2E6287 ] C:\WINDOWS\system32\winsrv.dll
00:40:08.0593 2672  [ A6430B97C05DA8A4BA70E8280B2E6287 ] C:\WINDOWS\system32\winsrv.dll
00:40:08.0625 2672  [ C519E15665CD89A91AD383FCE3CB556A ] C:\WINDOWS\system32\services.exe
00:40:08.0625 2672  [Global] - ok
00:40:08.0640 2672  ================ Scan MBR ==================================
00:40:08.0640 2672  [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
00:40:08.0953 2672  \Device\Harddisk0\DR0 - ok
00:40:08.0953 2672  ================ Scan VBR ==================================
00:40:08.0953 2672  [ 47825B698373B40D68652927CFF59452 ] \Device\Harddisk0\DR0\Partition1
00:40:08.0953 2672  \Device\Harddisk0\DR0\Partition1 - ok
00:40:08.0953 2672  ============================================================
00:40:08.0953 2672  Scan finished
00:40:08.0953 2672  ============================================================
00:40:08.0968 2656  Detected object count: 0
00:40:08.0968 2656  Actual detected object count: 0
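
The listing above is TDSSKiller's inventory of every registered service and driver with the MD5 of its image file, followed by the MBR and VBR sector hashes and the detection counts. The script below is an added example, not part of the thread and not TDSSKiller's own code; it parses that line format and pulls out what a reviewer otherwise scans for by eye: images that live outside \WINDOWS (third-party services such as Macrium Reflect and Skype in this log), one image hosting several services (lsass.exe hosting PolicyAgent, ProtectedStorage and SamSs is normal on XP), names TDSSKiller lists with a status but no hash line (SwPrv and the ql*/sym* storage entries above), the boot-sector hashes worth keeping for a later comparison, and anything not reported "- ok". The sample log is a constructed abridgement of the posted one. verify_on_disk re-hashes the listed files on the machine the log came from; the hashes in the log are from scan time, so a mismatch later means the file changed in between.

```python
"""Summarise a TDSSKiller service/driver listing: hashes, image paths, boot sectors."""
import hashlib
import os
import re
from collections import defaultdict

# Constructed sample: lines copied from the TDSSKiller log above, abridged but in
# the same format (timestamp, PID, optional "[ MD5 ]", name, image path).
SAMPLE_LOG = r"""00:40:04.0140 2672  [ C519E15665CD89A91AD383FCE3CB556A ] PlugPlay        C:\WINDOWS\system32\services.exe
00:40:04.0140 2672  PlugPlay - ok
00:40:04.0156 2672  [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent     C:\WINDOWS\system32\lsass.exe
00:40:04.0156 2672  PolicyAgent - ok
00:40:04.0187 2672  [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
00:40:04.0187 2672  ProtectedStorage - ok
00:40:04.0734 2672  [ 4B01F83ED002489FEB0FD12D62FD231D ] ReflectService.exe C:\Program Files\Macrium\Reflect\ReflectService.exe
00:40:04.0734 2672  ReflectService.exe - ok
00:40:05.0453 2672  [ 5E065268F31F5CBEFE37FE24D7A3ABF0 ] SkypeUpdate     C:\Program Files\Skype\Updater\Updater.exe
00:40:05.0468 2672  SkypeUpdate - ok
00:40:05.0656 2672  [ 68103A2B441BBF3908EBB587F0704D6C ] sptd            C:\WINDOWS\System32\Drivers\sptd.sys
00:40:05.0671 2672  sptd - ok
00:40:05.0953 2672  SwPrv - ok
00:40:08.0500 2672  ================ Scan global ===============================
00:40:08.0625 2672  [Global] - ok
00:40:08.0640 2672  ================ Scan MBR ==================================
00:40:08.0640 2672  [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
00:40:08.0953 2672  \Device\Harddisk0\DR0 - ok
00:40:08.0953 2672  ================ Scan VBR ==================================
00:40:08.0953 2672  [ 47825B698373B40D68652927CFF59452 ] \Device\Harddisk0\DR0\Partition1
00:40:08.0953 2672  \Device\Harddisk0\DR0\Partition1 - ok
00:40:08.0968 2656  Detected object count: 0
00:40:08.0968 2656  Actual detected object count: 0
"""

LINE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(.*)$")           # strip timestamp and PID
HASHED = re.compile(r"^\[ ([0-9A-Fa-f]{32}) \] (\S+)(?:\s+(.+))?$")  # "[ MD5 ] name [path]"
STATUS = re.compile(r"^(.+?) - (\S.*)$")                             # "name - ok"
COUNT = re.compile(r"^(Actual )?[Dd]etected object count: (\d+)$")
SYSTEMROOT = "c:\\windows\\"  # assumption: the log's %SystemRoot% is C:\WINDOWS, as above


def parse(text):
    """Return hashed entries, per-name status text and the final detection counts."""
    entries, status, counts = {}, {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue
        body = m.group(1).strip()
        if body.startswith("====="):          # section banner
            continue
        c = COUNT.match(body)
        if c:
            counts["actual" if c.group(1) else "reported"] = int(c.group(2))
            continue
        h = HASHED.match(body)
        if h:
            md5, name, path = h.groups()      # path is None for MBR/VBR sector entries
            entries[name] = {"md5": md5.upper(), "path": path}
            continue
        s = STATUS.match(body)
        if s:
            status[s.group(1)] = s.group(2)
    return {"entries": entries, "status": status, "counts": counts}


def triage(parsed):
    """Group the parsed listing the way a reviewer reads it."""
    entries, status = parsed["entries"], parsed["status"]
    by_image, outside_systemroot, boot_hashes = defaultdict(list), [], {}
    for name, e in entries.items():
        if e["path"] is None:
            boot_hashes[name] = e["md5"]      # MBR / VBR hashes, keep for later comparison
            continue
        by_image[e["path"].lower()].append(name)
        if not e["path"].lower().startswith(SYSTEMROOT):
            outside_systemroot.append(name)   # third-party service or driver image
    return {
        "outside_systemroot": outside_systemroot,
        "shared_images": {p: n for p, n in by_image.items() if len(n) > 1},
        "unhashed": sorted(n for n in status if n not in entries and not n.startswith("[")),
        "not_ok": {n: s for n, s in status.items() if s != "ok"},
        "boot_hashes": boot_hashes,
        "counts": parsed["counts"],
    }


def verify_on_disk(entries):
    """Re-hash listed images that exist on this host; absent files are skipped."""
    result = {}
    for name, e in entries.items():
        path = e["path"]
        if not path or not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            result[name] = hashlib.md5(f.read()).hexdigest().upper() == e["md5"]
    return result


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for key, val in triage(parsed).items():
        print(f"{key}: {val}")
    print("on-disk check:", verify_on_disk(parsed["entries"]))
```

Run it against the full log saved from TDSSKiller; the "outside_systemroot" and "not_ok" lists are the lines to read first, and "boot_hashes" is what to compare after any repair that rewrites the MBR.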


#4 TB-Psychotic (Malware Response Team)

Posted 18 September 2013 - 02:59 AM

OK, then post the GMER log as well.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 effingmalware (Topic Starter)

Posted 18 September 2013 - 03:08 AM

Sorry. The GMER scan took longer, so I posted the TDSS log first.

 

GMER results:

 

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-09-18 01:08:35
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Scsi\ahcix861Port1Path0Target0Lun0 WDC____ rev.01.01A01 298.09GB
Running: f6jykcry.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kglirkog.sys
 
 
---- System - GMER 2.1 ----
 
SSDT      \??\C:\WINDOWS\system32\drivers\avgtpx86.sys                                                                          ZwQueryValueKey [0xBA2A91AE]
 
INT 0x62  ?                                                                                                                     8AC94CC8
INT 0x63  ?                                                                                                                     8ABAFCC8
INT 0x63  ?                                                                                                                     8ABAFCC8
INT 0x63  ?                                                                                                                     8ABAFCC8
INT 0x63  ?                                                                                                                     8ABAFCC8
INT 0x73  ?                                                                                                                     8AC52CC8
INT 0xB4  ?                                                                                                                     8ABAFCC8
INT 0xB4  ?                                                                                                                     8ABAFCC8
INT 0xB4  ?                                                                                                                     8ABAFCC8
INT 0xB4  ?                                                                                                                     8ABAFCC8
 
---- Devices - GMER 2.1 ----
 
Device    \FileSystem\Ntfs \Ntfs                                                                                                8AC911F8
Device    \FileSystem\Udfs \UdfsCdRom                                                                                           88B9B430
Device    \FileSystem\Udfs \UdfsDisk                                                                                            88B9B430
Device    \Driver\Kbdclass \Device\KeyboardClass0                                                                               ETD.sys
Device    \Driver\Kbdclass \Device\KeyboardClass1                                                                               ETD.sys
Device    \Driver\usbohci \Device\USBPDO-0                                                                                      89E4D1F8
Device    \Driver\usbehci \Device\USBPDO-1                                                                                      89E441F8
Device    \Driver\usbehci \Device\USBPDO-2                                                                                      89E441F8
Device    \Driver\usbohci \Device\USBPDO-3                                                                                      89E4D1F8
Device    \Driver\usbohci \Device\USBPDO-4                                                                                      89E4D1F8
Device    \Driver\usbehci \Device\USBPDO-5                                                                                      89E441F8
Device    \Driver\usbohci \Device\USBPDO-6                                                                                      89E4D1F8
Device    \Driver\Cdrom \Device\CdRom0                                                                                          89E541F8
Device    \Driver\Cdrom \Device\CdRom1                                                                                          89E541F8
Device    \Driver\atapi \Device\Ide\IdePort0                                                                                    [B9DFDB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device    \Driver\usbstor \Device\00000081                                                                                      895BD1F8
Device    \Driver\usbstor \Device\00000083                                                                                      895BD1F8
Device    \Driver\NetBT \Device\NetBt_Wins_Export                                                                               896201F8
Device    \Driver\PCI_PNP3524 \Device\0000004a                                                                                  sptd.sys
Device    \Driver\PCI_PNP3524 \Device\0000004a                                                                                  sptd.sys
Device    \Driver\NetBT \Device\NetbiosSmb                                                                                      896201F8
Device    \Driver\NetBT \Device\NetBT_Tcpip_{D2C0BFCA-D670-4213-A046-9CDFB9B611BE}                                              896201F8
Device    \Driver\NetBT \Device\NetBT_Tcpip_{FEDBD01E-4C63-43CA-821E-8BBB4619A146}                                              896201F8
Device    \Driver\usbohci \Device\USBFDO-0                                                                                      89E4D1F8
Device    \Driver\usbehci \Device\USBFDO-1                                                                                      89E441F8
Device    \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                     8931B1F8
Device    \Driver\usbohci \Device\USBFDO-2                                                                                      89E4D1F8
Device    \FileSystem\MRxSmb \Device\LanmanRedirector                                                                           8931B1F8
Device    \Driver\usbehci \Device\USBFDO-3                                                                                      89E441F8
Device    \Driver\usbohci \Device\USBFDO-4                                                                                      89E4D1F8
Device    \Driver\usbohci \Device\USBFDO-5                                                                                      89E4D1F8
Device    \Driver\usbehci \Device\USBFDO-6                                                                                      89E441F8
Device    \Driver\ahcix86 \Device\Scsi\ahcix861                                                                                 8AC4E1F8
Device    \Driver\asqt3p2o \Device\Scsi\asqt3p2o1Port2Path0Target0Lun0                                                          8AB97430
Device    \Driver\asqt3p2o \Device\Scsi\asqt3p2o1                                                                               8AB97430
Device    \Driver\ahcix86 \Device\Scsi\ahcix861Port1Path0Target1Lun0                                                            8AC4E1F8
Device    \Driver\ahcix86 \Device\Scsi\ahcix861Port1Path0Target0Lun0                                                            8AC4E1F8
Device    \FileSystem\Cdfs \Cdfs                                                                                                89310430
 
---- Trace I/O - GMER 2.1 ----
 
Trace     ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8ac4e1f8]<<                                                           8ac4e1f8
Trace     1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8abfc8c8]                                                               8abfc8c8
Trace     3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Scsi\ahcix861Port1Path0Target0Lun0[0x89e90030]                89e90030
Trace     \Driver\ahcix86[0x8ac05378] -> IRP_MJ_CREATE -> 0x8ac4e1f8                                                            8ac4e1f8
 
---- Registry - GMER 2.1 ----
 
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)                  
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0                                       C:\Program Files\Alcohol Soft\Alcohol 52\
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                                       0
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                                    0xB8 0x0E 0x93 0x3C ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)         
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0                              0xA0 0x02 0x00 0x00 ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew                           0xBD 0x2C 0x33 0xFB ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)  
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew                    0xC2 0xB9 0x2D 0x33 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04                                      
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0                                   C:\Program Files\Alcohol Soft\Alcohol 52\
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                                   0
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                                0xB8 0x0E 0x93 0x3C ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001                             
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0                          0xA0 0x02 0x00 0x00 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew                       0xBD 0x2C 0x33 0xFB ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40                      
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew                0xC2 0xB9 0x2D 0x33 ...
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)                  
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0                                       C:\Program Files\Alcohol Soft\Alcohol 52\
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                                       0
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                                    0xB8 0x0E 0x93 0x3C ...
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)         
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0                              0xA0 0x02 0x00 0x00 ...
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew                           0xBD 0x2C 0x33 0xFB ...
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)  
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew                    0xC2 0xB9 0x2D 0x33 ...
 
---- EOF - GMER 2.1 ----

Edited by effingmalware, 18 September 2013 - 03:08 AM.
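
Reading a GMER log column by column is slow, so here is an added example, not part of the thread and not GMER's own code, that parses the record lines and groups what matters for attribution: which module owns each SSDT hook (in this log avgtpx86.sys, under the AVG driver path), which device objects dispatch into a named driver rather than a plain kernel address (ETD.sys, sptd.sys, and the atapi.sys entry GMER marks [unknown section], meaning the dispatch lands in atapi.sys outside any named PE section and should be compared against a clean copy before drawing conclusions), the address GMER could not attribute on the disk I/O path, and the filesystem paths stored under a service's Cfg key (sptd's point at the Alcohol 52 directory, the CD-emulation product the next reply asks to disable with DeFogger). The randomly named driver in the "Running:" header is GMER's own scanning driver. The sample log is a constructed abridgement of the posted one; the column rule (a run of two or more spaces separates the target from the value column) is an assumption about GMER's layout that holds for the lines above.

```python
"""Triage a GMER 2.x log: attribute SSDT hooks and device dispatch to modules."""
import re
from collections import defaultdict

# Constructed sample: an abridged excerpt of the GMER log above, same line format.
SAMPLE_LOG = r"""GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-09-18 01:08:35
Running: f6jykcry.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kglirkog.sys

---- System - GMER 2.1 ----

SSDT      \??\C:\WINDOWS\system32\drivers\avgtpx86.sys         ZwQueryValueKey [0xBA2A91AE]

INT 0x62  ?                                                    8AC94CC8

---- Devices - GMER 2.1 ----

Device    \FileSystem\Ntfs \Ntfs                               8AC911F8
Device    \Driver\Kbdclass \Device\KeyboardClass0              ETD.sys
Device    \Driver\atapi \Device\Ide\IdePort0                   [B9DFDB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device    \Driver\PCI_PNP3524 \Device\0000004a                 sptd.sys
Device    \Driver\PCI_PNP3524 \Device\0000004a                 sptd.sys

---- Trace I/O - GMER 2.1 ----

Trace     ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8ac4e1f8]<<      8ac4e1f8

---- Registry - GMER 2.1 ----

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0   C:\Program Files\Alcohol Soft\Alcohol 52\
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0   0

---- EOF - GMER 2.1 ----
"""

RECORD_KINDS = {"SSDT", "INT", "Device", "Trace", "Reg", "Code", "AttachedDevice"}
HEX_ADDR = re.compile(r"^[0-9A-Fa-f]{8}$")                     # plain kernel address
MODULE = re.compile(r"([\w.-]+\.(?:sys|exe|dll))", re.IGNORECASE)
REG_SERVICE = re.compile(r"\\Services\\([^\\]+)\\Cfg", re.IGNORECASE)
TRACE_UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_records(text):
    """Yield (kind, target, value) per record line.

    Assumption: GMER aligns the value column with runs of spaces, so the first run
    of two or more spaces ends the target; single spaces inside a target
    (driver object + device object) are kept.
    """
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("----"):
            continue
        head = line.split(None, 1)
        if len(head) != 2 or head[0] not in RECORD_KINDS:
            continue
        kind, rest = head
        parts = re.split(r"\s{2,}", rest.strip())
        yield kind, parts[0], (parts[-1] if len(parts) > 1 else "")


def triage(text):
    """Group hook-relevant records by the module they resolve to."""
    summary = {
        "scanner_driver": None,                 # GMER's own randomly named driver
        "int_vectors": [],                      # hooked interrupt vectors GMER lists
        "ssdt": [],                             # (hooked syscall, hooking module)
        "device_owners": defaultdict(list),     # module -> device objects it dispatches
        "unknown_section": [],                  # modules whose dispatch is outside a named section
        "trace_unknown": [],                    # unattributed addresses on the disk I/O path
        "reg_paths": defaultdict(list),         # service -> paths stored under its Cfg key
    }
    hdr = re.search(r"Driver:\s*(\S+)", text)
    if hdr:
        summary["scanner_driver"] = hdr.group(1)
    for kind, target, value in parse_records(text):
        if kind == "SSDT":
            summary["ssdt"].append((value.split()[0], target.rsplit("\\", 1)[-1]))
        elif kind == "INT":
            summary["int_vectors"].append(target)
        elif kind == "Device":
            if HEX_ADDR.match(value):
                continue                        # nothing to attribute
            device = target.split(" ", 1)[-1]
            mod = MODULE.search(value)
            owner = mod.group(1) if mod else value
            if device not in summary["device_owners"][owner]:
                summary["device_owners"][owner].append(device)
            if "[unknown section]" in value and owner not in summary["unknown_section"]:
                summary["unknown_section"].append(owner)
        elif kind == "Trace":
            unk = TRACE_UNKNOWN.search(target)
            if unk:
                summary["trace_unknown"].append(unk.group(1))
        elif kind == "Reg":
            svc = REG_SERVICE.search(target)
            if svc and DRIVE_PATH.match(value):
                summary["reg_paths"][svc.group(1)].append(value)
    summary["device_owners"] = dict(summary["device_owners"])
    summary["reg_paths"] = dict(summary["reg_paths"])
    return summary


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

Everything in "device_owners" and "unknown_section" is a lead to attribute, not a verdict: a named owner is only suspicious once you know what installed it, and the registry paths are how the sptd entries here get explained.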


#6 TB-Psychotic (Malware Response Team)

Posted 18 September 2013 - 03:25 AM

Disable CD Emulation with DeFogger

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK


IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message (screenshot in the original post). Click Yes to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.



#7 effingmalware (Topic Starter)

Posted 18 September 2013 - 04:13 AM

ComboFix deleted some things. I know a few of the file signatures are invalid because it's a customized Windows XP, but I'm not sure about a lot of the other stuff. I saw something called catchme.sys near the GMER results. I've looked it up before and found it's a keylogging trojan; is that true? Or is it some part of GMER? I can't really understand the results, of course. Anyway, thanks for helping.
 
ComboFix results:
 
ComboFix 13-09-17.01 - Owner 09/18/2013   1:57.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2668.1992 [GMT -7:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\My Documents\~WRL3480.tmp
c:\documents and settings\Owner\My Documents\Internet Explorer.lnk
c:\windows\system\VB40032.DLL
c:\windows\system32\config\systemprofile\DELA8E.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-18 to 2013-09-18  )))))))))))))))))))))))))))))))
.
.
2013-09-15 05:31 . 2013-09-15 05:31 -------- d-----w- C:\TDSSKiller_Quarantine
2013-09-03 04:45 . 2013-09-15 12:52 -------- d-----w- C:\AdwCleaner
2013-08-24 03:39 . 2013-09-17 02:53 -------- d-----w- C:\Games
2013-08-24 02:52 . 2013-08-24 02:52 -------- d-----w- C:\boot
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-07 05:57 . 2013-07-09 12:45 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-07 05:57 . 2013-07-09 12:45 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-09 01:56 . 2008-04-14 12:00 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-08 06:05 . 2013-06-07 21:56 920064 ----a-w- c:\windows\system32\wininet.dll
2013-08-08 06:05 . 2013-06-07 21:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-08-08 06:05 . 2009-03-07 20:33 18944 ----a-w- c:\windows\system32\corpol.dll
2013-08-08 01:27 . 2013-06-04 01:40 1877760 ----a-w- c:\windows\system32\win32k.sys
2013-08-08 00:02 . 2013-06-08 05:55 385024 ----a-w- c:\windows\system32\html.iec
2013-08-05 13:30 . 2011-11-01 16:05 1289728 ----a-w- c:\windows\system32\ole32.dll
2013-08-03 21:18 . 2013-05-08 22:28 1543680 ----a-w- c:\windows\system32\wmvdecod.dll
2013-08-01 22:47 . 2013-08-01 22:47 65144 ----a-w- c:\windows\system32\drivers\psmounterex.sys
2013-07-12 17:37 . 2013-07-12 17:37 3186 ----a-w- c:\windows\system32\presetup.cmd
2013-07-12 17:37 . 2013-07-12 17:37 28672 ----a-w- c:\windows\system32\setupold.exe
2013-07-12 17:36 . 2013-07-12 17:36 5632 ----a-w- c:\windows\system32\drivers\mv64xxmm.sys
2013-07-12 17:36 . 2013-07-12 17:36 14184 ----a-w- c:\windows\system32\drivers\mvxxmm.sys
2013-07-12 17:36 . 2013-07-12 17:36 14184 ----a-w- c:\windows\system32\drivers\mv61xxmm.sys
2013-07-12 17:36 . 2013-07-12 17:36 228648 ----a-w- c:\windows\system32\drivers\ahcix80x.sys
2013-07-12 17:35 . 2009-11-27 17:23 17920 ----a-w- c:\windows\system32\msyuv.dll
2013-07-12 17:35 . 2009-11-27 16:28 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2013-07-12 17:35 . 2009-11-27 16:28 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2013-07-12 17:35 . 2008-04-22 17:03 483328 ----a-w- c:\windows\system32\wzcsvc.dll
2013-07-12 17:35 . 2008-04-14 03:42 294912 ----a-w- c:\windows\system32\msh263.drv
2013-07-12 17:35 . 2008-04-14 03:42 52736 ----a-w- c:\windows\system32\wzcsapi.dll
2013-07-12 17:35 . 2008-04-14 03:42 35328 ----a-w- c:\windows\system32\pid.dll
2013-07-12 17:35 . 2008-04-14 03:42 15360 ----a-w- c:\windows\system32\pjlmon.dll
2013-07-12 17:35 . 2008-04-14 03:41 20992 ----a-w- c:\windows\system32\hid.dll
2013-07-12 17:35 . 2008-04-14 03:41 52224 ----a-w- c:\windows\system32\dmutil.dll
2013-07-12 17:35 . 2008-04-14 03:41 47104 ----a-w- c:\windows\system32\cnbjmon.dll
2013-07-12 17:35 . 2008-04-13 22:30 30080 ----a-w- c:\windows\system32\drivers\modem.sys
2013-07-12 17:35 . 2008-04-13 22:26 12288 ----a-w- c:\windows\system32\drivers\tunmp.sys
2013-07-12 17:35 . 2008-04-13 22:26 14592 ----a-w- c:\windows\system32\drivers\ndisuio.sys
2013-07-12 17:35 . 2008-04-13 22:21 61824 ----a-w- c:\windows\system32\drivers\nic1394.sys
2013-07-12 17:35 . 2008-04-13 22:21 60800 ----a-w- c:\windows\system32\drivers\arp1394.sys
2013-07-12 17:35 . 2008-04-13 22:16 25344 ----a-w- c:\windows\system32\drivers\sonydcam.sys
2013-07-12 17:35 . 2008-04-13 22:15 15872 ----a-w- c:\windows\system32\drivers\usbintel.sys
2013-07-12 17:35 . 2008-04-13 22:15 25728 ----a-w- c:\windows\system32\drivers\usbcamd2.sys
2013-07-12 17:35 . 2008-04-13 22:15 25600 ----a-w- c:\windows\system32\drivers\usbcamd.sys
2013-07-12 17:35 . 2008-04-13 22:10 80128 ----a-w- c:\windows\system32\drivers\parport.sys
2013-07-12 17:35 . 2008-04-13 22:09 4352 ----a-w- c:\windows\system32\drivers\swenum.sys
2013-07-12 17:35 . 2008-04-13 22:06 15488 ----a-w- c:\windows\system32\drivers\mssmbios.sys
2013-07-12 17:35 . 2008-04-13 22:06 63744 ----a-w- c:\windows\system32\drivers\mf.sys
2013-07-12 17:35 . 2008-04-13 22:01 37760 ----a-w- c:\windows\system32\drivers\amdk7.sys
2013-07-12 17:35 . 2008-04-13 22:01 37376 ----a-w- c:\windows\system32\drivers\amdk6.sys
2013-07-12 17:35 . 2008-04-13 22:01 36736 ----a-w- c:\windows\system32\drivers\crusoe.sys
2013-07-12 17:35 . 2008-04-13 22:01 42752 ----a-w- c:\windows\system32\drivers\p3.sys
2013-07-12 17:35 . 2008-04-13 22:01 35840 ----a-w- c:\windows\system32\drivers\processr.sys
2013-07-12 17:35 . 2001-08-17 20:37 77891 ----a-w- c:\windows\system32\usrmlnka.exe
2013-07-12 17:35 . 2001-08-17 20:37 69700 ----a-w- c:\windows\system32\usrshuta.exe
2013-07-12 17:35 . 2001-08-17 20:37 61508 ----a-w- c:\windows\system32\usrprbda.exe
2013-07-12 17:35 . 2001-08-17 20:36 55296 ----a-w- c:\windows\system32\dvdplay.exe
2013-07-12 17:35 . 2001-08-17 20:36 3200 ----a-w- c:\windows\system32\wowfax.dll
2013-07-12 17:35 . 2001-08-17 20:36 13824 ----a-w- c:\windows\system32\wowfaxui.dll
2013-07-12 17:35 . 2001-08-17 20:36 86073 ----a-w- c:\windows\system32\usrfaxa.dll
2013-07-12 17:35 . 2001-08-17 20:36 77890 ----a-w- c:\windows\system32\usrdpa.dll
2013-07-12 17:35 . 2001-08-17 20:36 77883 ----a-w- c:\windows\system32\usrrtosa.dll
2013-07-12 17:35 . 2001-08-17 20:36 69699 ----a-w- c:\windows\system32\usrcoina.dll
2013-07-12 17:35 . 2001-08-17 20:36 61500 ----a-w- c:\windows\system32\usrcntra.dll
2013-07-12 17:35 . 2001-08-17 20:36 53305 ----a-w- c:\windows\system32\usrlbva.dll
2013-07-12 17:35 . 2001-08-17 20:36 49211 ----a-w- c:\windows\system32\usrvpa.dll
2013-07-12 17:35 . 2001-08-17 20:36 49211 ----a-w- c:\windows\system32\usrsdpia.dll
2013-07-12 17:35 . 2001-08-17 20:36 49209 ----a-w- c:\windows\system32\usrv80a.dll
2013-07-12 17:35 . 2001-08-17 20:36 45116 ----a-w- c:\windows\system32\usrvoica.dll
2013-07-12 17:35 . 2001-08-17 20:36 41019 ----a-w- c:\windows\system32\usrsvpia.dll
2013-07-12 17:35 . 2001-08-17 20:36 323641 ----a-w- c:\windows\system32\usrdtea.dll
2013-07-12 17:35 . 2001-08-17 20:36 102457 ----a-w- c:\windows\system32\usrv42a.dll
2013-07-12 17:35 . 2001-08-17 20:36 8192 ----a-w- c:\windows\system32\streamci.dll
2013-07-12 17:35 . 2001-08-17 20:36 72192 ----a-w- c:\windows\system32\sprio800.dll
2013-07-12 17:35 . 2001-08-17 20:36 70656 ----a-w- c:\windows\system32\sprio600.dll
2013-07-12 17:35 . 2001-08-17 20:36 69632 ----a-w- c:\windows\system32\spnike.dll
2013-07-12 17:35 . 2001-08-17 20:36 157696 ----a-w- c:\windows\system32\paqsp.dll
2013-07-12 17:35 . 2001-08-17 20:36 147968 ----a-w- c:\windows\system32\mdwmdmsp.dll
2013-07-12 17:35 . 2001-08-17 12:06 21376 ----a-w- c:\windows\system32\drivers\tsbvcap.sys
2013-07-12 17:35 . 2001-08-17 11:57 12160 ----a-w- c:\windows\system32\drivers\fsvga.sys
2013-07-12 17:35 . 2001-08-17 11:52 18688 ----a-w- c:\windows\system32\drivers\cdaudio.sys
2013-07-12 17:35 . 2001-08-17 11:24 12032 ----a-w- c:\windows\system32\drivers\riodrv.sys
2013-07-12 17:35 . 2001-08-17 11:24 12032 ----a-w- c:\windows\system32\drivers\rio8drv.sys
2013-07-12 17:35 . 2001-08-17 11:24 12032 ----a-w- c:\windows\system32\drivers\nikedrv.sys
2013-07-12 17:35 . 2001-08-17 11:24 11776 ----a-w- c:\windows\system32\drivers\cpqdap01.sys
2013-07-12 17:31 . 2013-07-12 17:31 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-07-12 17:31 . 2013-07-12 17:31 218624 ----a-w- c:\windows\system32\uxtheme.dll
2013-07-12 17:31 . 2013-07-12 17:31 140288 ----a-w- c:\windows\system32\sfc_os.dll
2013-07-12 17:31 . 2013-07-12 17:31 990208 ----a-w- c:\windows\system32\syssetup.dll
2013-07-10 10:37 . 2010-04-16 15:29 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 03:03 . 2013-05-03 01:30 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2013-05-03 00:38 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-28 23:02 . 2013-06-28 23:02 13432 ----a-w- c:\windows\system32\drivers\PSVolAcc.sys
2013-06-28 23:02 . 2013-06-28 23:02 16504 ----a-w- c:\windows\system32\drivers\pssnap.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2013-07-12 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ETDCtrl"="c:\program files\Elantech\ETDCtrl.exe" [2011-12-20 2038568]
"RTHDCPL"="RTHDCPL.EXE" [2011-10-15 20064872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft .NET Framework v4 - Slow Windows XP Boot Fix.vbs [2013-5-21 874]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
2011-06-27 22:21 188416 ----a-w- c:\windows\system32\ati2evxx.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2012-01-05 15:42 75624 ----a-w- c:\program files\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-14 12:00 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Owner\\Application Data\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Games\\Shadowrun Returns\\Shadowrun.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
.
R0 ahcix80x;ahcix80x;c:\windows\system32\drivers\ahcix80x.sys [7/12/2013 10:36 AM 228648]
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [8/23/2013 8:34 AM 228648]
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [7/12/2013 10:36 AM 14184]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [7/12/2013 10:36 AM 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [7/12/2013 10:36 AM 14184]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [6/28/2013 4:02 PM 16504]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [8/31/2013 6:10 PM 31576]
R2 ReflectService.exe;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [6/28/2013 4:01 PM 249976]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [8/24/2013 4:17 PM 101392]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [8/24/2013 5:13 PM 171816]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [8/24/2013 4:19 PM 36096]
S2 AxAutoMntSrv;Alcohol Virtual Drive Auto-mount Service;c:\program files\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe [1/5/2012 8:42 AM 75624]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/24/2013 4:53 PM 1691480]
S3 WIMMount;WIMMount;c:\program files\Macrium\Reflect\wimmount.sys [8/23/2013 8:35 PM 19024]
S4 DragonUpdater;COMODO Dragon Update Service;c:\program files\Comodo\Dragon\dragon_updater.exe [8/1/2013 4:20 AM 2095808]
S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/25/2013 9:40 AM 162672]
S4 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-24 02:02 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-08-24 01:55]
.
2013-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-08-24 01:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\t56x47ku.default\
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-40332274.sys
SafeBoot-86021435.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-APSDaemon - c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-18 02:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"v5Licence0"="15-KF58-RUPX-YV8G-R8RE-X566-3MZB2C9"
"Activated"="Y"
.
Completion time: 2013-09-18  02:09:15
ComboFix-quarantined-files.txt  2013-09-18 09:09
.
Pre-Run: 197,091,033,088 bytes free
Post-Run: 197,049,921,536 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 211F84C241791FFDF5198735C799AC31
8F558EB6672622401DA993E1E865C861


#8 effingmalware

  • Topic Starter
  • Members
  • 33 posts

Posted 18 September 2013 - 04:20 AM

Another question... when I was running ComboFix it killed my internet. I'm guessing this is part of the ComboFix process, right? I re-enabled it. Maybe I shouldn't have, but I was in the middle of something and didn't realize it might have needed to stay off. I can run it again later or tomorrow or something... anyway, what's the next step, or did it remove anything risky? Am I better now? Should I just revert it back to before I ran it? Thanks for helping. Appreciated.



#9 effingmalware

  • Topic Starter
  • Members
  • 33 posts

Posted 18 September 2013 - 04:26 AM

Oh. Sorry for uTorrent. I forgot to delete it; I realize you guys don't like that. I can remove all the file sharing apps now if there are more steps to take.

Anyway, I have a few OS backups from shortly after installing. I have been reformatting and reinstalling periodically and I don't really mind doing it again. I never have anything THAT important that I need to back up. But I would like to figure out how to cleanse my system and keep it clean, if it's even possible. It's hard for me to understand where I go wrong, unless it's from talking to my online friend who goes through similar issues.



#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 18 September 2013 - 05:04 AM

Please upload c:\windows\system32\drivers\tcpip.sys here:

http://www.bleepingcomputer.com/submit-malware.php?channel=156

Scan with CKScanner

Download CKScanner by askey127 from Here & save it to your Desktop.

  • Right-click and Run as Administrator CKScanner.exe, then click Search For Files
  • When the cursor hourglass disappears, click Save List To File
  • A message box will verify the file saved
  • Double-click the CKFiles.txt icon on your desktop, then copy/paste the contents in your next reply

Please download this tool and save it to your desktop: http://go.microsoft.com/fwlink/?linkid=52012

Run the file by double-clicking it and press the "Continue" button.

When the tool is finished, click the "Copy" button in the lower right corner.

Reply to your topic here, right-click into the reply box and select Paste.

Post up.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#11 effingmalware

  • Topic Starter
  • Members
  • 33 posts

Posted 19 September 2013 - 01:40 AM

Submitted tcpip.sys file.

When I just went to one of my emails (the email that's associated with this site, I guess...) it had email notifications of these last 3 posts. This is weird because it never notified any other posts to that email before, which seems suspicious... none of the other posts on this thread got sent there. Further, I tried to send a reply to someone else from in that email, but Yahoo Mail came up saying that I was not allowed to send any emails because of suspicious activity on my account :|

CKScanner found a slew of cracked software I was trying out. None of it says it's trojans though. I'm sure in the next response whoever responds will say that these are the source of my woes, but I'm not convinced. Anyway, here it is:

CKScanner 2.4 - Additional Security Risks - These are not necessarily bad
c:\documents and settings\owner\favorites\various\epcgaming - cracked servers database.url
c:\documents and settings\owner\favorites\warze\gamecopyworld - game cracks.url
c:\documents and settings\owner\my documents\cool edit pro 2.1 with crack.zip
c:\documents and settings\owner\my documents\image-line\data\drumaxx\drum patches\sound fx\crack.dmpatch
c:\games\shadowrun returns\shadowrun_data\streamingassets\contentpacks\dead_man_switch\data\props\hive_floor_cementcracked01.pb.bytes
c:\games\shadowrun returns\shadowrun_data\streamingassets\contentpacks\dead_man_switch\data\props\hive_floor_cementcracked02.pb.bytes
c:\games\shadowrun returns\shadowrun_data\streamingassets\contentpacks\dead_man_switch\data\props\hive_floor_cementcracked03.pb.bytes
c:\games\shadowrun returns\shadowrun_data\streamingassets\contentpacks\dead_man_switch\data\props\hive_floor_cementcracked04.pb.bytes
c:\games\shadowrun returns\shadowrun_data\streamingassets\contentpacks\dead_man_switch\data\props\hive_floor_cementcracked05.pb.bytes
c:\games\shadowrun returns\shadowrun_data\streamingassets\contentpacks\seattle\data\props\office_decor_wallcrack01.pb.bytes
c:\games\shadowrun returns\shadowrun_data\streamingassets\contentpacks\seattle\data\props\office_ground_groundcrack01.pb.bytes
c:\games\shadowrun returns\shadowrun_data\streamingassets\contentpacks\seattle\data\props\office_ground_groundcrack02.pb.bytes
c:\games\shadowrun returns\shadowrun_data\streamingassets\contentpacks\seattle\data\props\pikeplace_ground_cracks01.pb.bytes
c:\games\shadowrun returns\shadowrun_data\streamingassets\contentpacks\seattle\data\props\pikeplace_ground_cracks02.pb.bytes
c:\games\shadowrun returns\shadowrun_data\streamingassets\contentpacks\seattle\data\props\pikeplace_ground_cracks03.pb.bytes
c:\program files\coolpro2\keygen.nfo
c:\program files\image-line\fl studio 11\data\patches\plugin presets\generators\drumpad\sound fx\crack.fst
c:\program files\image-line\fl studio 11\plugins\fruity\effects\hardcore\presets\i cracked my tube!.hdprg
c:\program files\image-line\fl studio 11\plugins\fruity\generators\drumaxx\drum patches\sound fx\crack.dmpatch
c:\program files\image-line\fl studio 11\plugins\fruity\generators\drumpad\drum patches\sound fx\crack.dmpatch
c:\program files\sophos\sophos virus removal tool\engine\crack-aq.ide
scanner sequence 3.ZZ.11.RTLBV0
 ----- EOF ----- 

Cool avatar btw... love EBM and industrial... so do my stalker/hackers tho (is it you? lol). I met a bunch of industrial/bleeps about 10 years ago via slsk and they rediscovered me several years back. I assume it's one or several of them who harass me; they have periodically explained how they are never going to leave me alone. I don't know why I'm so interesting to them. I'd never want to follow around someone I don't like and know every detail about them. Isn't it more fun to live your own life? Don't get it. Anyway, could be them, might not be. If it is them, they succeed in keeping me paranoid so I keep scanning. Guess there's no way to get away from someone who wants to follow you. Heh.

Give me advice. Tell me some ideas. Appreciate the help.

EDIT: Wait a second. I noticed your name has changed, I think? It did NOT say Marius initially, did it? Nor have those EBM/industrial pictures. Did he hack this page? There is a prick I had met on Soulseek before named Marius. I no longer use Soulseek because of such people, but apparently they still stalk me. Though I did not think he was a hacker. Let me know... this is ridiculous.


Edited by effingmalware, 19 September 2013 - 01:51 AM.


#12 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 19 September 2013 - 02:58 AM

Don't panic!

Please download this tool and save it to your desktop: http://go.microsoft.com/fwlink/?linkid=52012

Run the file by double-clicking it and press the "Continue" button.

When the tool is finished, click the "Copy" button in the lower right corner.

Reply to your topic here, right-click into the reply box and select Paste.

Post up.



#13 effingmalware

  • Topic Starter
  • Members
  • 33 posts

Posted 19 September 2013 - 03:38 AM

This is not a genuine copy of Windows. I have several XP keys, but for this install I figured I would try out one of the hijacked XPs. It works pretty well; it has a super fast boot time. Anyways, I was also just kind of curious to find out what sort of malware they might contain. That is why I think the tcpip.sys is also flagged... but I'm curious what specialists might have to say about it.

Still, the aswMBR red flag results I initially posted were NEW. I never saw those flags when I first installed and they are there now. That's why I started this post that way. As I'm sure this will show, this Windows is not genuine. This computer originally came with Windows 7 on it, which I also have several valid keys for. What I'm trying to explain is that I do have valid keys, I simply do not wish to use them. This Windows also came bundled with the .NET Frameworks preinstalled, which saved about 10 hours of time having to download all the updates. If you know of a zip-type link to all the frameworks, I would be willing to reinstall a genuine Windows... but downloading it all @ 150kbs is not worth the effort just to have a genuine Windows.

Cheers, here are the results.

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Cryptographic Errors Detected
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-RKPMH-M2WFT-P4WQJ
Windows Product Key Hash: RQOITWLBzl1A5FKfiK7Q4hst0n8=
Windows Product ID: 76487-640-1457236-23100
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {8EE2B75D-B32E-43B8-8543-59F49BC9E004}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: N/A, hr = 0x80004005
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A
 
Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A
 
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
 
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
 
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-230-1
 
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
 
File Scan Data-->
 
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{8EE2B75D-B32E-43B8-8543-59F49BC9E004}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-P4WQJ</PKey><PID>76487-640-1457236-23100</PID><PIDType>1</PIDType><SID>S-1-5-21-842925246-616249376-1644491937</SID><SYSTEM><Manufacturer>ASUSTeK Computer Inc.</Manufacturer><Model>K53U </Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>223</Version><SMBIOSVersion major="2" minor="7"/><Date>20120410000000.000000+000</Date></BIOS><HWID>AB453AC701846173</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  
 
Licensing Data-->
N/A
 
Windows Activation Technologies-->
N/A
 
HWID Data-->
N/A
 
OEM Activation 1.0 Data-->
BIOS string matches: no
Marker string from BIOS: N/A
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005
 
OEM Activation 2.0 Data-->
N/A
 
 
EDIT: About the only downfall I can find from this Windows is that sfc /scannow does not work. But I guess that's to be expected since everything is hacked around.

Edited by effingmalware, 19 September 2013 - 03:41 AM.


#14 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 19 September 2013 - 03:51 AM

Scan with SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    tcpip.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#15 effingmalware

  • Topic Starter
  • Members
  • 33 posts

Posted 19 September 2013 - 04:23 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 02:22 on 19/09/2013 by Owner
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "tcpip.sys"
C:\WINDOWS\system32\drivers\tcpip.sys --a---- 361600 bytes [17:31 12/07/2013] [17:31 12/07/2013] 474D3DCCB57DEFCD917311EEC47204B9
 
-= EOF =-

It's where it should be, yeah. I tried to delete it before on several other installs and it ruined my ability to connect to the internet (expectedly).
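As an added example (not code from ComboFix, SystemLook or anyone in this thread), the Python script below parses the Sigcheck entry and the Security Center override values from the ComboFix log posted earlier and the filefind hit from the SystemLook log above, then cross-checks path, size and MD5 between the two scans so a mismatch, a missing file or a second copy of the flagged driver stands out. The embedded sample lines are copied from those logs; the regular expressions are written for exactly the line formats shown on this page.

```python
"""Cross-check a ComboFix Sigcheck entry against SystemLook filefind output and
report Security Center override values (added example, not code from either tool)."""
import re
from typing import Dict, List

# Constructed samples: these lines are copied from the logs posted in this thread.
COMBOFIX_EXCERPT = r"""
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2013-07-12 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"""
SYSTEMLOOK_EXCERPT = r"""
========== filefind ==========
Searching for "tcpip.sys"
C:\WINDOWS\system32\drivers\tcpip.sys --a---- 361600 bytes [17:31 12/07/2013] [17:31 12/07/2013] 474D3DCCB57DEFCD917311EEC47204B9
"""

# ComboFix Sigcheck line: [-] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[-\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)"
    r"\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$")
# SystemLook filefind line: path attrs size bytes [modified] [created] MD5
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]+)\s+(?P<size>\d+) bytes\s+\[(?P<mtime>[^\]]+)\]"
    r"\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$")
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9A-Fa-f]{8})$')


def _records(regex: "re.Pattern", log: str) -> List[dict]:
    """Match every line against regex; normalise size to int and MD5 to upper case."""
    out = []
    for line in log.splitlines():
        m = regex.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"], rec["md5"] = int(rec["size"]), rec["md5"].upper()
            out.append(rec)
    return out


def parse_sigcheck(log: str) -> List[dict]:
    """Unsigned-file entries from ComboFix's Sigcheck section."""
    return _records(SIGCHECK_RE, log)


def parse_filefind(log: str) -> List[dict]:
    """Hits from SystemLook's :filefind command."""
    return _records(FILEFIND_RE, log)


def security_center_overrides(log: str) -> Dict[str, int]:
    """Collect the *Override dwords under HKLM\\...\\Security Center; a value of 1
    tells Windows Security Center to stop reporting on that component."""
    overrides, in_key = {}, False
    for line in log.splitlines():
        line = line.strip()
        key = REG_KEY_RE.match(line)
        if key:
            in_key = key["key"].lower().endswith("\\security center")
            continue
        val = DWORD_RE.match(line) if in_key else None
        if val and val["name"].endswith("Override"):
            overrides[val["name"]] = int(val["value"], 16)
    return overrides


def cross_check(unsigned: List[dict], on_disk: List[dict]) -> List[str]:
    """Say whether each flagged file is missing, unchanged, changed or duplicated."""
    findings = []
    for u in unsigned:
        path = u["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        same_name = [d for d in on_disk if d["path"].lower().rsplit("\\", 1)[-1] == name]
        here = [d for d in same_name if d["path"].lower() == path]
        if not here:
            findings.append(f"{u['path']}: flagged by ComboFix but not located by SystemLook")
        elif any(d["md5"] == u["md5"] and d["size"] == u["size"] for d in here):
            findings.append(f"{u['path']}: same size and MD5 in both scans (unchanged, still unsigned)")
        else:
            findings.append(f"{u['path']}: size or MD5 differs between scans (file changed)")
        findings += [f"{d['path']}: additional copy of {name} outside the flagged location"
                     for d in same_name if d["path"].lower() != path]
    return findings


def triage(combofix_log: str, systemlook_log: str) -> dict:
    """Run all three checks over the two logs and return the results by section."""
    unsigned = parse_sigcheck(combofix_log)
    on_disk = parse_filefind(systemlook_log)
    return {"unsigned": unsigned, "on_disk": on_disk,
            "overrides": security_center_overrides(combofix_log),
            "findings": cross_check(unsigned, on_disk)}


if __name__ == "__main__":
    for section, value in triage(COMBOFIX_EXCERPT, SYSTEMLOOK_EXCERPT).items():
        print(section, value)
```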





