Jump to content

dbb

Members
 View Profile  See their activity

  • Posts

    8

  • Joined

  • Last visited

 Content Type 

Everything posted by dbb

  1. dbb
    Sorry.. I didn't word that very well.. It appears that the rootkit was causing the explorer crashes, as the crashes were resolved after removing the rootkit. I've not read anything online that that indicates that Antispyware Soft installs the rootkit. I was trying to figure out whether the rootkit was installed by Antispyware Soft, the rkill utility I used initially, or if the rootkit was present prior to the Antispyware Soft infection, and removing Antispyware Soft then caused the rootkit to begin crashing Explorer.. I hope that makes more sense. In any case, Thank You very much for the assistance!!! I'm disappointed that Viper allowed these pests in the first place.
  2. dbb
    I've uninstalled Combofix, and deleted the others from the desktop. (don't see GMER) I also ran Defogger and re-enabled Virtual CD. The computer seems to working normally now. Thank You VERY much!! I wonder if the TDSS rootkit was installed by the AntispywareSoft, the rkill utility that I initially ran to get rid of AntispywareSoft, or if it was already there, and the AntispywareSoft infection caused the explorer problem, allowing us to find the rootkit.... ?
  3. dbb
    No explorer crashes, and the Nostromo software is working again. It seems to be working as it should!! Thank You!!! I was a little surprised that combofix indicated it detected rootkit activity after the tdsskiller cleanup. I hope that was just doing housekeeping and not detecting something active lingering. These three files, listed in the "Find3M Report" section of the conbofix report, do not exist. 2006-05-03 10:06 . 2009-09-10 04:29 163328 --sh--r- c:\windows\system32\flvDX.dll 2007-02-21 11:47 . 2009-09-10 04:29 31232 --sh--r- c:\windows\system32\msfDX.dll 2008-03-16 13:30 . 2009-09-10 04:29 216064 --sh--r- c:\windows\system32\nbDX.dll
  4. dbb
    Hello Borislav , The Explorer crashes have stopped since running the tdsskiller. I deleted the existing combo-fix.exe from the desktop and downloaded a fresh version as instructed. Below is the log file.. Thank you VERY much !!! ComboFix 10-05-20.04 - Don 05/20/2010 16:50:22.2.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2970 [GMT -4:00] Running from: c:\documents and settings\Don\Desktop\Combo-Fix.exe AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C} * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2010-04-20 to 2010-05-20 ))))))))))))))))))))))))))))))) . 2010-05-17 21:25 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-05-17 21:25 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-05-17 21:20 . 2010-05-17 21:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp 2010-05-17 12:47 . 2001-08-17 17:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys 2010-05-17 12:46 . 2001-08-17 17:28 794399 -c--a-w- c:\windows\system32\dllcache\usr1806v.sys 2010-05-17 12:45 . 2001-08-18 02:36 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll 2010-05-17 12:44 . 2008-04-14 04:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys 2010-05-17 12:43 . 2001-08-18 02:36 28672 -c--a-w- c:\windows\system32\dllcache\sma0w.dll 2010-05-17 12:42 . 2001-08-17 17:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys 2010-05-17 12:41 . 2001-08-17 17:28 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys 2010-05-17 12:40 . 2001-08-18 02:36 86016 -c--a-w- c:\windows\system32\dllcache\pctspk.exe 2010-05-17 12:39 . 2001-08-17 16:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys 2010-05-17 12:38 . 2001-08-17 18:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys 2010-05-17 12:37 . 2001-08-17 16:12 26442 -c--a-w- c:\windows\system32\dllcache\lanepic5.sys 2010-05-17 12:36 . 2001-08-17 18:06 154496 -c--a-w- c:\windows\system32\dllcache\icam4usb.sys 2010-05-17 12:35 . 2001-08-18 02:36 165888 -c--a-w- c:\windows\system32\dllcache\hpgt53.dll 2010-05-17 12:34 . 2001-08-17 17:52 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys 2010-05-17 12:33 . 2001-08-18 02:36 37962 -c--a-w- c:\windows\system32\dllcache\divaprop.dll 2010-05-17 12:32 . 2001-08-17 16:13 21530 -c--a-w- c:\windows\system32\dllcache\ce2n5.sys 2010-05-17 12:31 . 2008-04-14 09:41 3775 -c--a-w- c:\windows\system32\dllcache\adv11nt5.dll 2010-05-17 12:21 . 2010-05-17 12:21 -------- d-----w- c:\windows\system32\wbem\Repository . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-05-19 21:32 . 2009-04-07 02:24 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys 2010-05-18 22:03 . 2009-01-06 05:43 -------- d-----w- c:\documents and settings\Don\Application Data\Folding@home-x86 2010-05-17 21:23 . 2009-08-27 03:00 -------- d-----w- c:\program files\Google 2010-05-17 12:21 . 2010-01-29 04:25 -------- d-----w- c:\program files\Panda Security 2010-04-18 01:52 . 2010-01-30 18:55 1 ----a-w- c:\documents and settings\Don\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys 2010-04-17 02:38 . 2009-05-24 23:21 -------- d-----w- c:\documents and settings\Don\Application Data\FileZilla 2010-04-17 01:39 . 2010-04-17 01:27 -------- d-----w- c:\documents and settings\Don\Application Data\ArcSoft 2010-04-17 01:38 . 2010-04-17 01:28 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft 2010-04-17 01:33 . 2009-01-06 04:14 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-04-17 01:28 . 2010-04-17 01:28 -------- d-----w- c:\program files\Common Files\ArcSoft 2010-04-13 22:37 . 2010-04-13 22:37 -------- d-----w- c:\documents and settings\Don\Application Data\GrabPro 2010-04-13 22:33 . 2010-04-13 22:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\MiniDm 2010-04-13 22:33 . 2010-04-13 22:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\IEPro 2010-03-19 01:16 . 2010-03-19 01:16 1656832 ----a-w- c:\documents and settings\Don\Application Data\Folding@home-x86\FahCore_a0.exe 2010-03-19 01:16 . 2010-03-19 01:16 1382280 ----a-w- c:\documents and settings\Don\Application Data\Folding@home-x86\libfftw3f-3.dll 2010-02-22 01:39 . 2010-02-22 01:39 27984 ----a-w- c:\windows\system32\sbbd.exe 2010-02-22 00:30 . 2010-04-13 22:34 85080 ----a-w- c:\windows\system32\drivers\sbhips.sys 2006-05-03 10:06 . 2009-09-10 04:29 163328 --sh--r- c:\windows\system32\flvDX.dll 2007-02-21 11:47 . 2009-09-10 04:29 31232 --sh--r- c:\windows\system32\msfDX.dll 2008-03-16 13:30 . 2009-09-10 04:29 216064 --sh--r- c:\windows\system32\nbDX.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TClockEx"="d:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440] "Ai Nap"="d:\program files\ASUS\AI Suite\AiNap\AiNap.exe" [2008-05-26 1423360] "QFan Help"="d:\program files\ASUS\AI Suite\QFan3\QFanHelp.exe" [2008-05-06 594432] "Cpu Level Up help"="d:\program files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2007-12-01 881152] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "zBrowser Launcher"="d:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928] "CTHelper"="CTHELPER.EXE" [2009-03-04 19456] "CTSysVol"="d:\program files\Creative\Surround Mixer\CTSysVol.exe" [2003-09-17 57344] "VirtualDrive"="d:\program files\FarStone\VirtualDrive\VDTask.exe" [2008-11-06 166416] "SBAMTray"="d:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-02-22 1291600] "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360] c:\documents and settings\Don\Start Menu\Programs\Startup\ Folding@home.lnk - c:\documents and settings\Don\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_2377D972A0372FCB34E3F7.exe [2009-1-6 98477] Shortcut to deskview.lnk - d:\program files\deskview.exe [2009-1-9 36864] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Nostromo Loadout Manager.lnk - c:\windows\Installer\{548C7B77-8B04-427E-ACD0-D0E6E6E59BCF}\NewShortcut2_548C7B778B04427EACD0D0E6E6E59BCF.exe [2009-4-6 45056] Task Manager.lnk - c:\windows\system32\taskmgr.exe [2008-4-14 135680] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk * [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc] @="Service" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "e:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"= "e:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "e:\\Program Files\\Codemasters\\DiRT Demo\\DiRTDemo.exe"= "d:\\Program Files\\IEPro\\MiniDM.exe"= "e:\\Makena\\There\\ThereClient\\There.exe"= "e:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe"= "e:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"= "e:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "21:TCP"= 21:TCP:FTP R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/29/2010 12:25 AM 28552] R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [4/14/2010 5:57 PM 13400] R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/14/2009 3:39 AM 95024] R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [10/2/2009 7:50 PM 203056] R2 PDSched;PDScheduler;d:\program files\Raxco\PerfectDisk\PDSched.exe [11/29/2005 11:16 AM 241731] R2 SBAMSvc;VIPRE Antivirus;d:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [2/21/2010 9:40 PM 2726000] R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [4/14/2010 5:59 PM 69720] R2 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [4/13/2010 6:34 PM 85080] R2 SBPIMSvc;SB Recovery Service;d:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [2/21/2010 9:39 PM 181584] R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [4/16/2010 9:28 PM 36224] R3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [4/6/2009 10:24 PM 23040] R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/4/2009 2:42 PM 99352] R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/4/2009 2:42 PM 555032] R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/4/2009 2:42 PM 566296] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/26/2009 11:00 PM 133104] S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/4/2009 2:42 PM 99352] S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [4/7/2009 7:01 PM 79360] S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/4/2009 2:42 PM 555032] S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/4/2009 2:42 PM 100888] S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/4/2009 2:42 PM 100888] S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/4/2009 2:42 PM 566296] S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [4/16/2010 9:28 PM 134912] --- Other Services/Drivers In Memory --- *Deregistered* - ArcRec . Contents of the 'Scheduled Tasks' folder 2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-27 03:00] 2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-27 03:00] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html Trusted Zone: centralink.org\www DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.21.0.cab FF - ProfilePath - c:\documents and settings\Don\Application Data\Mozilla\Firefox\Profiles\7eliypcl.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com FF - component: c:\documents and settings\Don\Application Data\Mozilla\Firefox\Profiles\7eliypcl.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}\components\PlainOldFavorites.dll FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . - - - - ORPHANS REMOVED - - - - SafeBoot-klmdb.sys ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-05-20 16:55 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run CTHelper = CTHELPER.EXE? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(712) c:\windows\system32\Ati2evxx.dll . Completion time: 2010-05-20 16:57:33 ComboFix-quarantined-files.txt 2010-05-20 20:57 Pre-Run: 22,414,708,736 bytes free Post-Run: 22,440,030,208 bytes free - - End Of File - - 136F2CE4D9753AEF9272A9A4FB3223CF
  5. dbb
    Hello. Here are the results: Thank You! VirusTotal - sbbd.exe file ================ Antivirus Version Last Update Result a-squared 4.5.0.50 2010.05.10 - AhnLab-V3 2010.05.19.03 2010.05.19 - AntiVir 8.2.1.242 2010.05.19 - Antiy-AVL 2.0.3.7 2010.05.19 - Authentium 5.2.0.5 2010.05.19 - Avast 4.8.1351.0 2010.05.19 - Avast5 5.0.332.0 2010.05.19 - AVG 9.0.0.787 2010.05.19 - BitDefender 7.2 2010.05.19 - CAT-QuickHeal 10.00 2010.05.19 - ClamAV 0.96.0.3-git 2010.05.19 - Comodo 4887 2010.05.19 - DrWeb 5.0.2.03300 2010.05.19 - eSafe 7.0.17.0 2010.05.17 - eTrust-Vet 35.2.7498 2010.05.19 - F-Prot 4.5.1.85 2010.05.19 - F-Secure 9.0.15370.0 2010.05.19 - Fortinet 4.1.133.0 2010.05.19 - GData 21 2010.05.19 - Ikarus T3.1.1.84.0 2010.05.19 - Jiangmin 13.0.900 2010.05.19 - Kaspersky 7.0.0.125 2010.05.19 - McAfee 5.400.0.1158 2010.05.19 - McAfee-GW-Edition 2010.1 2010.05.19 - Microsoft 1.5802 2010.05.18 - NOD32 5130 2010.05.19 - Norman 6.04.12 2010.05.19 - nProtect 2010-05-19.02 2010.05.19 - PCTools 7.0.3.5 2010.05.19 - Prevx 3.0 2010.05.19 - Rising 22.48.02.04 2010.05.19 - Sophos 4.53.0 2010.05.19 - Sunbelt 6324 2010.05.19 - Symantec 20101.1.0.89 2010.05.19 - TheHacker 6.5.2.0.283 2010.05.19 - TrendMicro 9.120.0.1004 2010.05.19 - TrendMicro-HouseCall 9.120.0.1004 2010.05.19 - VBA32 3.12.12.5 2010.05.19 - ViRobot 2010.5.19.2324 2010.05.19 - VirusBuster 5.0.27.0 2010.05.19 - Additional information File size: 27984 bytes MD5...: 45b665c80211599db14b96acbd73ace6 SHA1..: fc09ca713cef953cbf888fb2d72e512de9b8eb4f SHA256: 2e9a21222e326cf2f8ea9de7e3f67325c45d39fc6b813c0158684f6cb87c1b9b ssdeep: 384:c3OtQBmj5vO3AqJYHVcuFdeIIzMueE1piAYp7DaYJLFCwebC51o:nQGtquHe tIIAueyif7vLIwebCro PEiD..: - PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x2fa6 timedatestamp.....: 0x4b81e99a (Mon Feb 22 02:19:06 2010) machinetype.......: 0x14c (I386) ( 4 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x4590 0x4600 5.87 928b778a324155f0b6320c7217fcc0ea .data 0x6000 0x24a8 0x200 0.59 7777dadd8eb2518d59f74aba105e6366 .rsrc 0x9000 0x548 0x600 3.83 42b504aecff60111635c734643941c63 .reloc 0xa000 0x490 0x600 3.44 6d4a516806942dcb8243cdee99023013 ( 1 imports ) > ntdll.dll: memcpy, RtlFreeHeap, RtlQueryRegistryValues, RtlAllocateHeap, memset, ZwClose, _snwprintf, ZwCreateFile, RtlUnicodeStringToInteger, _wcsupr, ZwSetValueKey, ZwCreateKey, RtlInitUnicodeString, NtTerminateProcess, RtlDestroyHeap, RtlCreateHeap, memmove, RtlFreeAnsiString, ZwWriteFile, RtlUnicodeStringToAnsiString, RtlCompareUnicodeString, RtlUpcaseUnicodeChar, ZwReadFile, ZwQueryInformationFile, ZwSetInformationFile, ZwDeleteFile, NtDisplayString, ZwQueryValueKey, RtlAppendUnicodeToString, ZwDeviceIoControlFile, ZwLoadDriver, RtlAdjustPrivilege, RtlUnwind ( 0 exports ) RDS...: NSRL Reference Data Set - pdfid.: - trid..: Win32 Executable Generic (68.0%) Generic Win/DOS Executable (15.9%) DOS Executable Generic (15.9%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%) sigcheck: publisher....: Sunbelt Software copyright....: Copyright © 2002-2010 Sunbelt Software. All rights reserved. product......: Sunbelt AntiMalware Common SDK Merge Module description..: Boot Delete Utility original name: SBBD.exe internal name: SBBD.exe file version.: 4.0.3248 comments.....: n/a signers......: Sunbelt Software, Inc. VeriSign Class 3 Code Signing 2009-2 CA Class 3 Public Primary Certification Authority signing date.: 4:39 AM 2/22/2010 verified.....: - TDSS KILLER Log file ============== 17:31:04:953 0800 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17 17:31:04:953 0800 ================================================================================ 17:31:04:953 0800 SystemInfo: 17:31:04:953 0800 OS Version: 5.1.2600 ServicePack: 3.0 17:31:04:953 0800 Product type: Workstation 17:31:04:953 0800 ComputerName: CHAOS 17:31:04:953 0800 UserName: Don 17:31:04:953 0800 Windows directory: C:\WINDOWS 17:31:04:953 0800 Processor architecture: Intel x86 17:31:04:953 0800 Number of processors: 2 17:31:04:953 0800 Page size: 0x1000 17:31:04:953 0800 Boot type: Safe boot with network 17:31:04:953 0800 ================================================================================ 17:31:04:984 0800 UnloadDriverW: NtUnloadDriver error 2 17:31:04:984 0800 ForceUnloadDriverW: UnloadDriverW(klmd23) error 2 17:31:05:015 0800 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system 17:31:05:015 0800 wfopen_ex: MyNtCreateFileW error 32 (C0000043) 17:31:05:015 0800 wfopen_ex: Trying to KLMD file open 17:31:05:015 0800 wfopen_ex: File opened ok (Flags 2) 17:31:05:015 0800 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software 17:31:05:015 0800 wfopen_ex: MyNtCreateFileW error 32 (C0000043) 17:31:05:015 0800 wfopen_ex: Trying to KLMD file open 17:31:05:015 0800 wfopen_ex: File opened ok (Flags 2) 17:31:05:015 0800 KLAVA engine initialized 17:31:05:359 0800 Initialize success 17:31:05:359 0800 17:31:05:359 0800 Scanning Services ... 17:31:05:671 0800 Raw services enum returned 355 services 17:31:05:687 0800 17:31:05:687 0800 Scanning Drivers ... 17:31:05:984 0800 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys 17:31:06:015 0800 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys 17:31:06:046 0800 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys 17:31:06:078 0800 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\WINDOWS\system32\drivers\Afc.sys 17:31:06:125 0800 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys 17:31:06:171 0800 ArcCD (a82f1a1b09593c73efd02a59dc94920c) C:\WINDOWS\system32\drivers\ArcCD.sys 17:31:06:171 0800 ArcRec (1af9061b61741a912368ab4dc309d25e) C:\WINDOWS\system32\drivers\ArcRec.sys 17:31:06:187 0800 ArcUdfs (3ee9e41102a2c6b8f7dbad5d44abda05) C:\WINDOWS\system32\drivers\ArcUdfs.sys 17:31:06:234 0800 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys 17:31:06:281 0800 AsIO (2b4e66fac6503494a2c6f32bb6ab3826) C:\WINDOWS\system32\drivers\AsIO.sys 17:31:06:281 0800 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys 17:31:06:312 0800 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys 17:31:06:406 0800 ati2mtag (15b2fe76e2eceb98c49ed52311a6f26f) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 17:31:06:453 0800 AtiHdmiService (dc6957811ff95f2dd3004361b20d8d3f) C:\WINDOWS\system32\drivers\AtiHdmi.sys 17:31:06:484 0800 ATITool (0e4bb35c5305099ac82053ac992e3e0e) C:\WINDOWS\system32\DRIVERS\ATITool.sys 17:31:06:515 0800 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys 17:31:06:546 0800 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys 17:31:06:562 0800 bcgame (a840dcce93c91fc4f69c04a42cd7a180) C:\WINDOWS\system32\drivers\bcgame.sys 17:31:06:593 0800 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys 17:31:06:625 0800 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys 17:31:06:640 0800 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys 17:31:06:640 0800 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys 17:31:06:703 0800 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys 17:31:06:734 0800 COMMONFX (22f8692fd3e017ead334945b3199b0e3) C:\WINDOWS\system32\drivers\COMMONFX.SYS 17:31:06:750 0800 COMMONFX.SYS (22f8692fd3e017ead334945b3199b0e3) C:\WINDOWS\System32\drivers\COMMONFX.SYS 17:31:06:765 0800 ctac32k (aa7e939bc07965a807c6ac2f1d4d22b7) C:\WINDOWS\system32\drivers\ctac32k.sys 17:31:06:796 0800 ctaud2k (79e7abbf928d8a8002ebba0985905dc1) C:\WINDOWS\system32\drivers\ctaud2k.sys 17:31:06:812 0800 CTAUDFX (6d98048890b44191e0daed4639a9f18c) C:\WINDOWS\system32\drivers\CTAUDFX.SYS 17:31:06:812 0800 CTAUDFX.SYS (6d98048890b44191e0daed4639a9f18c) C:\WINDOWS\System32\drivers\CTAUDFX.SYS 17:31:06:843 0800 ctdvda2k (a216c8698c4406a031af6f867afe4f92) C:\WINDOWS\system32\drivers\ctdvda2k.sys 17:31:06:859 0800 CTERFXFX (5192225e2adfd36d0fc7d61b8e0bae87) C:\WINDOWS\system32\drivers\CTERFXFX.SYS 17:31:06:859 0800 CTERFXFX.SYS (5192225e2adfd36d0fc7d61b8e0bae87) C:\WINDOWS\System32\drivers\CTERFXFX.SYS 17:31:06:875 0800 ctprxy2k (ce3395b054b641e454c8861020ff1d82) C:\WINDOWS\system32\drivers\ctprxy2k.sys 17:31:06:890 0800 CTSBLFX (8750c640d3068861117fa9166b8aecde) C:\WINDOWS\system32\drivers\CTSBLFX.SYS 17:31:06:921 0800 CTSBLFX.SYS (8750c640d3068861117fa9166b8aecde) C:\WINDOWS\System32\drivers\CTSBLFX.SYS 17:31:06:937 0800 ctsfm2k (01b9017d05d82b6fbcd5cecce93f3aa7) C:\WINDOWS\system32\drivers\ctsfm2k.sys 17:31:06:953 0800 Defrag32 (e511e32308414829d38a4ecc3dd66aa1) C:\WINDOWS\system32\drivers\Defrag32.sys 17:31:06:953 0800 Defrag32b (48ba6646b3a17f0e7ffdeb020309846f) C:\WINDOWS\system32\drivers\Defrag32b.sys 17:31:06:984 0800 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys 17:31:07:015 0800 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys 17:31:07:062 0800 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys 17:31:07:078 0800 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys 17:31:07:093 0800 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys 17:31:07:125 0800 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys 17:31:07:140 0800 emupia (71b09041642de925e6150eb525dcc3bf) C:\WINDOWS\system32\drivers\emupia2k.sys 17:31:07:171 0800 ENTECH (16ebd8bf1d5090923694cc972c7ce1b4) C:\WINDOWS\system32\DRIVERS\ENTECH.sys 17:31:07:218 0800 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys 17:31:07:234 0800 fcdabus (985709505c80b88c1b41908c0075ca0d) C:\WINDOWS\system32\DRIVERS\fcdabus.sys 17:31:07:250 0800 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys 17:31:07:265 0800 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys 17:31:07:281 0800 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys 17:31:07:328 0800 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys 17:31:07:343 0800 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys 17:31:07:375 0800 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys 17:31:07:421 0800 FVXSCSI (8e2be5233c88a50ee69442b4a4937fce) C:\WINDOWS\system32\DRIVERS\fvxscsi.sys 17:31:07:437 0800 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys 17:31:07:468 0800 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys 17:31:07:515 0800 ha10kx2k (2e37c43fb534f1d85dcf552d5b2af9ba) C:\WINDOWS\system32\drivers\ha10kx2k.sys 17:31:07:531 0800 hap16v2k (607b73dc2a69a98c7f10b5702d947319) C:\WINDOWS\system32\drivers\hap16v2k.sys 17:31:07:546 0800 hap17v2k (f674eeaa2d1ed14606aedfed65c34893) C:\WINDOWS\system32\drivers\hap17v2k.sys 17:31:07:578 0800 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 17:31:07:593 0800 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys 17:31:07:625 0800 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys 17:31:07:656 0800 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys 17:31:07:671 0800 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys 17:31:07:718 0800 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys 17:31:07:734 0800 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys 17:31:07:765 0800 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 17:31:07:781 0800 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys 17:31:07:796 0800 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys 17:31:07:828 0800 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys 17:31:07:859 0800 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys 17:31:07:875 0800 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys 17:31:07:906 0800 itchfltr (8f1ba487b35f0c8f637e05113aa815f8) C:\WINDOWS\system32\DRIVERS\itchfltr.sys 17:31:07:937 0800 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys 17:31:07:968 0800 kbdhid (bb6275fcada09e6f2eff467c746733e1) C:\WINDOWS\system32\DRIVERS\kbdhid.sys 17:31:07:968 0800 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdhid.sys. Real md5: bb6275fcada09e6f2eff467c746733e1, Fake md5: 9ef487a186dea361aa06913a75b3fa99 17:31:07:968 0800 File "C:\WINDOWS\system32\DRIVERS\kbdhid.sys" infected by TDSS rootkit ... 17:31:08:718 0800 Backup copy found, using it.. 17:31:08:718 0800 will be cured on next reboot 17:31:08:828 0800 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys 17:31:08:843 0800 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys 17:31:08:875 0800 LwUsbHid (066ed0baa4faeb1475b9f06b8c319fc6) C:\WINDOWS\system32\DRIVERS\LwUsbHid.sys 17:31:08:906 0800 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys 17:31:08:937 0800 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys 17:31:08:968 0800 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys 17:31:09:000 0800 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys 17:31:09:015 0800 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys 17:31:09:031 0800 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys 17:31:09:062 0800 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 17:31:09:078 0800 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys 17:31:09:093 0800 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys 17:31:09:109 0800 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys 17:31:09:125 0800 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys 17:31:09:140 0800 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys 17:31:09:171 0800 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys 17:31:09:203 0800 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys 17:31:09:234 0800 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys 17:31:09:250 0800 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys 17:31:09:265 0800 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys 17:31:09:265 0800 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys 17:31:09:281 0800 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys 17:31:09:312 0800 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys 17:31:09:343 0800 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys 17:31:09:359 0800 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys 17:31:09:375 0800 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys 17:31:09:390 0800 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys 17:31:09:421 0800 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys 17:31:09:453 0800 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 17:31:09:453 0800 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 17:31:09:484 0800 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys 17:31:09:515 0800 ossrv (e852a590216f0da2b94df5a937585554) C:\WINDOWS\system32\drivers\ctoss2k.sys 17:31:09:546 0800 PalmUSBD (f49e3b9fb2dd84fca2f6310a147c43fe) C:\WINDOWS\system32\drivers\PalmUSBD.sys 17:31:09:578 0800 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys 17:31:09:593 0800 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys 17:31:09:609 0800 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys 17:31:09:640 0800 pavboot (3adb8bd6154a3ef87496e8fce9c22493) C:\WINDOWS\system32\drivers\pavboot.sys 17:31:09:656 0800 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys 17:31:09:687 0800 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys 17:31:09:718 0800 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys 17:31:09:765 0800 PfModNT (e4b7b7c29d7bf6b8f262231213d2504a) C:\WINDOWS\system32\drivers\PfModNT.sys 17:31:09:812 0800 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys 17:31:09:812 0800 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys 17:31:09:828 0800 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys 17:31:09:843 0800 PxHelp20 (b572ed0c3e6165643fa116af20425a54) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys 17:31:09:890 0800 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys 17:31:09:906 0800 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 17:31:09:906 0800 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys 17:31:09:906 0800 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys 17:31:09:953 0800 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys 17:31:09:984 0800 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 17:31:10:000 0800 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys 17:31:10:015 0800 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys 17:31:10:062 0800 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys 17:31:10:078 0800 RTLE8023xp (89619ef503f949fae09252a8b883ee11) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys 17:31:10:093 0800 sbaphd (ac62ea25bea53ced3ba537324c5714d4) C:\WINDOWS\system32\drivers\sbaphd.sys 17:31:10:125 0800 sbapifs (9215ce4563c5d1e402c85e5cfbf51488) C:\WINDOWS\system32\drivers\sbapifs.sys 17:31:10:171 0800 sbhips (fef084bbf0a59081b6a0d119290a0b58) C:\WINDOWS\system32\drivers\sbhips.sys 17:31:10:203 0800 SBRE (06cf3163f98aa1b8b6812b7d2d60941a) C:\WINDOWS\system32\drivers\SBREdrv.sys 17:31:10:265 0800 sbtis (cf0ae6434a4c37a1232cfd71a31813b4) C:\WINDOWS\system32\drivers\sbtis.sys 17:31:10:296 0800 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys 17:31:10:328 0800 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys 17:31:10:359 0800 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys 17:31:10:375 0800 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys 17:31:10:406 0800 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 17:31:10:437 0800 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys 17:31:10:484 0800 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys 17:31:10:484 0800 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys 17:31:10:500 0800 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 17:31:10:531 0800 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 17:31:10:593 0800 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 17:31:10:625 0800 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 17:31:10:625 0800 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 17:31:10:656 0800 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys 17:31:10:687 0800 truecrypt (db0815523ac07445a2f09dcd2acea8c3) C:\WINDOWS\system32\drivers\truecrypt.sys 17:31:10:718 0800 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 17:31:10:750 0800 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys 17:31:10:796 0800 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys 17:31:10:828 0800 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys 17:31:10:828 0800 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys 17:31:10:859 0800 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys 17:31:10:875 0800 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 17:31:10:890 0800 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 17:31:10:921 0800 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys 17:31:10:953 0800 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys 17:31:10:968 0800 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys 17:31:10:984 0800 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys 17:31:11:015 0800 WmBEnum (1abfd1399436e81c9d857f5fc76eaf98) C:\WINDOWS\system32\drivers\WmBEnum.sys 17:31:11:015 0800 WmVirHid (a40d2dd0f019423ef6c363f1295eb38d) C:\WINDOWS\system32\drivers\WmVirHid.sys 17:31:11:031 0800 WmXlCore (2bf505424f469155cd90d7b3301d7adc) C:\WINDOWS\system32\drivers\WmXlCore.sys 17:31:11:031 0800 Reboot required for cure complete.. 17:31:11:062 0800 Cure on reboot scheduled successfully 17:31:11:062 0800 17:31:11:062 0800 Completed 17:31:11:062 0800 17:31:11:062 0800 Results: 17:31:11:062 0800 Registry objects infected / cured / cured on reboot: 0 / 0 / 0 17:31:11:062 0800 File objects infected / cured / cured on reboot: 1 / 0 / 1 17:31:11:062 0800 17:31:11:062 0800 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system 17:31:11:062 0800 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software 17:31:11:062 0800 UnloadDriverW: NtUnloadDriver error 1 17:31:11:062 0800 KLMD(ARK) unloaded successfully
  6. dbb
    Hello Borislav!! Thank you for the help! Here are the requested logs, gathered after removing java. ======= JavaRA log JavaRa 1.15 Removal Log. Report follows after line. ------------------------------------ The JavaRa removal process was started on Tue May 18 17:23:12 2010 ------------------------------------ Finished reporting. ========= Combofix log ComboFix 10-05-17.01 - Don 05/18/2010 17:39:57.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2958 [GMT -4:00] Running from: c:\documents and settings\Don\Desktop\Combo-Fix.exe AV: Sunbelt VIPRE *On-access scanning enabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C} . ((((((((((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 ))))))))))))))))))))))))))))))) . 2010-05-17 21:25 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-05-17 21:25 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-05-17 21:20 . 2010-05-17 21:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp 2010-05-17 12:47 . 2001-08-17 17:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys 2010-05-17 12:46 . 2001-08-17 17:28 794399 -c--a-w- c:\windows\system32\dllcache\usr1806v.sys 2010-05-17 12:45 . 2001-08-18 02:36 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll 2010-05-17 12:44 . 2008-04-14 04:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys 2010-05-17 12:43 . 2001-08-18 02:36 28672 -c--a-w- c:\windows\system32\dllcache\sma0w.dll 2010-05-17 12:42 . 2001-08-17 17:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys 2010-05-17 12:41 . 2001-08-17 17:28 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys 2010-05-17 12:40 . 2001-08-18 02:36 86016 -c--a-w- c:\windows\system32\dllcache\pctspk.exe 2010-05-17 12:39 . 2001-08-17 16:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys 2010-05-17 12:38 . 2001-08-17 18:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys 2010-05-17 12:37 . 2001-08-17 16:12 26442 -c--a-w- c:\windows\system32\dllcache\lanepic5.sys 2010-05-17 12:36 . 2001-08-17 18:06 154496 -c--a-w- c:\windows\system32\dllcache\icam4usb.sys 2010-05-17 12:35 . 2001-08-18 02:36 165888 -c--a-w- c:\windows\system32\dllcache\hpgt53.dll 2010-05-17 12:34 . 2001-08-17 17:52 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys 2010-05-17 12:33 . 2001-08-18 02:36 37962 -c--a-w- c:\windows\system32\dllcache\divaprop.dll 2010-05-17 12:32 . 2001-08-17 16:13 21530 -c--a-w- c:\windows\system32\dllcache\ce2n5.sys 2010-05-17 12:31 . 2008-04-14 09:41 3775 -c--a-w- c:\windows\system32\dllcache\adv11nt5.dll 2010-05-17 12:21 . 2010-05-17 12:21 -------- d-----w- c:\windows\system32\wbem\Repository . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-05-17 21:23 . 2009-08-27 03:00 -------- d-----w- c:\program files\Google 2010-05-17 12:21 . 2010-01-29 04:25 -------- d-----w- c:\program files\Panda Security 2010-05-09 15:27 . 2009-01-06 05:43 -------- d-----w- c:\documents and settings\Don\Application Data\Folding@home-x86 2010-04-18 01:52 . 2010-01-30 18:55 1 ----a-w- c:\documents and settings\Don\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys 2010-04-17 02:38 . 2009-05-24 23:21 -------- d-----w- c:\documents and settings\Don\Application Data\FileZilla 2010-04-17 01:39 . 2010-04-17 01:27 -------- d-----w- c:\documents and settings\Don\Application Data\ArcSoft 2010-04-17 01:38 . 2010-04-17 01:28 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft 2010-04-17 01:33 . 2009-01-06 04:14 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-04-17 01:28 . 2010-04-17 01:28 -------- d-----w- c:\program files\Common Files\ArcSoft 2010-04-13 22:37 . 2010-04-13 22:37 -------- d-----w- c:\documents and settings\Don\Application Data\GrabPro 2010-04-13 22:33 . 2010-04-13 22:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\MiniDm 2010-04-13 22:33 . 2010-04-13 22:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\IEPro 2010-03-19 01:16 . 2010-03-19 01:16 1656832 ----a-w- c:\documents and settings\Don\Application Data\Folding@home-x86\FahCore_a0.exe 2010-03-19 01:16 . 2010-03-19 01:16 1382280 ----a-w- c:\documents and settings\Don\Application Data\Folding@home-x86\libfftw3f-3.dll 2010-02-22 01:39 . 2010-02-22 01:39 27984 ----a-w- c:\windows\system32\sbbd.exe 2010-02-22 00:30 . 2010-04-13 22:34 85080 ----a-w- c:\windows\system32\drivers\sbhips.sys 2006-05-03 10:06 . 2009-09-10 04:29 163328 --sh--r- c:\windows\system32\flvDX.dll 2007-02-21 11:47 . 2009-09-10 04:29 31232 --sh--r- c:\windows\system32\msfDX.dll 2008-03-16 13:30 . 2009-09-10 04:29 216064 --sh--r- c:\windows\system32\nbDX.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TClockEx"="d:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440] "Ai Nap"="d:\program files\ASUS\AI Suite\AiNap\AiNap.exe" [2008-05-26 1423360] "QFan Help"="d:\program files\ASUS\AI Suite\QFan3\QFanHelp.exe" [2008-05-06 594432] "Cpu Level Up help"="d:\program files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2007-12-01 881152] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "zBrowser Launcher"="d:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928] "CTHelper"="CTHELPER.EXE" [2009-03-04 19456] "CTSysVol"="d:\program files\Creative\Surround Mixer\CTSysVol.exe" [2003-09-17 57344] "VirtualDrive"="d:\program files\FarStone\VirtualDrive\VDTask.exe" [2008-11-06 166416] "SBAMTray"="d:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-02-22 1291600] "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360] c:\documents and settings\Don\Start Menu\Programs\Startup\ Folding@home.lnk - c:\documents and settings\Don\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_2377D972A0372FCB34E3F7.exe [2009-1-6 98477] Shortcut to deskview.lnk - d:\program files\deskview.exe [2009-1-9 36864] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Nostromo Loadout Manager.lnk - c:\windows\Installer\{548C7B77-8B04-427E-ACD0-D0E6E6E59BCF}\NewShortcut2_548C7B778B04427EACD0D0E6E6E59BCF.exe [2009-4-6 45056] Task Manager.lnk - c:\windows\system32\taskmgr.exe [2008-4-14 135680] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk * [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc] @="Service" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "e:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"= "e:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"= "c:\\Documents and Settings\\Don\\Desktop\\WallWatcher\\WallWatcher.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "e:\\Program Files\\Codemasters\\DiRT Demo\\DiRTDemo.exe"= "d:\\Program Files\\IEPro\\MiniDM.exe"= "e:\\Makena\\There\\ThereClient\\There.exe"= "e:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe"= "e:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"= "e:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "21:TCP"= 21:TCP:FTP R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/29/2010 12:25 AM 28552] R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [4/14/2010 5:57 PM 13400] R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/14/2009 3:39 AM 95024] R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [10/2/2009 7:50 PM 203056] R2 PDSched;PDScheduler;d:\program files\Raxco\PerfectDisk\PDSched.exe [11/29/2005 11:16 AM 241731] R2 SBAMSvc;VIPRE Antivirus;d:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [2/21/2010 9:40 PM 2726000] R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [4/14/2010 5:59 PM 69720] R2 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [4/13/2010 6:34 PM 85080] R2 SBPIMSvc;SB Recovery Service;d:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [2/21/2010 9:39 PM 181584] R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [4/16/2010 9:28 PM 36224] R3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [4/6/2009 10:24 PM 23040] R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/4/2009 2:42 PM 99352] R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/4/2009 2:42 PM 555032] R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/4/2009 2:42 PM 566296] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/26/2009 11:00 PM 133104] S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/4/2009 2:42 PM 99352] S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [4/7/2009 7:01 PM 79360] S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/4/2009 2:42 PM 555032] S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/4/2009 2:42 PM 100888] S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/4/2009 2:42 PM 100888] S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/4/2009 2:42 PM 566296] S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [4/16/2010 9:28 PM 134912] --- Other Services/Drivers In Memory --- *Deregistered* - ArcRec . Contents of the 'Scheduled Tasks' folder 2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-27 03:00] 2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-27 03:00] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html Trusted Zone: centralink.org\www DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.21.0.cab FF - ProfilePath - c:\documents and settings\Don\Application Data\Mozilla\Firefox\Profiles\7eliypcl.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com FF - component: c:\documents and settings\Don\Application Data\Mozilla\Firefox\Profiles\7eliypcl.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}\components\PlainOldFavorites.dll FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll FF - plugin: c:\documents and settings\Don\Application Data\Mozilla\Firefox\Profiles\7eliypcl.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: d:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . - - - - ORPHANS REMOVED - - - - MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe AddRemove-WZCLINE - d:\program files\WinZip\winzip32 ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-05-18 17:48 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run CTHelper = CTHELPER.EXE? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D81CEC]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28 \Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8 \Driver\atapi -> atapi.sys @ 0xb9f11852 IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xb9ddfbb0 PacketIndicateHandler -> NDIS.sys @ 0xb9deca21 SendHandler -> NDIS.sys @ 0xb9dca87b user & kernel MBR OK ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(712) c:\windows\system32\WININET.dll c:\windows\system32\Ati2evxx.dll - - - - - - - > 'lsass.exe'(776) c:\windows\system32\WININET.dll . Completion time: 2010-05-18 17:52:06 ComboFix-quarantined-files.txt 2010-05-18 21:51 Pre-Run: 22,031,122,432 bytes free Post-Run: 22,482,903,040 bytes free - - End Of File - - FD78B0290260FFF2AF8136618A327C81
  7. dbb
    Initial post explaining problem: http://forums.malwarebytes.org/index.php?showtopic=50639 Here are the requested logs. Thank You!! ======== MBAM Log 1: Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4052 Windows 5.1.2600 Service Pack 3 Internet Explorer 7.0.5730.13 5/14/2010 8:50:43 AM mbam-log-2010-05-14 (08-50-43).txt Scan type: Quick scan Objects scanned: 113577 Time elapsed: 3 minute(s), 8 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 4 Registry Values Infected: 0 Registry Data Items Infected: 2 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ======== MBAM Log 2: Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4110 Windows 5.1.2600 Service Pack 3 Internet Explorer 7.0.5730.13 5/17/2010 5:29:44 PM mbam-log-2010-05-17 (17-29-44).txt Scan type: Quick scan Objects scanned: 116694 Time elapsed: 3 minute(s), 14 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 2 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: G:\TEMP\10C.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully. G:\TEMP\c42908b1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. ====== DDS Log: DDS (Ver_10-03-17.01) - NTFSx86 Run by Don at 18:31:21.42 on Mon 05/17/2010 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2538 [GMT -4:00] AV: Sunbelt VIPRE *On-access scanning enabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C} ============== Running Processes =============== C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe svchost.exe svchost.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Creative\Shared Files\CTAudSvc.exe D:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe D:\Program Files\Logitech\iTouch\iTouch.exe C:\WINDOWS\system32\CTHELPER.EXE D:\Program Files\Creative\Surround Mixer\CTSysVol.exe D:\Program Files\FarStone\VirtualDrive\VDTask.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe D:\Program Files\Belkin\Nostromo\nost_LM.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\Folding@home\Folding@home-x86\Folding@home.exe svchost.exe C:\Documents and Settings\Don\Application Data\Folding@home-x86\FahCore_78.exe C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\WINDOWS\system32\PnkBstrA.exe D:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe D:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe C:\WINDOWS\system32\svchost.exe -k imgsvc D:\Program Files\Raxco\PerfectDisk\PDSched.exe D:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe C:\WINDOWS\explorer.exe C:\WINDOWS\System32\svchost.exe -k netsvcs D:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE C:\Documents and Settings\Don\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.com/ BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - d:\program files\iepro\iepro.dll BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - d:\program files\iepro\IEProRecorder.dll uRun: [TClockEx] d:\program files\tclockex\TCLOCKEX.EXE mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun mRun: [Ai Nap] "d:\program files\asus\ai suite\ainap\AiNap.exe" mRun: [QFan Help] "d:\program files\asus\ai suite\qfan3\QFanHelp.exe" mRun: [Cpu Level Up help] d:\program files\asus\ai suite\CpuLevelUpHelp.exe mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe mRun: [zBrowser Launcher] d:\program files\logitech\itouch\iTouch.exe mRun: [CTHelper] CTHELPER.EXE mRun: [CTSysVol] d:\program files\creative\surround mixer\CTSysVol.exe /r mRun: [VirtualDrive] "d:\program files\farstone\virtualdrive\VDTask.exe" /AutoRestore mRun: [<NO NAME>] mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [sBAMTray] "d:\program files\sunbelt software\vipre\SBAMTray.exe" mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe StartupFolder: c:\docume~1\don\startm~1\programs\startup\foldin~1.lnk - c:\docume~1\don\applic~1\microsoft\installer\{6b755ec3-c709-4f5c-bc58-bc0d3967b6b6}\_2377D972A0372FCB34E3F7.exe StartupFolder: c:\docume~1\don\startm~1\programs\startup\shortc~1.lnk - d:\program files\deskview.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nostro~1.lnk - c:\windows\installer\{548c7b77-8b04-427e-acd0-d0e6e6e59bcf}\NewShortcut2_548C7B778B04427EACD0D0E6E6E59BCF.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\taskma~1.lnk - c:\windows\system32\taskmgr.exe IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - d:\program files\iepro\iepro.dll IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - d:\program files\iepro\iepro.dll Trusted Zone: centralink.org\www DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231219257375 DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.21.0.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab Notify: AtiExtEvent - Ati2evxx.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\don\applic~1\mozilla\firefox\profiles\7eliypcl.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com FF - component: c:\documents and settings\don\application data\mozilla\firefox\profiles\7eliypcl.default\extensions\{7e7165e2-0767-448c-852f-5fa8714f2c37}\components\PlainOldFavorites.dll FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll FF - plugin: c:\documents and settings\don\application data\mozilla\firefox\profiles\7eliypcl.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: d:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); ============= SERVICES / DRIVERS =============== R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-1-29 28552] R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-4-14 13400] R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-14 95024] R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-10-2 203056] R2 PDSched;PDScheduler;d:\program files\raxco\perfectdisk\PDSched.exe [2005-11-29 241731] R2 SBAMSvc;VIPRE Antivirus;d:\program files\sunbelt software\vipre\SBAMSvc.exe [2010-2-21 2726000] R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-4-14 69720] R2 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2010-4-13 85080] R2 SBPIMSvc;SB Recovery Service;d:\program files\sunbelt software\vipre\SBPIMSvc.exe [2010-2-21 181584] R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [2010-4-16 36224] R3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2009-4-6 23040] R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352] R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032] R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296] R4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [2010-4-16 134912] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-8-26 133104] S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352] S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-4-7 79360] S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032] S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888] S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888] S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296] =============== Created Last 30 ================ 2010-05-17 21:36:48 0 ----a-w- c:\documents and settings\don\defogger_reenable 2010-05-17 21:25:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-05-17 21:25:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-05-17 12:47:56 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys 2010-05-17 12:46:59 794399 -c--a-w- c:\windows\system32\dllcache\usr1806v.sys 2010-05-17 12:45:57 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll 2010-05-17 12:44:59 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys 2010-05-17 12:43:58 28672 -c--a-w- c:\windows\system32\dllcache\sma0w.dll 2010-05-17 12:42:59 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys 2010-05-17 12:41:59 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys 2010-05-17 12:40:58 86016 -c--a-w- c:\windows\system32\dllcache\pctspk.exe 2010-05-17 12:39:57 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys 2010-05-17 12:38:56 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys 2010-05-17 12:37:59 26442 -c--a-w- c:\windows\system32\dllcache\lanepic5.sys 2010-05-17 12:36:58 154496 -c--a-w- c:\windows\system32\dllcache\icam4usb.sys 2010-05-17 12:35:59 165888 -c--a-w- c:\windows\system32\dllcache\hpgt53.dll 2010-05-17 12:34:58 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys 2010-05-17 12:33:59 37962 -c--a-w- c:\windows\system32\dllcache\divaprop.dll 2010-05-17 12:32:59 21530 -c--a-w- c:\windows\system32\dllcache\ce2n5.sys 2010-05-17 12:31:59 24576 -c--a-w- c:\windows\system32\dllcache\agcgauge.ax 2010-05-17 12:21:57 0 d-----w- c:\windows\system32\wbem\Repository ==================== Find3M ==================== 2010-02-22 01:39:16 27984 ----a-w- c:\windows\system32\sbbd.exe 2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll 2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll 2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll ============= FINISH: 18:33:03.53 =============== Attach.zip
  8. dbb
    Hello, Recently infected with Antispyware Soft. It got past Vipre ver 4... I used Vipre for initial clean up. Vipre found 2 items. Followed up with rkill.com and MBAM, which found a few more (5?) registry keys, which were cleaned. Now, after a reboot, opening/running any program crashes explorer. It only crashes once, then is OK. I say OK, as Explorer doesn't crash again, but I've noticed at least one application not working correclty. This is the Belkin Nostromo Loadout Manger - Game controller software, which allows keypress, and macros, to be used. I've uninstalled and re-installed it. (I need to re-test to confirm whether it's not working correctly now) Explorer still crashes after re-installing Nostromo software. I initially thought that rkill was getting launched, as I'd left it on the desktop. Deleted rkill with no change. System restore to a restore point several days prior to the infection didn't help. I hadn't yet set up ERUNT to backup the registry regularly... Vipre and MBAM are both not finding anything else. I don't see anything obvious in start up (msconfig and vipre tools - startup). Due to the way that Antispyware Soft was intercepting and shutting down applications, I suspect that this behavior is left-over from the infection... Something that seems odd... I've opened regedit a couple of times from the Run prompt, and each time it's been on a xxvietnamese.xxvietnmese registry key. I'm at work and didn't write it down while at home. It seems odd that key would be highlighted. I thought that it opened to the last/previous highlighted key, and I closed all expanded keys when I exited regedit. Has this been seen before? Suggestions/ideas? I didn't find anything using the search function... XP SP3 All (most) updates. I passed on the one that was causing blue screens (KB977165, I think) Thanks!
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.