Cannot boot PC after removing infections with Malwarebytes


heks

Hi there,

Having a big problem with one of my PCs. I've been infected for some time now with a virus that has prevented me from opening programs, though it usually only kicked in about 5 mins after booting up the system. I'm guessing this is the TDSS Rootkit, but I don't know much about this stuff. Today I also got hit on that system with the Privacy Protection virus that was preventing me from opening ANYTHING from as soon as Windows XP loaded. I followed the instructions on bleepingcomputer.com to get rid of the virus with Malwarebytes, but after running it and removing the selected infections in safe mode, I can't boot my system ... even into Safe Mode.

I then started to follow the following instructions in this forum, since the problem matched mine: http://forums.malwarebytes.org/index.php?showtopic=68960&hl=

I used PE Builder to create a boot disk from my Win XP Pro SP 3 disk and put OTLPE on my flash drive, but when I loaded up the BART PE environment and ran the file management utility, my Hard Disks didn't show up, which meant I couldn't point start.cmd to my Windows install directory. I have no idea how to resolve this. I'm hoping that someone can help me from the beginning of the process, because I really need to get this system up and running again.

So, following the first question that was asked of the person in that thread I linked above, I turned off the auto-rebooting on system failure and checked out the Blue Screen of Death. The only "Technical information" I have on the screen at all is:

*** STOP: 0x0000007B (0xBA4C7528, 0x0000034, 0x00000000, 0x00000000)

Please help me.

Thanks in advance.

heks

I'd just like to add a point to my previous post. Perhaps it goes without saying, but I couldn't follow instructions on what to do before posting my problem in terms of generating logs, etc., because I can't boot my system, so I hope this fact doesn't deter someone from helping me.

Take care,

heks

In that case, let's start having a look at the master boot record of your drive.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer

  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:
    dd if=/dev/sda of=mbr.bin bs=512 count=1
  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.
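An added example (not from this thread, and not a tool of the helper's) of how the mbr.bin produced by the dd command above can be triaged on the clean computer before anyone writes a new boot sector: it checks the 0x55AA signature, parses the four partition entries, compares the bootstrap code against the prologue Microsoft's MBR code starts with, and hashes only the code region so a known-good copy from a machine with the same Windows version can be compared despite a different partition table. Both 512-byte inputs are constructed inline; the tampered one opens with the register setup Gmer prints later in this thread (cld / xor ax,ax / mov ss,ax / xor sp,sp) and hides a non-zero extent in a nominally empty slot.

```python
"""Triage a raw 512-byte MBR dump (mbr.bin) for signs of tampering."""
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
# Opening bytes shared by Microsoft's XP and Vista/7 MBR code:
# 33 C0 = xor ax,ax ; 8E D0 = mov ss,ax ; BC 00 7C = mov sp,0x7C00
MS_PROLOGUE = bytes.fromhex("33c08ed0bc007c")


def parse_partitions(mbr: bytes) -> List[Dict[str, int]]:
    """Decode the four 16-byte partition entries that start at offset 0x1BE."""
    entries = []
    for i in range(4):
        raw = mbr[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)]
        lba_start, sectors = struct.unpack_from("<II", raw, 8)
        entries.append({"index": i, "status": raw[0], "type": raw[4],
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def code_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only (offsets 0..0x1BD), so two clean
    MBRs from the same Windows version match even with different tables."""
    return hashlib.sha256(mbr[:0x1BE]).hexdigest()


def triage_mbr(mbr: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked odd."""
    findings = []
    if len(mbr) != SECTOR:
        return [f"unexpected length {len(mbr)} bytes (expected {SECTOR})"]
    if mbr[510:512] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    if not mbr.startswith(MS_PROLOGUE):
        findings.append("bootstrap code does not begin with the Microsoft MBR prologue")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append(f"entry {p['index']}: type 0 but non-zero extent "
                            f"(LBA {p['lba_start']}, {p['sectors']} sectors)")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"entry {p['index']}: zero-length partition")
    extents = sorted((p["lba_start"], p["lba_start"] + p["sectors"])
                     for p in parts if p["type"] != 0)
    for (_a_start, a_end), (b_start, _b_end) in zip(extents, extents[1:]):
        if b_start < a_end:
            findings.append(f"partition extents overlap at LBA {b_start}")
    return findings


def build_mbr(code: bytes, parts, signature: bytes = b"\x55\xaa") -> bytes:
    """Constructed test helper: assemble a sector from code bytes and
    (status, type, lba_start, sectors) tuples."""
    body = code.ljust(0x1BE, b"\x00")[:0x1BE]
    table = b"".join(bytes([status, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", lba, size)
                     for status, ptype, lba, size in parts)
    return body + table.ljust(64, b"\x00") + signature


# Constructed samples, not real dumps: a clean-looking sector with one active NTFS
# partition, and a tampered one whose code starts with the register setup shown in
# the Gmer trace in this thread and whose empty second slot points past the real partition.
CLEAN_MBR = build_mbr(MS_PROLOGUE + bytes.fromhex("fb5007501ffc"), [(0x80, 0x07, 63, 1_000_000)])
TAMPERED_MBR = build_mbr(bytes.fromhex("fc33c08ed033e4"),
                         [(0x80, 0x07, 63, 1_000_000), (0x00, 0x00, 1_000_063, 2048)])

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(f"{name}: code sha256 {code_fingerprint(sector)[:16]}...")
        for finding in triage_mbr(sector) or ["no findings"]:
            print("  -", finding)
```

To use it on a real dump, read mbr.bin with `open("mbr.bin", "rb").read()` and pass it to `triage_mbr`; a prologue mismatch alone is a prompt to compare fingerprints with a known-good copy, not proof of infection.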

The MBR is indeed infected, which is most possibly causing the problem.

Try this please. You will need a USB drive.

  • Download xPUDtestdisk.exe and save it to the USB device
  • Double click xPUDtestdisk.exe to extract the contents to your USB device
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type testdisk/testdisk_static
  • Press Enter

The first screen will present log options - press Enter to continue.

TestDisk will scan the system and show drive information.

If more than 1 drive, select the correct drive, make sure [Proceed] is selected then press Enter to continue.

Select [intel] partition and press Enter to continue.

Select [MBR Code] and press Enter to continue.

Type Y when prompted to write a new mbr code to the first sector, then confirm at the next screen by typing Y again.

Press Q repeatedly until TestDisk exits then reboot.

Please rerun TestDisk as before. After choosing Intel, instead of MBR code, choose Analyse.

The next screen will list all found partitions. Press Enter to run a Quick Search.

When asked, say No to this screen:

You'll now see a list of partitions; at this point press Q until you exit and post the testdisk log created on your USB drive.

Please rerun TestDisk as before. After choosing Intel, instead of MBR code, choose Analyse.

Hi Elise,

I'm sorry, disregard my last post. I had stupidly left the USB drive plugged in and that's what was causing the "no bootable partition" message. Your last instructions did, indeed, get the system to boot, though it doesn't automatically recognize what drive to boot from (even though it used to), so I'm having to pull up the boot selection menu to choose the 2nd HDD in the list.

At this point the Privacy Protection malware seems to be gone, but my guess is that the system is not all well yet. Should I follow the instructions in your last post even though I've resolved this "no bootable partition" issue or should we proceed differently from here?

heks

What is the computer trying to boot from now if you don't bring up the Boot order menu?

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

What is the computer trying to boot from now if you don't bring up the Boot order menu?

It tries to boot from the other hard drive, which is listed as hdd 1 in the boot order menu.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Ok, here's the contents of the DDS.txt file:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Run by Ryan at 16:24:46 on 2011-11-08

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1588 [GMT -5:00]

.

AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Synergy\synergyc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [appMouseSched] rundll32.exe

mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [CTHelper] CTHELPER.EXE

mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun

mRun: [brMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\ryan\application data\mozilla\firefox\profiles\qjohnile.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: network.proxy.ftp - 151.100.59.11

FF - prefs.js: network.proxy.ftp_port - 3128

FF - prefs.js: network.proxy.gopher - 151.100.59.11

FF - prefs.js: network.proxy.gopher_port - 3128

FF - prefs.js: network.proxy.http - 151.100.59.11

FF - prefs.js: network.proxy.http_port - 3128

FF - prefs.js: network.proxy.socks - 151.100.59.11

FF - prefs.js: network.proxy.socks_port - 3128

FF - prefs.js: network.proxy.ssl - 151.100.59.11

FF - prefs.js: network.proxy.ssl_port - 3128

FF - component: c:\documents and settings\ryan\application data\mozilla\firefox\profiles\qjohnile.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\documents and settings\ryan\application data\mozilla\firefox\profiles\qjohnile.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll

FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Answers: {C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51} - %profile%\extensions\{C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51}

FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}

FF - Ext: UnPlug: unplug@compunach - %profile%\extensions\unplug@compunach

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-12-12 77312]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-8-2 11608]

R1 SASDIFSV;SASDIFSV;c:\docume~1\admini~1.lit\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2011-7-12 12880]

R1 SASKUTIL;SASKUTIL;c:\docume~1\admini~1.lit\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2011-7-12 67664]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-8-2 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-8-2 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-8-2 66616]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

.

=============== Created Last 30 ================

.

2011-11-07 05:52:37 -------- d-----w- c:\documents and settings\ryan\application data\Malwarebytes

2011-11-07 05:52:31 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-11-07 05:52:28 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-07 05:52:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

==================== Find3M ====================

.

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST350041 rev.CC34 -> Harddisk1\DR1 -> \Device\Scsi\viasraid1Port2Path0Target2Lun0

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe >>UNKNOWN [0x8A6958C0]<<

_asm { MOV EAX, 0x8a6957e0; XCHG [ESP], EAX; PUSH EAX; PUSH 0x8a69ca74; RET ; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; }

1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk1\DR1[0x8A645770]

\Driver\Disk[0x8A657A68] -> IRP_MJ_CREATE -> 0x8A6958C0

kernel: MBR read successfully

_asm { CLD ; XOR AX, AX; MOV SS, AX; XOR SP, SP; MOV DS, AX; MOV ES, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x100; REP MOVSW ; MOV SI, 0x7ee; MOV AL, 0x8; JMP FAR 0x0:0x620; }

detected disk devices:

detected hooks:

\Driver\Disk -> 0x8a6958c0

user & kernel MBR OK

Warning: possible MBR rootkit infection !

.

============= FINISH: 16:25:19.28 ===============

And here's attach.zip (attached).

Thanks,

heks
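An added example, not part of the thread and not a tool of the helper's, of the first-pass triage a helper applies to a DDS log like the one above: it flags a disabled or outdated AV, Firefox proxy settings pointing at a non-local host, drivers loading from a temp directory or registered without a file on disk, and in the Gmer section an unbacked module in the disk I/O path plus any hooked \Driver\ entries. The sample lines are constructed from this post's log, with a documentation-range address standing in for the real proxy host.

```python
"""Pull out the red flags a helper looks for in a DDS / Gmer log."""
import ipaddress
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.(\w+?)(_port)? - (\S+)$")
DRIVER_RE = re.compile(r"^([RS][0-4]) ([^;]+);[^;]*;(.+?) (\[.*\])$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(\\Driver\\\S+) -> (0x[0-9A-Fa-f]+)$")
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local_host(host: str) -> bool:
    """True for localhost or an address inside a loopback / RFC 1918 range."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def triage_dds(log_text: str) -> List[Finding]:
    """Scan DDS output line by line and return (severity, message) findings."""
    findings: List[Finding] = []
    proxies: Dict[str, List[str]] = {}  # protocol -> [host, port]
    in_hooks = False
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.startswith("AV:") and ("*Disabled" in line or "Outdated" in line):
            findings.append(("high", "antivirus not protecting: " + line[4:].split(" {")[0]))
            continue
        m = PROXY_RE.match(line)
        if m:  # collect host and port per protocol, judge them after the loop
            proto, is_port, value = m.groups()
            proxies.setdefault(proto, ["", ""])[1 if is_port else 0] = value
            continue
        m = DRIVER_RE.match(line)
        if m:
            _start, name, path, tail = m.groups()
            if "\\temp\\" in path.lower():
                findings.append(("medium", f"driver {name} loads from a temp directory: {path}"))
            if tail == "[?]":
                findings.append(("info", f"driver {name} is registered but its file was not found"))
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            findings.append(("high", f"disk I/O path runs through an unbacked module at {m.group(1)}"))
            continue
        if line == "detected hooks:":
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                findings.append(("high", f"kernel hook on {m.group(1)} -> {m.group(2)}"))
                continue
            in_hooks = False  # any other line ends the hook list
        if line.startswith("Warning: possible MBR rootkit"):
            findings.append(("high", "Gmer reports a possible MBR rootkit"))
    for proto, (host, port) in sorted(proxies.items()):
        if host and not is_local_host(host):
            findings.append(("high", f"Firefox {proto} proxy points at external host {host}:{port or '?'}"))
    return findings


# Constructed sample modelled on the DDS output posted above; the proxy address is a
# documentation-range placeholder, not the one from the real log.
SAMPLE_LOG = r"""
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
uInternet Settings,ProxyOverride = *.local
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.http - 203.0.113.10
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 203.0.113.10
FF - prefs.js: network.proxy.socks_port - 3128
R1 SASDIFSV;SASDIFSV;c:\docume~1\admini~1.lit\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2011-7-12 12880]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
called modules: ntkrnlpa.exe >>UNKNOWN [0x8A6958C0]<<
detected hooks:
\Driver\Disk -> 0x8a6958c0
user & kernel MBR OK
Warning: possible MBR rootkit infection !
"""

if __name__ == "__main__":
    for severity, message in triage_dds(SAMPLE_LOG):
        print(f"[{severity:6}] {message}")
```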

It tries to boot from the other hard drive, which is listed as hdd 1 in the boot order menu.
Can you change the boot order in BIOS so it will use the HD that contains your windows installation?

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Can you change the boot order in BIOS so it will use the HD that contains your windows installation?

My BIOS seems to have a password on it that I don't remember putting there, so it must have been added when the system was built. I'm looking into how to bypass it.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

TDSSKiller doesn't seem to find 'malicious objects' per se. It found two "suspicious objects" of "medium risk" ... Service: dtscsi & Service: sptd (both say "Locked file"). The default option for both is "Skip". "Cure" is not an option.

I left it on "Skip", pressed the "Continue" button, and closed the program.

What now?

heks

TDSSKiller doesn't seem to find 'malicious objects' per se. It found two "suspicious objects" of "medium risk" ... Service: dtscsi & Service: sptd (both say "Locked file"). The default option for both is "Skip". "Cure" is not an option.

I left it on "Skip", pressed the "Continue" button, and closed the program.

What now?

heks

There doesn't seem to be an option to edit my posts. Here's the contents of the TDSSKiller log:

04:09:23.0062 3228 TDSS rootkit removing tool 2.6.16.0 Nov 7 2011 16:26:51

04:09:23.0421 3228 ============================================================

04:09:23.0421 3228 Current date / time: 2011/11/09 04:09:23.0421

04:09:23.0421 3228 SystemInfo:

04:09:23.0421 3228

04:09:23.0421 3228 OS Version: 5.1.2600 ServicePack: 3.0

04:09:23.0421 3228 Product type: Workstation

04:09:23.0421 3228 ComputerName: ******

04:09:23.0421 3228 UserName: Ryan

04:09:23.0421 3228 Windows directory: C:\WINDOWS

04:09:23.0421 3228 System windows directory: C:\WINDOWS

04:09:23.0421 3228 Processor architecture: Intel x86

04:09:23.0421 3228 Number of processors: 1

04:09:23.0421 3228 Page size: 0x1000

04:09:23.0421 3228 Boot type: Normal boot

04:09:23.0421 3228 ============================================================

04:09:23.0812 3228 Initialize success

04:09:55.0125 3100 ============================================================

04:09:55.0125 3100 Scan started

04:09:55.0125 3100 Mode: Manual;

04:09:55.0125 3100 ============================================================

04:09:58.0421 3100 dtscsi (12aca694b50ea53563c1e7c99e7bb27d) C:\WINDOWS\System32\Drivers\dtscsi.sys

04:09:58.0421 3100 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\dtscsi.sys. md5: 12aca694b50ea53563c1e7c99e7bb27d

04:09:58.0421 3100 dtscsi ( LockedFile.Multi.Generic ) - warning

04:09:58.0421 3100 dtscsi - detected LockedFile.Multi.Generic (1)


04:09:59.0578 3100 IpInIp - ok

04:09:59.0625 3100 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

04:09:59.0640 3100 IpNat - ok

04:09:59.0687 3100 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

04:09:59.0687 3100 IPSec - ok

04:09:59.0718 3100 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

04:09:59.0734 3100 IRENUM - ok

04:09:59.0765 3100 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

04:09:59.0781 3100 isapnp - ok

04:09:59.0812 3100 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

04:09:59.0828 3100 Kbdclass - ok

04:09:59.0859 3100 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

04:09:59.0859 3100 kbdhid - ok

04:09:59.0921 3100 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

04:09:59.0937 3100 kmixer - ok

04:09:59.0984 3100 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

04:10:00.0000 3100 KSecDD - ok

04:10:00.0015 3100 lbrtfdc - ok

04:10:00.0062 3100 MBAMSwissArmy - ok

04:10:00.0125 3100 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

04:10:00.0125 3100 mnmdd - ok

04:10:00.0171 3100 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

04:10:00.0171 3100 Modem - ok

04:10:00.0218 3100 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

04:10:00.0218 3100 Mouclass - ok

04:10:00.0250 3100 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

04:10:00.0250 3100 mouhid - ok

04:10:00.0265 3100 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

04:10:00.0281 3100 MountMgr - ok

04:10:00.0296 3100 mraid35x - ok

04:10:00.0343 3100 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

04:10:00.0343 3100 MRxDAV - ok

04:10:00.0406 3100 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

04:10:00.0437 3100 MRxSmb - ok

04:10:00.0453 3100 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

04:10:00.0468 3100 Msfs - ok

04:10:00.0515 3100 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

04:10:00.0531 3100 MSKSSRV - ok

04:10:00.0578 3100 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

04:10:00.0578 3100 MSPCLOCK - ok

04:10:00.0609 3100 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

04:10:00.0609 3100 MSPQM - ok

04:10:00.0656 3100 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

04:10:00.0656 3100 mssmbios - ok

04:10:00.0718 3100 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

04:10:00.0734 3100 Mup - ok

04:10:00.0765 3100 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

04:10:00.0781 3100 NDIS - ok

04:10:00.0828 3100 ndiscm (b797ee2ef919c95561dee78b72b33e5b) C:\WINDOWS\system32\DRIVERS\NetMotCM.sys

04:10:00.0828 3100 ndiscm - ok

04:10:00.0859 3100 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

04:10:00.0859 3100 NdisTapi - ok

04:10:00.0890 3100 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

04:10:00.0890 3100 Ndisuio - ok

04:10:00.0937 3100 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

04:10:00.0953 3100 NdisWan - ok

04:10:01.0000 3100 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

04:10:01.0000 3100 NDProxy - ok

04:10:01.0031 3100 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

04:10:01.0046 3100 NetBIOS - ok

04:10:01.0078 3100 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

04:10:01.0093 3100 NetBT - ok

04:10:01.0171 3100 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

04:10:01.0171 3100 NIC1394 - ok

04:10:01.0203 3100 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

04:10:01.0203 3100 Npfs - ok

04:10:01.0234 3100 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

04:10:01.0250 3100 Ntfs - ok

04:10:01.0312 3100 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

04:10:01.0312 3100 Null - ok

04:10:01.0343 3100 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

04:10:01.0343 3100 NwlnkFlt - ok

04:10:01.0359 3100 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

04:10:01.0375 3100 NwlnkFwd - ok

04:10:01.0421 3100 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

04:10:01.0421 3100 ohci1394 - ok

04:10:01.0468 3100 ossrv (61c85afeaa6ef0c1b32d43f84f7bfbcf) C:\WINDOWS\system32\drivers\ctoss2k.sys

04:10:01.0468 3100 ossrv - ok

04:10:01.0500 3100 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

04:10:01.0515 3100 Parport - ok

04:10:01.0531 3100 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

04:10:01.0531 3100 PartMgr - ok

04:10:01.0578 3100 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

04:10:01.0578 3100 ParVdm - ok

04:10:01.0625 3100 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

04:10:01.0640 3100 PCI - ok

04:10:01.0656 3100 PCIDump - ok

04:10:01.0671 3100 PCIIde - ok

04:10:01.0718 3100 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

04:10:01.0718 3100 Pcmcia - ok

04:10:01.0765 3100 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys

04:10:01.0781 3100 pcouffin - ok

04:10:01.0796 3100 PDCOMP - ok

04:10:01.0812 3100 PDFRAME - ok

04:10:01.0828 3100 PDRELI - ok

04:10:01.0843 3100 PDRFRAME - ok

04:10:01.0875 3100 perc2 - ok

04:10:01.0890 3100 perc2hib - ok

04:10:01.0968 3100 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

04:10:01.0968 3100 PptpMiniport - ok

04:10:02.0000 3100 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

04:10:02.0015 3100 Processor - ok

04:10:02.0046 3100 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

04:10:02.0062 3100 PSched - ok

04:10:02.0078 3100 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

04:10:02.0093 3100 Ptilink - ok

04:10:02.0140 3100 PxHelp20 (d970470f8f39470bdae94d313a1ccdce) C:\WINDOWS\system32\Drivers\PxHelp20.sys

04:10:02.0140 3100 PxHelp20 - ok

04:10:02.0156 3100 ql1080 - ok

04:10:02.0187 3100 Ql10wnt - ok

04:10:02.0203 3100 ql12160 - ok

04:10:02.0218 3100 ql1240 - ok

04:10:02.0234 3100 ql1280 - ok

04:10:02.0265 3100 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

04:10:02.0265 3100 RasAcd - ok

04:10:02.0312 3100 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

04:10:02.0312 3100 Rasl2tp - ok

04:10:02.0343 3100 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

04:10:02.0343 3100 RasPppoe - ok

04:10:02.0375 3100 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

04:10:02.0375 3100 Raspti - ok

04:10:02.0421 3100 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

04:10:02.0437 3100 Rdbss - ok

04:10:02.0453 3100 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

04:10:02.0453 3100 RDPCDD - ok

04:10:02.0500 3100 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

04:10:02.0515 3100 rdpdr - ok

04:10:02.0562 3100 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

04:10:02.0578 3100 RDPWD - ok

04:10:02.0625 3100 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

04:10:02.0625 3100 redbook - ok

04:10:02.0703 3100 RT2500 (ae1e626f00180bfb3ca5a81fffc65332) C:\WINDOWS\system32\DRIVERS\RT2500.sys

04:10:02.0718 3100 RT2500 - ok

04:10:02.0828 3100 SASDIFSV (4bfbb868c869a4f8486d4c36849d59cf) C:\DOCUME~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS

04:10:02.0828 3100 SASDIFSV - ok

04:10:02.0859 3100 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\DOCUME~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS

04:10:02.0859 3100 SASKUTIL - ok

04:10:02.0984 3100 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

04:10:02.0984 3100 Secdrv - ok

04:10:03.0031 3100 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

04:10:03.0031 3100 serenum - ok

04:10:03.0046 3100 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

04:10:03.0062 3100 Serial - ok

04:10:03.0109 3100 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

04:10:03.0109 3100 Sfloppy - ok

04:10:03.0140 3100 Simbad - ok

04:10:03.0171 3100 Sparrow - ok

04:10:03.0203 3100 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

04:10:03.0203 3100 splitter - ok

04:10:03.0281 3100 sptd (9be313c5e6cd3e5dee5f94fbb5ca3ca4) C:\WINDOWS\system32\Drivers\sptd.sys

04:10:03.0281 3100 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 9be313c5e6cd3e5dee5f94fbb5ca3ca4

04:10:03.0281 3100 sptd ( LockedFile.Multi.Generic ) - warning

04:10:03.0281 3100 sptd - detected LockedFile.Multi.Generic (1)

04:10:03.0312 3100 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

04:10:03.0328 3100 sr - ok

04:10:03.0375 3100 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

04:10:03.0390 3100 Srv - ok

04:10:03.0437 3100 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys

04:10:03.0453 3100 ssmdrv - ok

04:10:03.0484 3100 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

04:10:03.0484 3100 swenum - ok

04:10:03.0531 3100 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

04:10:03.0531 3100 swmidi - ok

04:10:03.0562 3100 symc810 - ok

04:10:03.0578 3100 symc8xx - ok

04:10:03.0593 3100 sym_hi - ok

04:10:03.0625 3100 sym_u3 - ok

04:10:03.0656 3100 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

04:10:03.0671 3100 sysaudio - ok

04:10:03.0703 3100 tap0901 (60b6aedad7fc00a4d76a05bb8df5fe86) C:\WINDOWS\system32\DRIVERS\tap0901.sys

04:10:03.0718 3100 tap0901 - ok

04:10:03.0765 3100 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

04:10:03.0781 3100 Tcpip - ok

04:10:03.0828 3100 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

04:10:03.0828 3100 TDPIPE - ok

04:10:03.0859 3100 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

04:10:03.0859 3100 TDTCP - ok

04:10:03.0890 3100 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

04:10:03.0890 3100 TermDD - ok

04:10:03.0937 3100 TosIde - ok

04:10:03.0968 3100 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

04:10:03.0984 3100 Udfs - ok

04:10:04.0000 3100 ultra - ok

04:10:04.0046 3100 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

04:10:04.0062 3100 Update - ok

04:10:04.0109 3100 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

04:10:04.0109 3100 usbccgp - ok

04:10:04.0156 3100 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

04:10:04.0156 3100 usbehci - ok

04:10:04.0187 3100 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

04:10:04.0187 3100 usbhub - ok

04:10:04.0218 3100 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

04:10:04.0218 3100 usbprint - ok

04:10:04.0250 3100 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

04:10:04.0265 3100 USBSTOR - ok

04:10:04.0296 3100 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

04:10:04.0296 3100 usbuhci - ok

04:10:04.0328 3100 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

04:10:04.0328 3100 VgaSave - ok

04:10:04.0359 3100 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

04:10:04.0359 3100 ViaIde - ok

04:10:04.0375 3100 viasraid (ebe101c01d80a42868f57b327be1b564) C:\WINDOWS\system32\drivers\viasraid.sys

04:10:04.0375 3100 viasraid - ok

04:10:04.0421 3100 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

04:10:04.0421 3100 VolSnap - ok

04:10:04.0453 3100 vulfnths (c9a8ba443f809b70bccccd60cc73fa5c) C:\WINDOWS\System32\Drivers\vulfnth.sys

04:10:04.0453 3100 vulfnths - ok

04:10:04.0484 3100 vulfntrs (2d8c55889616f7767e9fb8adee37a02a) C:\WINDOWS\System32\Drivers\vulfntr.sys

04:10:04.0484 3100 vulfntrs - ok

04:10:04.0546 3100 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

04:10:04.0546 3100 Wanarp - ok

04:10:04.0562 3100 WDICA - ok

04:10:04.0609 3100 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

04:10:04.0609 3100 wdmaud - ok

04:10:04.0718 3100 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

04:10:04.0718 3100 WS2IFSL - ok

04:10:04.0765 3100 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

04:10:04.0781 3100 WudfPf - ok

04:10:04.0796 3100 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

04:10:04.0812 3100 WudfRd - ok

04:10:04.0890 3100 yukonwxp (4322c32ced8c4772e039616dcbf01d3f) C:\WINDOWS\system32\DRIVERS\yk51x86.sys

04:10:04.0890 3100 yukonwxp - ok

04:10:04.0937 3100 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk0\DR0

04:10:04.0953 3100 \Device\Harddisk0\DR0 - ok

04:10:04.0968 3100 MBR (0x1B8) (4c54042f5b2569c9ddcf173120d730f9) \Device\Harddisk1\DR1

04:10:04.0984 3100 \Device\Harddisk1\DR1 - ok

04:10:04.0984 3100 Boot (0x1200) (7e2101ff502a22a819189355cfcc2f5f) \Device\Harddisk0\DR0\Partition0

04:10:05.0000 3100 \Device\Harddisk0\DR0\Partition0 - ok

04:10:05.0000 3100 Boot (0x1200) (b3d460b15132a3a19c28ef33db100cc9) \Device\Harddisk1\DR1\Partition0

04:10:05.0000 3100 \Device\Harddisk1\DR1\Partition0 - ok

04:10:05.0015 3100 ============================================================

04:10:05.0015 3100 Scan finished

04:10:05.0015 3100 ============================================================

04:10:05.0031 3160 Detected object count: 2

04:10:05.0031 3160 Actual detected object count: 2

04:14:36.0671 3160 dtscsi ( LockedFile.Multi.Generic ) - skipped by user

04:14:36.0671 3160 dtscsi ( LockedFile.Multi.Generic ) - User select action: Skip

04:14:36.0671 3160 sptd ( LockedFile.Multi.Generic ) - skipped by user

04:14:36.0671 3160 sptd ( LockedFile.Multi.Generic ) - User select action: Skip

04:14:45.0828 3232 Deinitialize success

heks


I seem to have resolved my booting problem just by reversing the power cables that were plugged into the two drives.

TDSSKiller doesn't seem to find 'malicious objects' per se. It found two "suspicious objects" of "medium risk" ... Service: dtscsi & Service: sptd (both say "Locked file"). The default option for both is "Skip". "Cure" is not an option.

I left it on "Skip", pressed the "Continue" button, and closed the program.

What now?

heks

There doesn't seem to be an option to edit my posts. Here are the contents of the TDSSKiller log:

04:09:23.0062 3228 TDSS rootkit removing tool 2.6.16.0 Nov 7 2011 16:26:51

04:09:23.0421 3228 ============================================================

04:09:23.0421 3228 Current date / time: 2011/11/09 04:09:23.0421

04:09:23.0421 3228 SystemInfo:

04:09:23.0421 3228

04:09:23.0421 3228 OS Version: 5.1.2600 ServicePack: 3.0

04:09:23.0421 3228 Product type: Workstation

04:09:23.0421 3228 ComputerName: ******

04:09:23.0421 3228 UserName: Ryan

04:09:23.0421 3228 Windows directory: C:\WINDOWS

04:09:23.0421 3228 System windows directory: C:\WINDOWS

04:09:23.0421 3228 Processor architecture: Intel x86

04:09:23.0421 3228 Number of processors: 1

04:09:23.0421 3228 Page size: 0x1000

04:09:23.0421 3228 Boot type: Normal boot

04:09:23.0421 3228 ============================================================

04:09:23.0812 3228 Initialize success

04:09:55.0125 3100 ============================================================

04:09:55.0125 3100 Scan started

04:09:55.0125 3100 Mode: Manual;

04:09:55.0125 3100 ============================================================

04:09:55.0328 3100 Abiosdsk - ok

04:09:55.0343 3100 abp480n5 - ok

04:09:55.0406 3100 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

04:09:55.0406 3100 ACPI - ok

04:09:55.0437 3100 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

04:09:55.0453 3100 ACPIEC - ok

04:09:55.0484 3100 adfs (6d7f09cd92a9fef3a8efce66231fdd79) C:\WINDOWS\system32\drivers\adfs.sys

04:09:55.0500 3100 adfs - ok

04:09:55.0515 3100 adpu160m - ok

04:09:55.0578 3100 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

04:09:55.0593 3100 aec - ok

04:09:55.0656 3100 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

04:09:55.0656 3100 AFD - ok

04:09:55.0671 3100 Aha154x - ok

04:09:55.0703 3100 aic78u2 - ok

04:09:55.0718 3100 aic78xx - ok

04:09:55.0750 3100 AliIde - ok

04:09:55.0796 3100 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys

04:09:55.0812 3100 AmdPPM - ok

04:09:55.0828 3100 amsint - ok

04:09:55.0890 3100 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

04:09:55.0906 3100 Arp1394 - ok

04:09:55.0906 3100 asc - ok

04:09:55.0937 3100 asc3350p - ok

04:09:55.0953 3100 asc3550 - ok

04:09:56.0000 3100 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

04:09:56.0015 3100 AsyncMac - ok

04:09:56.0046 3100 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

04:09:56.0062 3100 atapi - ok

04:09:56.0078 3100 Atdisk - ok

04:09:56.0203 3100 ati2mtag (e9375396f55b58c2042c7c9844d297e3) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

04:09:56.0234 3100 ati2mtag - ok

04:09:56.0265 3100 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

04:09:56.0281 3100 Atmarpc - ok

04:09:56.0328 3100 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

04:09:56.0328 3100 audstub - ok

04:09:56.0484 3100 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys

04:09:56.0484 3100 avgio - ok

04:09:56.0593 3100 avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\WINDOWS\system32\DRIVERS\avgntflt.sys

04:09:56.0593 3100 avgntflt - ok

04:09:56.0640 3100 avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\WINDOWS\system32\DRIVERS\avipbb.sys

04:09:56.0640 3100 avipbb - ok

04:09:56.0687 3100 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

04:09:56.0687 3100 Beep - ok

04:09:56.0734 3100 BrScnUsb (92a964547b96d697e5e9ed43b4297f5a) C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys

04:09:56.0734 3100 BrScnUsb - ok

04:09:56.0765 3100 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

04:09:56.0765 3100 cbidf2k - ok

04:09:56.0781 3100 cd20xrnt - ok

04:09:56.0812 3100 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

04:09:56.0812 3100 Cdaudio - ok

04:09:56.0843 3100 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

04:09:56.0859 3100 Cdfs - ok

04:09:56.0906 3100 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

04:09:56.0906 3100 Cdrom - ok

04:09:56.0921 3100 Changer - ok

04:09:56.0968 3100 CmdIde - ok

04:09:57.0015 3100 COMMONFX.DLL (1ef05b641e9a67ded74ac8ad40055dbf) C:\WINDOWS\system32\COMMONFX.DLL

04:09:57.0031 3100 COMMONFX.DLL - ok

04:09:57.0062 3100 Cpqarray - ok

04:09:57.0109 3100 CT20XUT.DLL (6191a973461852a09d643609e1d5f7c6) C:\WINDOWS\system32\CT20XUT.DLL

04:09:57.0125 3100 CT20XUT.DLL - ok

04:09:57.0171 3100 ctac32k (8ac5f77e30e37d2d11bd99eff0c53d8c) C:\WINDOWS\system32\drivers\ctac32k.sys

04:09:57.0187 3100 ctac32k - ok

04:09:57.0234 3100 ctaud2k (673241d314e932f4890509ae8ebf26db) C:\WINDOWS\system32\drivers\ctaud2k.sys

04:09:57.0234 3100 ctaud2k - ok

04:09:57.0296 3100 CTAUDFX.DLL (472b82d7e549e7fab428852e4d16f21d) C:\WINDOWS\system32\CTAUDFX.DLL

04:09:57.0296 3100 CTAUDFX.DLL - ok

04:09:57.0390 3100 ctdvda2k (ed316d4c3d39c5b6c23de067e275c183) C:\WINDOWS\system32\drivers\ctdvda2k.sys

04:09:57.0421 3100 ctdvda2k - ok

04:09:57.0468 3100 CTEAPSFX.DLL (6a57f82009563aee8826f117e1d3c72c) C:\WINDOWS\system32\CTEAPSFX.DLL

04:09:57.0484 3100 CTEAPSFX.DLL - ok

04:09:57.0546 3100 CTEDSPFX.DLL (c8ac1ffaeadd655193d7b1811a572d8d) C:\WINDOWS\system32\CTEDSPFX.DLL

04:09:57.0562 3100 CTEDSPFX.DLL - ok

04:09:57.0593 3100 CTEDSPIO.DLL (44495d9daf675257d00b25b041ee6667) C:\WINDOWS\system32\CTEDSPIO.DLL

04:09:57.0609 3100 CTEDSPIO.DLL - ok

04:09:57.0640 3100 CTEDSPSY.DLL (8e90b1762cb42e2fc76dac9210c83c66) C:\WINDOWS\system32\CTEDSPSY.DLL

04:09:57.0656 3100 CTEDSPSY.DLL - ok

04:09:57.0687 3100 CTERFXFX.DLL (d3fbd9983325435b06795f29cb57ed3d) C:\WINDOWS\system32\CTERFXFX.DLL

04:09:57.0687 3100 CTERFXFX.DLL - ok

04:09:57.0765 3100 CTEXFIFX.DLL (2c48e9d8ca703964463f27ae341115b7) C:\WINDOWS\system32\CTEXFIFX.DLL

04:09:57.0796 3100 CTEXFIFX.DLL - ok

04:09:57.0828 3100 CTHWIUT.DLL (f7657c598e7c29c6683c1e4a8dd68884) C:\WINDOWS\system32\CTHWIUT.DLL

04:09:57.0843 3100 CTHWIUT.DLL - ok

04:09:57.0890 3100 ctprxy2k (34e7f8a499fd8361df14fedb724c0ad3) C:\WINDOWS\system32\drivers\ctprxy2k.sys

04:09:57.0890 3100 ctprxy2k - ok

04:09:57.0921 3100 CTSBLFX.DLL (679ae21eb7f48a08184813aebabdec7c) C:\WINDOWS\system32\CTSBLFX.DLL

04:09:57.0937 3100 CTSBLFX.DLL - ok

04:09:57.0984 3100 ctsfm2k (32098497cb4dfe9ea7660fa62dd91060) C:\WINDOWS\system32\drivers\ctsfm2k.sys

04:09:57.0984 3100 ctsfm2k - ok

04:09:58.0000 3100 dac2w2k - ok

04:09:58.0031 3100 dac960nt - ok

04:09:58.0078 3100 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

04:09:58.0093 3100 Disk - ok

04:09:58.0156 3100 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

04:09:58.0171 3100 dmboot - ok

04:09:58.0203 3100 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

04:09:58.0218 3100 dmio - ok

04:09:58.0234 3100 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

04:09:58.0234 3100 dmload - ok

04:09:58.0296 3100 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

04:09:58.0312 3100 DMusic - ok

04:09:58.0343 3100 dpti2o - ok

04:09:58.0359 3100 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

04:09:58.0359 3100 drmkaud - ok

04:09:58.0421 3100 dtscsi (12aca694b50ea53563c1e7c99e7bb27d) C:\WINDOWS\System32\Drivers\dtscsi.sys

04:09:58.0421 3100 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\dtscsi.sys. md5: 12aca694b50ea53563c1e7c99e7bb27d

04:09:58.0421 3100 dtscsi ( LockedFile.Multi.Generic ) - warning

04:09:58.0421 3100 dtscsi - detected LockedFile.Multi.Generic (1)

04:09:58.0468 3100 emupia (2885f72d2daffd0329272f12e16d6579) C:\WINDOWS\system32\drivers\emupia2k.sys

04:09:58.0468 3100 emupia - ok

04:09:58.0546 3100 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

04:09:58.0562 3100 Fastfat - ok

04:09:58.0609 3100 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

04:09:58.0609 3100 Fdc - ok

04:09:58.0640 3100 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

04:09:58.0640 3100 Fips - ok

04:09:58.0671 3100 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

04:09:58.0671 3100 Flpydisk - ok

04:09:58.0703 3100 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

04:09:58.0718 3100 FltMgr - ok

04:09:58.0750 3100 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

04:09:58.0750 3100 Fs_Rec - ok

04:09:58.0765 3100 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

04:09:58.0781 3100 Ftdisk - ok

04:09:58.0812 3100 gagp30kx (3a74c423cf6bcca6982715878f450a3b) C:\WINDOWS\system32\DRIVERS\gagp30kx.sys

04:09:58.0812 3100 gagp30kx - ok

04:09:58.0859 3100 GEARAspiWDM (f2f431d1573ee632975c524418655b84) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

04:09:58.0859 3100 GEARAspiWDM - ok

04:09:58.0890 3100 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

04:09:58.0906 3100 Gpc - ok

04:09:58.0968 3100 ha10kx2k (da2c735b66d2e7b739f9a46146581a9d) C:\WINDOWS\system32\drivers\ha10kx2k.sys

04:09:58.0984 3100 ha10kx2k - ok

04:09:59.0015 3100 hap16v2k (5c7d6d68796e4621b4168c879908dae0) C:\WINDOWS\system32\drivers\hap16v2k.sys

04:09:59.0031 3100 hap16v2k - ok

04:09:59.0078 3100 hap17v2k (a595b88ad16d8b5693ddf08113caf30e) C:\WINDOWS\system32\drivers\hap17v2k.sys

04:09:59.0078 3100 hap17v2k - ok

04:09:59.0125 3100 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

04:09:59.0125 3100 hidusb - ok

04:09:59.0140 3100 hpn - ok

04:09:59.0203 3100 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

04:09:59.0203 3100 HTTP - ok

04:09:59.0218 3100 i2omgmt - ok

04:09:59.0250 3100 i2omp - ok

04:09:59.0296 3100 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

04:09:59.0312 3100 i8042prt - ok

04:09:59.0390 3100 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

04:09:59.0406 3100 Imapi - ok

04:09:59.0421 3100 ini910u - ok

04:09:59.0453 3100 IntelIde - ok

04:09:59.0500 3100 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

04:09:59.0515 3100 Ip6Fw - ok

04:09:59.0546 3100 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

04:09:59.0562 3100 IpFilterDriver - ok

04:09:59.0578 3100 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

04:09:59.0578 3100 IpInIp - ok

04:09:59.0625 3100 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

04:09:59.0640 3100 IpNat - ok

04:09:59.0687 3100 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

04:09:59.0687 3100 IPSec - ok

04:09:59.0718 3100 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

04:09:59.0734 3100 IRENUM - ok

04:09:59.0765 3100 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

04:09:59.0781 3100 isapnp - ok

04:09:59.0812 3100 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

04:09:59.0828 3100 Kbdclass - ok

04:09:59.0859 3100 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

04:09:59.0859 3100 kbdhid - ok

04:09:59.0921 3100 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

04:09:59.0937 3100 kmixer - ok

04:09:59.0984 3100 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

04:10:00.0000 3100 KSecDD - ok

04:10:00.0015 3100 lbrtfdc - ok

04:10:00.0062 3100 MBAMSwissArmy - ok

04:10:00.0125 3100 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

04:10:00.0125 3100 mnmdd - ok

04:10:03.0281 3100 sptd (9be313c5e6cd3e5dee5f94fbb5ca3ca4) C:\WINDOWS\system32\Drivers\sptd.sys

04:10:03.0281 3100 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 9be313c5e6cd3e5dee5f94fbb5ca3ca4

04:10:03.0281 3100 sptd ( LockedFile.Multi.Generic ) - warning

04:10:03.0281 3100 sptd - detected LockedFile.Multi.Generic (1)

04:10:05.0015 3100 ============================================================

04:10:05.0015 3100 Scan finished

04:10:05.0015 3100 ============================================================

04:10:05.0031 3160 Detected object count: 2

04:10:05.0031 3160 Actual detected object count: 2

04:14:36.0671 3160 dtscsi ( LockedFile.Multi.Generic ) - skipped by user

04:14:36.0671 3160 dtscsi ( LockedFile.Multi.Generic ) - User select action: Skip

04:14:36.0671 3160 sptd ( LockedFile.Multi.Generic ) - skipped by user

04:14:36.0671 3160 sptd ( LockedFile.Multi.Generic ) - User select action: Skip

04:14:45.0828 3232 Deinitialize success

heks


There are still some leftovers that need to be cleaned up, as well as some malicious settings, so let's work on that next. :)

COMBOFIX

---------------

Please download ComboFix from one of these locations:

  • Bleepingcomputer
  • ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[screenshot: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Hi Elise,

There are still some leftovers that need to be cleaned up, as well as some malicious settings, so let's work on that next. :)

COMBOFIX

---------------

Please download ComboFix from one of these locations:

(SNIPPED)

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

Here's the ComboFix log...

ComboFix 11-11-10.02 - Ryan 11/10/2011 11:37:25.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1500 [GMT -5:00]

Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\Ryan\Application Data\Adobe\plugs

c:\documents and settings\Ryan\Application Data\Adobe\shed

c:\documents and settings\Ryan\Application Data\inst.exe

c:\documents and settings\Ryan\Application Data\mIRC\logs\status.log

c:\documents and settings\Ryan\WINDOWS

.

.

((((((((((((((((((((((((( Files Created from 2011-10-10 to 2011-11-10 )))))))))))))))))))))))))))))))

.

.

2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\documents and settings\Ryan\Application Data\Malwarebytes

2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-07 05:52 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2006-02-23 12:16 . 2009-07-20 22:18 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll

2006-02-23 12:16 . 2009-07-20 22:18 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll

.

c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl .exe
c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VERSIO~2 .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe
c:\program files\DAEMON Tools\daemon .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
c:\program files\ScanSoft\PaperPort\IndexSearch .exe
c:\program files\ScanSoft\PaperPort\Ereg\Ereg .exe
c:\windows\system32\CTXFIHLP .exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"appMouseSched"="" [N/A]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-06 741376]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-06-08 40376]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk /p \??\G:\0autocheck autochk *

.

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.LITTLEBONES^Start Menu^Programs^Startup^dunoi.exe]

path=c:\documents and settings\Administrator.LITTLEBONES\Start Menu\Programs\Startup\dunoi.exe

backup=c:\windows\pss\dunoi.exeStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"iPod Service"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

"Bonjour Service"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\phpDesigner 2008\\phpDesigner2008.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\xampp\\mysql\\bin\\mysqld.exe"=

"c:\\xampp\\apache\\bin\\httpd.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"49156:TCP"= 49156:TCP:Vuze Port TCP

"49156:UDP"= 49156:UDP:Vuze Port UDP

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server

"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server

"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/20/2009 11:58 AM 642560]

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12/12/2003 10:49 AM 77312]

R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]

R1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/2/2011 12:53 PM 136360]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [7/25/2009 7:00 PM 47360]

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 216.254.141.2 209.90.160.222

FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\qjohnile.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: network.proxy.ftp - 151.100.59.11

FF - prefs.js: network.proxy.ftp_port - 3128

FF - prefs.js: network.proxy.gopher - 151.100.59.11

FF - prefs.js: network.proxy.gopher_port - 3128

FF - prefs.js: network.proxy.http - 151.100.59.11

FF - prefs.js: network.proxy.http_port - 3128

FF - prefs.js: network.proxy.socks - 151.100.59.11

FF - prefs.js: network.proxy.socks_port - 3128

FF - prefs.js: network.proxy.ssl - 151.100.59.11

FF - prefs.js: network.proxy.ssl_port - 3128

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Answers: {C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51} - %profile%\extensions\{C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51}

FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}

FF - Ext: UnPlug: unplug@compunach - %profile%\extensions\unplug@compunach

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-10 11:42

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,7c,0e,17,db,a3,03,48,a7,2d,f4,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,7c,0e,17,db,a3,03,48,a7,2d,f4,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(768)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2011-11-10 11:44:32

ComboFix-quarantined-files.txt 2011-11-10 16:44

.

Pre-Run: 433,995,689,984 bytes free

Post-Run: 436,240,900,096 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - ED486F042C89B3BFD72F92BAAB33C4BD

Take care,

heks


Have you set a Firefox network proxy yourself?

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


RenV::
c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl .exe
c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VERSIO~2 .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe
c:\program files\DAEMON Tools\daemon .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
c:\program files\ScanSoft\PaperPort\IndexSearch .exe
c:\program files\ScanSoft\PaperPort\Ereg\Ereg .exe
c:\windows\system32\CTXFIHLP .exe

Save this as CFScript.txt, in the same location as ComboFix.exe.

[screenshot: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

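The helper's last two posts pull three things out of the ComboFix log: the autostart executables renamed with a space before .exe (what the RenV:: directive restores), the Security Center and firewall values that have been switched off, and the Firefox proxy prefs she asks about. As an added triage example that is not ComboFix's or the forum's own code, the Python below runs those checks over constructed sample lines trimmed from the log posted above; the `triage`/`renv_script` names and the `Triage` class are my own.

```python
"""Triage a ComboFix log for the three findings discussed in this thread.
Added example; not ComboFix code.  Sample lines are constructed from the
posted log."""
import re
from dataclasses import dataclass, field

# Constructed sample, trimmed from the ComboFix log posted above.
SAMPLE_LOG = r"""
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\DAEMON Tools\daemon .exe
c:\windows\system32\CTXFIHLP .exe
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
FF - prefs.js: network.proxy.http - 151.100.59.11
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.ssl - 151.100.59.11
FF - prefs.js: browser.search.selectedEngine - Google
"""

# A full path whose file name carries a space before ".exe": the renamed
# original that a ComboFix "RenV::" directive puts back in place.
SPACED_EXE = re.compile(r"^([a-z]:\\.+?) \.exe\s*$", re.IGNORECASE)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# Two value spellings occur in the log: dword:00000001 and "= 0 (0x0)".
REG_VALUE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9a-f]{8})|(?P<dec>\d+)\s*\(0x[0-9a-f]+\))\s*$',
    re.IGNORECASE,
)
FF_PROXY = re.compile(r"^FF - (?:prefs|user)\.js: network\.proxy\.(?P<pref>\w+) - (?P<value>\S+)$")

# Registry values, with the setting of each, that switch off a Windows protection.
WEAKENING = {
    "AntiVirusOverride": 1,     # Security Center stops warning about the AV
    "FirewallOverride": 1,      # Security Center stops warning about the firewall
    "EnableFirewall": 0,        # Windows Firewall off for the standard profile
    "DisableNotifications": 1,  # firewall blocked-connection prompts suppressed
}


@dataclass
class Triage:
    renamed: list = field(default_factory=list)   # paths ending in " .exe"
    weakened: list = field(default_factory=list)  # (registry key, value name, value)
    proxies: dict = field(default_factory=dict)   # protocol -> (host, port or None)


def triage(log_text: str) -> Triage:
    """Walk the log line by line and collect the three finding types."""
    result = Triage()
    current_key = None
    hosts, ports = {}, {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SPACED_EXE.match(line):
            result.renamed.append(line)
            continue
        if m := REG_KEY.match(line):
            current_key = m.group("key")
            continue
        if m := REG_VALUE.match(line):
            value = int(m.group("hex"), 16) if m.group("hex") else int(m.group("dec"))
            name = m.group("name")
            if WEAKENING.get(name) == value:
                result.weakened.append((current_key, name, value))
            continue
        if m := FF_PROXY.match(line):
            pref, value = m.group("pref"), m.group("value")
            if pref.endswith("_port"):
                ports[pref[: -len("_port")]] = int(value)
            elif pref != "type":          # network.proxy.type is a mode number, not a host
                hosts[pref] = value
    # Pair each proxied protocol with its port; a host without a port is reported as None.
    for proto, host in hosts.items():
        result.proxies[proto] = (host, ports.get(proto))
    return result


def renv_script(renamed: list) -> str:
    """Emit the RenV:: block in the form the helper pasted into CFScript.txt."""
    return "RenV::\n" + "\n".join(renamed) + "\n"
```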

This topic is now closed to further replies.