
Rootkit.TDSS issue



Trying to help clean up a friend's heavily infected computer. The first scan with MBAM and Avira found and cleaned a lot of crap, but I continue to get a Rootkit.TDSS detection from MBAM for KBIWKMQXRDKMYX.dll. It is disabling Windows Update. I was also getting a BSOD (PAGE_FAULT_IN_NONPAGED_AREA) from gkn9b32.sys, but those have stopped. I have followed your instructions for defogger, DDS, GMER, etc. See below and the attachments. Any help provided would be greatly appreciated. Thanks!

First mbam scan log:

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4033

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

4/24/2010 7:57:27 PM

mbam-log-2010-04-24 (19-57-27).txt

Scan type: Full scan (C:\|)

Objects scanned: 179904

Time elapsed: 57 minute(s), 30 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 1

Registry Keys Infected: 14

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 3

Files Infected: 32

Memory Processes Infected:

C:\Program Files\Gamevance\gamevance32.exe (Adware.Gamevance) -> Unloaded process successfully.

Memory Modules Infected:

C:\Program Files\Gamevance\gamevancelib32.dll (Adware.Gamevance) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\gvtl (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AntipPro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\All Users\Application Data\12950934 (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\Gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

C:\Documents and Settings\Leah Morelock\Start Menu\Programs\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Files Infected:

C:\Program Files\Gamevance\gamevancelib32.dll (Adware.Gamevance) -> Quarantined and deleted successfully.

C:\Documents and Settings\Leah Morelock\Desktop\259b4c25aa08557e7c8892c5d64253db.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Leah Morelock\Desktop\setup_build7_164.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Documents and Settings\Leah Morelock\Local Settings\Temp\pdfupd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Leah Morelock\Local Settings\Temporary Internet Files\Content.IE5\J1QZN2YR\update[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\kbiwkmqxrdkmyx.dll (Rootkit.TDSS) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\kbiwkmwmiturqx.dll (Rootkit.TDSS) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\DRIVERS\kbiwkmtkkyvewq.sys (Rootkit.TDSS) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\DRIVERS\6Iqd0pO.sys (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\DRIVERS\hlcbo.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\111_[1].exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\dj230982[1].exe (Trojan.Otlard) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\rdl88.tmp.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\12950934\pc12950934ins (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\Gamevance\ars.cfg (Adware.Gamevance) -> Quarantined and deleted successfully.

C:\Program Files\Gamevance\gamevance32.exe (Adware.Gamevance) -> Quarantined and deleted successfully.

C:\Program Files\Gamevance\gvtl.dll (Adware.Gamevance) -> Quarantined and deleted successfully.

C:\Program Files\Gamevance\gvun.exe (Adware.Gamevance) -> Quarantined and deleted successfully.

C:\Program Files\Gamevance\icon.ico (Adware.Gamevance) -> Quarantined and deleted successfully.

C:\Documents and Settings\Leah Morelock\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\WINDOWS\irc.txt (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\logon.exe (Backdoor.Bot) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\onhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\wispex.html (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\rdl13.tmp.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\kbiwkmxmibnqeo.dat (Rootkit.TDSS) -> Delete on reboot.

After reboot, mbam scan log:

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4033

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

4/24/2010 9:07:45 PM

mbam-log-2010-04-24 (21-07-45).txt

Scan type: Quick scan

Objects scanned: 105679

Time elapsed: 7 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmfumafvkl (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I continue to get the KBIWKMQXRDKMYX.dll detection:

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Here is the DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Leah Morelock at 11:40:37.14 on Sun 04/25/2010

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1271.827 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\system32\lxdccoms.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Dell Support Center\gs_agent\dsc.exe

c:\program files\mcafee\msc\mcuimgr.exe

C:\Documents and Settings\Leah Morelock\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com/?o=20011&l=dis

uDefault_Page_URL = hxxp://www.dell4me.com/myway

uSearch Bar = file://c:\windows\system32\SearchBar.htm

mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=

mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com

mStart Page = hxxp://www.msn.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

mWinlogon: Userinit=c:\windows\system32\Userinit.exe

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll

BHO: {33A5322C-B564-21C0-8006-115505802917} - No File

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: {BEAC7DC8-E106-4C6A-931E-5A42E7362883} - No File

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

TB: {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No File

TB: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - No File

TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup

uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm

IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm

IE: {120E090D-9136-4b78-8258-F0B44B4BD2AC} - c:\windows\system32\ms.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - hxxp://www.bullseye-network.net/cashback/cab/funcade_EMARKETMKR_install.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409

DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab

DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab

DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab

DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab

DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll

DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab

DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - hxxp://cabs.roings.com/cabs/mmed.cab

DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - hxxp://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\leahmo~1\applic~1\mozilla\firefox\profiles\nyn8bt0x.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis

FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=

FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

---- FIREFOX POLICIES ----

pref(dom.disable_open_during_load, true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-25 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-25 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-25 267432]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-25 60936]

R2 eappkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]

R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-4-24 303952]

R2 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2007-2-3 540776]

R2 mcpromgr;McAfee Protection Manager;c:\progra~1\mcafee\msc\mcpromgr.exe [2007-2-3 493144]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-4-24 20824]

S0 gkn9b32;gkn9b32;\SystemRoot\\SystemRoot\System32\drivers\gkn9b32.sys --> \SystemRoot\\SystemRoot\System32\drivers\gkn9b32.sys [?]

S1 6Iqd0pO;6Iqd0pO;\??\c:\windows\system32\drivers\6iqd0po.sys --> c:\windows\system32\drivers\6Iqd0pO.sys [?]

S1 716d2df7.sys;716d2df7.sys;\??\c:\windows\system32\drivers\716d2df7.sys --> c:\windows\system32\drivers\716d2df7.sys [?]

S1 TCPIP6_{ca2f714e-7935-41ce-bf6c-478a115a86e2};TCPIP6_{ca2f714e-7935-41ce-bf6c-478a115a86e2};c:\windows\system32\drivers\TCPIP6_{ca2f714e-7935-41ce-bf6c-478a115a86e2}.sys [2010-1-17 0]

S2 iprip;Iprip;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 14336]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2009-3-30 17149]

S3 rtl8187b;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]

S3 vitra;vitra;c:\windows\system32\drivers\vitra.sys --> c:\windows\system32\drivers\vitra.sys [?]

S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\wpn111.sys --> c:\windows\system32\drivers\WPN111.sys [?]

=============== Created Last 30 ================

2010-04-25 16:39:55 0 ----a-w- c:\documents and settings\leah morelock\defogger_reenable

2010-04-25 05:26:36 0 d-----w- c:\windows\system32\NtmsData

2010-04-25 05:25:55 0 d-----w- c:\docume~1\leahmo~1\applic~1\Avira

2010-04-25 05:21:38 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-04-25 05:21:37 0 d-----w- c:\program files\Avira

2010-04-25 05:21:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-04-25 03:59:58 0 d-----w- c:\program files\VS Revo Group

2010-04-25 01:11:36 0 d-----w- c:\program files\CCleaner

2010-04-24 23:36:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-24 23:36:17 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-24 23:36:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

============= FINISH: 11:42:07.68 ===============

This is from defogger:

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 11:39 on 25/04/2010

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

Unable to read gkn9b32.sys

-=E.O.F=-

Attach.zip

ark.zip
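Added example, not part of the original post or of any Malwarebytes tooling: the two service-level tricks visible in the logs above (BITS and wuauserv ImagePath rewritten to %fystemRoot%, which the Service Control Manager cannot expand, so the services fail to start and Windows Update stays off; a driver entry whose path carries a doubled \SystemRoot\ prefix; and Winlogon\Shell extended with a second executable) can be checked mechanically from a registry export. The service values and the shell value below are constructed from the ones the MBAM and DDS logs report, not an export from the affected machine, and the list of expandable environment variables is a deliberately short assumption, not the complete set Windows supports.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modeled on the values in the MBAM and DDS logs above
# (hypothetical data, not an export from the infected machine): two services
# with the "%fystemRoot%" ImagePath, one clean svchost service, a driver whose
# path has a doubled \SystemRoot\ prefix, and one clean driver path.
SAMPLE_SERVICES: Dict[str, str] = {
    "BITS": r"%fystemRoot%\System32\svchost.exe -k netsvcs",
    "wuauserv": r"%fystemroot%\system32\svchost.exe -k netsvcs",
    "Dhcp": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
    "gkn9b32": r"\SystemRoot\\SystemRoot\System32\drivers\gkn9b32.sys",
    "avgio": r"\??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys",
}
SAMPLE_SHELL = "Explorer.exe logon.exe"  # the Winlogon\Shell value MBAM reported

# Variables the Service Control Manager can expand in a REG_EXPAND_SZ ImagePath,
# keyed by upper-case name with the canonical spelling as value. This is an
# assumed, deliberately short list; extend it for a real audit.
KNOWN_ENV_VARS = {
    "SYSTEMROOT": "SystemRoot",
    "WINDIR": "windir",
    "SYSTEMDRIVE": "SystemDrive",
    "PROGRAMFILES": "ProgramFiles",
}
ENV_TOKEN = re.compile(r"%([^%\\]+)%")
DOUBLED_ROOT = re.compile(r"(\\SystemRoot\\)\\SystemRoot\\", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (service, description, suggested value or "")


def _one_char_off(a: str, b: str) -> bool:
    """Same length and exactly one differing position (FYSTEMROOT vs SYSTEMROOT)."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def audit_image_path(service: str, image_path: str) -> List[Finding]:
    """Flag ImagePath values the SCM cannot resolve to a real binary."""
    findings: List[Finding] = []
    for m in ENV_TOKEN.finditer(image_path):
        name = m.group(1)
        if name.upper() in KNOWN_ENV_VARS:
            continue
        close = [v for k, v in KNOWN_ENV_VARS.items() if _one_char_off(name.upper(), k)]
        if close:
            fixed = image_path.replace(m.group(0), "%" + close[0] + "%")
            findings.append((service,
                             f"ImagePath uses unresolvable variable {m.group(0)} "
                             f"(one character off %{close[0]}%)", fixed))
        else:
            findings.append((service, f"ImagePath uses unknown variable {m.group(0)}", ""))
    if DOUBLED_ROOT.search(image_path):
        findings.append((service, "ImagePath has a doubled \\SystemRoot\\ prefix",
                         DOUBLED_ROOT.sub(r"\1", image_path)))
    return findings


def audit_winlogon_shell(value: str) -> List[str]:
    """Return every executable listed in Winlogon\\Shell other than explorer.exe."""
    return [t for t in value.replace(",", " ").split() if t.lower() != "explorer.exe"]


def audit_all(services: Dict[str, str], shell: str) -> List[Finding]:
    """Run both checks over a name -> ImagePath map plus the Winlogon\\Shell value."""
    findings: List[Finding] = []
    for name, path in services.items():
        findings.extend(audit_image_path(name, path))
    for extra in audit_winlogon_shell(shell):
        findings.append(("Winlogon\\Shell", f"extra shell executable {extra}", "Explorer.exe"))
    return findings


if __name__ == "__main__":
    for svc, what, fix in audit_all(SAMPLE_SERVICES, SAMPLE_SHELL):
        print(f"{svc}: {what}" + (f" -> set to: {fix}" if fix else ""))
```

The suggested values are what MBAM's "Good:" column shows for the two services; the point of computing them rather than hard-coding them is that the same check works for any service, not only BITS and wuauserv. Note also what the post's own logs demonstrate: the corrected ImagePath values came back after a reboot, which means whatever component rewrote them was still loaded, so a value that stays "fixed" across reboots is the actual success criterion, not a single clean scan.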
