
Constant blocking of malicious IPs



The name says it all, please help me. Thanks

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Chris at 7:58:39 on 2011-12-17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2010 [GMT -5:00]

.

.

============== Running Processes ===============

.

C:\PROGRA~1\AVG\AVG2012\avgrsx.exe

C:\Program Files\AVG\AVG2012\avgcsrvx.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\AVG\AVG2012\avgtray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\WINDOWS\vVX3000.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG2012\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\Program Files\AVG\AVG2012\avgemcx.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe

C:\Program Files\iPod\bin\iPodService.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://www.google.com/

uDefault_Page_URL = hxxp://www.google.com/

uURLSearchHooks: H - No File

mWinlogon: SfcDisable=-99 (0xffffff9d)

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll

BHO: EpicPlay: {56e4076b-a42b-4745-ba35-34da8ac4c2f2} - EpicPlay

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [<NO NAME>]

mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [VX3000] c:\windows\vVX3000.exe

mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRun: [ctfmon.exe] ctfmon.exe

dRun: [iDMan] c:\program files\internet download manager\IDMan.exe /onboot

dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

StartupFolder: c:\docume~1\chris\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

uPolicies-explorer: NoResolveTrack = 1 (0x1)

uPolicies-explorer: NoInstrumentation = 1 (0x1)

uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)

dPolicies-explorer: NoResolveTrack = 1 (0x1)

dPolicies-explorer: NoInstrumentation = 1 (0x1)

dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)

dPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

TCP: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{6896E33E-4593-48DB-986D-BD4544F92BFA} : DhcpNameServer = 192.168.2.1

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SecurityProviders: schannel.dll, credssp.dll, digest.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\chris\application data\mozilla\firefox\profiles\jjgrz6tx.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll

.

---- FIREFOX POLICIES ----

FF - user.js: general.useragent.extra.brc -

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 230608]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-15 366152]

R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2011-3-9 101904]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-15 22216]

S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]

S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest home edition\kerneld.wnt [2005-8-17 7168]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

.

=============== Created Last 30 ================

.

2011-12-15 23:49:45 -------- d-----w- c:\windows\system32\appmgmt

2011-12-15 23:17:53 -------- d-----w- c:\documents and settings\chris\application data\Malwarebytes

2011-12-15 23:17:47 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE

2011-12-15 23:17:44 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-12-15 23:17:40 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-15 23:17:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-14 12:18:56 -------- d-----w- c:\program files\iPod

2011-12-14 12:18:54 -------- d-----w- c:\program files\iTunes

2011-12-14 12:16:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2011-12-14 12:16:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2011-12-14 12:16:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2011-12-14 12:16:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2011-12-14 12:16:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2011-12-14 12:16:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2011-12-14 12:16:03 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2011-12-04 13:58:38 -------- d-----w- c:\program files\StarCraft II

2011-12-04 13:58:38 -------- d-----w- c:\documents and settings\all users\application data\Blizzard Entertainment

2011-12-04 04:25:19 -------- d-----w- c:\program files\SCII

2011-12-04 04:25:02 -------- d-----w- c:\program files\common files\Blizzard Entertainment

2011-12-04 04:14:40 -------- d-----w- c:\documents and settings\chris\local settings\application data\AA2DeployClient

2011-12-04 04:14:40 -------- d-----w- c:\documents and settings\all users\application data\AA2DeployClient

2011-12-04 04:14:21 -------- d-----w- c:\documents and settings\chris\local settings\application data\Deployment

2011-12-04 03:57:30 -------- d-----w- C:\New Folder

2011-12-03 23:46:07 -------- d-----w- c:\documents and settings\all users\application data\WeCareReminder

2011-12-03 23:46:02 -------- d--h--w- C:\$AVG

2011-11-28 17:52:36 -------- d-----w- c:\program files\Yahoo!

.

==================== Find3M ====================

.

2011-12-06 03:37:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-27 21:26:02 319488 ----a-w- c:\windows\HideWin.exe

2011-10-25 17:25:15 0 ----a-w- c:\windows\ativpsrm.bin

2011-10-25 14:34:42 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-10-25 14:34:42 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-10-25 14:34:25 428088 ----a-w- c:\windows\system32\drivers\sptd.sys

2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-10-10 14:21:17 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-10-07 10:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2011-10-04 10:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys

2011-09-28 07:05:47 599552 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 08:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 08:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 08:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST3250410AS rev.3.AAF -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-d

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89DAB49F]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89db2738]; MOV EAX, [0x89db28ac]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A0FAAB8]

3 CLASSPNP[0xF7657FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000006f[0x8A114030]

5 ACPI[0xF7487620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A0FFD98]

\Driver\atapi[0x8A11AA98] -> IRP_MJ_CREATE -> 0x89DAB49F

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x89DAB2C6

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 8:00:10.12 ===============


Hello and welcome. Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Download GMER Rootkit Scanner from here to your desktop.

  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

If you have trouble running GMER:

  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode

Please include the following in your next post:

  • The Attach.txt log from DDS
  • GMER log


Thank you very much for the effort you are putting into my problem. It is very much appreciated.

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 10/25/2011 10:37:13 AM

System Uptime: 12/17/2011 7:47:45 AM (1 hours ago)

.

Motherboard: ASUSTeK Computer INC. | | M3A32-MVP DELUXE

Processor: AMD Phenom 9950 Quad-Core Processor | CPU 1 | 2607/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 233 GiB total, 185.701 GiB free.

D: is FIXED (FAT32) - 466 GiB total, 384.214 GiB free.

E: is CDROM (CDFS)

.

==== Disabled Device Manager Items =============

.

Class GUID:

Description: SM Bus Controller

Device ID: PCI\VEN_1002&DEV_4385&SUBSYS_82881043&REV_14\3&267A616A&0&A0

Manufacturer:

Name: SM Bus Controller

PNP Device ID: PCI\VEN_1002&DEV_4385&SUBSYS_82881043&REV_14\3&267A616A&0&A0

Service:

.

Class GUID:

Description:

Device ID: ACPI\ATK0110\1010110

Manufacturer:

Name:

PNP Device ID: ACPI\ATK0110\1010110

Service:

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader X (10.1.1)

Apple Application Support

Apple Mobile Device Support

Apple Software Update

AVG 2012

Broadcom Gigabit Integrated Controller

Coupon Printer for Windows

EVEREST Home Edition v2.20

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB954550-v5)

HP Deskjet 2050 J510 series Basic Device Software

HP Deskjet 2050 J510 series Help

HP Deskjet 2050 J510 series Product Improvement Study

HP Photo Creations

HP Update

iTunes

Java Auto Updater

Java 6 Update 22

Java 6 Update 24

Malwarebytes' Anti-Malware version 1.51.2.1300

Marvell Miniport Driver

McAfee Security Scan Plus

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Corporation

Microsoft LifeCam

Microsoft Silverlight

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable - KB2467175

Microsoft Visual C++ 2008 Redistributable - SP1 x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319

Mozilla Firefox 5.0 (x86 en-US)

OpenOffice.org 3.3

QuickTime

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2592799)

SoundMAX

StarCraft II

Unlocker 1.9.0

Update for Windows XP (KB2541763)

Update for Windows XP (KB2616676-v2)

Update for Windows XP (KB2641690)

WebFldrs XP

Windows Media Format 11 runtime

WinRAR 4.00 (32-bit)

Yahoo! Messenger

Yahoo! Software Update

.

==== End Of File ===========================

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2011-12-18 16:41:31

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort5 ST3250410AS rev.3.AAF

Running: 3p6urbdm.exe; Driver: C:\DOCUME~1\Chris\LOCALS~1\Temp\axrcykog.sys

---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xF7504EB0]

SSDT sptd.sys ZwEnumerateKey [0xF7539018]

SSDT sptd.sys ZwEnumerateValueKey [0xF75393A6]

SSDT sptd.sys ZwOpenKey [0xF7504E90]

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x9281DF3C]

SSDT sptd.sys ZwQueryKey [0xF753947E]

SSDT sptd.sys ZwQueryValueKey [0xF75392FE]

SSDT sptd.sys ZwSetValueKey [0xF7539510]

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x9281DFE4]

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x9281E080]

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x9281E11C]

INT 0x62 ? 8A17CCB8

INT 0x63 ? 8A17CCB8

INT 0x63 ? 8A17CCB8

INT 0x63 ? 89F85CB8

INT 0x63 ? 8A17CCB8

INT 0x73 ? 8A17CCB8

INT 0x73 ? 8A17CCB8

INT 0x73 ? 89F85CB8

INT 0x73 ? 8A17CCB8

INT 0x83 ? 8A17CCB8

INT 0x83 ? 8A17CCB8

INT 0xA4 ? 89F85CB8

INT 0xB4 ? 89F85CB8

INT 0xB4 ? 89F85CB8

---- Kernel code sections - GMER 1.0.15 ----

PAGE sptd.sys F7528000 1 Byte [74]

PAGE sptd.sys F7528004 5 Bytes [40, 83, 52, F7, A3] {INC EAX; ADC DWORD [EDX-0x9], -0x5d}

PAGE sptd.sys F752800C 5 Bytes [50, 84, 52, F7, 98] {PUSH EAX; TEST [EDX-0x9], DL; CWDE }

PAGE sptd.sys F7528014 5 Bytes [b8, 83, 52, F7, 59] {MOV EAX, 0x59f75283}

PAGE sptd.sys F752801C 5 Bytes [78, 82, 52, F7, 61]

PAGE ...

.sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xF7574B0B]

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB1791000, 0x29C9F0, 0xE8000020]

.text USBPORT.SYS!DllUnload B170C934 5 Bytes JMP 89F851C8

init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xB10CCA00]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1596] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 0090000C

.text C:\WINDOWS\System32\svchost.exe[1596] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01CF000A

.text C:\WINDOWS\System32\svchost.exe[1596] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 01D0000A

.text C:\WINDOWS\System32\svchost.exe[1596] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 01D1000A

.text C:\WINDOWS\System32\svchost.exe[1596] ole32.dll!CoCreateInstance 774FF1C4 5 Bytes JMP 00E1000A

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2948] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 1068EDA6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2948] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 1068ED38 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2948] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104A5451 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2948] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104A5A99 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A1C41E8

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Fastfat \FatCdrom 898B1430

Device \Driver\usbehci \Device\USBPDO-0 89E721E8

Device \Driver\usbohci \Device\USBPDO-1 89EDC1E8

Device \Driver\usbohci \Device\USBPDO-2 89EDC1E8

Device \Driver\usbohci \Device\USBPDO-3 89EDC1E8

Device \Driver\usbohci \Device\USBPDO-4 89EDC1E8

Device \Driver\NetBT \Device\NetBT_Tcpip_{6896E33E-4593-48DB-986D-BD4544F92BFA} 899651E8

Device \Driver\usbohci \Device\USBPDO-5 89EDC1E8

Device \Driver\Cdrom \Device\CdRom0 89E50430

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP6T0L0-1a 89E212C6

Device \Driver\atapi \Device\Ide\IdeDeviceP6T0L0-1a [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 89E212C6

Device \Driver\atapi \Device\Ide\IdePort0 [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 89E212C6

Device \Driver\atapi \Device\Ide\IdePort1 [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 89E212C6

Device \Driver\atapi \Device\Ide\IdePort2 [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 89E212C6

Device \Driver\atapi \Device\Ide\IdePort3 [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 89E212C6

Device \Driver\atapi \Device\Ide\IdePort4 [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 89E212C6

Device \Driver\atapi \Device\Ide\IdePort5 [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort6 89E212C6

Device \Driver\atapi \Device\Ide\IdePort6 [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort7 89E212C6

Device \Driver\atapi \Device\Ide\IdePort7 [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP5T0L0-d 89E212C6

Device \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-d [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\usbstor \Device\00000081 8993B430

Device \Driver\NetBT \Device\NetBt_Wins_Export 899651E8

Device \Driver\NetBT \Device\NetbiosSmb 899651E8

Device \Driver\usbohci \Device\USBFDO-0 89EDC1E8

Device \Driver\usbohci \Device\USBFDO-1 89EDC1E8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8995A430

Device \Driver\usbohci \Device\USBFDO-2 89EDC1E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector 8995A430

Device \Driver\usbohci \Device\USBFDO-3 89EDC1E8

Device \Driver\usbohci \Device\USBFDO-4 89EDC1E8

Device \Driver\usbstor \Device\0000007e 8993B430

Device \Driver\usbehci \Device\USBFDO-5 89E721E8

Device \FileSystem\Fastfat \Fat 898B1430

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Cdfs \Cdfs 89933430

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

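Reading a GMER log by hand means separating the hooks a reviewer expects to see (security software such as the AVG driver above, which GMER labels with its vendor description) from the findings that actually drive the next step, such as the "Disk sectors" lines. The Python below is an added example written for this page; it is not part of the thread or of the GMER tool. It parses constructed lines in the same format as the log above, groups SSDT hooks by the module that owns them, and reports the disk-sector findings with a coarse severity. The function names and the severity labels are this example's own, not anything GMER provides.

```python
"""Triage helper for GMER rootkit-scan logs.

Added example for this thread; it is not part of the forum post or of the
GMER tool. It groups SSDT hooks by the module that owns them and pulls out
the "Disk sectors" findings, which is the part of the log a reviewer reads
first. The sample below is constructed to match the GMER 1.0.15 line format.
"""
import re
from collections import defaultdict

# Constructed sample log in GMER 1.0.15 format (not a real capture).
SAMPLE_LOG = """\
---- System - GMER 1.0.15 ----
SSDT sptd.sys ZwCreateKey [0xF7504EB0]
SSDT sptd.sys ZwOpenKey [0xF7504E90]
SSDT \\SystemRoot\\system32\\DRIVERS\\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x9281DF3C]
SSDT \\SystemRoot\\system32\\DRIVERS\\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x9281DFE4]
---- Disk sectors - GMER 1.0.15 ----
Disk \\Device\\Harddisk0\\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \\Device\\Harddisk0\\DR0 sector 00: rootkit-like behavior
---- EOF - GMER 1.0.15 ----
"""

# "SSDT <module> [(<vendor description>)] <ZwFunction> [<address>]"
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$"
)
# "Disk <device> <finding text>"
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+(?P<finding>.+?)\s*$")


def parse_ssdt_hooks(text):
    """Return one dict per SSDT line: module basename, vendor description,
    hooked function and hook address."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if not m:
            continue
        module = m.group("module").rsplit("\\", 1)[-1].lower()
        hooks.append({
            "module": module,
            "desc": (m.group("desc") or "").strip(),
            "func": m.group("func"),
            "addr": m.group("addr"),
        })
    return hooks


def hooks_by_module(text):
    """Map each hooking module to the sorted list of Zw* functions it hooks."""
    grouped = defaultdict(set)
    for h in parse_ssdt_hooks(text):
        grouped[h["module"]].add(h["func"])
    return {mod: sorted(funcs) for mod, funcs in grouped.items()}


def disk_findings(text):
    """Return (device, finding) pairs from the 'Disk sectors' section."""
    findings = []
    for line in text.splitlines():
        m = DISK_RE.match(line)
        if m:
            findings.append((m.group("device"), m.group("finding")))
    return findings


def triage(text):
    """Summarise a log. Severity is 'high' when GMER reports rootkit code in
    disk sectors, 'review' when only SSDT hooks are present (security
    software commonly installs these, so they are not proof of infection),
    and 'clean' otherwise."""
    by_module = hooks_by_module(text)
    disks = disk_findings(text)
    rootkit_disk = [f for f in disks if "rootkit" in f[1].lower()]
    if rootkit_disk:
        severity = "high"
    elif by_module:
        severity = "review"
    else:
        severity = "clean"
    # Modules whose SSDT lines carry no vendor description deserve a closer
    # look than those GMER could attribute to a named product.
    unattributed = sorted(
        {h["module"] for h in parse_ssdt_hooks(text) if not h["desc"]}
    )
    return {
        "severity": severity,
        "ssdt_by_module": by_module,
        "unattributed_hookers": unattributed,
        "disk_alerts": rootkit_disk,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("severity:", summary["severity"])
    for mod, funcs in summary["ssdt_by_module"].items():
        print(f"  {mod}: {', '.join(funcs)}")
    for device, finding in summary["disk_alerts"]:
        print(f"  {device}: {finding}")
```

The grouping makes the pattern in the log above visible at a glance: one module with a vendor description hooking process-related calls (typical of an activity monitor), another with no description hooking registry calls, and a disk-sector finding that is the real reason the thread moves on to TDSSKiller. As the helper's caution says, none of the hook entries on their own is grounds for action; the summary is a reading aid, not a verdict.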

ccrrll10:

Please do this next:

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop

  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Post that log, please.

Download ComboFix from one of the following locations:

Link 1

Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: ComboFix Recovery Console prompt]

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: Recovery Console installed message]

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please include the following in your next post:

  • TDSSKiller log
  • ComboFix log


Here's the situation. TDSSkiller worked perfectly fine and I will copy the txt. Combo works up until the blue window says it's currently scanning for infections. I had it say something along the lines of me having a bad infection, a rootkit in my icp/ip (something like that), and it would take many moments. I waited many moments only to find out my computer had frozen. I can move my mouse; however, I cannot click on anything and ctrl alt del doesn't work either. I tried it again. It froze again; this time it didn't say it had found anything, which is why I can't remember exactly what it had said. Should I keep trying?

20:28:58.0296 2632 TDSS rootkit removing tool 2.6.23.0 Dec 13 2011 10:39:31

20:28:58.0562 2632 ============================================================

20:28:58.0562 2632 Current date / time: 2011/12/18 20:28:58.0562

20:28:58.0562 2632 SystemInfo:

20:28:58.0562 2632

20:28:58.0562 2632 OS Version: 5.1.2600 ServicePack: 3.0

20:28:58.0562 2632 Product type: Workstation

20:28:58.0562 2632 ComputerName: CHRIS-C5D967D61

20:28:58.0562 2632 UserName: Chris

20:28:58.0562 2632 Windows directory: C:\WINDOWS

20:28:58.0562 2632 System windows directory: C:\WINDOWS

20:28:58.0562 2632 Processor architecture: Intel x86

20:28:58.0562 2632 Number of processors: 4

20:28:58.0562 2632 Page size: 0x1000

20:28:58.0562 2632 Boot type: Normal boot

20:28:58.0562 2632 ============================================================

20:28:59.0890 2632 Initialize success

20:29:01.0046 3092 ============================================================

20:29:01.0046 3092 Scan started

20:29:01.0046 3092 Mode: Manual;

20:29:01.0046 3092 ============================================================


20:32:27.0859 3092 sptd (ca9a2690a2b53662565654b48f7ae68f) C:\WINDOWS\System32\Drivers\sptd.sys

20:32:27.0859 3092 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\sptd.sys. md5: ca9a2690a2b53662565654b48f7ae68f

20:32:27.0859 3092 sptd ( LockedFile.Multi.Generic ) - warning

20:32:27.0859 3092 sptd - detected LockedFile.Multi.Generic (1)


20:33:00.0281 3092 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0

20:33:00.0281 3092 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected

20:33:00.0281 3092 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)

20:33:00.0281 3092 MBR (0x1B8) (8ff255184f078c9c04e6a2ce66117c5c) \Device\Harddisk1\DR2

20:33:00.0296 3092 \Device\Harddisk1\DR2 - ok

20:33:00.0296 3092 Boot (0x1200) (1449b4bd9d12ba34b2b5e54e9e314caa) \Device\Harddisk0\DR0\Partition0

20:33:00.0296 3092 \Device\Harddisk0\DR0\Partition0 - ok

20:33:00.0296 3092 Boot (0x1200) (436cd9874a564b31f6028db28127bf02) \Device\Harddisk1\DR2\Partition0

20:33:00.0296 3092 \Device\Harddisk1\DR2\Partition0 - ok

20:33:00.0296 3092 ============================================================

20:33:00.0296 3092 Scan finished

20:33:00.0296 3092 ============================================================

20:33:00.0296 3000 Detected object count: 2

20:33:00.0296 3000 Actual detected object count: 2

20:33:37.0484 3000 sptd ( LockedFile.Multi.Generic ) - skipped by user

20:33:37.0484 3000 sptd ( LockedFile.Multi.Generic ) - User select action: Skip

20:33:37.0531 3000 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot

20:33:37.0531 3000 \Device\Harddisk0\DR0 - ok

20:33:37.0531 3000 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure

20:33:53.0984 1764 Deinitialize success


ccrrll10:

Please do this next:

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please include the following in your next post:

  • MBAM log


Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8400

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/19/2011 10:36:20 PM

mbam-log-2011-12-19 (22-36-20).txt

Scan type: Full scan (C:\|D:\|E:\|)

Objects scanned: 235571

Time elapsed: 55 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\Chris\application data\Sun\Java\deployment\cache\6.0\29\758eb99d-26bf9a8f (Rootkit.0Access) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\nnnv0.3241714338339684.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\opre0.46059484578473076.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.


ccrrll10:

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Go to this page to download the latest version. Press the download button under JRE and follow the prompts. Accept the agreement and choose the Windows x86 offline option.
  • Run the installer you just downloaded

Please go here to run an online scan with ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

Please include the following in your next post:

  • How is the computer running now?
  • ESET log


The computer has been running better, no more constant malicious IP notices anyway. It's obviously still not healthy though :(

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=8fef223567a68e43bab292740f29c6bc

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-12-20 01:36:38

# local_time=2011-12-20 08:36:38 (-0500, Eastern Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=crash

# scanned=79975

# found=1

# cleaned=0

# scan_time=1444

C:\Documents and Settings\Chris\Local Settings\Temp\182.tmp Win32/Olmarik.AXW trojan (unable to clean) 00000000000000000000000000000000 I


ccrrll10:

Please do this next:

Click Start > Run or Press Windows Key + R and copy/paste the following single-line command into the Run box and click OK:

cmd /c del /f/a/q "C:\Documents and Settings\Chris\Local Settings\Temp\182.tmp"

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean

Now try running ComboFix again.

Please include the following in your next post:

  • ComboFix log


ccrrll10:

Please do this next:

Please download MBRCheck.exe to your desktop.

  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A small window should open on your desktop
  • If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.

Please include the following in your next post:

  • MBRCheck log


MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000001c

Kernel Drivers (total 134):


0xB14CF000 \SystemRoot\system32\DRIVERS\hidusb.sys

0xB6BB0000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0xB14C3000 \SystemRoot\system32\DRIVERS\kbdhid.sys

0xB14BF000 \SystemRoot\system32\DRIVERS\mouhid.sys

0x974FA000 \SystemRoot\System32\Drivers\Fastfat.SYS

0xA4CB4000 \SystemRoot\System32\Drivers\Cdfs.SYS

0x973F2000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xF79C1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0x9748A000 \SystemRoot\System32\drivers\Dxapi.sys

0xF7797000 \SystemRoot\System32\watchdog.sys

0xBE000000 \SystemRoot\System32\drivers\dxg.sys

0xA4D26000 \SystemRoot\System32\drivers\dxgthk.sys

0xBE012000 \SystemRoot\System32\ati2dvag.dll

0xBE060000 \SystemRoot\System32\ati2cqag.dll

0xBE12F000 \SystemRoot\System32\atikvmag.dll

0xBE1DE000 \SystemRoot\System32\atiok3x2.dll

0xBE259000 \SystemRoot\System32\ati3duag.dll

0xBE631000 \SystemRoot\System32\ativvaxx.dll

0xBE8BE000 \SystemRoot\System32\ATMFD.DLL

0x949B8000 \??\C:\WINDOWS\system32\drivers\mbam.sys

0x948C4000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0x94583000 \SystemRoot\system32\drivers\wdmaud.sys

0x94708000 \SystemRoot\system32\drivers\sysaudio.sys

0x9402B000 \SystemRoot\system32\DRIVERS\mrxdav.sys

0x941A8000 \SystemRoot\System32\Drivers\Aspi32.SYS

0x941A4000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

0x93EBB000 \SystemRoot\system32\DRIVERS\srv.sys

0x9760E000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys

0x93D33000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys

0x93C53000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys

0x93A72000 \SystemRoot\System32\Drivers\HTTP.sys

0x93784000 \SystemRoot\system32\drivers\kmixer.sys

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 40):

0 System Idle Process

4 System

624 C:\WINDOWS\system32\smss.exe

960 csrss.exe

1044 C:\WINDOWS\system32\winlogon.exe

1092 C:\WINDOWS\system32\services.exe

1104 C:\WINDOWS\system32\lsass.exe

1264 C:\WINDOWS\system32\ati2evxx.exe

1284 C:\WINDOWS\system32\svchost.exe

1356 svchost.exe

1464 C:\WINDOWS\system32\svchost.exe

1588 svchost.exe

1624 svchost.exe

1756 C:\WINDOWS\system32\ati2evxx.exe

176 C:\WINDOWS\explorer.exe

348 C:\Program Files\HP\HP Software Update\hpwuschd2.exe

356 C:\Program Files\AVG\AVG2012\avgtray.exe

392 C:\Program Files\Analog Devices\Core\smax4pnp.exe

400 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe

420 C:\WINDOWS\vVX3000.exe

464 C:\Program Files\iTunes\iTunesHelper.exe

476 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

488 C:\Program Files\Common Files\Java\Java Update\jusched.exe

500 C:\WINDOWS\system32\ctfmon.exe

580 C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

648 C:\Program Files\OpenOffice.org 3\program\soffice.exe

652 C:\Program Files\OpenOffice.org 3\program\soffice.bin

1348 svchost.exe

1824 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

1896 C:\Program Files\AVG\AVG2012\avgwdsvc.exe

1960 C:\Program Files\Java\jre7\bin\jqs.exe

2156 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

2256 C:\Program Files\Microsoft LifeCam\MSCamS32.exe

2424 C:\WINDOWS\system32\svchost.exe

2640 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

2740 C:\Program Files\iPod\bin\iPodService.exe

2464 C:\Program Files\Mozilla Firefox\firefox.exe

1936 C:\Program Files\Mozilla Firefox\plugin-container.exe

3044 C:\Program Files\Mozilla Firefox\plugin-container.exe

2992 C:\Documents and Settings\Chris\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: ST3250410AS, Rev: 3.AAF

PhysicalDrive1 Model Number: WD5000AAV External, Rev: 1.65

Size Device Name MBR Status

--------------------------------------------

232 GB \\.\PhysicalDrive0 Windows XP MBR code detected

SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

465 GB \\.\PhysicalDrive1 RE: Western Digital MBR code detected

SHA1: CCCF1B32EE08ECFB66B30883CFF6110F69219FEA

Done!


ccrrll10:

Please do this next:

Please follow these instructions to run System File Checker:

  • Click Start > Run or press the Windows Key + R, and enter the following command into the run box and click OK:
    sfc /scannow
    sfc<space>/scannow
  • If that won't run in the normal mode, try in the Safe Mode.

Please include the following in your next post:

  • Let me know what, if anything, sfc turned up


ccrrll10:

At this point I'd recommend that you try a repair install of Windows XP. I don't see signs of remaining infection(s), but you shouldn't be having the troubles you are with running tools, etc. While we may have been able to identify and remove the malware, we can't always undo the damage the infections cause with the Windows Operating System.

There is a decent tutorial HERE. If the problems remain after doing a repair install you may just have to back up your data and reinstall the OS completely.

This topic is now closed to further replies.