
Website redirects


cr74mz


Hello,

A few days ago my machine began to display a "Disk Doctor" pop-up showing many fake warnings. I used Task Manager to kill the foreign processes, and msconfig to remove them from startup. My desktop icons and taskbar were gone, so I used System Restore to restore to a point about a week ago. I updated MBAM and ran a full scan (log below). I also downloaded and ran Spybot Search & Destroy, as well as AVG 2011 Free Edition. All 3 programs found infections (somewhere in the neighborhood of 20 total). After removing all located infections and tracking cookies through Spybot and MBAM, but before AVG, I noticed an alarming behavior in Firefox. Occasionally, during normal browsing, a new tab would open with a pop-up about a free gift card. After downloading and running AVG multiple times, I no longer get this new tab behavior; however, Firefox will redirect randomly. I've only attempted this from Google search results, specifically a search for "buy", clicking on the Buy.com first non-sponsored listing. Firefox will load buy.com, and it will then suddenly load several different pages, all in the same tab. Below are my initial MBAM log from the first scan, as well as one in the current condition, and my HijackThis log.

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5214

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

12/3/2010 3:08:47 PM

mbam-log-2010-12-03 (15-08-47).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 267323

Time elapsed: 49 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 0

Registry Values Infected: 3

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 10

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\Users\Jason\AppData\Local\GEFCFX.dll (Trojan.Hiloti.Gen) -> Delete on reboot.

c:\Users\Jason\AppData\Local\iroxaroyuy.dll (Trojan.Agent.U) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wsojodadod (Trojan.Hiloti.Gen) -> Value: Wsojodadod -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oheredec (Trojan.Agent.U) -> Value: Oheredec -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{EAC3452C-D78D-66A1-27CB-A06D3E37C829} (Trojan.ZbotR.Gen) -> Value: {EAC3452C-D78D-66A1-27CB-A06D3E37C829} -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\Jason\AppData\Local\GEFCFX.dll (Trojan.Hiloti.Gen) -> Delete on reboot.

c:\Users\Jason\AppData\Local\Temp\err.log289476890 (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\Users\Jason\AppData\Roaming\Adobe\plugs\kb289520367.exe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.

c:\Users\Jason\AppData\Roaming\Adobe\plugs\kb289562737.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\Jason\AppData\Local\Temp\0.5388177971257877.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\Users\Jason\AppData\Local\Temp\windows update.exe (Trojan.VB) -> Quarantined and deleted successfully.

c:\Users\Public\documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.

c:\Users\Public\documents\Server\server.dat (Malware.Trace) -> Quarantined and deleted successfully.

c:\Users\Jason\AppData\Local\iroxaroyuy.dll (Trojan.Agent.U) -> Delete on reboot.

c:\Users\Jason\AppData\Roaming\Ignau\irlig.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.

****

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4356

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

12/5/2010 4:27:51 AM

mbam-log-2010-12-05 (04-27-51).txt

Scan type: Full scan (C:\|D:\|E:\|)

Objects scanned: 253485

Time elapsed: 49 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

****

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 2:29:46 AM, on 12/5/2010

Platform: Windows 7 (WinNT 6.00.3504)

MSIE: Internet Explorer v8.00 (8.00.7600.16385)

Boot mode: Normal

Running processes:

C:\windows\system32\taskhost.exe

C:\windows\system32\Dwm.exe

C:\windows\Explorer.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Lenovo\Energy Management\utility.exe

C:\Program Files\Lenovo\Energy Management\Energy Management.exe

C:\Program Files\Zune\ZuneLauncher.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\windows\system32\igfxsrvc.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\windows\system32\conhost.exe

C:\windows\system32\taskmgr.exe

C:\Users\Jason\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [igfxTray] C:\windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [EnergyUtility] C:\Program Files\Lenovo\Energy Management\utility.exe

O4 - HKLM\..\Run: [Energy Management] C:\Program Files\Lenovo\Energy Management\Energy Management.exe

O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"

O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [WLStart] "C:\Program Files\Windows Live\Installer\wlstart.exe" /nosearch /nohomepage (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [WLStart] "C:\Program Files\Windows Live\Installer\wlstart.exe" /nosearch /nohomepage (User 'Default user')

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll

O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

--

End of file - 4623 bytes

Please note, I am using a different computer to access this forum. Currently, I do not have my infected machine connected to the internet.

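The MBAM log in the post above is the kind of output a responder reads line by line: which items are autostart entries, which sit in user-writable folders, and which are still marked "Delete on reboot". The following is an added example, not code from this thread or from Malwarebytes: a small Python parser for the MBAM 1.x log layout shown above that extracts each detection and groups them by those three questions. The sample lines embedded in it are a subset copied from the posted log; the section and item regexes are my assumptions about the format, based only on that log.

```python
"""Triage helper for Malwarebytes' Anti-Malware (MBAM) 1.x text logs.

Added example for this thread; not part of the forum post or of Malwarebytes'
own tooling. The section layout ("Files Infected:" followed by one item per
line) and the item syntax are assumptions taken from the log posted above.
"""
import re
from dataclasses import dataclass

# Subset of lines copied from the log posted in the thread (constructed sample).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.50
Database version: 5214

Memory Modules Infected: 1
Registry Values Infected: 1
Files Infected: 2

Memory Modules Infected:
c:\Users\Jason\AppData\Local\GEFCFX.dll (Trojan.Hiloti.Gen) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wsojodadod (Trojan.Hiloti.Gen) -> Value: Wsojodadod -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Jason\AppData\Local\Temp\windows update.exe (Trojan.VB) -> Quarantined and deleted successfully.
c:\Users\Public\documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
"""

# "Registry Values Infected:" starts a section; "Registry Values Infected: 3" is only a summary count.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# "<target> (<threat>) -> [Value: X ->] <action>."
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
# Autostart locations: anything under ...\CurrentVersion\Run or RunOnce.
AUTORUN_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Per-user writable locations where droppers typically land.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public)\\", re.IGNORECASE)


@dataclass
class Detection:
    section: str   # e.g. "Files Infected"
    target: str    # file path or registry key
    threat: str    # MBAM detection name, e.g. "Trojan.Hiloti.Gen"
    action: str    # e.g. "Delete on reboot"


def parse_mbam_log(text):
    """Return one Detection per item line, in log order."""
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        # Skip the header block (before any section) and "(No malicious items detected)".
        if section is None or line.startswith("("):
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        # The action is the last "->" segment; registry items carry a "Value: X" segment first.
        action = m.group("rest").split(" -> ")[-1].rstrip(".")
        detections.append(Detection(section, m.group("target"), m.group("threat"), action))
    return detections


def triage(detections):
    """Group detections by what a responder looks at first."""
    return {
        "persistence": [d for d in detections if AUTORUN_RE.search(d.target)],
        "user_writable": [d for d in detections if USER_WRITABLE_RE.search(d.target)],
        # Items not yet removed: the host is not clean until rebooted and rescanned.
        "pending_reboot": [d for d in detections if d.action == "Delete on reboot"],
    }


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for label, items in triage(found).items():
        print(f"{label}: {len(items)}")
        for d in items:
            print(f"  [{d.section}] {d.threat}: {d.target} ({d.action})")
```

A log that still lists "Delete on reboot" items is not a clean result until the machine has been restarted and rescanned, which is what the second, empty MBAM log in the post shows. The Run-key entries are worth keeping even after removal: they name the dropped executables, so a later log that shows the same paths reappearing tells you the removal did not hold.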

Hi cr74mz

:(

We need to look at some more information about what is going on in your computer:

Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your Thread.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.

After downloading the tool, disconnect from the internet and disable all antivirus protection.

Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE. Then post your DDS (DDS.txt and Attach.txt).

Next

Please Download Rootkit Unhooker Save it to your desktop.

  • extract RKUnhooker to your desktop
    • Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file -
      you can get a free one from here -
    http://www.7-zip.org/

  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".

In your next reply, please include these log(s):

1. DDS.txt

2. Attach.txt

3. RKU log


...

  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.

After downloading the tool, disconnect from the internet and disable all antivirus protection.

Run the scan, enable your A/V and reconnect to the internet.

...

Is it important that I connect the computer to the internet? Currently, I have it disconnected and I am using a flash drive to transport the requested files.

Please Download Rootkit Unhooker Save it to your desktop.

  • extract RKUnhooker to your desktop
    • Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file -
      you can get a free one from here -
    http://www.7-zip.org/

  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

When I extracted it to the desktop, it was named "RkU3.8.288.590.exe". Running that installed some files in my system32 folder, and the program I ran was titled "rac82252811.exe". I'm not sure if it's consequential, but I figured I should let you know that I never found a file titled "RKUnhookerLE.exe".

In your next reply, please include these log(s):

1. DDS.txt

2. Attach.txt

3. RKU log

As requested, here are the logs.

DDS (Ver_10-12-05.01) - NTFSx86

Run by Jason at 21:55:56.18 on Sun 12/05/2010

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3005.1806 [GMT -7:00]

============== Running Processes ===============

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\system32\WLANExt.exe

C:\windows\system32\conhost.exe

C:\windows\System32\spoolsv.exe

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\AVG\AVG10\avgwdsvc.exe

c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\windows\system32\svchost.exe -k imgsvc

C:\windows\system32\taskhost.exe

C:\windows\system32\Dwm.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\windows\Explorer.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Lenovo\Energy Management\utility.exe

C:\Program Files\Lenovo\Energy Management\Energy Management.exe

C:\Program Files\Zune\ZuneLauncher.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\windows\system32\igfxsrvc.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\windows\system32\conhost.exe

C:\windows\system32\SearchIndexer.exe

C:\Program Files\Zune\Zune.exe

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\Program Files\AVG\AVG10\avgui.exe

\\?\C:\windows\system32\wbem\WMIADAP.EXE

C:\Program Files\AVG\AVG10\avgcfgex.exe

C:\windows\system32\DllHost.exe

C:\windows\system32\DllHost.exe

C:\Users\Jason\Desktop\dds.scr

C:\windows\system32\conhost.exe

C:\windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://lenovo.msn.com

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [EnergyUtility] c:\program files\lenovo\energy management\utility.exe

mRun: [Energy Management] c:\program files\lenovo\energy management\Energy Management.exe

mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRunOnce: [WLStart] "c:\program files\windows live\installer\wlstart.exe" /nosearch /nohomepage

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Notify: igfxcui - igfxdev.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\jason\appdata\roaming\mozilla\firefox\profiles\d6omy9sx.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 0

FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll

FF - component: c:\users\jason\appdata\roaming\mozilla\firefox\profiles\d6omy9sx.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Extension: Firebug: firebug@software.joehewitt.com - c:\users\jason\appdata\roaming\mozilla\firefox\profiles\d6omy9sx.default\extensions\firebug@software.joehewitt.com

FF - Extension: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - c:\users\jason\appdata\roaming\mozilla\firefox\profiles\d6omy9sx.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}

FF - Extension: FoxyTunes: {463F6CA5-EE3C-4be1-B7E6-7FEE11953374} - c:\users\jason\appdata\roaming\mozilla\firefox\profiles\d6omy9sx.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}

FF - Extension: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]

R1 funfrm;funfrm;c:\windows\system32\drivers\funfrm.sys [2009-12-9 54800]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]

R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2009-12-9 21520]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 21072]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-5-30 260648]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]

S3 k57nd60x;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-7-13 229888]

S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]

S3 wdmirror;wdmirror;c:\windows\system32\drivers\WDMirror.sys [2009-12-9 11792]

S3 wsvd;wsvd;c:\windows\system32\drivers\wsvd.sys [2009-7-21 81704]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-3-31 47128]

S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

=============== Created Last 30 ================

2010-12-05 08:06:05 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-12-05 08:06:05 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2010-12-04 08:50:44 -------- d--h--w- C:\$AVG

2010-12-04 08:25:31 -------- d-----w- c:\users\jason\appdata\roaming\AVG10

2010-12-04 08:24:55 -------- d--h--w- c:\progra~2\Common Files

2010-12-04 08:24:18 -------- d-----w- c:\windows\system32\drivers\AVG

2010-12-04 08:24:18 -------- d-----w- c:\progra~2\AVG10

2010-12-04 08:23:53 -------- d-----w- c:\program files\AVG

2010-12-04 08:21:28 -------- d-----w- c:\progra~2\MFAData

2010-12-04 06:58:31 -------- d-sh--w- c:\users\jason\%APPDATA%

2010-12-04 06:47:43 -------- d-sh--w- c:\program files\%APPDATA%

2010-12-03 20:30:52 -------- d-----w- c:\users\jason\appdata\roaming\Ignau

2010-12-03 20:30:52 -------- d-----w- c:\users\jason\appdata\roaming\Akyzu

2010-12-03 19:25:51 -------- d-----w- c:\users\jason\appdata\local\{740381A0-F7ED-4E22-B09C-8153E8274AAB}

2010-11-30 13:35:00 -------- d-----w- c:\windows\system32\drivers\umdf\pt-BR

2010-11-30 13:34:58 -------- d-----w- c:\windows\system32\drivers\umdf\nl-NL

2010-11-25 11:30:59 -------- d-----w- c:\users\jason\sample_sounds

2010-11-25 05:21:52 -------- d-----w- c:\progra~2\Ableton

2010-11-25 05:21:51 -------- d-----w- c:\users\jason\appdata\roaming\Ableton

2010-11-25 05:16:27 -------- d-----w- c:\program files\Ableton

2010-11-10 05:20:58 299984 ----a-w- c:\windows\system32\drivers\avgtdix.sys

==================== Find3M ====================

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.1.7600 Disk: WDC_WD25 rev.11.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86E38555]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86e3e7b0]; MOV EAX, [0x86e3e82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x82C77458] -> \Device\Harddisk0\DR0[0x86E167C8]

3 CLASSPNP[0x8B20459E] -> ntkrnlpa!IofCallDriver[0x82C77458] -> [0x8709E118]

\Driver\iaStor[0x86E184F0] -> IRP_MJ_CREATE -> 0x86E38555

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [bP+0x0], CL; INC BP; }

detected disk devices:

\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD2500BEVT-22ZCT0___________________11.01A11#4&41b376f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

user != kernel MBR !!!

error: Read The request could not be performed because of an I/O device error.

sectors 488397166 (+255): user != kernel

Warning: possible TDL4 rootkit infection !

TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 21:56:36.08 ===============

****

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-05.01)

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 2/2/2010 3:23:21 PM

System Uptime: 12/5/2010 9:45:05 PM (0 hours ago)

Motherboard: LENOVO | | NITU1

Processor: Pentium® Dual-Core CPU T4400 @ 2.20GHz | U2E1 | 2200/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 188 GiB total, 102.19 GiB free.

D: is FIXED (NTFS) - 30 GiB total, 29.533 GiB free.

E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}

Description: USB Video Device

Device ID: USB\VID_5986&PID_0145&MI_00\6&3A8CA859&1&0000

Manufacturer: Microsoft

Name: Lenovo EasyCamera

PNP Device ID: USB\VID_5986&PID_0145&MI_00\6&3A8CA859&1&0000

Service: usbvideo

==== System Restore Points ===================

RP51: 9/30/2010 9:12:44 AM - Scheduled Checkpoint

RP52: 10/7/2010 6:25:56 PM - Scheduled Checkpoint

RP53: 10/16/2010 6:21:23 PM - Scheduled Checkpoint

RP54: 10/25/2010 4:10:59 PM - Scheduled Checkpoint

RP55: 11/3/2010 9:20:57 PM - Scheduled Checkpoint

RP56: 11/16/2010 8:20:14 PM - Scheduled Checkpoint

RP57: 11/30/2010 6:33:02 AM - Windows Update

RP58: 12/3/2010 3:15:03 PM - Restore Operation

RP59: 12/4/2010 1:23:34 AM - Installed AVG 2011

RP60: 12/4/2010 1:24:00 AM - Installed AVG 2011

RP61: 12/4/2010 3:46:53 AM - Removed Apple Mobile Device Support

RP62: 12/4/2010 3:47:34 AM - Removed Apple Software Update

RP63: 12/4/2010 3:48:40 AM - Removed Apple Application Support

RP64: 12/4/2010 3:49:41 AM - Removed Bonjour

RP65: 12/4/2010 3:51:48 AM - Removed Google Earth.

RP66: 12/4/2010 3:52:49 AM - Removed iTunes

RP67: 12/4/2010 3:54:53 AM - Removed QuickTime

RP68: 12/4/2010 4:54:45 AM - Removed Java 6 Update 16

RP69: 12/4/2010 11:30:48 PM - Installed Microsoft Fix it 50267

RP70: 12/5/2010 1:05:28 AM - Installed Java 6 Update 22

==== Installed Programs ======================

7-Zip 4.65

Acrobat.com

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Photoshop 7.0

Adobe Reader 9.2

ALPS Touch Pad Driver

AVG 2011

Broadcom 802.11 Wireless Driver

Broadcom Gigabit Integrated Controller

Canon MX320 series MP Drivers

Conexant HD Audio

Energy Management

FileZilla Client 3.3.3

FoxyTunes for Firefox

Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB945282)

Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946040)

Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946308)

Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947540)

Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947789)

Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB945282)

Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946040)

Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946308)

Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946344)

Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946581)

Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB947540)

Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB947789)

Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB951708)

Hotfix for Office (KB950278)

Intel® Graphics Media Accelerator Driver

Intel® TV Wizard

Intel


Also, I have a question. While this is going on, is it safe for me to run XAMPP? (Apache/MySQL)

Try not to until we are done.

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


No need for the dmp files.

Right click on ComboFix, drop down to Rename and change the name to eXplorer.exe, in normal mode.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\]eXplorer.exe" /KillAll

Continue; the application will launch. When finished, it will produce a report for you.

Please post the "C:\ComboFix.txt" .


No need for the dmp files.

Right click on ComboFix, drop down to Rename and change the name to eXplorer.exe, in normal mode.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\]eXplorer.exe" /KillAll

Continue; the application will launch. When finished, it will produce a report for you.

Please post the "C:\ComboFix.txt" .

I get the error "Windows cannot find 'C:\Users\Jason\desktop\]eXplorer.exe'. Make sure you typed the name correctly, and then try again." I followed the path and verified that it is, indeed, in C:\Users\Jason\desktop and it is named "eXplorer.exe".


Just a quick update: I was trying a few variations of the name (double extension, removing the "]") and I got it to run. Unfortunately, I still got a BSOD, except this time the message was DRIVER_IRQL_NOT_LESS_THAN_OR_EQUAL and it referenced Iastor.sys (or iaStor.sys, or iastor.sys; I don't recall the exact capitalization and I can't duplicate the issue in the exact manner. Trying to run it again gives me the same blue screen as before.)


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply

Note: It will also create a log in the C:\ directory.


This report is the log from the C:\ directory. I didn't see a report button after I selected the reboot now option.

2010/12/06 08:58:14.0865 TDSS rootkit removing tool 2.4.10.1 Dec 2 2010 12:28:01
2010/12/06 08:58:14.0865 ================================================================================
2010/12/06 08:58:14.0865 SystemInfo:
2010/12/06 08:58:14.0865
2010/12/06 08:58:14.0865 OS Version: 6.1.7600 ServicePack: 0.0
2010/12/06 08:58:14.0865 Product type: Workstation
2010/12/06 08:58:14.0866 ComputerName: DEV
2010/12/06 08:58:14.0867 UserName: Jason
2010/12/06 08:58:14.0867 Windows directory: C:\windows
2010/12/06 08:58:14.0867 System windows directory: C:\windows
2010/12/06 08:58:14.0867 Processor architecture: Intel x86
2010/12/06 08:58:14.0867 Number of processors: 2
2010/12/06 08:58:14.0867 Page size: 0x1000
2010/12/06 08:58:14.0867 Boot type: Normal boot
2010/12/06 08:58:14.0867 ================================================================================
2010/12/06 08:58:15.0320 Initialize success
2010/12/06 08:58:20.0618 ================================================================================
2010/12/06 08:58:20.0618 Scan started
2010/12/06 08:58:20.0618 Mode: Manual;
2010/12/06 08:58:20.0618 ================================================================================

2010/12/06 08:58:37.0978 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/06 08:58:37.0984 ================================================================================
2010/12/06 08:58:37.0984 Scan finished
2010/12/06 08:58:37.0984 ================================================================================
2010/12/06 08:58:37.0997 Detected object count: 1
2010/12/06 08:58:53.0114 \HardDisk0 - will be cured after reboot
2010/12/06 08:58:53.0115 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/06 08:58:56.0745 Deinitialize success

I have another question. As I mentioned previously, I'm using a flash drive to transport these logs and programs back and forth from this computer, which I'm using to access the forums, and the infected computer, which is not connected to the internet. Given this information, do you feel I should be worried about the infection spreading through the flash drive? Also, before I ran TDSSKiller, I didn't get the autoplay popup when I would plug my flash drive into my computer; after the reboot, however, I did. I'm not sure if that's of any significance or not.

Once again, thank you for all of your time and help with this. I really appreciate it.

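A small triage parser for the TDSSKiller log format posted above, added here as an example; it is not part of this thread and not code from Kaspersky's tool. The sample lines are constructed in the same format, the MD5 values are placeholders, and the temp-directory driver line is invented purely to exercise the path check.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of a TDSSKiller 2.4 log: timestamp, then either a
# driver entry "name (md5) path", a detection, or a status line. Hashes are placeholders.
SAMPLE_LOG = r"""
2010/12/06 08:58:14.0865 TDSS rootkit removing tool 2.4.10.1 Dec 2 2010 12:28:01
2010/12/06 08:58:14.0865 ================================================================================
2010/12/06 08:58:14.0865 OS Version: 6.1.7600 ServicePack: 0.0
2010/12/06 08:58:20.0618 Scan started
2010/12/06 08:58:21.0196 ACPI (00000000000000000000000000000001) C:\windows\system32\DRIVERS\ACPI.sys
2010/12/06 08:58:28.0599 iaStor (00000000000000000000000000000002) C:\windows\system32\DRIVERS\iaStor.sys
2010/12/06 08:58:30.0001 example (00000000000000000000000000000003) C:\Users\user\AppData\Local\Temp\example.sys
2010/12/06 08:58:35.0131 Tcpip (00000000000000000000000000000004) C:\windows\system32\drivers\tcpip.sys
2010/12/06 08:58:37.0978 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/06 08:58:37.0984 Scan finished
2010/12/06 08:58:37.0997 Detected object count: 1
2010/12/06 08:58:53.0114 \HardDisk0 - will be cured after reboot
2010/12/06 08:58:53.0115 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/06 08:58:56.0745 Deinitialize success
""".strip("\n")

TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}"
LINE_RE = re.compile(rf"^(?P<ts>{TS}) (?P<body>.*)$")
VERSION_RE = re.compile(r"^TDSS rootkit removing tool (?P<ver>\S+) ")
DRIVER_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>[A-Za-z]:\\\S.*)$")
DETECT_RE = re.compile(r"^(?P<obj>\S+) - detected (?P<threat>\S+) \(\d+\)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")
REBOOT_RE = re.compile(r"^(?P<obj>\S+) - will be cured after reboot$")
ACTION_RE = re.compile(r"^(?P<threat>[^(]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")


@dataclass
class Driver:
    name: str
    md5: str
    path: str


@dataclass
class TdssReport:
    tool_version: Optional[str] = None
    drivers: List[Driver] = field(default_factory=list)
    detections: List[Tuple[str, str]] = field(default_factory=list)  # (object, threat)
    actions: Dict[str, str] = field(default_factory=dict)            # object -> chosen action
    pending_reboot: List[str] = field(default_factory=list)          # objects cured on reboot
    detected_count: Optional[int] = None
    unparsed: List[str] = field(default_factory=list)                # lines with no timestamp


def parse_log(text: str) -> TdssReport:
    """Turn the raw log into structured records; banner and status lines are skipped."""
    rep = TdssReport()
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            rep.unparsed.append(raw)
            continue
        body = m.group("body")
        if (v := VERSION_RE.match(body)):
            rep.tool_version = v.group("ver")
        elif (d := DRIVER_RE.match(body)):
            rep.drivers.append(Driver(d.group("name"), d.group("md5").lower(), d.group("path")))
        elif (d := DETECT_RE.match(body)):
            rep.detections.append((d.group("obj"), d.group("threat")))
        elif (d := COUNT_RE.match(body)):
            rep.detected_count = int(d.group("n"))
        elif (d := REBOOT_RE.match(body)):
            rep.pending_reboot.append(d.group("obj"))
        elif (d := ACTION_RE.match(body)):
            rep.actions[d.group("obj")] = d.group("action")
    return rep


# Kernel drivers normally live under the Windows system tree; anything else deserves a look.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def drivers_outside_system_dirs(rep: TdssReport) -> List[Driver]:
    return [d for d in rep.drivers if not d.path.lower().startswith(SYSTEM_DIRS)]


def summarize(rep: TdssReport) -> Dict[str, object]:
    """Compact view a helper would want before deciding on the next step."""
    return {
        "version": rep.tool_version,
        "drivers_enumerated": len(rep.drivers),
        "detections": rep.detections,
        "cure_selected": [o for o, a in rep.actions.items() if a == "Cure"],
        "reboot_required": bool(rep.pending_reboot),
        "odd_driver_paths": [d.path for d in drivers_outside_system_dirs(rep)],
    }


if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```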

Your PC had a rootkit that has replaced your ide driver file with malware. We still have work to do.

Make sure you plug in all your removable devices, otherwise you could spread this infection into another computer. Do the same with all computers in your house.

Flash Drive Disinfector

Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.

Next

Drag the ComboFix icon into the recycle bin. Let's do it this way:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix.
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

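Jason asked above whether the infection could travel on the flash drive, and the Flash_Disinfector note explains the trick that tool uses (a folder named autorun.inf, so that no file of that name can be written). The following script is an added example, not code from the thread or from Flash_Disinfector: a read-only PowerShell audit that reports, for every removable drive, whether autorun.inf is absent, a file (what an autorun worm drops) or the protective folder, and that reads the NoDriveTypeAutoRun policy that tells Windows which drive types may never AutoRun. It assumes Windows PowerShell 3.0 or later; function names are my own.

```powershell
# Added example; not code from the original thread or from Flash_Disinfector.
# Read-only audit of the autorun exposure discussed above. For each removable
# drive it reports whether autorun.inf is absent, a file (what an autorun worm
# drops, often hidden) or a folder (the placeholder Flash_Disinfector leaves so
# that no file of that name can be created). It also reads NoDriveTypeAutoRun,
# the bitmask telling Windows which drive types are never allowed to AutoRun.
# Assumes Windows PowerShell 3.0 or later; changes nothing on the system.

function Get-AutorunInfState {
    param([Parameter(Mandatory = $true)][string]$Root)   # drive root, e.g. 'E:\'
    $path   = Join-Path $Root 'autorun.inf'
    $item   = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    $state  = 'absent'
    $detail = 'no autorun.inf on this drive'
    if ($item -and $item.PSIsContainer) {
        $state  = 'protected'
        $detail = 'autorun.inf is a folder, so malware cannot create a file of that name'
    } elseif ($item) {
        $state = 'file'
        # Pull out the directives that decide what would be launched.
        $directives = Get-Content -LiteralPath $path -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' }
        $hidden = (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        $detail = 'launch directives: ' + (@($directives) -join ' | ')
        if ($hidden) { $detail += ' (file is hidden)' }
    }
    [pscustomobject]@{ Drive = $Root; State = $state; Detail = $detail }
}

function Get-RemovableDriveAutorunReport {
    # Win32_LogicalDisk DriveType 2 = removable disk (USB sticks, card readers).
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object { Get-AutorunInfState -Root ($_.DeviceID + '\') }
}

function Get-AutorunPolicy {
    # Bit 0x04 of NoDriveTypeAutoRun covers removable drives; 0xFF disables
    # AutoRun for every drive type. Machine policy (HKLM) overrides HKCU.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key  = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $prop = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($prop) {
            $mask = [int]$prop.NoDriveTypeAutoRun
            [pscustomobject]@{
                Hive               = $hive
                NoDriveTypeAutoRun = ('0x{0:X2}' -f $mask)
                RemovableBlocked   = (($mask -band 0x04) -ne 0)
            }
        } else {
            # Not set: the Windows default for this version applies.
            [pscustomobject]@{ Hive = $hive; NoDriveTypeAutoRun = 'not set'; RemovableBlocked = $null }
        }
    }
}

Get-RemovableDriveAutorunReport | Format-Table -AutoSize
Get-AutorunPolicy | Format-Table -AutoSize
```

Run it with the flash drive plugged in on each machine it has touched. A State of "file" with a launch directive pointing at an executable on the stick is what you would want to see before the drive is opened on a clean PC; "protected" is the state Flash_Disinfector leaves behind. Windows 7 itself no longer honours autorun.inf on USB drives, which is why the XP machine in this thread is the one that benefits most from the placeholder folder and from a NoDriveTypeAutoRun mask that includes 0x04.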

Alright, the Flash Disinfector worked on this computer (the non-infected one (XP)), but when I tried to run it on my infected machine (Windows 7) I got an error that the program wasn't installed correctly. I tried troubleshooting it in a few compatibility options, but it never ran on my infected machine. It ran on my non-infected machine, which, if I understood you correctly, is likely infected now, but I don't see the autorun.inf folder you were talking about. Show hidden files/folders is turned on in folder options.

As for ComboFix, I had to completely uninstall AVG; turning it off temporarily didn't work. Here's my log:

ComboFix 10-12-04.06 - Jason 12/06/2010 16:02:42.1.2 - x86

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3005.2298 [GMT -7:00]

Running from: c:\users\Jason\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\users\Jason\AppData\Local\{740381A0-F7ED-4E22-B09C-8153E8274AAB}

c:\users\Jason\AppData\Local\{740381A0-F7ED-4E22-B09C-8153E8274AAB}\chrome\content\overlay.xul

c:\users\Jason\AppData\Local\{740381A0-F7ED-4E22-B09C-8153E8274AAB}\install.rdf

c:\users\Jason\AppData\Roaming\Adobe\plugs

c:\windows\system32\12546859

c:\windows\system32\12546859\rac82252811.exe

c:\windows\system32\12546859\RkUnhooker.chm

c:\windows\system32\12546859\unins000.dat

c:\windows\system32\12546859\unins000.exe

.

((((((((((((((((((((((((( Files Created from 2010-11-06 to 2010-12-06 )))))))))))))))))))))))))))))))

.

2010-12-06 23:06 . 2010-12-06 23:07 -------- d-----w- c:\users\Jason\AppData\Local\temp

2010-12-06 23:06 . 2010-12-06 23:06 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-12-05 08:06 . 2010-12-05 08:06 -------- d-----w- c:\program files\Common Files\Java

2010-12-05 08:06 . 2010-12-05 08:05 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

2010-12-05 08:06 . 2010-12-05 08:05 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-12-04 08:50 . 2010-12-04 08:50 -------- d-----w- C:\$AVG

2010-12-04 08:25 . 2010-12-04 08:25 -------- d-----w- c:\users\Jason\AppData\Roaming\AVG10

2010-12-04 08:24 . 2010-12-04 08:24 -------- d--h--w- c:\programdata\Common Files

2010-12-04 08:24 . 2010-12-06 22:56 -------- d-----w- c:\programdata\AVG10

2010-12-04 08:23 . 2010-12-04 08:23 -------- d-----w- c:\program files\AVG

2010-12-04 08:21 . 2010-12-04 08:23 -------- d-----w- c:\programdata\MFAData

2010-12-04 06:58 . 2010-12-04 06:58 -------- d-sh--w- c:\users\Jason\%APPDATA%

2010-12-04 06:47 . 2010-12-04 06:47 -------- d-sh--w- c:\program files\%APPDATA%

2010-12-03 20:30 . 2010-12-03 22:08 -------- d-----w- c:\users\Jason\AppData\Roaming\Ignau

2010-12-03 20:30 . 2010-12-03 20:36 -------- d-----w- c:\users\Jason\AppData\Roaming\Akyzu

2010-12-03 20:30 . 2010-12-03 20:30 -------- d-----w- c:\windows\Sun

2010-11-30 13:35 . 2010-11-30 13:35 -------- d-----w- c:\windows\system32\drivers\UMDF\pt-BR

2010-11-30 13:34 . 2010-12-03 22:16 -------- d-----w- c:\windows\system32\drivers\UMDF\nl-NL

2010-11-25 11:30 . 2010-11-27 00:53 -------- d-----w- c:\users\Jason\sample_sounds

2010-11-25 05:21 . 2010-11-25 05:21 -------- d-----w- c:\programdata\Ableton

2010-11-25 05:21 . 2010-11-25 05:21 -------- d-----w- c:\users\Jason\AppData\Roaming\Ableton

2010-11-25 05:16 . 2010-11-25 05:16 -------- d-----w- c:\program files\Ableton

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-11 21:01 . 2010-11-11 21:01 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-BR\ZuneDriver.dll.mui

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-18 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-18 174104]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-18 150552]

"EnergyUtility"="c:\program files\Lenovo\Energy Management\utility.exe" [2009-09-29 4114288]

"Energy Management"="c:\program files\Lenovo\Energy Management\Energy Management.exe" [2009-09-29 5064560]

"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"WLStart"="c:\program files\Windows Live\Installer\wlstart.exe" [2009-07-26 768336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup

backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Jason^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]

path=c:\users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup

backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-10-03 11:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartAudio]

2009-07-16 05:38 307768 ------w- c:\program files\CONEXANT\SAII\SAIICpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GShortCut]

2008-12-03 22:15 218408 ------w- c:\program files\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

2010-01-13 22:44 37888 ----a-w- c:\program files\Winamp\winampa.exe

R3 k57nd60x;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-07-13 229888]

R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]

R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]

R3 wdmirror;wdmirror;c:\windows\system32\DRIVERS\WDMirror.sys [2009-07-16 11792]

R3 WinRing0_1_2_0;WinRing0_1_2_0;d:\test\ECECECEC\WinRing0.sys [x]

R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [2009-07-21 81704]

R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-03-31 47128]

R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 239336]

R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]

S1 funfrm;funfrm; [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2009-05-19 21520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc Mcx2Svc

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://lenovo.msn.com

FF - ProfilePath - c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\d6omy9sx.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 0

FF - component: c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\d6omy9sx.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Extension: Firebug: firebug@software.joehewitt.com - c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\d6omy9sx.default\extensions\firebug@software.joehewitt.com

FF - Extension: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\d6omy9sx.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}

FF - Extension: FoxyTunes: {463F6CA5-EE3C-4be1-B7E6-7FEE11953374} - c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\d6omy9sx.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

SafeBoot-mcmscsvc

SafeBoot-MCODS

MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

MSConfigStartUp-VeriFaceManager - c:\program files\Lenovo\VeriFace\PManage.exe

AddRemove-{E1E502E2-C006-49DB-9C0C-F2196E51826F}_is1 - c:\windows\system32\12546859\unins000.exe

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2010-12-06 16:08:12

ComboFix-quarantined-files.txt 2010-12-06 23:08

Pre-Run: 109,865,877,504 bytes free

Post-Run: 110,022,549,504 bytes free

- - End Of File - - F714F08666BEB71C24C818E25455D8A8

Another question for you, if I may. When my machine is clean again, is there some way I can create a CD that can revert everything to a certain group of settings/installed programs? I recall hearing about something similar once before, I think they are called images?

Thanks

-Jason


It ran on my non-infected machine, which if I understood you correctly, is likely infected now

I don't think so, but when we are done with this PC we'll look at a log on the other PC to make sure.

When my machine is clean again, is there some way I can create a CD that can revert everything to a certain group of settings/installed programs? I recall hearing about something similar once before, I think they are called images?

This I don't know, as I use an external hard drive for backups. You can post this question at

http://forums.malwarebytes.org/index.php?showforum=6

Also, you can install AVG now.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed anti-virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Next

Download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6415

# api_version=3.0.2

# EOSSerial=0038034f32a57542b9cc134a1f4c3d40

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-12-07 01:12:03

# local_time=2010-12-07 06:12:03 (-0700, US Mountain Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7600 NT

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=1024 16777215 100 0 0 0 0 0

# compatibility_mode=5893 16776573 100 94 25555001 43270410 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=130904

# found=2

# cleaned=0

# scan_time=1904

C:\Users\Jason\Downloads\iPod_Support_v3_08.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I

C:\Users\Jason\Downloads\iPod_Support_v3_09.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I

Results of screen317's Security Check version 0.99.6

Windows 7 (UAC is enabled)

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 22

Adobe Flash Player 10.1.85.3

Adobe Reader 9.2

Out of date Adobe Reader installed!

Mozilla Firefox (3.6.10) Firefox Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


The two items that ESET Online Scanner picked up are false positives. I'll give you a tool for outdated software in my last post.

How are things now with this PC?

Well, I'm not getting the redirects anymore (yay!), and MBAM comes up clean. I ran DDS again, though (it didn't seem dangerous like ComboFix; sorry if I shouldn't have), and I'm wondering if you can shed any light on these bolded items:

DDS (Ver_10-12-05.01) - NTFSx86

Run by Jason at 8:55:37.51 on Tue 12/07/2010

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3005.1990 [GMT -7:00]

============== Running Processes ===============

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\system32\WLANExt.exe

C:\windows\system32\conhost.exe

C:\windows\System32\spoolsv.exe

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\windows\system32\svchost.exe -k imgsvc

C:\windows\System32\svchost.exe -k secsvcs

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\windows\system32\Dwm.exe

C:\windows\system32\taskhost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Lenovo\Energy Management\utility.exe

C:\windows\system32\igfxsrvc.exe

C:\Program Files\Lenovo\Energy Management\Energy Management.exe

C:\Program Files\Zune\ZuneLauncher.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\windows\system32\SearchIndexer.exe

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\windows\explorer.exe

C:\windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\Mozilla Firefox\firefox.exe

C:\windows\system32\prevhost.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Users\Jason\Desktop\dds.scr

C:\windows\system32\conhost.exe

C:\windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://lenovo.msn.com

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [EnergyUtility] c:\program files\lenovo\energy management\utility.exe

mRun: [Energy Management] c:\program files\lenovo\energy management\Energy Management.exe

mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRunOnce: [WLStart] "c:\program files\windows live\installer\wlstart.exe" /nosearch /nohomepage

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\jason\appdata\roaming\mozilla\firefox\profiles\d6omy9sx.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 0

FF - component: c:\users\jason\appdata\roaming\mozilla\firefox\profiles\d6omy9sx.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Extension: Firebug: firebug@software.joehewitt.com - c:\users\jason\appdata\roaming\mozilla\firefox\profiles\d6omy9sx.default\extensions\firebug@software.joehewitt.com

FF - Extension: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - c:\users\jason\appdata\roaming\mozilla\firefox\profiles\d6omy9sx.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}

FF - Extension: FoxyTunes: {463F6CA5-EE3C-4be1-B7E6-7FEE11953374} - c:\users\jason\appdata\roaming\mozilla\firefox\profiles\d6omy9sx.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}

============= SERVICES / DRIVERS ===============

R1 funfrm;funfrm;c:\windows\system32\drivers\funfrm.sys [2009-12-9 54800]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2009-12-9 21520]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-5-30 260648]

S3 k57nd60x;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-7-13 229888]

S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]

S3 wdmirror;wdmirror;c:\windows\system32\drivers\WDMirror.sys [2009-12-9 11792]

S3 wsvd;wsvd;c:\windows\system32\drivers\wsvd.sys [2009-7-21 81704]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-3-31 47128]

S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

=============== Created Last 30 ================

2010-12-07 12:37:29 -------- d-----w- c:\program files\ESET

2010-12-06 23:08:16 -------- d-sh--w- C:\$RECYCLE.BIN

2010-12-06 23:08:14 -------- d-----w- c:\users\jason\appdata\local\temp

2010-12-06 22:59:27 98816 ----a-w- c:\windows\sed.exe

2010-12-06 22:59:27 89088 ----a-w- c:\windows\MBR.exe

2010-12-06 22:59:27 256512 ----a-w- c:\windows\PEV.exe

2010-12-06 22:59:27 161792 ----a-w- c:\windows\SWREG.exe

2010-12-05 08:06:05 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-12-05 08:06:05 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2010-12-04 08:50:44 -------- d-----w- C:\$AVG

2010-12-04 08:25:31 -------- d-----w- c:\users\jason\appdata\roaming\AVG10

2010-12-04 08:24:55 -------- d--h--w- c:\progra~2\Common Files

2010-12-04 08:24:18 -------- d-----w- c:\progra~2\AVG10

2010-12-04 08:23:53 -------- d-----w- c:\program files\AVG

2010-12-04 08:21:28 -------- d-----w- c:\progra~2\MFAData

2010-12-04 06:58:31 -------- d-sh--w- c:\users\jason\%APPDATA%

2010-12-04 06:47:43 -------- d-sh--w- c:\program files\%APPDATA%

2010-12-03 20:30:52 -------- d-----w- c:\users\jason\appdata\roaming\Ignau

2010-12-03 20:30:52 -------- d-----w- c:\users\jason\appdata\roaming\Akyzu

2010-11-30 13:35:00 -------- d-----w- c:\windows\system32\drivers\umdf\pt-BR

2010-11-30 13:34:58 -------- d-----w- c:\windows\system32\drivers\umdf\nl-NL

2010-11-25 11:30:59 -------- d-----w- c:\users\jason\sample_sounds

2010-11-25 05:21:52 -------- d-----w- c:\progra~2\Ableton

2010-11-25 05:21:51 -------- d-----w- c:\users\jason\appdata\roaming\Ableton

2010-11-25 05:16:27 -------- d-----w- c:\program files\Ableton

==================== Find3M ====================

============= FINISH: 8:56:11.94 ===============

Thank you for all of your help


The bolded items are part of ComboFix. That will be removed with OTC.exe.

Be sure to use Secunia software inspector & update checker below.

Your Computer is Clean


Some final items:

To remove all of the tools we used and the files and folders they created, please do the following:

Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Follow these steps to uninstall Combofix and the tools used in the removal of malware:

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, FIREFOX and OPERA. Both are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from starting on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial for Spywareblaster can be found here.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Secunia software inspector & update checker

Visit My Blog for Malware and Spyware Tips

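The six Internet Explorer settings listed in the post above are stored as DWORD values under the Internet zone key in the registry, so they can be checked (and corrected) for a user without clicking through the dialog, which is handy when you have several machines in the house to look at. The script below is an added example, not code from the thread: it audits the current user's Internet zone against the recommended values and, with -Fix, writes them. The action IDs, the zone number (3 = Internet) and the 0/1/3 encoding (Enable/Prompt/Disable) are the ones Microsoft documents for IE security zones; the function names are my own.

```powershell
# Added example; not code from the original thread. Audits, and with -Fix sets,
# the six Internet-zone settings the post recommends, by reading the registry
# values behind Internet Options rather than clicking through the dialog.
# Action IDs, zone number (3 = Internet) and the 0/1/3 encoding (Enable/Prompt/
# Disable) are the ones Microsoft documents for IE zone settings. Writes only to
# the current user's hive; machine policy in HKLM can still override it.

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# One entry per setting named in the post, with the recommended value.
$Settings = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)

function ConvertTo-ZoneLabel {
    param($Value)
    if ($null -eq $Value) { return 'not set (IE default)' }
    switch ([int]$Value) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "unknown ($Value)" } }
}

function Get-InternetZoneSetting {
    param([hashtable]$Setting)
    $prop = Get-ItemProperty -Path $ZoneKey -Name $Setting.Id -ErrorAction SilentlyContinue
    $have = $null
    if ($prop) { $have = [int]$prop.($Setting.Id) }
    [pscustomobject]@{
        Id      = $Setting.Id
        Setting = $Setting.Name
        Current = ConvertTo-ZoneLabel $have
        Wanted  = ConvertTo-ZoneLabel $Setting.Want
        Ok      = ($have -eq $Setting.Want)
    }
}

function Set-InternetZoneSetting {
    param([hashtable]$Setting)
    if (-not (Test-Path $ZoneKey)) { New-Item -Path $ZoneKey -Force | Out-Null }
    # -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $ZoneKey -Name $Setting.Id -Value $Setting.Want -PropertyType DWord -Force | Out-Null
}

function Invoke-InternetZoneAudit {
    param([switch]$Fix)
    if ($Fix) {
        foreach ($s in $Settings) {
            $r = Get-InternetZoneSetting -Setting $s
            if (-not $r.Ok) { Set-InternetZoneSetting -Setting $s }
        }
    }
    # Report the state after any changes so the table shows what IE will use.
    foreach ($s in $Settings) { Get-InternetZoneSetting -Setting $s }
}

# Report only; run 'Invoke-InternetZoneAudit -Fix' to apply the recommended values.
Invoke-InternetZoneAudit | Format-Table -AutoSize
```

A row showing "not set (IE default)" means the dialog has never changed that setting for this user and IE is using its built-in default for the zone, which is not necessarily the value recommended here; close Internet Explorer before running with -Fix so that the new values are picked up on the next start.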


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
