Trojan.Dropper, Rootkit.Agent, Trojan.Agent

treb · November 29, 2010

When I run a full scan mbam I get the Following 4 Files infected:

C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\msscript.ocx (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netbios.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\swmidi.sys (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SoftwareDistribution\Download\f0887635de7e5cef708668e8841014e1\sp3gdr\wininet.dll (Trojan.Dropper) -> Quarantined and deleted successfully.

When I delete, nothing shows in quarantined, contrary to the above, and they all show up the next time I run a full scan,they don't show up on Quick Scan or any other of my Malware Programs. The only other symptom I've noticed is defrag (both native windows & Smart Defrag) don"t defrag & each shows a large block of immovable files after running. I'm running WINXP Home SP3.

Any insight or help will be greatly appreciated. Thank You, Treb

negster22 · November 30, 2010

Those detections are in your windows update download folder so they may be resistant to removal just because that folder is protected by Windows.

Let's run a couple more helpful troubleshooting programs.

Please download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Please launch the rootkit scanner as follows to produce a quick scan report ONLY!:

Double-click the randomly name EXE located in the C:\ARK folder that you just downloaded to run the program.
When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
When the scan is finished (a few seconds), save the scan log to the Windows clipboard
Open Notepad or a similar text editor
Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
Exit the Program
Save the Scan log as ARKQ.txt and post it in your next reply. If the log is very long attach it please.

Please Run ComboFix by following the steps provided in exactly this sequence:

Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

Using ComboFix ->

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to iexplore.exe

Notes:

It is very important that save the newly renamed EXE file to your desktop.
You must rename Combofixe.exe as you download it and not after it is on your computer.
You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
- Open Firefox
- Click Tools -> Options -> Main
- Under the downloads section check the button that says "Always ask me where to save files".
- Click OK
[*]For Internet Explorer:
- Choose to save, not open the file
- When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

Close any open browsers and programs.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform it's normal malware removal capabilities. This is for your safety !!

1. To Launch Combofix

Click Start --> Run, and Copy/Paste or Enter this command exactly as shown (including the quotes):

"%userprofile%\desktop\iexplore.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post ARKQ.txt and C:\ComboFix.txt in your next reply.[/b

treb · December 1, 2010

Those detections are in your windows update download folder so they may be resistant to removal just because that folder is protected by Windows.
Let's run a couple more helpful troubleshooting programs.
Please download this Antirootkit Program to a folder that you create such as C:\ARK.
Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:
http://www.bleepingcomputer.com/forums/topic114351.html
Please launch the rootkit scanner as follows to produce a quick scan report ONLY!:
Double-click the randomly name EXE located in the C:\ARK folder that you just downloaded to run the program.
When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
When the scan is finished (a few seconds), save the scan log to the Windows clipboard
Open Notepad or a similar text editor
Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
Exit the Program
Save the Scan log as ARKQ.txt and post it in your next reply. If the log is very long attach it please.
Please Run ComboFix by following the steps provided in exactly this sequence:
Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.
Using ComboFix ->
Please download Combofix from one of these locations:
HERE or HERE
I want you to rename Combofix.exe as you download it to iexplore.exe
Notes:
It is very important that save the newly renamed EXE file to your desktop.
You must rename Combofixe.exe as you download it and not after it is on your computer.
You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
Open Firefox
Click Tools -> Options -> Main
Under the downloads section check the button that says "Always ask me where to save files".
Click OK
[*]For Internet Explorer:
Choose to save, not open the file
When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.
Running Combofix
In the event you already have Combofix, please delete it as this is a new version.
Close any open browsers and programs.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform it's normal malware removal capabilities. This is for your safety !!

1. To Launch Combofix
Click Start --> Run, and Copy/Paste or Enter this command exactly as shown (including the quotes):
"%userprofile%\desktop\iexplore.exe" /killall
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of that log in your next reply.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
Please post ARKQ.txt and C:\ComboFix.txt in your next reply.[/b

treb · December 1, 2010

Those detections are in your windows update download folder so they may be resistant to removal just because that folder is protected by Windows.
Let's run a couple more helpful troubleshooting programs.
Please download this Antirootkit Program to a folder that you create such as C:\ARK.
Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:
http://www.bleepingcomputer.com/forums/topic114351.html
Please launch the rootkit scanner as follows to produce a quick scan report ONLY!:
Double-click the randomly name EXE located in the C:\ARK folder that you just downloaded to run the program.
When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
When the scan is finished (a few seconds), save the scan log to the Windows clipboard
Open Notepad or a similar text editor
Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
Exit the Program
Save the Scan log as ARKQ.txt and post it in your next reply. If the log is very long attach it please.
Please Run ComboFix by following the steps provided in exactly this sequence:
Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.
Using ComboFix ->
Please download Combofix from one of these locations:
HERE or HERE
I want you to rename Combofix.exe as you download it to iexplore.exe
Notes:
It is very important that save the newly renamed EXE file to your desktop.
You must rename Combofixe.exe as you download it and not after it is on your computer.
You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
Open Firefox
Click Tools -> Options -> Main
Under the downloads section check the button that says "Always ask me where to save files".
Click OK
[*]For Internet Explorer:
Choose to save, not open the file
When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.
Running Combofix
In the event you already have Combofix, please delete it as this is a new version.
Close any open browsers and programs.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform it's normal malware removal capabilities. This is for your safety !!

1. To Launch Combofix
Click Start --> Run, and Copy/Paste or Enter this command exactly as shown (including the quotes):
"%userprofile%\desktop\iexplore.exe" /killall
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of that log in your next reply.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
Please post ARKQ.txt and C:\ComboFix.txt in your next reply.[/b

treb · December 1, 2010

ComboFix 10-11-30.02 - Eric 11/30/2010 20:59:07.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3317.2636 [GMT -7:00]

Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe

AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

.

((((((((((((((((((((((((( Files Created from 2010-11-01 to 2010-12-01 )))))))))))))))))))))))))))))))

.

2010-12-01 00:55 . 2010-12-01 01:09 -------- d-----w- C:\ARK

2010-11-29 22:41 . 2010-11-29 22:41 388096 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-11-25 00:23 . 2010-11-25 00:23 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Parallels

2010-11-22 23:38 . 2010-11-22 23:49 -------- d-----w- c:\program files\TheSage

2010-11-22 23:08 . 2010-11-22 23:08 -------- d-----w- c:\program files\Intel Corporation

2010-11-19 00:49 . 2010-11-19 00:49 -------- d-----w- c:\documents and settings\Eric\Application Data\BB0AD3B6-F851-4F30-ACAF-6AF2872244A6

2010-11-19 00:49 . 2010-11-19 00:49 -------- d-----w- c:\documents and settings\Eric\Application Data\C0F187D3-7A7F-4728-ABF3-D08E9F09A665

2010-11-19 00:48 . 2010-11-19 00:48 752128 ----a-w- c:\windows\system32\drivers\tdrpm273.sys

2010-11-15 04:48 . 2010-09-23 07:46 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-11-15 04:14 . 2010-11-15 04:14 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097}

2010-11-15 04:13 . 2010-11-15 04:13 -------- d-----w- c:\program files\Lavasoft

2010-11-15 03:58 . 2010-11-15 03:58 -------- d--h--w- c:\windows\PIF

2010-11-13 03:24 . 2010-11-13 03:27 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Temp

2010-11-13 03:24 . 2010-11-13 03:27 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Google

2010-11-13 02:05 . 2010-11-13 02:05 2470752 ----a-w- c:\windows\system32\AutoPartNt.exe

2010-11-09 23:32 . 2010-11-09 23:32 -------- d-----w- c:\program files\NoVirusThanks

2010-11-06 18:37 . 2010-11-06 18:37 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

2010-11-02 23:04 . 2010-11-22 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate

2010-11-02 00:02 . 2010-07-15 14:44 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll

2010-11-02 00:02 . 2010-10-28 18:23 2217088 ----a-w- c:\windows\system32\BootMan.exe

2010-11-02 00:02 . 2010-07-15 14:44 86408 ----a-w- c:\windows\system32\setupempdrv03.exe

2010-11-02 00:02 . 2010-07-15 14:44 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys

2010-11-02 00:02 . 2010-07-15 14:44 13192 ----a-w- c:\windows\system32\epmntdrv.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-19 00:49 . 2010-08-11 23:23 163232 ----a-w- c:\windows\system32\drivers\afcdp.sys

2010-11-19 00:48 . 2010-07-29 21:30 600928 ----a-w- c:\windows\system32\drivers\timntr.sys

2010-11-19 00:48 . 2010-07-29 21:30 170464 ----a-w- c:\windows\system32\drivers\snapman.sys

2010-11-15 04:48 . 2010-08-10 03:18 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-10-19 20:51 . 2010-08-04 23:12 222080 ------w- c:\windows\system32\MpSigStub.exe

2010-10-13 21:14 . 2010-10-13 21:14 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-10-13 21:14 . 2010-08-01 01:02 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-09-28 21:13 . 2010-06-02 01:00 285480 ----a-w- c:\windows\system32\guard32.dll

2010-09-28 21:13 . 2010-06-02 01:00 91560 ----a-w- c:\windows\system32\drivers\inspect.sys

2010-09-28 21:13 . 2010-06-02 01:00 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2010-09-28 21:13 . 2010-06-02 01:00 15592 ----a-w- c:\windows\system32\drivers\cmderd.sys

2010-09-28 21:13 . 2010-06-04 17:55 239240 ----a-w- c:\windows\system32\drivers\cmdGuard.sys

2010-09-18 18:23 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-02 14:21 . 2010-10-15 22:59 131072 ----a-w- c:\windows\system32\EKIJCOINST09.dll

2010-09-02 14:17 . 2010-10-15 22:59 196608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll

2010-09-02 14:17 . 2010-10-15 22:59 421888 ----a-w- c:\windows\system32\EKIJ5000MON.dll

2010-07-26 17:52 . 2010-07-26 17:52 43627008 ----a-w- c:\program files\CIS_Setup.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Eric\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-11-13 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-11 131072]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-11 131072]

"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-09-28 2500552]

"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]

"COMODO_TimeMachine"="c:\program files\COMODO\Time Machine\CTMTRAY.exe" [2010-07-20 4910904]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2010-09-13 390736]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2010-09-13 5479424]

"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]

"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"SAOB Monitor"="c:\program files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe" [2010-09-02 2536440]

c:\documents and settings\Eric\Start Menu\Programs\Startup\

Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2010-7-21 965176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLinkedConnections"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^What's my computer doing.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\What's my computer doing.lnk

backup=c:\windows\pss\What's my computer doing.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware.exe]

2010-11-25 00:05 1528424 ----a-w- c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2007-07-11 04:07 69632 ------r- c:\windows\Alcmtr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Laplink\\PCmover\\PCmover.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=

"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9322:TCP"= 9322:TCP:EKDiscovery

"5353:UDP"= 5353:UDP:Bonjour Port 5353

R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [10/14/2010 4:39 PM 26248]

R0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [10/14/2010 4:39 PM 20616]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/14/2010 9:48 PM 64288]

R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [11/18/2010 5:48 PM 752128]

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [6/1/2010 6:00 PM 15592]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/4/2010 10:55 AM 239240]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/1/2010 6:00 PM 25240]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]

R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [8/11/2010 4:22 PM 3975088]

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [9/13/2010 4:18 PM 308656]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/23/2010 12:46 AM 1375992]

R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [10/13/2010 4:13 PM 582992]

R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [8/11/2010 4:23 PM 163232]

R3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [10/14/2010 4:39 PM 122504]

R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [10/13/2010 4:13 PM 206608]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [11/1/2010 5:02 PM 13192]

S3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [10/14/2010 4:39 PM 14216]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [11/1/2010 5:02 PM 8456]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 7:05 AM 14904]

S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [10/13/2010 4:13 PM 206608]

.

Contents of the 'Scheduled Tasks' folder

2010-12-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 00:05]

2010-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-11-26 c:\windows\Tasks\FileTask.job

- c:\program files\FileTask\FileTask.exe [2010-09-14 01:04]

2010-12-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-764733703-839522115-1004Core.job

- c:\documents and settings\Eric\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-13 03:24]

2010-12-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-764733703-839522115-1004UA.job

- c:\documents and settings\Eric\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-13 03:24]

2010-12-01 c:\windows\Tasks\RegistryBooster.job

- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2010-09-15 14:25]

2010-11-26 c:\windows\Tasks\StartUp_FileTask.job

- c:\program files\FileTask\FileTask.exe [2010-09-14 01:04]

2010-11-26 c:\windows\Tasks\StartUp_FileTask.job

- c:\program files\FileTask\FileTask.exe [2010-09-14 01:04]

2010-11-26 c:\windows\Tasks\Update_FileTask.job

- c:\program files\FileTask\FileTask.exe [2010-09-14 01:04]

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\gnfkpn3n.default\

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\gnfkpn3n.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Extension: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\gnfkpn3n.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}

FF - Extension: Team Cymru's MHR: mhr@team.cymru - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\gnfkpn3n.default\extensions\mhr@team.cymru

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-30 21:02

Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:

ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

Disk trace:

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS

c:\combofix\catchme.sys

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AC6BAB8]

3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000064[0x8ACA99E8]

5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP2T0L0-10[0x8AC6DD98]

kernel: MBR read successfully

_asm { CLI ; JMP 0xef; }

user != kernel MBR !!!

copy of MBR has been found in sector 22 !

copy of MBR has been found in sector 23 !

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-764733703-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1148)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1204)

c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(3648)

c:\windows\system32\WININET.dll

c:\windows\system32\guard32.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2010-11-30 21:03:40

ComboFix-quarantined-files.txt 2010-12-01 04:03

ComboFix2.txt 2010-12-01 03:52

Pre-Run: 231,271,768,064 bytes free

Post-Run: 231,260,385,280 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 83E7F8D3ADE78E35938341A31C12E6B7

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit quick scan 2010-11-30 18:45:11

Windows 5.1.2600 Service Pack 3

Running: dzkzsrpv.exe; Driver: C:\DOCUME~1\Eric\LOCALS~1\Temp\kxloiuog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xA8D2A768]

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xA8D2A9BE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm273.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

AttachedDevice \FileSystem\Ntfs \Ntfs CTMFLT.sys

AttachedDevice \FileSystem\Ntfs \Ntfs eufs.sys (File System Filter Driver/CHENGDU YIWO Tech Development Co., Ltd)

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

---- Services - GMER 1.0.15 ----

Service C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (*** hidden *** ) [AUTO] AcrSch2Svc <-- ROOTKIT !!!

Service C:\WINDOWS\System32\svchost.exe (*** hidden *** ) [AUTO] ERSvc <-- ROOTKIT !!!

Service C:\WINDOWS\System32\svchost.exe (*** hidden *** ) [AUTO] helpsvc <-- ROOTKIT !!!

Service C:\WINDOWS\system32\mnmsrvc.exe (*** hidden *** ) [MANUAL] mnmsrvc <-- ROOTKIT !!!

Service C:\WINDOWS\system32\sessmgr.exe (*** hidden *** ) [MANUAL] RDSessMgr <-- ROOTKIT !!!

Service system32\DRIVERS\tdrpman.sys (*** hidden *** ) [bOOT] tdrpman <-- ROOTKIT !!!

Service C:\WINDOWS\system32\DRIVERS\timntr.sys (*** hidden *** ) [bOOT] timounter <-- ROOTKIT !!!

Service C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe (*** hidden *** ) [AUTO] TryAndDecideService <-- ROOTKIT !!!

Service C:\WINDOWS\System32\ups.exe (*** hidden *** ) [MANUAL] UPS <-- ROOTKIT !!!

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] winmgmt <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

treb · December 1, 2010

TO: Negstr22/ thanks for your attention/ Hope these logs give what you need- Treb

negster22 · December 1, 2010

You're welcome, treb,

You're results are inconclusive so I need You to do a couple more things.

Please make files and folders visible:

Click Start > Control Panel > Folder Options.

Select the View Tab.

Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck: Hide file extensions for known file types

Uncheck: the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

Upload each one of these files one at a time to the VirusTotal Scanner using the "Upload a file" function and post back the links to their respective scan reports. If VirusTotal says a file was already scanned, I want you to rescan it and do not just post back the previous scan results.

C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\msscript.ocx

C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netbios.sys

C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\swmidi.sys

C:\WINDOWS\SoftwareDistribution\Download\f0887635de7e5cef708668e8841014e1\sp3gdr\wininet.dll

Download TFC to your desktop

http://oldtimer.geekstogo.com/TFC.exe

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
If it doesn't, YOU must manually reboot before performing the next requested scan.

It's normal after running TFC cleaner that the PC will be slower to boot the first time.

After You Reboot your PC, wait for about 2 minutes for all system activity to stabilize.

Next, disable the active protection component of your anti-virus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Relaunch the Anti-rootkit (ARK) program and perform a full rootkit scan as follows:

Double-click the randomly name EXE located in the C:\ARK folder that you just downloaded to run the program.
When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
After the automatic "quick" scan is finished (a few seconds), if you're alerted to ROOTKIT activity and prompted to perform a full system - respond with a No
In the right pane, UNCHECK the following items:
- Drives/Partition other than System drive (typically only C:\ should be checked)
- IAT/EAT
- Show All (this should be unchecked by default)
[*]Select the Scan button.
[*]Leave your system completely idle while this longer scan is in progress.
[*]When the scan is done, save the scan log to the Windows clipboard
[*]Open Notepad or a similar text editor
[*]Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
[*]Exit the Program
[*]Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.
[*]Re-enable your antivirus and any antimalware programs you disabled before running the scan

Note: If you have trouble completing a full Rootkit/Malware scan with the ARK program then just copy/paste the "Full scan" results (ARK.txt) into your next reply.

treb · December 2, 2010

negster22- I apologize for my ineptness but I can't figure out how to upload those files to VirusTotal Scanner as you requested because I can't find them, they aren't in C:\Windows\ softwareDistribution\Download\......... ,I've tried copy\paste from the logs of my scans but VTS won't accept it, I'm at a loss as how to get One into VTS. I tried to copy/paste onto notepad & then to VTS, no joy! I'm so frustrated I could chew nails!Treb

negster22 · December 2, 2010

I have a feeling those files are not there- try this:

Open Notepad

Click Format and UNCheck Wordwrap (disable)

Copy/Paste the following text into Notepad

Set the "Save as Type" to "All Files", and the Save this file to your Desktop as wups.bat

dir /a C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\msscript.ocx > wupslog.txt
dir /a C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netbios.sys >> wupslog.txt
dir /a C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\swmidi.sys >> wupslog.txt
dir /a C:\WINDOWS\SoftwareDistribution\Download\f0887635de7e5cef708668e8841014e1\sp3gdr\wininet.dll >> wupslog.txt
Notepad wupslog.txt
Exit

Double-click wups.bat on your Desktop to run the script (You may have to disable your anti-malware programs for this batch file to run properly).

Copy/paste back the contents of wupslog.txt that opens into your next reply.

Also, I'd like You to run another program:

Some background information on what we're planning to do can be found HERE

Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

treb · December 2, 2010

I have a feeling those files are not there- try this:
Open Notepad
Click Format and UNCheck Wordwrap (disable)
Copy/Paste the following text into Notepad
Set the "Save as Type" to "All Files", and the Save this file to your Desktop as wups.bat
dir /a C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\msscript.ocx > wupslog.txt
dir /a C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netbios.sys >> wupslog.txt
dir /a C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\swmidi.sys >> wupslog.txt
dir /a C:\WINDOWS\SoftwareDistribution\Download\f0887635de7e5cef708668e8841014e1\sp3gdr\wininet.dll >> wupslog.txt
Notepad wupslog.txt
Exit
Double-click wups.bat on your Desktop to run the script (You may have to disable your anti-malware programs for this batch file to run properly).
Copy/paste back the contents of wupslog.txt that opens into your next reply.
Also, I'd like You to run another program:
Some background information on what we're planning to do can be found HERE
Please read carefully and follow these steps.
Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

It may ask you to reboot the computer to complete the process. Click on Reboot Now.

If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

OK, the wupslog.txt came up empty, The TDSSKiller log follows:

2010/12/02 14:21:19.0000 TDSS rootkit removing tool 2.4.10.1 Dec 2 2010 12:28:01

2010/12/02 14:21:19.0000 ================================================================================

2010/12/02 14:21:19.0000 SystemInfo:

2010/12/02 14:21:19.0000

2010/12/02 14:21:19.0000 OS Version: 5.1.2600 ServicePack: 3.0

2010/12/02 14:21:19.0000 Product type: Workstation

2010/12/02 14:21:19.0000 ComputerName: ERICSINTEL

2010/12/02 14:21:19.0000 UserName: Eric

2010/12/02 14:21:19.0000 Windows directory: C:\WINDOWS

2010/12/02 14:21:19.0000 System windows directory: C:\WINDOWS

2010/12/02 14:21:19.0000 Processor architecture: Intel x86

2010/12/02 14:21:19.0000 Number of processors: 2

2010/12/02 14:21:19.0000 Page size: 0x1000

2010/12/02 14:21:19.0000 Boot type: Normal boot

2010/12/02 14:21:19.0000 ================================================================================

2010/12/02 14:21:19.0187 Initialize success

2010/12/02 14:21:30.0000 ================================================================================

2010/12/02 14:21:30.0000 Scan started

2010/12/02 14:21:30.0000 Mode: Manual;

2010/12/02 14:21:30.0000 ================================================================================

2010/12/02 14:21:30.0484 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/12/02 14:21:30.0515 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/12/02 14:21:30.0562 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/12/02 14:21:30.0640 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/12/02 14:21:30.0828 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/12/02 14:21:30.0875 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/12/02 14:21:30.0906 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/12/02 14:21:31.0031 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/12/02 14:21:31.0109 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/12/02 14:21:31.0156 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/12/02 14:21:31.0203 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/12/02 14:21:31.0265 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/12/02 14:21:31.0375 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/12/02 14:21:31.0421 cmderd (5455c2a8eb379df5d55252a3827ef252) C:\WINDOWS\system32\DRIVERS\cmderd.sys

2010/12/02 14:21:31.0421 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cmderd.sys. Real md5: 5455c2a8eb379df5d55252a3827ef252, Fake md5: 7060bae48c2c122f3041cccf9ade3bf7

2010/12/02 14:21:31.0437 cmderd - detected Forged file (1)

2010/12/02 14:21:31.0468 cmdGuard (d7c17cc5038773aa717864a5555465de) C:\WINDOWS\system32\DRIVERS\cmdguard.sys

2010/12/02 14:21:31.0468 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cmdguard.sys. Real md5: d7c17cc5038773aa717864a5555465de, Fake md5: bbe9f023dfd2c4d2755da3fa47e4da08

2010/12/02 14:21:31.0468 cmdGuard - detected Forged file (1)

2010/12/02 14:21:31.0484 cmdHlp (81ceedf3501cd5ccae3dceb204af1634) C:\WINDOWS\system32\DRIVERS\cmdhlp.sys

2010/12/02 14:21:31.0484 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cmdhlp.sys. Real md5: 81ceedf3501cd5ccae3dceb204af1634, Fake md5: 111e6755acb5f236e2465e24508f6367

2010/12/02 14:21:31.0484 cmdHlp - detected Forged file (1)

2010/12/02 14:21:31.0593 CTMFLT (11e870356b43d2241ea04b75a62b09a3) C:\WINDOWS\system32\drivers\CTMFLT.sys

2010/12/02 14:21:31.0593 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\CTMFLT.sys. md5: 11e870356b43d2241ea04b75a62b09a3

2010/12/02 14:21:31.0609 CTMFLT - detected Locked file (1)

2010/12/02 14:21:31.0703 CTMMOUNT (6da40556d17dd58a84b00b6ddaa96b36) C:\WINDOWS\system32\drivers\CTMMOUNT.sys

2010/12/02 14:21:31.0703 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\CTMMOUNT.sys. md5: 6da40556d17dd58a84b00b6ddaa96b36

2010/12/02 14:21:31.0718 CTMMOUNT - detected Locked file (1)

2010/12/02 14:21:31.0781 CTMSHD (aeeda83d0d29359d3d8fb6b1bf038cc1) C:\WINDOWS\system32\drivers\CTMSHD.sys

2010/12/02 14:21:31.0796 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\CTMSHD.sys. md5: aeeda83d0d29359d3d8fb6b1bf038cc1

2010/12/02 14:21:31.0796 CTMSHD - detected Locked file (1)

2010/12/02 14:21:31.0906 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/12/02 14:21:31.0953 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/12/02 14:21:32.0000 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/12/02 14:21:32.0078 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/12/02 14:21:32.0140 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/12/02 14:21:32.0171 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/12/02 14:21:32.0281 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/12/02 14:21:32.0328 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2010/12/02 14:21:32.0406 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/12/02 14:21:32.0406 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2010/12/02 14:21:32.0468 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/12/02 14:21:32.0546 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/12/02 14:21:32.0578 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/12/02 14:21:32.0656 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/12/02 14:21:32.0718 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2010/12/02 14:21:32.0781 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/12/02 14:21:32.0859 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/12/02 14:21:32.0906 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/12/02 14:21:33.0062 ialm (c1c2d6940d6ec2f247b0f3c11e0a18e0) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

2010/12/02 14:21:33.0281 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/12/02 14:21:33.0359 Inspect (bf141304f251563b63e64cb3c036de74) C:\WINDOWS\system32\DRIVERS\inspect.sys

2010/12/02 14:21:33.0359 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\inspect.sys. Real md5: bf141304f251563b63e64cb3c036de74, Fake md5: 343ac4733c1e8b7ab6454178e4fcd4ad

2010/12/02 14:21:33.0359 Inspect - detected Forged file (1)

2010/12/02 14:21:33.0500 IntcAzAudAddService (b45a576ad280dd4f605f58b24cdaafe1) C:\WINDOWS\system32\drivers\RtkHDAud.sys

2010/12/02 14:21:33.0625 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/12/02 14:21:33.0656 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/12/02 14:21:33.0687 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/12/02 14:21:33.0734 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/12/02 14:21:33.0843 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/12/02 14:21:33.0859 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/12/02 14:21:33.0890 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/12/02 14:21:33.0921 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/12/02 14:21:33.0937 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/12/02 14:21:33.0968 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2010/12/02 14:21:34.0062 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/12/02 14:21:34.0125 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/12/02 14:21:34.0187 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/12/02 14:21:34.0203 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/12/02 14:21:34.0234 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/12/02 14:21:34.0328 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/12/02 14:21:34.0390 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/12/02 14:21:34.0421 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/12/02 14:21:34.0484 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/12/02 14:21:34.0500 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/12/02 14:21:34.0578 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/12/02 14:21:34.0640 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/12/02 14:21:34.0703 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/12/02 14:21:34.0734 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/12/02 14:21:34.0765 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/12/02 14:21:34.0828 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/12/02 14:21:34.0859 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/12/02 14:21:34.0906 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/12/02 14:21:34.0921 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/12/02 14:21:34.0937 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/12/02 14:21:34.0953 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/12/02 14:21:35.0015 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/12/02 14:21:35.0046 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/12/02 14:21:35.0078 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/12/02 14:21:35.0140 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/12/02 14:21:35.0187 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/12/02 14:21:35.0234 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/12/02 14:21:35.0296 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/12/02 14:21:35.0312 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/12/02 14:21:35.0359 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/12/02 14:21:35.0390 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/12/02 14:21:35.0437 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/12/02 14:21:35.0515 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/12/02 14:21:35.0625 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/12/02 14:21:35.0656 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/12/02 14:21:35.0703 PSI (1df21f001f3a94eba4a2950c70cc358f) C:\WINDOWS\system32\DRIVERS\psi_mf.sys

2010/12/02 14:21:35.0703 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/12/02 14:21:35.0781 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/12/02 14:21:35.0796 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/12/02 14:21:35.0843 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/12/02 14:21:35.0859 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/12/02 14:21:35.0890 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/12/02 14:21:35.0921 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/12/02 14:21:35.0953 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/12/02 14:21:36.0000 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/12/02 14:21:36.0078 RTLE8023xp (bb0ae2171f08129f4f3ff9df20ffbf89) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys

2010/12/02 14:21:36.0078 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys. Real md5: bb0ae2171f08129f4f3ff9df20ffbf89, Fake md5: 40607773fecd00708354809e233823f2

2010/12/02 14:21:36.0078 RTLE8023xp - detected Forged file (1)

2010/12/02 14:21:36.0187 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

2010/12/02 14:21:36.0203 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

2010/12/02 14:21:36.0296 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/12/02 14:21:36.0343 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/12/02 14:21:36.0359 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/12/02 14:21:36.0375 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/12/02 14:21:36.0484 snapman (c3bf55189aa92b8f919108ef9e4accae) C:\WINDOWS\system32\DRIVERS\snapman.sys

2010/12/02 14:21:36.0484 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\snapman.sys. Real md5: c3bf55189aa92b8f919108ef9e4accae, Fake md5: 85bada660d57bc5aef52b11cabd6d8f9

2010/12/02 14:21:36.0500 snapman - detected Forged file (1)

2010/12/02 14:21:36.0609 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/12/02 14:21:36.0609 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/12/02 14:21:36.0687 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/12/02 14:21:36.0703 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\srv.sys. Real md5: 89220b427890aa1dffd1a02648ae51c3, Fake md5: 0f6aefad3641a657e18081f52d0c15af

2010/12/02 14:21:36.0703 Srv - detected Forged file (1)

2010/12/02 14:21:36.0718 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/12/02 14:21:36.0796 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/12/02 14:21:36.0875 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/12/02 14:21:36.0921 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/12/02 14:21:36.0953 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/12/02 14:21:37.0078 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/12/02 14:21:37.0125 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/12/02 14:21:37.0203 tifsfilter (b0b3122bff3910e0ba97014045467778) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys

2010/12/02 14:21:37.0234 timounter (13bfe330880ac0ce8672d00aa5aff738) C:\WINDOWS\system32\DRIVERS\timntr.sys

2010/12/02 14:21:37.0296 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\timntr.sys. Real md5: 13bfe330880ac0ce8672d00aa5aff738, Fake md5: a34d7024bb7140ec785c86bc065d4f60

2010/12/02 14:21:37.0296 timounter - detected Forged file (1)

2010/12/02 14:21:37.0437 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/12/02 14:21:37.0484 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/12/02 14:21:37.0515 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/12/02 14:21:37.0546 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/12/02 14:21:37.0593 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/12/02 14:21:37.0656 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/12/02 14:21:37.0671 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/12/02 14:21:37.0703 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/12/02 14:21:37.0734 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/12/02 14:21:37.0781 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/12/02 14:21:37.0890 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/12/02 14:21:37.0968 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/12/02 14:21:38.0000 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/12/02 14:21:38.0109 ================================================================================

2010/12/02 14:21:38.0109 Scan finished

2010/12/02 14:21:38.0109 ================================================================================

2010/12/02 14:21:38.0125 Detected object count: 11

2010/12/02 14:23:29.0718 Forged file(cmderd) - User select action: Skip

2010/12/02 14:23:29.0718 Forged file(cmdGuard) - User select action: Skip

2010/12/02 14:23:29.0718 Forged file(cmdHlp) - User select action: Skip

2010/12/02 14:23:29.0718 Locked file(CTMFLT) - User select action: Skip

2010/12/02 14:23:29.0718 Locked file(CTMMOUNT) - User select action: Skip

2010/12/02 14:23:29.0718 Locked file(CTMSHD) - User select action: Skip

2010/12/02 14:23:29.0734 Forged file(Inspect) - User select action: Skip

2010/12/02 14:23:29.0734 Forged file(RTLE8023xp) - User select action: Skip

2010/12/02 14:23:29.0734 Forged file(snapman) - User select action: Skip

2010/12/02 14:23:29.0734 Forged file(Srv) - User select action: Skip

2010/12/02 14:23:29.0734 Forged file(timounter) - User select action: Skip

2010/12/02 14:24:32.0187 ================================================================================

2010/12/02 14:24:32.0187 Scan started

2010/12/02 14:24:32.0187 Mode: Manual;

2010/12/02 14:24:32.0187 ================================================================================

2010/12/02 14:24:32.0546 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/12/02 14:24:32.0578 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/12/02 14:24:32.0625 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/12/02 14:24:32.0687 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/12/02 14:24:32.0828 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/12/02 14:24:32.0890 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/12/02 14:24:32.0921 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/12/02 14:24:32.0968 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/12/02 14:24:33.0031 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/12/02 14:24:33.0078 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/12/02 14:24:33.0125 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/12/02 14:24:33.0171 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/12/02 14:24:33.0187 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/12/02 14:24:33.0250 cmderd (5455c2a8eb379df5d55252a3827ef252) C:\WINDOWS\system32\DRIVERS\cmderd.sys

2010/12/02 14:24:33.0250 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cmderd.sys. Real md5: 5455c2a8eb379df5d55252a3827ef252, Fake md5: 7060bae48c2c122f3041cccf9ade3bf7

2010/12/02 14:24:33.0250 cmderd - detected Forged file (1)

2010/12/02 14:24:33.0265 cmdGuard (d7c17cc5038773aa717864a5555465de) C:\WINDOWS\system32\DRIVERS\cmdguard.sys

2010/12/02 14:24:33.0265 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cmdguard.sys. Real md5: d7c17cc5038773aa717864a5555465de, Fake md5: bbe9f023dfd2c4d2755da3fa47e4da08

2010/12/02 14:24:33.0265 cmdGuard - detected Forged file (1)

2010/12/02 14:24:33.0296 cmdHlp (81ceedf3501cd5ccae3dceb204af1634) C:\WINDOWS\system32\DRIVERS\cmdhlp.sys

2010/12/02 14:24:33.0296 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cmdhlp.sys. Real md5: 81ceedf3501cd5ccae3dceb204af1634, Fake md5: 111e6755acb5f236e2465e24508f6367

2010/12/02 14:24:33.0296 cmdHlp - detected Forged file (1)

2010/12/02 14:24:33.0468 CTMFLT (11e870356b43d2241ea04b75a62b09a3) C:\WINDOWS\system32\drivers\CTMFLT.sys

2010/12/02 14:24:33.0468 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\CTMFLT.sys. md5: 11e870356b43d2241ea04b75a62b09a3

2010/12/02 14:24:33.0484 CTMFLT - detected Locked file (1)

2010/12/02 14:24:33.0640 CTMMOUNT (6da40556d17dd58a84b00b6ddaa96b36) C:\WINDOWS\system32\drivers\CTMMOUNT.sys

2010/12/02 14:24:33.0640 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\CTMMOUNT.sys. md5: 6da40556d17dd58a84b00b6ddaa96b36

2010/12/02 14:24:33.0640 CTMMOUNT - detected Locked file (1)

2010/12/02 14:24:33.0687 CTMSHD (aeeda83d0d29359d3d8fb6b1bf038cc1) C:\WINDOWS\system32\drivers\CTMSHD.sys

2010/12/02 14:24:33.0687 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\CTMSHD.sys. md5: aeeda83d0d29359d3d8fb6b1bf038cc1

2010/12/02 14:24:33.0687 CTMSHD - detected Locked file (1)

2010/12/02 14:24:33.0796 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/12/02 14:24:33.0843 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/12/02 14:24:33.0875 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/12/02 14:24:33.0906 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/12/02 14:24:34.0000 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/12/02 14:24:34.0015 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/12/02 14:24:34.0125 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/12/02 14:24:34.0156 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2010/12/02 14:24:34.0203 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/12/02 14:24:34.0203 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2010/12/02 14:24:34.0265 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/12/02 14:24:34.0296 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/12/02 14:24:34.0312 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/12/02 14:24:34.0328 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/12/02 14:24:34.0359 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2010/12/02 14:24:34.0421 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/12/02 14:24:34.0484 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/12/02 14:24:34.0562 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/12/02 14:24:34.0781 ialm (c1c2d6940d6ec2f247b0f3c11e0a18e0) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

2010/12/02 14:24:34.0906 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/12/02 14:24:34.0968 Inspect (bf141304f251563b63e64cb3c036de74) C:\WINDOWS\system32\DRIVERS\inspect.sys

2010/12/02 14:24:34.0968 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\inspect.sys. Real md5: bf141304f251563b63e64cb3c036de74, Fake md5: 343ac4733c1e8b7ab6454178e4fcd4ad

2010/12/02 14:24:34.0968 Inspect - detected Forged file (1)

2010/12/02 14:24:35.0109 IntcAzAudAddService (b45a576ad280dd4f605f58b24cdaafe1) C:\WINDOWS\system32\drivers\RtkHDAud.sys

2010/12/02 14:24:35.0234 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/12/02 14:24:35.0265 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/12/02 14:24:35.0296 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/12/02 14:24:35.0328 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/12/02 14:24:35.0359 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/12/02 14:24:35.0468 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/12/02 14:24:35.0500 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/12/02 14:24:35.0531 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/12/02 14:24:35.0546 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/12/02 14:24:35.0562 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2010/12/02 14:24:35.0578 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/12/02 14:24:35.0656 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/12/02 14:24:35.0718 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/12/02 14:24:35.0750 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/12/02 14:24:35.0781 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/12/02 14:24:35.0828 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/12/02 14:24:35.0890 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/12/02 14:24:35.0953 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/12/02 14:24:36.0000 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/12/02 14:24:36.0031 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/12/02 14:24:36.0046 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/12/02 14:24:36.0078 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/12/02 14:24:36.0093 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/12/02 14:24:36.0109 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/12/02 14:24:36.0171 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/12/02 14:24:36.0187 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/12/02 14:24:36.0218 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/12/02 14:24:36.0265 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/12/02 14:24:36.0265 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/12/02 14:24:36.0281 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/12/02 14:24:36.0296 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/12/02 14:24:36.0328 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/12/02 14:24:36.0390 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/12/02 14:24:36.0437 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/12/02 14:24:36.0500 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/12/02 14:24:36.0531 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/12/02 14:24:36.0546 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/12/02 14:24:36.0593 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/12/02 14:24:36.0609 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/12/02 14:24:36.0671 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/12/02 14:24:36.0671 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/12/02 14:24:36.0718 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/12/02 14:24:36.0750 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/12/02 14:24:36.0875 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/12/02 14:24:36.0906 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/12/02 14:24:36.0937 PSI (1df21f001f3a94eba4a2950c70cc358f) C:\WINDOWS\system32\DRIVERS\psi_mf.sys

2010/12/02 14:24:36.0953 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/12/02 14:24:37.0015 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/12/02 14:24:37.0062 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/12/02 14:24:37.0109 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/12/02 14:24:37.0109 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/12/02 14:24:37.0171 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/12/02 14:24:37.0187 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/12/02 14:24:37.0218 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/12/02 14:24:37.0265 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/12/02 14:24:37.0343 RTLE8023xp (bb0ae2171f08129f4f3ff9df20ffbf89) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys

2010/12/02 14:24:37.0343 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys. Real md5: bb0ae2171f08129f4f3ff9df20ffbf89, Fake md5: 40607773fecd00708354809e233823f2

2010/12/02 14:24:37.0343 RTLE8023xp - detected Forged file (1)

2010/12/02 14:24:37.0437 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

2010/12/02 14:24:37.0484 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

2010/12/02 14:24:37.0562 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/12/02 14:24:37.0609 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/12/02 14:24:37.0625 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/12/02 14:24:37.0640 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/12/02 14:24:37.0718 snapman (c3bf55189aa92b8f919108ef9e4accae) C:\WINDOWS\system32\DRIVERS\snapman.sys

2010/12/02 14:24:37.0718 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\snapman.sys. Real md5: c3bf55189aa92b8f919108ef9e4accae, Fake md5: 85bada660d57bc5aef52b11cabd6d8f9

2010/12/02 14:24:37.0718 snapman - detected Forged file (1)

2010/12/02 14:24:37.0750 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/12/02 14:24:37.0828 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/12/02 14:24:37.0875 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/12/02 14:24:37.0875 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\srv.sys. Real md5: 89220b427890aa1dffd1a02648ae51c3, Fake md5: 0f6aefad3641a657e18081f52d0c15af

2010/12/02 14:24:37.0875 Srv - detected Forged file (1)

2010/12/02 14:24:37.0906 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/12/02 14:24:38.0000 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/12/02 14:24:38.0062 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/12/02 14:24:38.0125 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/12/02 14:24:38.0140 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/12/02 14:24:38.0171 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/12/02 14:24:38.0203 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/12/02 14:24:38.0312 tifsfilter (b0b3122bff3910e0ba97014045467778) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys

2010/12/02 14:24:38.0312 timounter (13bfe330880ac0ce8672d00aa5aff738) C:\WINDOWS\system32\DRIVERS\timntr.sys

2010/12/02 14:24:38.0328 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\timntr.sys. Real md5: 13bfe330880ac0ce8672d00aa5aff738, Fake md5: a34d7024bb7140ec785c86bc065d4f60

2010/12/02 14:24:38.0328 timounter - detected Forged file (1)

2010/12/02 14:24:38.0406 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/12/02 14:24:38.0453 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/12/02 14:24:38.0531 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/12/02 14:24:38.0546 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/12/02 14:24:38.0546 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/12/02 14:24:38.0562 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/12/02 14:24:38.0593 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/12/02 14:24:38.0625 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/12/02 14:24:38.0656 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/12/02 14:24:38.0734 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/12/02 14:24:38.0765 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/12/02 14:24:38.0796 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/12/02 14:24:38.0859 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/12/02 14:24:38.0968 ================================================================================

2010/12/02 14:24:38.0968 Scan finished

2010/12/02 14:24:38.0968 ================================================================================

2010/12/02 14:24:38.0968 Detected object count: 11

2010/12/02 14:26:39.0000 Forged file(cmderd) - User select action: Skip

2010/12/02 14:26:39.0000 Forged file(cmdGuard) - User select action: Skip

2010/12/02 14:26:39.0000 Forged file(cmdHlp) - User select action: Skip

2010/12/02 14:26:39.0000 Locked file(CTMFLT) - User select action: Skip

2010/12/02 14:26:39.0000 Locked file(CTMMOUNT) - User select action: Skip

2010/12/02 14:26:39.0000 Locked file(CTMSHD) - User select action: Skip

2010/12/02 14:26:39.0000 Forged file(Inspect) - User select action: Skip

2010/12/02 14:26:39.0000 Forged file(RTLE8023xp) - User select action: Skip

2010/12/02 14:26:39.0000 Forged file(snapman) - User select action: Skip

2010/12/02 14:26:39.0015 Forged file(Srv) - User select action: Skip

2010/12/02 14:26:39.0015 Forged file(timounter) - User select action: Skip

negster22 · December 3, 2010

Hi treb,

I need to see that Full Antirootkit Scan Report performed under the exact conditions outlined in my previous reply #7

Make sure You reboot before performing the scan!!

There are many files that TDSSKiller identified as "forged" which essentially means it detected a hash value (MD5) that is does not not match any known legitimate version of that file in its database (I edited the results by appending the origin of the file - ie Comodo):

2010/12/02 14:24:38.0968 Detected object count: 11
2010/12/02 14:26:39.0000 Forged file(cmderd) - User select action: Skip - Comodo
2010/12/02 14:26:39.0000 Forged file(cmdGuard) - User select action: Skip - Comodo
2010/12/02 14:26:39.0000 Forged file(cmdHlp) - User select action: Skip - Comodo
2010/12/02 14:26:39.0000 Locked file(CTMFLT) - User select action: Skip - Comodo
2010/12/02 14:26:39.0000 Locked file(CTMMOUNT) - User select action: Skip - Comodo
2010/12/02 14:26:39.0000 Locked file(CTMSHD) - User select action: Skip - Comodo
2010/12/02 14:26:39.0000 Forged file(Inspect) - User select action: Skip - Comodo
2010/12/02 14:26:39.0000 Forged file(RTLE8023xp) - User select action: Skip - Realtek Audio Driver filename=C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2010/12/02 14:26:39.0000 Forged file(snapman) - User select action: Skip - Acronis True Image
2010/12/02 14:26:39.0015 Forged file(Srv) - User select action: Skip - Windows Operating System File
I found this Virusscan report of file with same MD5 and it scans clean:
http://virscan.org/report/4dbe2093c5dd24f0...499506d18d.html
2010/12/02 14:26:39.0015 Forged file(timounter) - User select action: Skip - Comodo

This is troubling - so as a first step, I would like You to upload all of this files one at a time to the Virustotal scanner to get a second opinion on their threat status:

C:\WINDOWS\system32\drivers\cmderd.sys

C:\WINDOWS\system32\drivers\cmdGuard.sys

C:\WINDOWS\system32\drivers\cmdHlp.sys

C:\WINDOWS\system32\drivers\Inspect.sys

C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys

C:\WINDOWS\system32\drivers\snapman.sys

C:\WINDOWS\system32\drivers\Srv.sys

I found this Virusscan report of a srv.sys file with the same MD5 and it scans clean:

http://virscan.org/report/4dbe2093c5dd24f0...499506d18d.html

C:\WINDOWS\system32\drivers\timounter.sys

If any of the files are confirmed to be infected, then you can replace them by reinstalling the applications they're derived from (Comodo or Acronis). If you can't do that (you don't have the installer) or if it's a system file that's infected (ie srv.sys), then we can try to do it with Combofix or have TDSSKiller try to "Cure" the file.

treb · December 3, 2010

Hi treb,
I need to see that Full Antirootkit Scan Report performed under the exact conditions outlined in my previous reply #7
Make sure You reboot before performing the scan!!
There are many files that TDSSKiller identified as "forged" which essentially means it detected a hash value (MD5) that is does not not match any known legitimate version of that file in its database (I edited the results by appending the origin of the file - ie Comodo):
This is troubling - so as a first step, I would like You to upload all of this files one at a time to the Virustotal scanner to get a second opinion on their threat status:
C:\WINDOWS\system32\drivers\cmderd.sys
C:\WINDOWS\system32\drivers\cmdGuard.sys
C:\WINDOWS\system32\drivers\cmdHlp.sys
C:\WINDOWS\system32\drivers\Inspect.sys
C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
C:\WINDOWS\system32\drivers\snapman.sys
C:\WINDOWS\system32\drivers\Srv.sys
I found this Virusscan report of a srv.sys file with the same MD5 and it scans clean:
http://virscan.org/report/4dbe2093c5dd24f0...499506d18d.html
C:\WINDOWS\system32\drivers\timounter.sys
If any of the files are confirmed to be infected, then you can replace them by reinstalling the applications they're derived from (Comodo or Acronis). If you can't do that (you don't have the installer) or if it's a system file that's infected (ie srv.sys), then we can try to do it with Combofix or have TDSSKiller try to "Cure" the file.

negster22: please tell me how to submit one of the above 5 files to VirusTotal?

negster22 · December 4, 2010

Go HERE:

http://www.virustotal.com/

Select the "Upload a File" Tab.

Click the "Browse" button and a Windows Explorer-type interface will open that enables you to navigate through your file system.

Locate the file you want analyzed for it's threat potential, left-click that file, and click "Send File" to upload it to VirusTotal.

If the file was previously scanned VirusTotal will display this message:

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:
What do you wish to do?

If this happens Select "Reanalyze".

Wait for it to be scanned and post back the url (copy/paste the link to the scan result page from your browser's address bar) if any of the scanners determine the file to be a threat.

Repeat this same procedure for the 8 files I listed in my last reply.

treb · December 4, 2010

Go HERE:
http://www.virustotal.com/
Select the "Upload a File" Tab.
Click the "Browse" button and a Windows Explorer-type interface will open that enables you to navigate through your file system.
Locate the file you want analyzed for it's threat potential, left-click that file, and click "Send File" to upload it to VirusTotal.
If the file was previously scanned VirusTotal will display this message:
If this happens Select "Reanalyze".
Wait for it to be scanned and post back the url (copy/paste the link to the scan result page from your browser's address bar) if any of the scanners determine the file to be a threat.
Repeat this same procedure for the 8 files I listed in my last reply.

treb · December 4, 2010

OK, I ran all 8 files on VT, they all came back clean, but I saved all the URL's if you would like to see them. while I was waiting earlier I ran a full MBAM scan and IT came back clean. I'm mystified, what do you think?

negster22 · December 4, 2010

Hi treb,

I think those files could be "false positives" meaning they were erroneously detected as "forged" by TDSSKiller, alternatively they may have been altered such that only a anti-rootkit program can detect the changes. For that reason, I need that full ARK scan report and I NEED you to perform the following online scan, because ESET incorporates anti-rootkit technology. We can see if it flags any of those files:

Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:

http://www.eset.com/onlinescan/index.php

ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs
Use Internet Explorer to navigate to the scanner website because you must approve install an ActiveX add-on to complete the scan.
Check the "Yes, I accept the terms of use" box.
Click "Start"
Approve the installation of the ActiveX control that's required to enable scanning
Make sure the box to
- Remove found threats. is CHECKED!!
- Click "Start"
[*]Allow the definition data base to install
[*]Click "Scan"

When the scan is done, please post the scan report in your next reply. It can be found in this location:

C:\Program Files\EsetOnlineScanner\log.txt

Note to Windows 7 and Vista users, and anyone with restrictive IE security settings:

Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then UNcheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

I will be away until Wednesday so I'll be looking forward to the results of these scans when I return and Good Luck!!

treb · December 7, 2010

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - delete file error:The process cannot access the file because it is being used by another process.

OnlineScanner.ocx - copy file error :The process cannot access the file because it is being used by another process.

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6415

# api_version=3.0.2

# EOSSerial=23f64a7f29d5ca41978fc528275b3683

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-12-07 12:14:32

# local_time=2010-12-06 05:14:32 (-0700, Mountain Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 519771 519771 0 0

# compatibility_mode=3073 16777189 80 92 0 5878431 0 0

# compatibility_mode=5891 16776869 100 100 0 21173627 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=39012

# found=10

# cleaned=10

# scan_time=7823

C:\Documents and Settings\Eric\Application Data\Uniblue\RegistryBooster\_temp\ub.exe Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Eric\Desktop\Unused Desktop Shortcuts\registrybooster.exe Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Eric\My Documents\Downloads\registrybooster.exe a variant of Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Program Files\Uniblue\RegistryBooster\Launcher.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{27777358-E789-4D49-A269-FC07666AB5DD}\RP177\A0017024.exe a variant of Win32/Adware.PerfectOptimizer application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{27777358-E789-4D49-A269-FC07666AB5DD}\RP192\A0018391.exe a variant of Win32/Adware.PerfectOptimizer application (deleted - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{27777358-E789-4D49-A269-FC07666AB5DD}\RP217\A0019638.exe Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{27777358-E789-4D49-A269-FC07666AB5DD}\RP217\A0019639.exe Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{27777358-E789-4D49-A269-FC07666AB5DD}\RP217\A0019640.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{27777358-E789-4D49-A269-FC07666AB5DD}\RP97\A0011945.exe a variant of Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

treb · December 7, 2010

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - delete file error:The process cannot access the file because it is being used by another process.
OnlineScanner.ocx - copy file error :The process cannot access the file because it is being used by another process.
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=23f64a7f29d5ca41978fc528275b3683
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-07 12:14:32
# local_time=2010-12-06 05:14:32 (-0700, Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 519771 519771 0 0
# compatibility_mode=3073 16777189 80 92 0 5878431 0 0
# compatibility_mode=5891 16776869 100 100 0 21173627 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=39012
# found=10
# cleaned=10
# scan_time=7823
C:\Documents and Settings\Eric\Application Data\Uniblue\RegistryBooster\_temp\ub.exe Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Eric\Desktop\Unused Desktop Shortcuts\registrybooster.exe Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Eric\My Documents\Downloads\registrybooster.exe a variant of Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Uniblue\RegistryBooster\Launcher.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{27777358-E789-4D49-A269-FC07666AB5DD}\RP177\A0017024.exe a variant of Win32/Adware.PerfectOptimizer application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{27777358-E789-4D49-A269-FC07666AB5DD}\RP192\A0018391.exe a variant of Win32/Adware.PerfectOptimizer application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{27777358-E789-4D49-A269-FC07666AB5DD}\RP217\A0019638.exe Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{27777358-E789-4D49-A269-FC07666AB5DD}\RP217\A0019639.exe Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{27777358-E789-4D49-A269-FC07666AB5DD}\RP217\A0019640.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{27777358-E789-4D49-A269-FC07666AB5DD}\RP97\A0011945.exe a variant of Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

treb · December 7, 2010