

Hello All !

First off, great work all of you helpers; I've read many of these topics and your help is very impressive !

As mentioned above, I did read quite a few posts since many have the same issue that I have with my brother's computer. Being IT support myself I did manage to clean up parts of it, but for the rest I tried many "solutions" posted here and there and nothing works.

So his computer was infected with XP 2011 and most of it is gone (nothing seems to be running) BUT, searching Google does still send us to the wrong sites with publicity, Mbam closes itself right before scanning and other anti-spyware software need the cacls tweak to run every time and they too stall at some point. Also, ESET is on there but HTTP and POP3 services are down and NOD32 is detecting Virut.NDB in some good software (such as himself).

So now I'm asking you guys, what next ?

Thank you very much !

Louis

Also I forgot to add this (probably) useful information; MBAM and GMER (renamed version) close themselves automatically before scanning and then I am unable to open/rename/delete them without doing the cacls /g username:F command.

Also, NOD32 detected Rootkits in his modem.sys and afd.sys files under system32\drivers.

Thank you !


  • Staff

Hi and welcome to Malwarebytes.

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu). Rename mbam.exe to explorer.com; try running it. If it works, run a Quick Scan, and post its log.

Back in Normal Mode, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.


*** First off, many thanks for your reply / help !! So many users here in your debt. Second, MBAM didn't work in Safe mode with the renaming trick; it did the same thing and is now locked by permissions.

As for DDS :

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Utilisateur at 9:20:15,62 on 2011-05-13

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.511.148 [GMT -4:00]

.

.

============== Running Processes ===============

.

"\\.\globalroot\Device\svchost.exe\svchost.exe"

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Lexmark Pro200-S500 Series\lxebmon.exe

C:\Program Files\Lexmark Pro200-S500 Series\ezprint.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

svchost.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Utilisateur\Bureau\dds.scr

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://search.live.com

uSearch Bar = hxxp://search.live.com/sphome.aspx

uStart Page = hxxp://www.google.ca/

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://search.live.com/sphome.aspx

BHO: Aide pour le lien d'Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\fichiers communs\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Lexmark : {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [lxebmon.exe] "c:\program files\lexmark pro200-s500 series\lxebmon.exe"

mRun: [EzPrint] "c:\program files\lexmark pro200-s500 series\ezprint.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: mswsock.dll

Trusted Zone: dyndns.info\osg

DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} - hxxps://my.sabre.com/jars/TMinReqX.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222893759179

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-9 54752]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-3-1 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-3-17 47640]

R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-1-26 50704]

R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2005-1-26 92550]

R3 vbma11df;Virtual Bus for Microsoft ACPI-Compliant System;c:\windows\system32\drivers\vbma11df.sys [2004-8-5 62592]

S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys --> c:\windows\system32\drivers\ehdrv.sys [?]

S1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys --> c:\windows\system32\drivers\epfwtdir.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 ekrn;ESET Service;"c:\program files\eset\eset nod32 antivirus\ekrn.exe" --> c:\program files\eset\eset nod32 antivirus\ekrn.exe [?]

S2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe -service --> c:\windows\system32\lxebcoms.exe -service [?]

S2 lxebCATSCustConnectService;lxebCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\\lxebserv.exe --> c:\windows\system32\spool\drivers\w32x86\3\\lxebserv.exe [?]

S3 fsssvc;Service Windows Live Contr

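A small triage pass over the "Running Processes" section of a DDS log like the one above, added here as an example; it is not part of the post and not code from DDS itself. The excerpt is constructed from a handful of the lines posted. The rules it applies are my own assumptions about what is worth a second look in such a list: an image with no absolute path, a `\\.\globalroot` device-namespace path, and an executable sitting inside a directory that is itself named like an executable (the `\Device\svchost.exe\svchost.exe` entry triggers the last two).

```python
import re

# Constructed excerpt modelled on the "Running Processes" section of the DDS log
# posted above (a handful of its lines, not the whole log).
DDS_EXCERPT = r'''
============== Running Processes ===============
.
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Documents and Settings\Utilisateur\Bureau\dds.scr
.
============== Pseudo HJT Report ===============
'''

# Triage rules (assumed heuristics, not DDS output categories).
REASON_BARE = "no absolute path (bare image name)"
REASON_GLOBALROOT = "globalroot device-namespace path"
REASON_EXE_DIR = "parent directory named like an executable"


def running_processes(text):
    """Return the non-empty lines of the 'Running Processes' section of a DDS log."""
    lines = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=====") and "Running Processes" in line:
            in_section = True
            continue
        if in_section and line.startswith("====="):
            break  # next DDS section reached
        if in_section and line and line != ".":
            lines.append(line)
    return lines


def image_path(line):
    """Strip arguments such as ' -k netsvcs'; a quoted image path may contain spaces."""
    if line.startswith('"'):
        end = line.find('"', 1)
        return line[1:end] if end > 0 else line[1:]
    return re.match(r"(.+?)(\s+-\S.*)?$", line).group(1)


def triage_process(line):
    """List the reasons a process entry looks abnormal (empty list if none)."""
    path = image_path(line).lower()
    reasons = []
    if path.startswith(r"\\.\globalroot") or path.startswith(r"\\?\globalroot"):
        reasons.append(REASON_GLOBALROOT)
    elif not re.match(r"^[a-z]:\\", path) and not path.startswith("\\\\"):
        reasons.append(REASON_BARE)
    # An image whose *directory* is named like an executable is worth a look:
    # "...\svchost.exe\svchost.exe" is not where the Windows svchost.exe lives.
    parts = path.split("\\")
    if any(p.endswith(".exe") for p in parts[:-1]):
        reasons.append(REASON_EXE_DIR)
    return reasons


def triage(text):
    """(line, reasons) for every abnormal entry, in log order; duplicate lines are kept."""
    result = []
    for line in running_processes(text):
        reasons = triage_process(line)
        if reasons:
            result.append((line, reasons))
    return result


if __name__ == "__main__":
    for line, reasons in triage(DDS_EXCERPT):
        print(line, "->", "; ".join(reasons))
```

Run against the excerpt it reports two entries: the quoted `\\.\globalroot\Device\svchost.exe\svchost.exe` line and the bare `svchost.exe` line. Paths such as `C:\WINDOWS\system32\svchost -k DcomLaunch` (no `.exe` suffix, but an absolute path) pass, which is deliberate: the rules only flag what a helper cannot resolve from the list itself.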

  • Staff

Hi,

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility writes a runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is like UtilityName.Version_Date_Time_log.txt.

For example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.


2011/05/17 08:22:08.0265 2868 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29

2011/05/17 08:22:08.0585 2868 ================================================================================

2011/05/17 08:22:08.0585 2868 SystemInfo:

2011/05/17 08:22:08.0585 2868

2011/05/17 08:22:08.0585 2868 OS Version: 5.1.2600 ServicePack: 3.0

2011/05/17 08:22:08.0585 2868 Product type: Workstation

2011/05/17 08:22:08.0585 2868 ComputerName: USER-93614EA3BC

2011/05/17 08:22:08.0585 2868 UserName: Utilisateur

2011/05/17 08:22:08.0585 2868 Windows directory: C:\WINDOWS

2011/05/17 08:22:08.0585 2868 System windows directory: C:\WINDOWS

2011/05/17 08:22:08.0585 2868 Processor architecture: Intel x86

2011/05/17 08:22:08.0585 2868 Number of processors: 1

2011/05/17 08:22:08.0585 2868 Page size: 0x1000

2011/05/17 08:22:08.0585 2868 Boot type: Normal boot

2011/05/17 08:22:08.0585 2868 ================================================================================

2011/05/17 08:22:09.0126 2868 Initialize success

2011/05/17 08:22:13.0422 3132 ================================================================================

2011/05/17 08:22:13.0422 3132 Scan started

2011/05/17 08:22:13.0422 3132 Mode: Manual;

2011/05/17 08:22:13.0422 3132 ================================================================================

2011/05/17 08:22:16.0377 3132 ACPI (e5e6dbfc41ea8aad005cb9a57a96b43b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/05/17 08:22:16.0457 3132 ACPIEC (e4abc1212b70bb03d35e60681c447210) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/05/17 08:22:16.0587 3132 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/05/17 08:22:16.0657 3132 AFD (9b876160fae880a4203ab71810a8549a) C:\WINDOWS\System32\drivers\afd.sys

2011/05/17 08:22:16.0677 3132 AFD - detected Rootkit.Win32.ZAccess.c (0)

2011/05/17 08:22:16.0737 3132 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2011/05/17 08:22:17.0158 3132 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys

2011/05/17 08:22:17.0498 3132 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/05/17 08:22:17.0568 3132 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/05/17 08:22:17.0819 3132 ati2mtag (246248aada156450be611eceaa5fe033) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/05/17 08:22:17.0999 3132 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/05/17 08:22:18.0099 3132 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/05/17 08:22:18.0179 3132 b57w2k (48bf91cffbcdd12a710207f2a08fec4d) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

2011/05/17 08:22:18.0289 3132 BCM43XX (30d20fc98bcfd52e1da778cf19b223d4) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

2011/05/17 08:22:18.0440 3132 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/05/17 08:22:18.0530 3132 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/05/17 08:22:18.0650 3132 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/05/17 08:22:18.0740 3132 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/05/17 08:22:18.0810 3132 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/05/17 08:22:19.0010 3132 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/05/17 08:22:19.0120 3132 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/05/17 08:22:19.0411 3132 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/05/17 08:22:19.0521 3132 dmboot (f5deadd42335fb33edca74ecb2f36cba) C:\WINDOWS\system32\drivers\dmboot.sys

2011/05/17 08:22:19.0651 3132 dmio (5a7c47c9b3f9fb92a66410a7509f0c71) C:\WINDOWS\system32\drivers\dmio.sys

2011/05/17 08:22:19.0751 3132 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/05/17 08:22:19.0842 3132 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/05/17 08:22:19.0992 3132 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/05/17 08:22:20.0332 3132 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/05/17 08:22:20.0422 3132 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/05/17 08:22:20.0492 3132 Fips (31f923eb2170fc172c81abda0045d18c) C:\WINDOWS\system32\drivers\Fips.sys

2011/05/17 08:22:20.0553 3132 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/05/17 08:22:20.0623 3132 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/05/17 08:22:20.0733 3132 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys

2011/05/17 08:22:20.0813 3132 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/05/17 08:22:20.0903 3132 Ftdisk (a86859b77b908c18c2657f284aa29fe3) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/05/17 08:22:20.0983 3132 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/05/17 08:22:21.0053 3132 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/05/17 08:22:21.0173 3132 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/05/17 08:22:21.0334 3132 HSFHWICH (a84bbbdd125d370593004f6429f8445c) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys

2011/05/17 08:22:21.0444 3132 HSF_DPV (b678fa91cf4a1c19b462d8db04cd02ab) C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS

2011/05/17 08:22:21.0604 3132 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/05/17 08:22:21.0814 3132 i8042prt (a09bdc4ed10e3b2e0ec27bb94af32516) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/05/17 08:22:21.0904 3132 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/05/17 08:22:22.0075 3132 IntelIde (4b6da2f0a4095857a9e3f3697399d575) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/05/17 08:22:22.0125 3132 intelppm (ad340800c35a42d4de1641a37feea34c) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/05/17 08:22:22.0215 3132 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/05/17 08:22:22.0305 3132 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/05/17 08:22:22.0375 3132 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/05/17 08:22:22.0475 3132 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/05/17 08:22:22.0575 3132 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/05/17 08:22:22.0656 3132 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/05/17 08:22:22.0746 3132 isapnp (355836975a67b6554bca60328cd6cb74) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/05/17 08:22:22.0846 3132 Kbdclass (16813155807c6881f4bfbf6657424659) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/05/17 08:22:22.0926 3132 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/05/17 08:22:22.0986 3132 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/05/17 08:22:23.0186 3132 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys

2011/05/17 08:22:23.0296 3132 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys

2011/05/17 08:22:23.0447 3132 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys

2011/05/17 08:22:23.0567 3132 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2011/05/17 08:22:23.0657 3132 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/05/17 08:22:23.0807 3132 Mouclass (027c01bd7ef3349aaebc883d8a799efb) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/05/17 08:22:23.0897 3132 mouhid (124d6846040c79b9c997f78ef4b2a4e5) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/05/17 08:22:23.0967 3132 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/05/17 08:22:24.0128 3132 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/05/17 08:22:24.0218 3132 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/05/17 08:22:24.0348 3132 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/05/17 08:22:24.0428 3132 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/05/17 08:22:24.0498 3132 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/05/17 08:22:24.0578 3132 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/05/17 08:22:24.0648 3132 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/05/17 08:22:24.0699 3132 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/05/17 08:22:24.0789 3132 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/05/17 08:22:24.0879 3132 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/05/17 08:22:24.0949 3132 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/05/17 08:22:25.0009 3132 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/05/17 08:22:25.0059 3132 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/05/17 08:22:25.0139 3132 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/05/17 08:22:25.0199 3132 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/05/17 08:22:25.0339 3132 npf (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys

2011/05/17 08:22:25.0390 3132 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/05/17 08:22:25.0490 3132 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/05/17 08:22:25.0600 3132 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/05/17 08:22:25.0710 3132 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/05/17 08:22:25.0770 3132 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/05/17 08:22:25.0900 3132 OZSCR (ab2b07ac4afd38f574d903eaf9e98a60) C:\WINDOWS\system32\DRIVERS\ozscr.sys

2011/05/17 08:22:25.0980 3132 Parport (8fd0bdbea875d06ccf6c945ca9abaf75) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/05/17 08:22:26.0030 3132 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/05/17 08:22:26.0101 3132 ParVdm (9575c5630db8fb804649a6959737154c) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/05/17 08:22:26.0191 3132 PCI (043410877bda580c528f45165f7125bc) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/05/17 08:22:26.0341 3132 PCIIde (f4bfde7209c14a07aaa61e4d6ae69eac) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/05/17 08:22:26.0401 3132 Pcmcia (f0406cbc60bdb0394a0e17ffb04cdd3d) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2011/05/17 08:22:26.0842 3132 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/05/17 08:22:26.0892 3132 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/05/17 08:22:26.0952 3132 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/05/17 08:22:27.0292 3132 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/05/17 08:22:27.0362 3132 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/05/17 08:22:27.0442 3132 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/05/17 08:22:27.0503 3132 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/05/17 08:22:27.0583 3132 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/05/17 08:22:27.0643 3132 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/05/17 08:22:27.0723 3132 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/05/17 08:22:27.0883 3132 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/05/17 08:22:27.0973 3132 redbook (d8eb2a7904db6c916eb5361878ddcbae) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/05/17 08:22:28.0184 3132 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/05/17 08:22:28.0274 3132 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/05/17 08:22:28.0344 3132 Serial (93d313c31f7ad9ea2b75f26075413c7c) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/05/17 08:22:28.0504 3132 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

2011/05/17 08:22:28.0694 3132 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/05/17 08:22:28.0794 3132 sr (39626e6dc1fb39434ec40c42722b660a) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/05/17 08:22:28.0895 3132 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/05/17 08:22:29.0015 3132 STAC97 (5813d453ef8ce49d607c255cf128aceb) C:\WINDOWS\system32\drivers\stac97.sys

2011/05/17 08:22:29.0115 3132 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/05/17 08:22:29.0185 3132 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/05/17 08:22:29.0525 3132 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/05/17 08:22:29.0646 3132 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/05/17 08:22:29.0746 3132 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/05/17 08:22:29.0826 3132 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/05/17 08:22:29.0886 3132 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/05/17 08:22:30.0026 3132 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/05/17 08:22:30.0206 3132 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/05/17 08:22:30.0337 3132 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys

2011/05/17 08:22:30.0427 3132 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/05/17 08:22:30.0497 3132 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/05/17 08:22:30.0577 3132 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/05/17 08:22:30.0657 3132 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/05/17 08:22:30.0777 3132 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/05/17 08:22:30.0917 3132 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/05/17 08:22:30.0988 3132 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/05/17 08:22:31.0088 3132 vbma11df (9da42526fabf8ff7c992a9662a82a1bf) C:\WINDOWS\system32\drivers\vbma11df.sys

2011/05/17 08:22:31.0088 3132 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbma11df.sys. md5: 9da42526fabf8ff7c992a9662a82a1bf

2011/05/17 08:22:31.0108 3132 vbma11df - detected LockedFile.Multi.Generic (1)

2011/05/17 08:22:31.0168 3132 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/05/17 08:22:31.0328 3132 VolSnap (46de1126684369bace4849e4fc8c43ca) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/05/17 08:22:31.0418 3132 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/05/17 08:22:31.0568 3132 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/05/17 08:22:31.0679 3132 winachsf (0c5b9cf1bdf998750d9c5eeb5f8c55ac) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2011/05/17 08:22:31.0969 3132 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/05/17 08:22:32.0059 3132 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/05/17 08:22:32.0329 3132 ================================================================================

2011/05/17 08:22:32.0329 3132 Scan finished

2011/05/17 08:22:32.0329 3132 ================================================================================

2011/05/17 08:22:32.0360 1580 Detected object count: 2

2011/05/17 08:23:06.0579 1580 AFD (9b876160fae880a4203ab71810a8549a) C:\WINDOWS\System32\drivers\afd.sys

2011/05/17 08:23:09.0172 1580 Backup copy found, using it..

2011/05/17 08:23:09.0182 1580 C:\WINDOWS\System32\drivers\afd.sys - will be cured after reboot

2011/05/17 08:23:09.0182 1580 Rootkit.Win32.ZAccess.c(AFD) - User select action: Cure

2011/05/17 08:23:09.0192 1580 LockedFile.Multi.Generic(vbma11df) - User select action: Skip

2011/05/17 08:23:18.0366 4028 Deinitialize success

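A parser for TDSSKiller logs of the kind posted above, added here as an example; it is not part of the post and not code from Kaspersky's tool. It pulls the driver inventory, the `- detected` verdicts, the `Suspicious file` entries and the `User select action` lines into one summary, and diffs two inventories so a helper can see which drivers changed between runs. The four line patterns are my reading of the lines posted, not a documented format. The first excerpt is trimmed from the log above; the second is trimmed from the follow-up scan posted later in the thread, where AFD resolves to a different hash and path.

```python
import re

# Constructed excerpts: SCAN_1 is trimmed from the TDSSKiller log posted above
# (2011/05/17); SCAN_2 is trimmed from the follow-up scan posted later in the
# thread (2011/05/20). Only the lines the parser needs are kept.
SCAN_1 = r"""
2011/05/17 08:22:13.0422 3132 Scan started
2011/05/17 08:22:16.0657 3132 AFD (9b876160fae880a4203ab71810a8549a) C:\WINDOWS\System32\drivers\afd.sys
2011/05/17 08:22:16.0677 3132 AFD - detected Rootkit.Win32.ZAccess.c (0)
2011/05/17 08:22:16.0737 3132 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/05/17 08:22:31.0088 3132 vbma11df (9da42526fabf8ff7c992a9662a82a1bf) C:\WINDOWS\system32\drivers\vbma11df.sys
2011/05/17 08:22:31.0088 3132 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbma11df.sys. md5: 9da42526fabf8ff7c992a9662a82a1bf
2011/05/17 08:22:31.0108 3132 vbma11df - detected LockedFile.Multi.Generic (1)
2011/05/17 08:22:32.0329 3132 Scan finished
2011/05/17 08:22:32.0360 1580 Detected object count: 2
2011/05/17 08:23:09.0182 1580 Rootkit.Win32.ZAccess.c(AFD) - User select action: Cure
2011/05/17 08:23:09.0192 1580 LockedFile.Multi.Generic(vbma11df) - User select action: Skip
"""

SCAN_2 = r"""
2011/05/20 08:08:34.0740 2632 Scan started
2011/05/20 08:08:38.0315 2632 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\system32\drivers\tsk27.tmp
2011/05/20 08:08:38.0385 2632 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
"""

# Every TDSSKiller line starts with "date time pid "; the patterns below are
# assumed from the posted lines and describe the four shapes this summary uses.
PREFIX = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+"
ENTRY = re.compile(PREFIX + r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
DETECT = re.compile(PREFIX + r"(?P<name>\S+) - detected (?P<verdict>\S+) \((?P<code>\d+)\)$")
SUSPICIOUS = re.compile(PREFIX + r"Suspicious file \((?P<why>[^)]+)\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})$")
ACTION = re.compile(PREFIX + r"(?P<verdict>[^(]+)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$")


def parse_tdsskiller(text):
    """Summarise one scan: driver inventory, detections (with the action taken) and suspicious files."""
    drivers, detections, suspicious = {}, {}, []
    for line in text.splitlines():
        line = line.rstrip()
        if m := ENTRY.match(line):
            drivers[m["name"]] = {"md5": m["md5"], "path": m["path"]}
        elif m := DETECT.match(line):
            known = drivers.get(m["name"], {})  # inventory line precedes its verdict
            detections[m["name"]] = {
                "verdict": m["verdict"],
                "md5": known.get("md5"),
                "path": known.get("path"),
                "action": None,  # filled in when the 'User select action' line arrives
            }
        elif m := SUSPICIOUS.match(line):
            suspicious.append({"why": m["why"], "path": m["path"], "md5": m["md5"]})
        elif m := ACTION.match(line):
            if m["name"] in detections:
                detections[m["name"]]["action"] = m["action"]
    return {"drivers": drivers, "detections": detections, "suspicious": suspicious}


def diff_inventory(before, after):
    """Drivers whose MD5 or on-disk path changed between two parsed scans: name -> (old, new)."""
    changed = {}
    for name, old in before["drivers"].items():
        new = after["drivers"].get(name)
        if new and (new["md5"] != old["md5"] or new["path"].lower() != old["path"].lower()):
            changed[name] = (old, new)
    return changed


if __name__ == "__main__":
    first, second = parse_tdsskiller(SCAN_1), parse_tdsskiller(SCAN_2)
    for name, d in first["detections"].items():
        print(f"{name}: {d['verdict']} at {d['path']} md5={d['md5']} action={d['action']}")
    for s in first["suspicious"]:
        print(f"suspicious ({s['why']}): {s['path']}")
    for name, (old, new) in diff_inventory(first, second).items():
        print(f"{name} changed: {old['path']} {old['md5']} -> {new['path']} {new['md5']}")
```

The inventory diff is the useful part when a thread runs to several scans: it reports AFD (new hash, new path) and stays silent on agp440, so a helper can confirm at a glance that a "will be cured after reboot" entry actually changed on disk rather than re-reading a 150-line log.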

TDSSKiller : Log below. Found 2 threats again, the same vbmaXXX.sys and now another system file.

MBAM : Updated to the latest version, tried to run it, but to no avail. Still closes right at the beginning and then is impossible to open without cacls. I did rename it to explorer.com.

DDS : Log below.

2011/05/20 08:08:30.0243 2468 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29

2011/05/20 08:08:30.0544 2468 ================================================================================

2011/05/20 08:08:30.0544 2468 SystemInfo:

2011/05/20 08:08:30.0544 2468

2011/05/20 08:08:30.0544 2468 OS Version: 5.1.2600 ServicePack: 3.0

2011/05/20 08:08:30.0544 2468 Product type: Workstation

2011/05/20 08:08:30.0544 2468 ComputerName: USER-93614EA3BC

2011/05/20 08:08:30.0544 2468 UserName: Utilisateur

2011/05/20 08:08:30.0544 2468 Windows directory: C:\WINDOWS

2011/05/20 08:08:30.0544 2468 System windows directory: C:\WINDOWS

2011/05/20 08:08:30.0544 2468 Processor architecture: Intel x86

2011/05/20 08:08:30.0544 2468 Number of processors: 1

2011/05/20 08:08:30.0544 2468 Page size: 0x1000

2011/05/20 08:08:30.0544 2468 Boot type: Normal boot

2011/05/20 08:08:30.0544 2468 ================================================================================

2011/05/20 08:08:30.0754 2468 Initialize success

2011/05/20 08:08:34.0740 2632 ================================================================================

2011/05/20 08:08:34.0740 2632 Scan started

2011/05/20 08:08:34.0740 2632 Mode: Manual;

2011/05/20 08:08:34.0740 2632 ================================================================================

2011/05/20 08:08:37.0925 2632 ACPI (e5e6dbfc41ea8aad005cb9a57a96b43b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/05/20 08:08:38.0045 2632 ACPIEC (e4abc1212b70bb03d35e60681c447210) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/05/20 08:08:38.0205 2632 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/05/20 08:08:38.0315 2632 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\system32\drivers\tsk27.tmp

2011/05/20 08:08:38.0385 2632 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2011/05/20 08:08:38.0956 2632 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys

2011/05/20 08:08:39.0307 2632 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/05/20 08:08:39.0367 2632 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/05/20 08:08:39.0597 2632 ati2mtag (246248aada156450be611eceaa5fe033) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/05/20 08:08:39.0667 2632 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/05/20 08:08:39.0767 2632 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/05/20 08:08:39.0847 2632 b57w2k (48bf91cffbcdd12a710207f2a08fec4d) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

2011/05/20 08:08:40.0028 2632 BCM43XX (30d20fc98bcfd52e1da778cf19b223d4) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

2011/05/20 08:08:40.0228 2632 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/05/20 08:08:40.0348 2632 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/05/20 08:08:40.0508 2632 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/05/20 08:08:40.0628 2632 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/05/20 08:08:40.0749 2632 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/05/20 08:08:40.0889 2632 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/05/20 08:08:40.0949 2632 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/05/20 08:08:41.0209 2632 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/05/20 08:08:41.0309 2632 dmboot (f5deadd42335fb33edca74ecb2f36cba) C:\WINDOWS\system32\drivers\dmboot.sys

2011/05/20 08:08:41.0470 2632 dmio (5a7c47c9b3f9fb92a66410a7509f0c71) C:\WINDOWS\system32\drivers\dmio.sys

2011/05/20 08:08:41.0590 2632 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/05/20 08:08:41.0670 2632 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/05/20 08:08:41.0780 2632 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/05/20 08:08:42.0171 2632 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/05/20 08:08:42.0291 2632 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/05/20 08:08:42.0351 2632 Fips (31f923eb2170fc172c81abda0045d18c) C:\WINDOWS\system32\drivers\Fips.sys

2011/05/20 08:08:42.0391 2632 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/05/20 08:08:42.0481 2632 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/05/20 08:08:42.0591 2632 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys

2011/05/20 08:08:42.0651 2632 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/05/20 08:08:42.0751 2632 Ftdisk (a86859b77b908c18c2657f284aa29fe3) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/05/20 08:08:42.0822 2632 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/05/20 08:08:42.0882 2632 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/05/20 08:08:42.0982 2632 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/05/20 08:08:43.0122 2632 HSFHWICH (a84bbbdd125d370593004f6429f8445c) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys

2011/05/20 08:08:43.0262 2632 HSF_DPV (b678fa91cf4a1c19b462d8db04cd02ab) C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS

2011/05/20 08:08:43.0473 2632 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/05/20 08:08:43.0763 2632 i8042prt (a09bdc4ed10e3b2e0ec27bb94af32516) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/05/20 08:08:43.0923 2632 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/05/20 08:08:44.0123 2632 IntelIde (4b6da2f0a4095857a9e3f3697399d575) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/05/20 08:08:44.0204 2632 intelppm (ad340800c35a42d4de1641a37feea34c) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/05/20 08:08:44.0284 2632 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/05/20 08:08:44.0414 2632 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/05/20 08:08:44.0604 2632 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/05/20 08:08:44.0794 2632 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/05/20 08:08:45.0195 2632 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/05/20 08:08:45.0505 2632 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/05/20 08:08:45.0606 2632 isapnp (355836975a67b6554bca60328cd6cb74) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/05/20 08:08:45.0686 2632 Kbdclass (16813155807c6881f4bfbf6657424659) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/05/20 08:08:45.0766 2632 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/05/20 08:08:45.0856 2632 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/05/20 08:08:46.0176 2632 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys

2011/05/20 08:08:46.0297 2632 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys

2011/05/20 08:08:46.0417 2632 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys

2011/05/20 08:08:46.0537 2632 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2011/05/20 08:08:46.0637 2632 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/05/20 08:08:46.0797 2632 Mouclass (027c01bd7ef3349aaebc883d8a799efb) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/05/20 08:08:46.0907 2632 mouhid (124d6846040c79b9c997f78ef4b2a4e5) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/05/20 08:08:46.0998 2632 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/05/20 08:08:47.0138 2632 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/05/20 08:08:47.0298 2632 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/05/20 08:08:47.0418 2632 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/05/20 08:08:47.0558 2632 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/05/20 08:08:47.0649 2632 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/05/20 08:08:47.0739 2632 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/05/20 08:08:47.0869 2632 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/05/20 08:08:47.0959 2632 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/05/20 08:08:48.0119 2632 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/05/20 08:08:48.0199 2632 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/05/20 08:08:48.0309 2632 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/05/20 08:08:48.0380 2632 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/05/20 08:08:48.0450 2632 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/05/20 08:08:48.0550 2632 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/05/20 08:08:48.0630 2632 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/05/20 08:08:48.0830 2632 npf (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys

2011/05/20 08:08:48.0920 2632 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/05/20 08:08:49.0020 2632 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/05/20 08:08:49.0171 2632 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/05/20 08:08:49.0261 2632 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/05/20 08:08:49.0321 2632 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/05/20 08:08:49.0431 2632 OZSCR (ab2b07ac4afd38f574d903eaf9e98a60) C:\WINDOWS\system32\DRIVERS\ozscr.sys

2011/05/20 08:08:49.0511 2632 Parport (8fd0bdbea875d06ccf6c945ca9abaf75) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/05/20 08:08:49.0571 2632 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/05/20 08:08:49.0651 2632 ParVdm (9575c5630db8fb804649a6959737154c) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/05/20 08:08:49.0732 2632 PCI (043410877bda580c528f45165f7125bc) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/05/20 08:08:49.0892 2632 PCIIde (f4bfde7209c14a07aaa61e4d6ae69eac) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/05/20 08:08:49.0972 2632 Pcmcia (f0406cbc60bdb0394a0e17ffb04cdd3d) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2011/05/20 08:08:50.0543 2632 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/05/20 08:08:50.0673 2632 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/05/20 08:08:50.0803 2632 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/05/20 08:08:51.0244 2632 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/05/20 08:08:51.0354 2632 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/05/20 08:08:51.0424 2632 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/05/20 08:08:51.0514 2632 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/05/20 08:08:51.0584 2632 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/05/20 08:08:51.0634 2632 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/05/20 08:08:51.0714 2632 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/05/20 08:08:51.0804 2632 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/05/20 08:08:51.0895 2632 redbook (d8eb2a7904db6c916eb5361878ddcbae) C:\WINDOWS\system32\drivers\tsk1E.tmp

2011/05/20 08:08:52.0115 2632 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/05/20 08:08:52.0235 2632 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/05/20 08:08:52.0305 2632 Serial (93d313c31f7ad9ea2b75f26075413c7c) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/05/20 08:08:52.0445 2632 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

2011/05/20 08:08:52.0836 2632 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/05/20 08:08:52.0946 2632 sr (39626e6dc1fb39434ec40c42722b660a) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/05/20 08:08:53.0046 2632 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/05/20 08:08:53.0186 2632 STAC97 (5813d453ef8ce49d607c255cf128aceb) C:\WINDOWS\system32\drivers\stac97.sys

2011/05/20 08:08:53.0247 2632 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/05/20 08:08:53.0307 2632 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/05/20 08:08:53.0567 2632 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/05/20 08:08:53.0727 2632 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/05/20 08:08:53.0827 2632 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/05/20 08:08:53.0978 2632 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/05/20 08:08:54.0048 2632 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/05/20 08:08:54.0198 2632 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/05/20 08:08:54.0378 2632 Update (30b840843824c95b25c0631f86ac71bc) C:\WINDOWS\system32\DRIVERS\update.sys

2011/05/20 08:08:54.0378 2632 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\update.sys. Real md5: 30b840843824c95b25c0631f86ac71bc, Fake md5: 402ddc88356b1bac0ee3dd1580c76a31

2011/05/20 08:08:54.0408 2632 Update - detected Rootkit.Win32.ZAccess.c (0)

2011/05/20 08:08:54.0548 2632 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys

2011/05/20 08:08:54.0619 2632 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/05/20 08:08:54.0719 2632 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/05/20 08:08:54.0789 2632 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/05/20 08:08:54.0879 2632 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/05/20 08:08:55.0009 2632 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/05/20 08:08:55.0159 2632 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/05/20 08:08:55.0269 2632 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/05/20 08:08:55.0410 2632 vbma11df (9da42526fabf8ff7c992a9662a82a1bf) C:\WINDOWS\system32\drivers\vbma11df.sys

2011/05/20 08:08:55.0410 2632 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbma11df.sys. md5: 9da42526fabf8ff7c992a9662a82a1bf

2011/05/20 08:08:55.0430 2632 vbma11df - detected LockedFile.Multi.Generic (1)

2011/05/20 08:08:55.0540 2632 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/05/20 08:08:55.0670 2632 VolSnap (46de1126684369bace4849e4fc8c43ca) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/05/20 08:08:55.0780 2632 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/05/20 08:08:55.0910 2632 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/05/20 08:08:56.0091 2632 winachsf (0c5b9cf1bdf998750d9c5eeb5f8c55ac) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2011/05/20 08:08:56.0381 2632 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/05/20 08:08:56.0431 2632 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/05/20 08:08:56.0692 2632 ================================================================================

2011/05/20 08:08:56.0692 2632 Scan finished

2011/05/20 08:08:56.0692 2632 ================================================================================

2011/05/20 08:08:56.0722 0452 Detected object count: 2

2011/05/20 08:09:45.0742 0452 Update (30b840843824c95b25c0631f86ac71bc) C:\WINDOWS\system32\DRIVERS\update.sys

2011/05/20 08:09:45.0752 0452 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\update.sys. Real md5: 30b840843824c95b25c0631f86ac71bc, Fake md5: 402ddc88356b1bac0ee3dd1580c76a31

2011/05/20 08:09:47.0374 0452 Backup copy found, using it..

2011/05/20 08:09:47.0404 0452 C:\WINDOWS\system32\DRIVERS\update.sys - will be cured after reboot

2011/05/20 08:09:47.0404 0452 Rootkit.Win32.ZAccess.c(Update) - User select action: Cure

2011/05/20 08:09:47.0404 0452 LockedFile.Multi.Generic(vbma11df) - User select action: Skip

2011/05/20 08:09:56.0648 2352 Deinitialize success

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Utilisateur at 8:26:16,58 on 2011-05-20

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.511.186 [GMT -4:00]

.

.

============== Running Processes ===============

.

"\\.\globalroot\Device\svchost.exe\svchost.exe"

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Lexmark Pro200-S500 Series\lxebmon.exe

C:\Program Files\Lexmark Pro200-S500 Series\ezprint.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

svchost.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Documents and Settings\Utilisateur\Bureau\dds.scr

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://search.live.com

uSearch Bar = hxxp://search.live.com/sphome.aspx

uStart Page = hxxp://www.google.ca/

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://search.live.com/sphome.aspx

BHO: Aide pour le lien d'Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\fichiers communs\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Lexmark : {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [lxebmon.exe] "c:\program files\lexmark pro200-s500 series\lxebmon.exe"

mRun: [EzPrint] "c:\program files\lexmark pro200-s500 series\ezprint.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: mswsock.dll

Trusted Zone: dyndns.info\osg

DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} - hxxps://my.sabre.com/jars/TMinReqX.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222893759179

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-9 54752]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-3-1 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-3-17 47640]

R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-1-26 50704]

R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2005-1-26 92550]

R3 vbma11df;Virtual Bus for Microsoft ACPI-Compliant System;c:\windows\system32\drivers\vbma11df.sys [2004-8-5 62592]

S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys --> c:\windows\system32\drivers\ehdrv.sys [?]

S1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys --> c:\windows\system32\drivers\epfwtdir.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 ekrn;ESET Service;"c:\program files\eset\eset nod32 antivirus\ekrn.exe" --> c:\program files\eset\eset nod32 antivirus\ekrn.exe [?]

S2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe -service --> c:\windows\system32\lxebcoms.exe -service [?]

S2 lxebCATSCustConnectService;lxebCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\\lxebserv.exe --> c:\windows\system32\spool\drivers\w32x86\3\\lxebserv.exe [?]

S3 fsssvc;Service Windows Live Contr

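A small triage script over the kinds of logs posted above, added here as an example; it is not a Malwarebytes, Kaspersky or DDS tool and was not part of the staff instructions. It parses the TDSSKiller driver inventory ("timestamp pid Service (md5) path" lines), returns the verdict lines TDSSKiller wrote itself, flags drivers whose image is a .tmp file or has no drive letter, diffs two scans so a driver whose hash changed between runs stands out (Rasl2tp does between the May 20 and the May 26 scans in this thread), and picks out DDS "Running Processes" entries launched from the NT object namespace, like the "\\.\globalroot\Device\svchost.exe\svchost.exe" entry in the DDS log above. The log excerpts embedded in the script are copied from this thread; the function names and the checks are the example's own.

```python
"""Triage helper for TDSSKiller driver-inventory logs and DDS process lists.

Added example for this thread, not a Malwarebytes, Kaspersky or DDS tool.
Parses TDSSKiller's "<timestamp> <pid> <Service> (<md5>) <path>" lines,
returns the tool's own verdict lines, flags image paths that never belong
in a driver inventory, diffs two scans, and picks out DDS process entries
started from the NT object namespace.
"""
import re
from typing import Dict, List, Tuple

Inventory = Dict[str, Tuple[str, str]]  # service name -> (md5, image path)

DRIVER_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+"
    r"(?P<svc>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*)$"
)
# TDSSKiller's own verdict lines: "Suspicious file (...)" and "<svc> - detected".
ALERT_RE = re.compile(r"Suspicious file \(|\s-\sdetected\s")


def parse_inventory(log: str) -> Inventory:
    """Map each service to the (md5, path) TDSSKiller recorded for it."""
    inv: Inventory = {}
    for line in log.splitlines():
        m = DRIVER_RE.match(line.strip())
        if m:
            inv[m["svc"]] = (m["md5"].lower(), m["path"].strip())
    return inv


def tool_alerts(log: str) -> List[str]:
    """The 'Suspicious file' and '- detected' lines, verbatim."""
    return [ln.strip() for ln in log.splitlines() if ALERT_RE.search(ln)]


def flag_paths(inv: Inventory) -> List[Tuple[str, str]]:
    # A driver registered from a .tmp file is never a normal install, whether
    # it is a cleaner's pending rename or a dropper's leftover (redbook and
    # later AFD in this thread point at tsk*.tmp). A path with no drive
    # letter is loaded from somewhere a legitimate driver is not.
    findings = []
    for svc, (_md5, path) in inv.items():
        low = path.lower()
        if low.endswith(".tmp"):
            findings.append((svc, "image is a .tmp file: " + path))
        elif not re.match(r"^[a-z]:\\", low):
            findings.append((svc, "image path has no drive letter: " + path))
    return findings


def diff_scans(before: Inventory, after: Inventory) -> List[Tuple[str, str, str]]:
    """Services in both scans whose hash or path changed: (svc, old md5, new md5)."""
    changed = []
    for svc, (md5, path) in after.items():
        if svc in before and before[svc] != (md5, path):
            changed.append((svc, before[svc][0], md5))
    return sorted(changed)


def odd_image_paths(process_list: str) -> List[str]:
    # Entries whose image path starts with \\.\ or \Device\ rather than a
    # drive letter; no ordinary user-mode process is launched from there.
    hits = []
    for line in process_list.splitlines():
        path = line.strip().strip('"')
        if path.startswith("\\\\.\\") or path.lower().startswith("\\device\\"):
            hits.append(line.strip())
    return hits


# Excerpts copied from the two TDSSKiller logs (May 20 and May 26) and the
# DDS log in this thread; all other lines of those scans are omitted.
SCAN_MAY20 = r"""
2011/05/20 08:08:51.0354 2632 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/20 08:08:51.0424 2632 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/20 08:08:51.0895 2632 redbook (d8eb2a7904db6c916eb5361878ddcbae) C:\WINDOWS\system32\drivers\tsk1E.tmp
2011/05/20 08:08:54.0378 2632 Update (30b840843824c95b25c0631f86ac71bc) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/20 08:08:54.0378 2632 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\update.sys. Real md5: 30b840843824c95b25c0631f86ac71bc, Fake md5: 402ddc88356b1bac0ee3dd1580c76a31
2011/05/20 08:08:54.0408 2632 Update - detected Rootkit.Win32.ZAccess.c (0)
"""
SCAN_MAY26 = r"""
2011/05/26 16:51:52.0018 3712 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\system32\drivers\tsk27.tmp
2011/05/26 16:52:11.0185 3712 Rasl2tp (ed9cd4394c90f33577618d6994031fb4) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/26 16:52:11.0215 3712 Rasl2tp - detected Rootkit.Win32.ZAccess.c (0)
2011/05/26 16:52:11.0315 3712 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
"""
DDS_PROCESSES = r'''
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
'''

if __name__ == "__main__":
    a, b = parse_inventory(SCAN_MAY20), parse_inventory(SCAN_MAY26)
    for item in (tool_alerts(SCAN_MAY20) + tool_alerts(SCAN_MAY26) + flag_paths(a)
                 + flag_paths(b) + diff_scans(a, b) + odd_image_paths(DDS_PROCESSES)):
        print(item)
```

Run it over two full TDSSKiller logs saved from consecutive runs (read each file into the parse_inventory call) and the diff tells you which driver the infection moved to after the first cure, which is exactly why the staff ask for a fresh scan after every reboot.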

  • Staff

Hi,

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe, 511 KB) to your desktop. Double-click aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time)
  • Please post the contents of that log in your next reply.

There should also be a file on your desktop named MBR.dat. Right-click that file and select Send To > Compressed (zipped) folder. Please attach that zipped file in your next reply.


aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software

Run date: 2011-05-24 08:44:01

-----------------------------

08:44:01.015 OS Version: Windows 5.1.2600 Service Pack 3

08:44:01.015 Number of processors: 1 586 0x905

08:44:01.015 ComputerName: USER-93614EA3BC UserName: Utilisateur

08:44:02.026 Initialize success

08:44:08.415 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

08:44:08.415 Disk 0 Vendor: FUJITSU_MHT2040AH 006C Size: 38154MB BusType: 3

08:44:10.508 Disk 0 MBR read successfully

08:44:10.508 Disk 0 MBR scan

08:44:10.508 Disk 0 unknown MBR code

08:44:12.551 Disk 0 scanning sectors +78124095

08:44:12.591 Disk 0 scanning C:\WINDOWS\system32\drivers

08:44:19.511 Service scanning

08:44:21.354 Disk 0 trace - called modules:

08:44:21.364 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS

08:44:21.364 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82389ab8]

08:44:21.384 3 CLASSPNP.SYS[f8574fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x823ce030]

08:44:21.384 Scan finished successfully

08:45:17.935 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Utilisateur\Mes documents\MBR.dat"

08:45:17.935 The log file has been saved successfully to "C:\Documents and Settings\Utilisateur\Mes documents\aswMBR.txt"

MBR.zip

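The aswMBR log above reads the MBR, reports "unknown MBR code", and then scans sectors starting at +78124095, which on a 38154 MB disk is only about 15,000 sectors short of the end, i.e. the unpartitioned tail past the last partition. The script below is an added example for inspecting a raw MBR image such as the saved MBR.dat; it is not aswMBR's code and is not part of this thread. It checks the 0x55AA boot signature, decodes the partition table, hashes the 440-byte boot code so a copy can be compared against a known-good MBR, and computes the size of that tail. The sample sector it builds is constructed (the real partition table of the disk is not on the page; the single partition is chosen to end at LBA 78124095 so the tail lines up with the log), the disk signature is made up, and the "38154 MB means MiB" conversion is an assumption. It cannot reproduce aswMBR's "unknown MBR code" verdict, which needs the tool's database of known boot loaders.

```python
"""Inspect a raw MBR image such as the MBR.dat that aswMBR saves.

Added example, not part of aswMBR or of this thread. Verifies the 0x55AA
boot signature, decodes the four partition entries, hashes the 440-byte
boot code for comparison with a known-good copy, and computes the
unpartitioned tail past the last partition, the region a bootkit scanner
reads at the end of the disk.
"""
import hashlib
import struct
from typing import Dict, List, NamedTuple

SECTOR = 512


class Partition(NamedTuple):
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(mbr: bytes) -> Dict:
    """Decode signature, boot-code hash and the non-empty partition entries."""
    if len(mbr) < SECTOR:
        raise ValueError("MBR image must be at least 512 bytes")
    parts = []
    for i in range(4):
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return {
        "signature_ok": mbr[510:512] == b"\x55\xaa",
        "bootcode_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
        "partitions": parts,
    }


def unpartitioned_tail(parts: List[Partition], disk_sectors: int) -> int:
    """Sectors after the last partition; hidden bootkit storage is placed there."""
    end = max((p.lba_start + p.sectors for p in parts), default=0)
    return disk_sectors - end


def hints(info: Dict) -> List[str]:
    """Structural problems worth a look. An 'unknown MBR code' verdict needs
    a database of known boot loaders that this script does not carry."""
    out = []
    if not info["signature_ok"]:
        out.append("boot signature 0x55AA missing")
    parts = info["partitions"]
    if parts and not any(p.bootable for p in parts):
        out.append("no partition marked active")
    spans = sorted((p.lba_start, p.lba_start + p.sectors) for p in parts)
    if any(s2 < e1 for (_, e1), (s2, _) in zip(spans, spans[1:])):
        out.append("partition entries overlap")
    return out


def build_sample_mbr() -> bytes:
    """Constructed sector for the demo; the real partition table of the disk
    in the thread is not on the page. One NTFS partition ending at LBA
    78124095, the offset where aswMBR's log shows its sector scan starting."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xfa\x33\xc0"                      # placeholder boot code (cli; xor ax,ax)
    struct.pack_into("<I", mbr, 440, 0x12345678)    # disk signature, made up
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, 63, 78124032)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("signature ok:", info["signature_ok"], "bootcode sha256:", info["bootcode_sha256"])
    for p in info["partitions"]:
        print(p)
    # 38154 MB as reported by aswMBR, taken as MiB (2048 sectors each): assumption.
    print("tail sectors:", unpartitioned_tail(info["partitions"], 38154 * 2048))
    print("hints:", hints(info))
```

To use it on a real capture, replace build_sample_mbr() with open("MBR.dat", "rb").read() and the disk size in sectors from the tool's "Size:" line; the boot-code hash is only meaningful next to the hash of a clean MBR from the same Windows version.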

  • Staff

Hi,

Grab a fresh copy of TDSSKiller and run it. Cure all items found.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Here is the new DDS log. As for ComboFix, I did read the instructions a few times and did as they said, but when I run ComboFix it does the extraction part and then closes, nothing else.

2011/05/26 16:51:45.0268 1280 TDSS rootkit removing tool 2.5.3.0 May 25 2011 07:09:24

2011/05/26 16:51:45.0538 1280 ================================================================================

2011/05/26 16:51:45.0538 1280 SystemInfo:

2011/05/26 16:51:45.0538 1280

2011/05/26 16:51:45.0538 1280 OS Version: 5.1.2600 ServicePack: 3.0

2011/05/26 16:51:45.0538 1280 Product type: Workstation

2011/05/26 16:51:45.0538 1280 ComputerName: USER-93614EA3BC

2011/05/26 16:51:45.0538 1280 UserName: Utilisateur

2011/05/26 16:51:45.0538 1280 Windows directory: C:\WINDOWS

2011/05/26 16:51:45.0538 1280 System windows directory: C:\WINDOWS

2011/05/26 16:51:45.0538 1280 Processor architecture: Intel x86

2011/05/26 16:51:45.0538 1280 Number of processors: 1

2011/05/26 16:51:45.0538 1280 Page size: 0x1000

2011/05/26 16:51:45.0538 1280 Boot type: Normal boot

2011/05/26 16:51:45.0538 1280 ================================================================================

2011/05/26 16:51:47.0391 1280 Initialize success

2011/05/26 16:51:50.0085 3712 ================================================================================

2011/05/26 16:51:50.0085 3712 Scan started

2011/05/26 16:51:50.0085 3712 Mode: Manual;

2011/05/26 16:51:50.0085 3712 ================================================================================

2011/05/26 16:51:51.0617 3712 ACPI (e5e6dbfc41ea8aad005cb9a57a96b43b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/05/26 16:51:51.0737 3712 ACPIEC (e4abc1212b70bb03d35e60681c447210) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/05/26 16:51:51.0897 3712 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/05/26 16:51:52.0018 3712 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\system32\drivers\tsk27.tmp

2011/05/26 16:51:52.0118 3712 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2011/05/26 16:51:52.0799 3712 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys

2011/05/26 16:51:53.0079 3712 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/05/26 16:51:53.0129 3712 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/05/26 16:51:53.0360 3712 ati2mtag (246248aada156450be611eceaa5fe033) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/05/26 16:51:53.0420 3712 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/05/26 16:51:53.0540 3712 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/05/26 16:51:53.0590 3712 b57w2k (48bf91cffbcdd12a710207f2a08fec4d) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

2011/05/26 16:51:53.0720 3712 BCM43XX (30d20fc98bcfd52e1da778cf19b223d4) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

2011/05/26 16:51:53.0900 3712 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/05/26 16:51:54.0061 3712 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/05/26 16:51:54.0221 3712 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/05/26 16:51:54.0341 3712 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/05/26 16:51:54.0411 3712 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/05/26 16:51:54.0621 3712 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/05/26 16:51:54.0762 3712 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/05/26 16:51:55.0012 3712 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/05/26 16:51:55.0112 3712 dmboot (f5deadd42335fb33edca74ecb2f36cba) C:\WINDOWS\system32\drivers\dmboot.sys

2011/05/26 16:51:55.0262 3712 dmio (5a7c47c9b3f9fb92a66410a7509f0c71) C:\WINDOWS\system32\drivers\dmio.sys

2011/05/26 16:51:55.0312 3712 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/05/26 16:51:55.0392 3712 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/05/26 16:51:55.0533 3712 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/05/26 16:51:55.0833 3712 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/05/26 16:51:55.0903 3712 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/05/26 16:51:55.0953 3712 Fips (31f923eb2170fc172c81abda0045d18c) C:\WINDOWS\system32\drivers\Fips.sys

2011/05/26 16:51:55.0993 3712 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/05/26 16:51:56.0053 3712 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/05/26 16:51:56.0164 3712 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys

2011/05/26 16:51:56.0304 3712 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/05/26 16:51:56.0404 3712 Ftdisk (a86859b77b908c18c2657f284aa29fe3) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/05/26 16:51:56.0564 3712 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/05/26 16:51:56.0674 3712 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/05/26 16:51:56.0814 3712 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/05/26 16:51:57.0005 3712 HSFHWICH (a84bbbdd125d370593004f6429f8445c) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys

2011/05/26 16:51:57.0145 3712 HSF_DPV (b678fa91cf4a1c19b462d8db04cd02ab) C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS

2011/05/26 16:51:57.0325 3712 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/05/26 16:51:57.0836 3712 i8042prt (a09bdc4ed10e3b2e0ec27bb94af32516) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/05/26 16:51:58.0116 3712 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/05/26 16:51:58.0677 3712 IntelIde (4b6da2f0a4095857a9e3f3697399d575) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/05/26 16:51:58.0928 3712 intelppm (ad340800c35a42d4de1641a37feea34c) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/05/26 16:51:59.0078 3712 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/05/26 16:51:59.0218 3712 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/05/26 16:51:59.0588 3712 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/05/26 16:51:59.0759 3712 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/05/26 16:51:59.0909 3712 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/05/26 16:52:00.0460 3712 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/05/26 16:52:00.0740 3712 isapnp (355836975a67b6554bca60328cd6cb74) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/05/26 16:52:01.0091 3712 Kbdclass (16813155807c6881f4bfbf6657424659) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/05/26 16:52:01.0441 3712 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/05/26 16:52:01.0651 3712 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/05/26 16:52:02.0202 3712 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys

2011/05/26 16:52:02.0653 3712 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys

2011/05/26 16:52:02.0933 3712 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys

2011/05/26 16:52:03.0194 3712 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2011/05/26 16:52:03.0434 3712 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/05/26 16:52:04.0015 3712 Mouclass (027c01bd7ef3349aaebc883d8a799efb) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/05/26 16:52:04.0255 3712 mouhid (124d6846040c79b9c997f78ef4b2a4e5) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/05/26 16:52:04.0425 3712 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/05/26 16:52:04.0886 3712 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/05/26 16:52:05.0527 3712 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/05/26 16:52:05.0707 3712 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/05/26 16:52:05.0837 3712 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/05/26 16:52:06.0128 3712 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/05/26 16:52:06.0288 3712 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/05/26 16:52:06.0348 3712 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/05/26 16:52:06.0408 3712 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/05/26 16:52:06.0488 3712 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/05/26 16:52:06.0599 3712 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/05/26 16:52:06.0659 3712 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/05/26 16:52:06.0759 3712 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/05/26 16:52:06.0809 3712 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/05/26 16:52:06.0909 3712 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/05/26 16:52:07.0009 3712 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/05/26 16:52:07.0320 3712 npf (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys

2011/05/26 16:52:07.0380 3712 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/05/26 16:52:07.0450 3712 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/05/26 16:52:07.0900 3712 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/05/26 16:52:08.0201 3712 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/05/26 16:52:08.0541 3712 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/05/26 16:52:08.0662 3712 OZSCR (ab2b07ac4afd38f574d903eaf9e98a60) C:\WINDOWS\system32\DRIVERS\ozscr.sys

2011/05/26 16:52:08.0832 3712 Parport (8fd0bdbea875d06ccf6c945ca9abaf75) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/05/26 16:52:08.0892 3712 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/05/26 16:52:08.0942 3712 ParVdm (9575c5630db8fb804649a6959737154c) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/05/26 16:52:08.0972 3712 PCI (043410877bda580c528f45165f7125bc) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/05/26 16:52:09.0072 3712 PCIIde (f4bfde7209c14a07aaa61e4d6ae69eac) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/05/26 16:52:09.0102 3712 Pcmcia (f0406cbc60bdb0394a0e17ffb04cdd3d) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2011/05/26 16:52:10.0164 3712 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/05/26 16:52:10.0414 3712 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/05/26 16:52:10.0755 3712 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/05/26 16:52:11.0085 3712 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/05/26 16:52:11.0185 3712 Rasl2tp (ed9cd4394c90f33577618d6994031fb4) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/05/26 16:52:11.0215 3712 Rasl2tp - detected Rootkit.Win32.ZAccess.c (0)

2011/05/26 16:52:11.0315 3712 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/05/26 16:52:11.0516 3712 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/05/26 16:52:11.0686 3712 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/05/26 16:52:11.0926 3712 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/05/26 16:52:12.0217 3712 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/05/26 16:52:12.0888 3712 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/05/26 16:52:13.0529 3712 redbook (d8eb2a7904db6c916eb5361878ddcbae) C:\WINDOWS\system32\drivers\tsk1E.tmp

2011/05/26 16:52:14.0049 3712 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/05/26 16:52:14.0360 3712 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/05/26 16:52:15.0081 3712 Serial (93d313c31f7ad9ea2b75f26075413c7c) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/05/26 16:52:15.0561 3712 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

2011/05/26 16:52:17.0024 3712 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/05/26 16:52:17.0414 3712 sr (39626e6dc1fb39434ec40c42722b660a) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/05/26 16:52:17.0755 3712 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/05/26 16:52:18.0145 3712 STAC97 (5813d453ef8ce49d607c255cf128aceb) C:\WINDOWS\system32\drivers\stac97.sys

2011/05/26 16:52:18.0516 3712 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/05/26 16:52:19.0227 3712 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/05/26 16:52:20.0458 3712 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/05/26 16:52:21.0260 3712 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/05/26 16:52:21.0660 3712 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/05/26 16:52:21.0891 3712 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/05/26 16:52:22.0411 3712 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/05/26 16:52:22.0952 3712 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/05/26 16:52:23.0232 3712 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\drivers\tsk3.tmp

2011/05/26 16:52:23.0423 3712 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys

2011/05/26 16:52:23.0833 3712 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/05/26 16:52:23.0954 3712 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/05/26 16:52:24.0004 3712 usbhub (6f9d3feed8f04e7338ffbd13c95ceef0) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/05/26 16:52:24.0014 3712 usbhub - detected Rootkit.Win32.ZAccess.c (0)

2011/05/26 16:52:24.0134 3712 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/05/26 16:52:24.0294 3712 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/05/26 16:52:24.0464 3712 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/05/26 16:52:24.0534 3712 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/05/26 16:52:24.0675 3712 vbma11df (9da42526fabf8ff7c992a9662a82a1bf) C:\WINDOWS\system32\drivers\vbma11df.sys

2011/05/26 16:52:24.0675 3712 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbma11df.sys. md5: 9da42526fabf8ff7c992a9662a82a1bf

2011/05/26 16:52:24.0685 3712 vbma11df - detected LockedFile.Multi.Generic (1)

2011/05/26 16:52:24.0765 3712 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/05/26 16:52:24.0905 3712 VolSnap (46de1126684369bace4849e4fc8c43ca) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/05/26 16:52:25.0015 3712 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/05/26 16:52:25.0105 3712 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/05/26 16:52:25.0255 3712 winachsf (0c5b9cf1bdf998750d9c5eeb5f8c55ac) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2011/05/26 16:52:25.0546 3712 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/05/26 16:52:25.0616 3712 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/05/26 16:52:25.0706 3712 MBR (0x1B8) (c99c3199cfaa4cbdcd91493f6d113a50) \Device\Harddisk0\DR0

2011/05/26 16:52:25.0866 3712 ================================================================================

2011/05/26 16:52:25.0866 3712 Scan finished

2011/05/26 16:52:25.0866 3712 ================================================================================

2011/05/26 16:52:25.0876 3704 Detected object count: 3

2011/05/26 16:52:25.0876 3704 Actual detected object count: 3

2011/05/26 16:53:07.0035 3704 Rasl2tp (ed9cd4394c90f33577618d6994031fb4) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/05/26 16:53:08.0347 3704 Backup copy not found, trying to cure infected file..

2011/05/26 16:53:08.0347 3704 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys - Cure failed (FFFFFFFF)

2011/05/26 16:53:08.0347 3704 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys - processing error

2011/05/26 16:53:08.0347 3704 Rootkit.Win32.ZAccess.c(Rasl2tp) - User select action: Cure

2011/05/26 16:53:08.0548 3704 usbhub (6f9d3feed8f04e7338ffbd13c95ceef0) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/05/26 16:53:08.0578 3704 Backup copy not found, trying to cure infected file..

2011/05/26 16:53:08.0578 3704 C:\WINDOWS\system32\DRIVERS\usbhub.sys - Cure failed (FFFFFFFF)

2011/05/26 16:53:08.0578 3704 C:\WINDOWS\system32\DRIVERS\usbhub.sys - processing error

2011/05/26 16:53:08.0578 3704 Rootkit.Win32.ZAccess.c(usbhub) - User select action: Cure

2011/05/26 16:53:08.0588 3704 HKLM\SYSTEM\ControlSet001\services\vbma11df - will be deleted after reboot

2011/05/26 16:53:08.0588 3704 HKLM\SYSTEM\ControlSet003\services\vbma11df - will be deleted after reboot

2011/05/26 16:53:08.0598 3704 C:\WINDOWS\system32\drivers\vbma11df.sys - will be deleted after reboot

2011/05/26 16:53:08.0598 3704 LockedFile.Multi.Generic(vbma11df) - User select action: Delete


  • Staff

Hi,

You have a new variant of a nasty infection. We appreciate your patience as we develop solutions for it.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Hi there! Not to worry, I am patient, and I guess my young brother might think he's cool that we got this new nasty variant ;)

Also I appreciate all the work and your patience too.

As for ComboFix, I deleted my old file, installed a freshly downloaded one, and the same thing happens (extracting files, then it closes with nothing else happening).

Here is my DDS log:

2011/05/30 10:29:48.0823 0416 TDSS rootkit removing tool 2.5.3.0 May 25 2011 07:09:24

2011/05/30 10:29:49.0144 0416 ================================================================================

2011/05/30 10:29:49.0144 0416 SystemInfo:

2011/05/30 10:29:49.0144 0416

2011/05/30 10:29:49.0144 0416 OS Version: 5.1.2600 ServicePack: 3.0

2011/05/30 10:29:49.0144 0416 Product type: Workstation

2011/05/30 10:29:49.0144 0416 ComputerName: USER-93614EA3BC

2011/05/30 10:29:49.0144 0416 UserName: Utilisateur

2011/05/30 10:29:49.0144 0416 Windows directory: C:\WINDOWS

2011/05/30 10:29:49.0144 0416 System windows directory: C:\WINDOWS

2011/05/30 10:29:49.0144 0416 Processor architecture: Intel x86

2011/05/30 10:29:49.0144 0416 Number of processors: 1

2011/05/30 10:29:49.0144 0416 Page size: 0x1000

2011/05/30 10:29:49.0144 0416 Boot type: Normal boot

2011/05/30 10:29:49.0144 0416 ================================================================================

2011/05/30 10:29:50.0926 0416 Initialize success

2011/05/30 10:29:53.0440 3948 ================================================================================

2011/05/30 10:29:53.0440 3948 Scan started

2011/05/30 10:29:53.0440 3948 Mode: Manual;

2011/05/30 10:29:53.0440 3948 ================================================================================

2011/05/30 10:29:55.0292 3948 ACPI (e5e6dbfc41ea8aad005cb9a57a96b43b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/05/30 10:29:55.0373 3948 ACPIEC (e4abc1212b70bb03d35e60681c447210) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/05/30 10:29:55.0503 3948 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/05/30 10:29:55.0603 3948 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\system32\drivers\tsk27.tmp

2011/05/30 10:29:55.0653 3948 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2011/05/30 10:29:56.0344 3948 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys

2011/05/30 10:29:56.0584 3948 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/05/30 10:29:56.0624 3948 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/05/30 10:29:56.0795 3948 ati2mtag (246248aada156450be611eceaa5fe033) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/05/30 10:29:56.0885 3948 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/05/30 10:29:56.0955 3948 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/05/30 10:29:57.0005 3948 b57w2k (48bf91cffbcdd12a710207f2a08fec4d) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

2011/05/30 10:29:57.0095 3948 BCM43XX (30d20fc98bcfd52e1da778cf19b223d4) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

2011/05/30 10:29:57.0255 3948 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/05/30 10:29:57.0355 3948 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/05/30 10:29:57.0466 3948 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/05/30 10:29:57.0556 3948 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/05/30 10:29:57.0596 3948 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/05/30 10:29:57.0776 3948 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/05/30 10:29:57.0896 3948 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/05/30 10:29:58.0237 3948 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/05/30 10:29:58.0357 3948 dmboot (f5deadd42335fb33edca74ecb2f36cba) C:\WINDOWS\system32\drivers\dmboot.sys

2011/05/30 10:29:58.0467 3948 dmio (5a7c47c9b3f9fb92a66410a7509f0c71) C:\WINDOWS\system32\drivers\dmio.sys

2011/05/30 10:29:58.0577 3948 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/05/30 10:29:58.0667 3948 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/05/30 10:29:58.0828 3948 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/05/30 10:29:59.0128 3948 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/05/30 10:29:59.0218 3948 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/05/30 10:29:59.0288 3948 Fips (31f923eb2170fc172c81abda0045d18c) C:\WINDOWS\system32\drivers\Fips.sys

2011/05/30 10:29:59.0338 3948 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/05/30 10:29:59.0428 3948 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/05/30 10:29:59.0539 3948 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys

2011/05/30 10:29:59.0599 3948 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/05/30 10:29:59.0659 3948 Ftdisk (a86859b77b908c18c2657f284aa29fe3) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/05/30 10:29:59.0739 3948 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/05/30 10:29:59.0809 3948 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/05/30 10:29:59.0909 3948 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/05/30 10:30:00.0119 3948 HSFHWICH (a84bbbdd125d370593004f6429f8445c) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys

2011/05/30 10:30:00.0220 3948 HSF_DPV (b678fa91cf4a1c19b462d8db04cd02ab) C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS

2011/05/30 10:30:00.0370 3948 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/05/30 10:30:00.0590 3948 i8042prt (a09bdc4ed10e3b2e0ec27bb94af32516) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/05/30 10:30:00.0660 3948 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/05/30 10:30:00.0850 3948 IntelIde (4b6da2f0a4095857a9e3f3697399d575) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/05/30 10:30:00.0941 3948 intelppm (ad340800c35a42d4de1641a37feea34c) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/05/30 10:30:01.0001 3948 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/05/30 10:30:01.0081 3948 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/05/30 10:30:01.0141 3948 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/05/30 10:30:01.0231 3948 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/05/30 10:30:01.0321 3948 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/05/30 10:30:01.0381 3948 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/05/30 10:30:01.0451 3948 isapnp (355836975a67b6554bca60328cd6cb74) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/05/30 10:30:01.0561 3948 Kbdclass (16813155807c6881f4bfbf6657424659) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/05/30 10:30:01.0632 3948 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/05/30 10:30:01.0702 3948 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/05/30 10:30:01.0922 3948 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys

2011/05/30 10:30:02.0032 3948 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys

2011/05/30 10:30:02.0162 3948 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys

2011/05/30 10:30:02.0313 3948 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2011/05/30 10:30:02.0423 3948 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/05/30 10:30:02.0573 3948 Mouclass (027c01bd7ef3349aaebc883d8a799efb) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/05/30 10:30:02.0643 3948 mouhid (124d6846040c79b9c997f78ef4b2a4e5) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/05/30 10:30:02.0733 3948 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/05/30 10:30:02.0853 3948 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/05/30 10:30:02.0984 3948 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/05/30 10:30:03.0104 3948 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/05/30 10:30:03.0184 3948 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/05/30 10:30:03.0254 3948 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/05/30 10:30:03.0324 3948 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/05/30 10:30:03.0414 3948 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/05/30 10:30:03.0484 3948 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/05/30 10:30:03.0574 3948 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/05/30 10:30:03.0634 3948 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/05/30 10:30:03.0705 3948 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/05/30 10:30:03.0775 3948 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/05/30 10:30:03.0835 3948 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/05/30 10:30:03.0925 3948 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/05/30 10:30:04.0035 3948 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/05/30 10:30:04.0185 3948 npf (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys

2011/05/30 10:30:04.0235 3948 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/05/30 10:30:04.0676 3948 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/05/30 10:30:04.0856 3948 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/05/30 10:30:05.0046 3948 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/05/30 10:30:05.0207 3948 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/05/30 10:30:05.0687 3948 OZSCR (ab2b07ac4afd38f574d903eaf9e98a60) C:\WINDOWS\system32\DRIVERS\ozscr.sys

2011/05/30 10:30:05.0998 3948 Parport (8fd0bdbea875d06ccf6c945ca9abaf75) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/05/30 10:30:06.0178 3948 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/05/30 10:30:06.0348 3948 ParVdm (9575c5630db8fb804649a6959737154c) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/05/30 10:30:06.0489 3948 PCI (043410877bda580c528f45165f7125bc) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/05/30 10:30:06.0869 3948 PCIIde (f4bfde7209c14a07aaa61e4d6ae69eac) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/05/30 10:30:07.0200 3948 Pcmcia (f0406cbc60bdb0394a0e17ffb04cdd3d) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2011/05/30 10:30:07.0680 3948 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/05/30 10:30:07.0730 3948 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/05/30 10:30:07.0790 3948 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/05/30 10:30:08.0051 3948 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/05/30 10:30:08.0121 3948 Rasl2tp (ed9cd4394c90f33577618d6994031fb4) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/05/30 10:30:08.0131 3948 Rasl2tp - detected Rootkit.Win32.ZAccess.c (0)

2011/05/30 10:30:08.0201 3948 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/05/30 10:30:08.0241 3948 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/05/30 10:30:08.0301 3948 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/05/30 10:30:08.0361 3948 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/05/30 10:30:08.0451 3948 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/05/30 10:30:08.0542 3948 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/05/30 10:30:08.0612 3948 redbook (d8eb2a7904db6c916eb5361878ddcbae) C:\WINDOWS\system32\drivers\tsk1E.tmp

2011/05/30 10:30:08.0762 3948 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/05/30 10:30:08.0832 3948 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/05/30 10:30:08.0872 3948 Serial (93d313c31f7ad9ea2b75f26075413c7c) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/05/30 10:30:08.0972 3948 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

2011/05/30 10:30:09.0162 3948 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/05/30 10:30:09.0222 3948 sr (39626e6dc1fb39434ec40c42722b660a) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/05/30 10:30:09.0303 3948 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/05/30 10:30:09.0473 3948 STAC97 (5813d453ef8ce49d607c255cf128aceb) C:\WINDOWS\system32\drivers\stac97.sys

2011/05/30 10:30:09.0583 3948 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/05/30 10:30:09.0643 3948 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/05/30 10:30:09.0843 3948 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/05/30 10:30:09.0944 3948 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/05/30 10:30:10.0024 3948 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/05/30 10:30:10.0104 3948 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/05/30 10:30:10.0174 3948 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/05/30 10:30:10.0294 3948 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/05/30 10:30:10.0695 3948 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\drivers\tsk3.tmp

2011/05/30 10:30:11.0105 3948 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys

2011/05/30 10:30:11.0295 3948 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/05/30 10:30:11.0656 3948 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/05/30 10:30:11.0896 3948 usbhub (6f9d3feed8f04e7338ffbd13c95ceef0) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/05/30 10:30:11.0906 3948 usbhub - detected Rootkit.Win32.ZAccess.c (0)

2011/05/30 10:30:11.0976 3948 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/05/30 10:30:12.0067 3948 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/05/30 10:30:12.0677 3948 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/05/30 10:30:12.0958 3948 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/05/30 10:30:13.0449 3948 vbma11df (9da42526fabf8ff7c992a9662a82a1bf) C:\WINDOWS\system32\drivers\vbma11df.sys

2011/05/30 10:30:13.0449 3948 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbma11df.sys. md5: 9da42526fabf8ff7c992a9662a82a1bf

2011/05/30 10:30:13.0459 3948 vbma11df - detected LockedFile.Multi.Generic (1)

2011/05/30 10:30:13.0709 3948 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/05/30 10:30:14.0069 3948 VolSnap (46de1126684369bace4849e4fc8c43ca) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/05/30 10:30:14.0490 3948 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/05/30 10:30:14.0871 3948 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/05/30 10:30:15.0231 3948 winachsf (0c5b9cf1bdf998750d9c5eeb5f8c55ac) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2011/05/30 10:30:16.0032 3948 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/05/30 10:30:16.0383 3948 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/05/30 10:30:16.0683 3948 MBR (0x1B8) (c99c3199cfaa4cbdcd91493f6d113a50) \Device\Harddisk0\DR0

2011/05/30 10:30:17.0715 3948 ================================================================================

2011/05/30 10:30:17.0715 3948 Scan finished

2011/05/30 10:30:17.0715 3948 ================================================================================

2011/05/30 10:30:17.0725 1280 Detected object count: 3

2011/05/30 10:30:17.0725 1280 Actual detected object count: 3

2011/05/30 10:30:40.0177 1280 Rasl2tp (ed9cd4394c90f33577618d6994031fb4) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/05/30 10:30:41.0519 1280 Backup copy not found, trying to cure infected file..

2011/05/30 10:30:41.0519 1280 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys - Cure failed (FFFFFFFF)

2011/05/30 10:30:41.0519 1280 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys - processing error

2011/05/30 10:30:41.0519 1280 Rootkit.Win32.ZAccess.c(Rasl2tp) - User select action: Cure

2011/05/30 10:30:41.0639 1280 usbhub (6f9d3feed8f04e7338ffbd13c95ceef0) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/05/30 10:30:41.0669 1280 Backup copy not found, trying to cure infected file..

2011/05/30 10:30:41.0669 1280 C:\WINDOWS\system32\DRIVERS\usbhub.sys - Cure failed (FFFFFFFF)

2011/05/30 10:30:41.0669 1280 C:\WINDOWS\system32\DRIVERS\usbhub.sys - processing error

2011/05/30 10:30:41.0669 1280 Rootkit.Win32.ZAccess.c(usbhub) - User select action: Cure

2011/05/30 10:30:41.0679 1280 HKLM\SYSTEM\ControlSet001\services\vbma11df - will be deleted after reboot

2011/05/30 10:30:41.0689 1280 HKLM\SYSTEM\ControlSet003\services\vbma11df - will be deleted after reboot

2011/05/30 10:30:41.0699 1280 C:\WINDOWS\system32\drivers\vbma11df.sys - will be deleted after reboot

2011/05/30 10:30:41.0699 1280 LockedFile.Multi.Generic(vbma11df) - User select action: Delete

I did reboot and re-ran DDS and I got the same report (unable to cure, file will be deleted on reboot).

Thank you!

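A triage script for TDSSKiller logs like the ones posted above, added here as an example and not part of the thread or of TDSSKiller itself: it pulls out the three things worth acting on (services with a verdict, services whose image is a .tmp rather than a .sys, and files the tool could not cure) and reports which detections survive a reboot. The sample log lines and MD5 values are constructed in the tool's format, not copied from the thread.

```python
import re
from dataclasses import dataclass, field

# Every TDSSKiller line is "<yyyy/mm/dd> <hh:mm:ss.ffff> <pid> <message>".
LINE_RE = re.compile(r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>[\d:.]+) (?P<pid>\d+) (?P<msg>.*)$")
# Enumerated service: "<name> (<md5>) <backing file>"
DRIVER_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
# Verdict: "<name> - detected <verdict> (<n>)"
DETECT_RE = re.compile(r"^(?P<name>\S+) - detected (?P<verdict>\S+) \((?P<n>\d+)\)$")
# Disinfection failure: "<path> - Cure failed (<code>)"
CURE_FAIL_RE = re.compile(r"^(?P<path>.+?) - Cure failed \((?P<code>[0-9A-Fa-f]+)\)$")


@dataclass
class Triage:
    detections: dict = field(default_factory=dict)   # service -> verdict
    odd_backing: dict = field(default_factory=dict)  # service -> non-.sys image path
    cure_failed: list = field(default_factory=list)  # paths the tool could not repair


def triage(log_text: str) -> Triage:
    """Pull the actionable lines out of one TDSSKiller log."""
    result = Triage()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line, banner, or anything not in the standard format
        msg = m.group("msg")
        d = DRIVER_RE.match(msg)
        if d:
            # A kernel service whose image is a .tmp instead of a .sys deserves a look
            # even when no signature fires (AFD, redbook and Update in the logs above).
            if not d.group("path").lower().endswith(".sys"):
                result.odd_backing[d.group("name")] = d.group("path")
            continue
        d = DETECT_RE.match(msg)
        if d:
            result.detections[d.group("name")] = d.group("verdict")
            continue
        d = CURE_FAIL_RE.match(msg)
        if d:
            result.cure_failed.append(d.group("path"))
    return result


def persisted(before: Triage, after: Triage) -> set:
    """Services still flagged in a re-scan after the reboot that should have cleaned them."""
    return set(before.detections) & set(after.detections)


# Constructed sample in TDSSKiller 2.5.x format; MD5 values are placeholders.
SAMPLE_LOG = r"""
2011/05/30 10:29:53.0440 3948 Scan started
2011/05/30 10:29:55.0603 3948 AFD (00000000000000000000000000000001) C:\WINDOWS\system32\drivers\tsk27.tmp
2011/05/30 10:29:56.0624 3948 atapi (00000000000000000000000000000002) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/30 10:30:08.0121 3948 Rasl2tp (00000000000000000000000000000003) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/30 10:30:08.0131 3948 Rasl2tp - detected Rootkit.Win32.ZAccess.c (0)
2011/05/30 10:30:08.0612 3948 redbook (00000000000000000000000000000004) C:\WINDOWS\system32\drivers\tsk1E.tmp
2011/05/30 10:30:11.0896 3948 usbhub (00000000000000000000000000000005) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/30 10:30:11.0906 3948 usbhub - detected Rootkit.Win32.ZAccess.c (0)
2011/05/30 10:30:13.0449 3948 vbma11df (00000000000000000000000000000006) C:\WINDOWS\system32\drivers\vbma11df.sys
2011/05/30 10:30:13.0459 3948 vbma11df - detected LockedFile.Multi.Generic (1)
2011/05/30 10:30:16.0683 3948 MBR (0x1B8) (00000000000000000000000000000007) \Device\Harddisk0\DR0
2011/05/30 10:30:17.0715 3948 Scan finished
2011/05/30 10:30:41.0519 1280 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys - Cure failed (FFFFFFFF)
2011/05/30 10:30:41.0669 1280 C:\WINDOWS\system32\DRIVERS\usbhub.sys - Cure failed (FFFFFFFF)
2011/05/30 10:30:41.0699 1280 C:\WINDOWS\system32\drivers\vbma11df.sys - will be deleted after reboot
"""

# Constructed re-scan after the reboot that was supposed to delete vbma11df.sys.
AFTER_REBOOT_LOG = r"""
2011/05/30 11:02:00.0000 0416 Scan started
2011/05/30 11:02:01.0000 0416 Rasl2tp (00000000000000000000000000000003) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/30 11:02:01.0010 0416 Rasl2tp - detected Rootkit.Win32.ZAccess.c (0)
2011/05/30 11:02:02.0000 0416 usbhub (00000000000000000000000000000005) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/30 11:02:02.0010 0416 usbhub - detected Rootkit.Win32.ZAccess.c (0)
2011/05/30 11:02:03.0000 0416 Scan finished
"""


if __name__ == "__main__":
    first, second = triage(SAMPLE_LOG), triage(AFTER_REBOOT_LOG)
    for name, verdict in first.detections.items():
        print(f"detected   {name:10} {verdict}")
    for name, path in first.odd_backing.items():
        print(f"odd image  {name:10} {path}")
    for path in first.cure_failed:
        print(f"not cured  {path}")
    print("survived reboot:", sorted(persisted(first, second)))
```

The "odd image" check is the one signal here that needs no signature: a service such as AFD or redbook pointing at a tsk*.tmp file is the pattern a scan can show even when the verdict lines are quiet.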

  • Staff

Hi,

You must first verify that you can logon to the Windows Recovery Console.

To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console

Next, please download maxlook, saving the file to your desktop.

Double click maxlook.exe to run it. Note - you must run it only once!

As instructed when the tool runs, restart the computer and logon to the Recovery Console.

Execute the following command at the x:\windows> prompt (the x represents your operating system drive letter, usually C):

batch look.bat


You will see 1 file copied many times then return to the x:\windows> prompt.

Type Exit to restart your computer then logon in normal mode.

Please run maxlook.exe again now. Note - you must run it only once!

It will produce looklog.txt on the desktop and open it.

Please post the results here.


Alright, first off I just want to say that since I had to use the Windows XP CD, I decided to copy the faulted .sys files from the CD to my computer to fix the USB ports. This worked fine.

I then did another DSS scan to check if the attack would react after a reboot, but it didn't:

2011/06/01 10:34:06.0047 0760 TDSS rootkit removing tool 2.5.3.0 May 25 2011 07:09:24

2011/06/01 10:34:06.0327 0760 ================================================================================

2011/06/01 10:34:06.0327 0760 SystemInfo:

2011/06/01 10:34:06.0327 0760

2011/06/01 10:34:06.0327 0760 OS Version: 5.1.2600 ServicePack: 3.0

2011/06/01 10:34:06.0327 0760 Product type: Workstation

2011/06/01 10:34:06.0327 0760 ComputerName: USER-93614EA3BC

2011/06/01 10:34:06.0327 0760 UserName: Utilisateur

2011/06/01 10:34:06.0327 0760 Windows directory: C:\WINDOWS

2011/06/01 10:34:06.0327 0760 System windows directory: C:\WINDOWS

2011/06/01 10:34:06.0327 0760 Processor architecture: Intel x86

2011/06/01 10:34:06.0327 0760 Number of processors: 1

2011/06/01 10:34:06.0327 0760 Page size: 0x1000

2011/06/01 10:34:06.0327 0760 Boot type: Normal boot

2011/06/01 10:34:06.0327 0760 ================================================================================

2011/06/01 10:34:08.0000 0760 Initialize success

2011/06/01 10:34:09.0502 0740 ================================================================================

2011/06/01 10:34:09.0502 0740 Scan started

2011/06/01 10:34:09.0502 0740 Mode: Manual;

2011/06/01 10:34:09.0502 0740 ================================================================================

2011/06/01 10:34:11.0515 0740 ACPI (e5e6dbfc41ea8aad005cb9a57a96b43b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/06/01 10:34:11.0605 0740 ACPIEC (e4abc1212b70bb03d35e60681c447210) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/06/01 10:34:11.0725 0740 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/06/01 10:34:11.0815 0740 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\system32\drivers\tsk27.tmp

2011/06/01 10:34:11.0905 0740 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2011/06/01 10:34:12.0296 0740 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys

2011/06/01 10:34:12.0596 0740 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/06/01 10:34:12.0687 0740 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/06/01 10:34:13.0338 0740 ati2mtag (246248aada156450be611eceaa5fe033) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/06/01 10:34:13.0588 0740 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/06/01 10:34:13.0708 0740 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/06/01 10:34:13.0758 0740 b57w2k (48bf91cffbcdd12a710207f2a08fec4d) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

2011/06/01 10:34:13.0888 0740 BCM43XX (30d20fc98bcfd52e1da778cf19b223d4) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

2011/06/01 10:34:13.0988 0740 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/06/01 10:34:14.0069 0740 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/06/01 10:34:14.0149 0740 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/06/01 10:34:14.0209 0740 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/06/01 10:34:14.0249 0740 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/06/01 10:34:14.0389 0740 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/06/01 10:34:14.0549 0740 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/06/01 10:34:14.0910 0740 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/06/01 10:34:15.0020 0740 dmboot (f5deadd42335fb33edca74ecb2f36cba) C:\WINDOWS\system32\drivers\dmboot.sys

2011/06/01 10:34:15.0150 0740 dmio (5a7c47c9b3f9fb92a66410a7509f0c71) C:\WINDOWS\system32\drivers\dmio.sys

2011/06/01 10:34:15.0220 0740 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/06/01 10:34:15.0320 0740 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/06/01 10:34:15.0441 0740 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/06/01 10:34:15.0841 0740 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/06/01 10:34:15.0951 0740 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/06/01 10:34:16.0011 0740 Fips (31f923eb2170fc172c81abda0045d18c) C:\WINDOWS\system32\drivers\Fips.sys

2011/06/01 10:34:16.0091 0740 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/06/01 10:34:16.0152 0740 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/06/01 10:34:16.0272 0740 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys

2011/06/01 10:34:16.0362 0740 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/06/01 10:34:16.0412 0740 Ftdisk (a86859b77b908c18c2657f284aa29fe3) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/06/01 10:34:16.0502 0740 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/06/01 10:34:16.0642 0740 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/06/01 10:34:16.0823 0740 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/06/01 10:34:17.0263 0740 HSFHWICH (a84bbbdd125d370593004f6429f8445c) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys

2011/06/01 10:34:17.0574 0740 HSF_DPV (b678fa91cf4a1c19b462d8db04cd02ab) C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS

2011/06/01 10:34:17.0804 0740 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/06/01 10:34:18.0094 0740 i8042prt (a09bdc4ed10e3b2e0ec27bb94af32516) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/06/01 10:34:18.0245 0740 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/06/01 10:34:18.0405 0740 IntelIde (4b6da2f0a4095857a9e3f3697399d575) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/06/01 10:34:18.0475 0740 intelppm (ad340800c35a42d4de1641a37feea34c) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/06/01 10:34:18.0585 0740 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/06/01 10:34:18.0665 0740 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/06/01 10:34:18.0745 0740 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/06/01 10:34:18.0815 0740 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/06/01 10:34:18.0976 0740 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/06/01 10:34:19.0036 0740 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/06/01 10:34:19.0116 0740 isapnp (355836975a67b6554bca60328cd6cb74) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/06/01 10:34:19.0216 0740 Kbdclass (16813155807c6881f4bfbf6657424659) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/06/01 10:34:19.0286 0740 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/06/01 10:34:19.0356 0740 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/06/01 10:34:19.0617 0740 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys

2011/06/01 10:34:19.0737 0740 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys

2011/06/01 10:34:19.0877 0740 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys

2011/06/01 10:34:19.0987 0740 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2011/06/01 10:34:20.0077 0740 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/06/01 10:34:20.0207 0740 Modem (510ade9327fe84c10254e1902697e25f) C:\WINDOWS\system32\drivers\Modem.sys

2011/06/01 10:34:20.0277 0740 Mouclass (027c01bd7ef3349aaebc883d8a799efb) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/06/01 10:34:20.0368 0740 mouhid (124d6846040c79b9c997f78ef4b2a4e5) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/06/01 10:34:20.0448 0740 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/06/01 10:34:20.0598 0740 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/06/01 10:34:20.0698 0740 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/06/01 10:34:20.0828 0740 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/06/01 10:34:20.0908 0740 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/06/01 10:34:20.0978 0740 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/06/01 10:34:21.0049 0740 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/06/01 10:34:21.0119 0740 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/06/01 10:34:21.0229 0740 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/06/01 10:34:21.0309 0740 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/06/01 10:34:21.0379 0740 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/06/01 10:34:21.0469 0740 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/06/01 10:34:21.0519 0740 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/06/01 10:34:21.0599 0740 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/06/01 10:34:21.0680 0740 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/06/01 10:34:21.0740 0740 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/06/01 10:34:21.0930 0740 npf (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys

2011/06/01 10:34:21.0990 0740 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/06/01 10:34:22.0090 0740 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/06/01 10:34:22.0210 0740 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/06/01 10:34:22.0300 0740 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/06/01 10:34:22.0360 0740 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/06/01 10:34:22.0511 0740 OZSCR (ab2b07ac4afd38f574d903eaf9e98a60) C:\WINDOWS\system32\DRIVERS\ozscr.sys

2011/06/01 10:34:22.0621 0740 Parport (8fd0bdbea875d06ccf6c945ca9abaf75) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/06/01 10:34:22.0661 0740 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/06/01 10:34:22.0771 0740 ParVdm (9575c5630db8fb804649a6959737154c) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/06/01 10:34:22.0831 0740 PCI (043410877bda580c528f45165f7125bc) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/06/01 10:34:22.0991 0740 PCIIde (f4bfde7209c14a07aaa61e4d6ae69eac) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/06/01 10:34:23.0061 0740 Pcmcia (f0406cbc60bdb0394a0e17ffb04cdd3d) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2011/06/01 10:34:23.0572 0740 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/06/01 10:34:23.0632 0740 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/06/01 10:34:23.0692 0740 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/06/01 10:34:24.0063 0740 radpms (b953369c5ef43615f1bfa9cea69fc9aa) C:\WINDOWS\system32\DRIVERS\radpms.sys

2011/06/01 10:34:24.0143 0740 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/06/01 10:34:24.0243 0740 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/06/01 10:34:24.0333 0740 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/06/01 10:34:24.0403 0740 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/06/01 10:34:24.0504 0740 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/06/01 10:34:24.0584 0740 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/06/01 10:34:24.0674 0740 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/06/01 10:34:24.0744 0740 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/06/01 10:34:24.0844 0740 redbook (d8eb2a7904db6c916eb5361878ddcbae) C:\WINDOWS\system32\drivers\tsk1E.tmp

2011/06/01 10:34:25.0064 0740 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/06/01 10:34:25.0134 0740 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/06/01 10:34:25.0205 0740 Serial (93d313c31f7ad9ea2b75f26075413c7c) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/06/01 10:34:25.0385 0740 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

2011/06/01 10:34:25.0625 0740 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/06/01 10:34:25.0695 0740 sr (39626e6dc1fb39434ec40c42722b660a) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/06/01 10:34:25.0795 0740 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/06/01 10:34:25.0916 0740 STAC97 (5813d453ef8ce49d607c255cf128aceb) C:\WINDOWS\system32\drivers\stac97.sys

2011/06/01 10:34:26.0016 0740 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/06/01 10:34:26.0086 0740 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/06/01 10:34:26.0416 0740 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/06/01 10:34:26.0536 0740 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/06/01 10:34:26.0657 0740 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/06/01 10:34:26.0727 0740 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/06/01 10:34:26.0817 0740 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/06/01 10:34:26.0997 0740 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/06/01 10:34:27.0207 0740 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\drivers\tsk3.tmp

2011/06/01 10:34:27.0348 0740 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys

2011/06/01 10:34:27.0438 0740 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/06/01 10:34:27.0528 0740 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/06/01 10:34:27.0658 0740 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/06/01 10:34:27.0748 0740 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/06/01 10:34:27.0848 0740 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/06/01 10:34:27.0949 0740 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/06/01 10:34:28.0049 0740 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/06/01 10:34:28.0129 0740 vbma11df (9da42526fabf8ff7c992a9662a82a1bf) C:\WINDOWS\system32\drivers\vbma11df.sys

2011/06/01 10:34:28.0129 0740 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbma11df.sys. md5: 9da42526fabf8ff7c992a9662a82a1bf

2011/06/01 10:34:28.0149 0740 vbma11df - detected LockedFile.Multi.Generic (1)

2011/06/01 10:34:28.0239 0740 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/06/01 10:34:28.0349 0740 VolSnap (46de1126684369bace4849e4fc8c43ca) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/06/01 10:34:28.0449 0740 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/06/01 10:34:28.0599 0740 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/06/01 10:34:28.0760 0740 winachsf (0c5b9cf1bdf998750d9c5eeb5f8c55ac) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2011/06/01 10:34:29.0090 0740 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/06/01 10:34:29.0160 0740 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/06/01 10:34:29.0240 0740 MBR (0x1B8) (c99c3199cfaa4cbdcd91493f6d113a50) \Device\Harddisk0\DR0

2011/06/01 10:34:29.0401 0740 ================================================================================

2011/06/01 10:34:29.0401 0740 Scan finished

2011/06/01 10:34:29.0401 0740 ================================================================================

2011/06/01 10:34:29.0431 1556 Detected object count: 1

2011/06/01 10:34:29.0431 1556 Actual detected object count: 1

2011/06/01 10:34:33.0507 1556 LockedFile.Multi.Generic(vbma11df) - User select action: Skip

2011/06/01 10:34:37.0542 0700 Deinitialize success

So then I did your procedure and here are the requested results:

Run from C:\Documents and Settings\Utilisateur\Bureau\maxlook.exe on 2011-06-01 at 10:48:27,20

No infected file found

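A small triage helper for the TDSSKiller log format shown above, added here as an example and not part of the thread, of TDSSKiller or of Malwarebytes: it pulls out the lines a helper reads first (detections, files the scanner could not open, and services whose image path is not a .sys file). The sample lines are copied from the log above; the regexes and the "worth a look" rules are my own assumptions about the format, not the tool's documented grammar.

```python
import re
from collections import namedtuple

# One finding per log line that deserves a human's attention.
Finding = namedtuple("Finding", "name path md5 reason")

# A normal TDSSKiller driver line: timestamp, thread id, service name, (md5), path.
DRIVER_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} \d{4} "
    r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$"
)
# "Suspicious file (NoAccess): <path>. md5: <hash>"
SUSPICIOUS_RE = re.compile(
    r"Suspicious file \((?P<reason>[^)]+)\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})"
)
# "<name> - detected <verdict> (n)"
DETECT_RE = re.compile(r"^\S+ \S+ \d{4} (?P<name>\S+) - detected (?P<verdict>\S+)")


def triage(log_text):
    """Return the lines of a TDSSKiller log that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = DRIVER_RE.match(line)
        if m:
            # A service whose image is not a .sys file (tsk27.tmp in the log
            # above) is unusual enough to list; it is not a verdict by itself.
            if not m.group("path").lower().endswith(".sys"):
                findings.append(Finding(m.group("name"), m.group("path"),
                                        m.group("md5"), "image path is not a .sys file"))
            continue
        m = SUSPICIOUS_RE.search(line)
        if m:
            findings.append(Finding(None, m.group("path"), m.group("md5"),
                                    "scanner could not read file: " + m.group("reason")))
            continue
        m = DETECT_RE.match(line)
        if m:
            findings.append(Finding(m.group("name"), None, None,
                                    "detected " + m.group("verdict")))
    return findings


# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
2011/06/01 10:34:11.0725 0740 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/06/01 10:34:11.0815 0740 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\system32\drivers\tsk27.tmp
2011/06/01 10:34:28.0129 0740 vbma11df (9da42526fabf8ff7c992a9662a82a1bf) C:\WINDOWS\system32\drivers\vbma11df.sys
2011/06/01 10:34:28.0129 0740 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbma11df.sys. md5: 9da42526fabf8ff7c992a9662a82a1bf
2011/06/01 10:34:28.0149 0740 vbma11df - detected LockedFile.Multi.Generic (1)
2011/06/01 10:34:29.0240 0740 MBR (0x1B8) (c99c3199cfaa4cbdcd91493f6d113a50) \Device\Harddisk0\DR0
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: name={f.name} path={f.path} md5={f.md5}")
```

Lines that do not fit any of the three patterns (the MBR line, the header and footer) are skipped rather than guessed at, so the output is only ever a subset of what the log already says.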

  • Staff

Things are looking better!

Can you grab a fresh copy of TDSSKiller and run it please. Cure all found.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Hi there,

Killer is still only finding my vbma...sys, which it can't delete, but it's not causing any more trouble for now, which is good!

I'm having problems with F-Secure though; when I choose Full Scan it stops at 0%, saying that the software doesn't have the required permissions to scan the whole computer.

I don't understand though since the user is the computer admin. I'll try to figure this out and come back with the logs.

Thank you !


  • Staff

Hi,

Grab a fresh copy of ComboFix. Before you download it, rename it to lol.com; save it to your Desktop.

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\lol.com" /killall

See if it runs now.


  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
