
Address has been blocked - DDS scan



spandau
2010-11-02, 20:17
Hello again.

I have done what Tashi said to me; I have tried to scan with D.D.S. and I have waited not 3 minutes, as the black screen said to me, but more than half an hour, but... nothing - a logfile/report does not open; it seems that the infection prevents DDS from running. I cannot close the black screen.
It seems that there is a severe infection here.
The problem is again described below, in case there is another analyst who didn't read my previous post.
Another thing: concerning "Please do not use a usb/external hard drive that has been connected to the infected machine to transfer media", it is too late - I didn't know - so now I have a USB stick that is possibly infected; but for now, please help me with the computer and then... we will see.
Of course, I have done all that Tashi told me, Erunt and all...

Thank you,
Spandau

For some days, my security software Eset Smart Security 4.0.417.0 has been continuously giving me the following message:

"ESET SMART SECURITY

Address has been blocked
URL address:
lkckclckli1i.com/zK12S7gp893
IP address:
62.122.75.136:80"

This is only an example, URL and IP are changing each time.

peku006
2010-11-09, 10:57
Hi spandau

Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.

Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.

GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason(s) until it has 100% completed its scan, or attempted scan in case of some error etc!

Please post the results from the GMER scan in your reply.

Thanks peku006

spandau
2010-11-09, 19:23
Hello.

Thank you for help.
Below, the requested log.
Just some information, please; maybe it is important:
1. First scan: computer interrupted; I don't know where.
2. Second scan: computer interrupted again, at some movies on the C: drive; I have deleted the movies.
3. Third scan: at last, it works; but it didn't give me notice about rootkit activity.
4. In the log, before saving in txt format, the last sentence (about pciide.sys) was coloured in red.
5. Maybe this is relevant: when I go to Start / Windows Update, IE cannot display the webpage (of course, hi hi, I am connected to the net, it works fine).

Best regards,
Spandau

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-09 20:05:49
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort3 WDC_WD6400AACS-00G8B1 rev.05.04C05
Running: gmer.exe; Driver: C:\DOCUME~1\a\LOCALS~1\Temp\fgxoipoc.sys


---- System - GMER 1.0.15 ----

SSDT 892ED580 ZwAssignProcessToJobObject
SSDT spgc.sys ZwCreateKey [0xB9EA80E0]
SSDT 892EE100 ZwDebugActiveProcess
SSDT 892EDB30 ZwDuplicateObject
SSDT spgc.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spgc.sys ZwEnumerateValueKey [0xB9EC7030]
SSDT spgc.sys ZwOpenKey [0xB9EA80C0]
SSDT 892ECCC0 ZwOpenProcess
SSDT 892ECFC0 ZwOpenThread
SSDT 892ED9C0 ZwProtectVirtualMemory
SSDT spgc.sys ZwQueryKey [0xB9EC7108]
SSDT spgc.sys ZwQueryValueKey [0xB9EC6F88]
SSDT 892ED860 ZwSetContextThread
SSDT 892ED6E0 ZwSetInformationThread
SSDT 892EA700 ZwSetSecurityObject
SSDT spgc.sys ZwSetValueKey [0xB9EC719A]
SSDT 892ED420 ZwSuspendProcess
SSDT 892ED2C0 ZwSuspendThread
SSDT 892ECE50 ZwTerminateProcess
SSDT 892ED150 ZwTerminateThread
SSDT 892EDF50 ZwWriteVirtualMemory

INT 0x63 ? 89E56BF8
INT 0x63 ? 89E56BF8
INT 0x63 ? 89E56BF8
INT 0x63 ? 89E56BF8
INT 0x63 ? 89E56BF8
INT 0x83 ? 89E56BF8
INT 0x83 ? 89E56BF8
INT 0x83 ? 89BA0BF8
INT 0x83 ? 89E56BF8
INT 0x84 ? 89BA0BF8
INT 0x94 ? 89BA0BF8
INT 0xA4 ? 89BA0BF8
INT 0xA4 ? 89BA0BF8
INT 0xA4 ? 89BA0BF8
INT 0xA4 ? 89BA0BF8
INT 0xB4 ? 89BA0BF8

---- Kernel code sections - GMER 1.0.15 ----

? spgc.sys The system cannot find the file specified. !
.rsrc C:\WINDOWS\system32\drivers\pciide.sys entry point in ".rsrc" section [0xBA670814]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB7F6A360, 0x35483F, 0xE8000020]
.text USBPORT.SYS!DllUnload B7F4A8AC 5 Bytes JMP 89BA01D8
.text ay3b6lfo.SYS B7BEF386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ay3b6lfo.SYS B7BEF3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ay3b6lfo.SYS B7BEF3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text ay3b6lfo.SYS B7BEF3C9 1 Byte [2E]
.text ay3b6lfo.SYS B7BEF3C9 11 Bytes [2E, 00, 00, 00, 5C, 02, 00, ...] {ADD CS:[EAX], AL; ADD [EDX+EAX+0x0], BL; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[260] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\Explorer.EXE[320] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F6000A
.text C:\WINDOWS\Explorer.EXE[320] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00F7000A
.text C:\WINDOWS\Explorer.EXE[320] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D4000C
.text C:\WINDOWS\System32\svchost.exe[1660] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EE000A
.text C:\WINDOWS\System32\svchost.exe[1660] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00EF000A
.text C:\WINDOWS\System32\svchost.exe[1660] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D9000C
.text C:\WINDOWS\System32\svchost.exe[1660] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 010D000A
.text C:\WINDOWS\system32\wuauclt.exe[2432] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F9000A
.text C:\WINDOWS\system32\wuauclt.exe[2432] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00FA000A
.text C:\WINDOWS\system32\wuauclt.exe[2432] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00F8000C

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spgc.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA913C] spgc.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA90BE] spgc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA97FC] spgc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA96D2] spgc.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB9048] spgc.sys
IAT \SystemRoot\System32\Drivers\ay3b6lfo.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\ay3b6lfo.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304
IAT \SystemRoot\System32\Drivers\ay3b6lfo.SYS[HAL.dll!KeGetCurrentIrql] CB033043
IAT \SystemRoot\System32\Drivers\ay3b6lfo.SYS[HAL.dll!KfRaiseIrql] 0673C13B
IAT \SystemRoot\System32\Drivers\ay3b6lfo.SYS[HAL.dll!KfLowerIrql] C13B0003
IAT \SystemRoot\System32\Drivers\ay3b6lfo.SYS[HAL.dll!HalGetInterruptVector] 8366FA72
IAT \SystemRoot\System32\Drivers\ay3b6lfo.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B
IAT \SystemRoot\System32\Drivers\ay3b6lfo.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3
IAT \SystemRoot\System32\Drivers\ay3b6lfo.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00
IAT \SystemRoot\System32\Drivers\ay3b6lfo.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F
IAT \SystemRoot\System32\Drivers\ay3b6lfo.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\ay3b6lfo.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A
IAT \SystemRoot\System32\Drivers\ay3b6lfo.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400
IAT \SystemRoot\System32\Drivers\ay3b6lfo.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200
IAT \SystemRoot\System32\Drivers\ay3b6lfo.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89E551F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

Device \Driver\PCI_PNP5630 \Device\00000043 spgc.sys
Device \Driver\usbuhci \Device\USBPDO-0 89B9F1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89DE31F8
Device \Driver\dmio \Device\DmControl\DmConfig 89DE31F8
Device \Driver\dmio \Device\DmControl\DmPnP 89DE31F8
Device \Driver\dmio \Device\DmControl\DmInfo 89DE31F8
Device \Driver\usbuhci \Device\USBPDO-1 89B9F1F8
Device \Driver\usbuhci \Device\USBPDO-2 89B9F1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{892781EA-94A8-4939-B829-BD66217FEE7D} 894321F8
Device \Driver\usbehci \Device\USBPDO-3 89B701F8
Device \Driver\usbuhci \Device\USBPDO-4 89B9F1F8

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

Device \Driver\usbuhci \Device\USBPDO-5 89B9F1F8
Device \Driver\usbuhci \Device\USBPDO-6 89B9F1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89E571F8
Device \Driver\usbehci \Device\USBPDO-7 89B701F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89E571F8
Device \Driver\Cdrom \Device\CdRom0 89B521F8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 89CDBAEA
Device \Driver\atapi \Device\Ide\IdePort0 [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 89CDBAEA
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 89CDBAEA
Device \Driver\atapi \Device\Ide\IdePort1 [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 89CDBAEA
Device \Driver\atapi \Device\Ide\IdePort2 [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 89CDBAEA
Device \Driver\atapi \Device\Ide\IdePort3 [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 89CDBAEA
Device \Driver\atapi \Device\Ide\IdePort4 [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 89CDBAEA
Device \Driver\atapi \Device\Ide\IdePort5 [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume3 89E571F8
Device \Driver\Cdrom \Device\CdRom1 89B521F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 894321F8
Device \Driver\NetBT \Device\NetbiosSmb 894321F8
Device \Driver\sptd \Device\2056155630 spgc.sys

AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

Device \Driver\usbuhci \Device\USBFDO-0 89B9F1F8
Device \Driver\usbstor \Device\0000007a 89A08500
Device \Driver\usbuhci \Device\USBFDO-1 89B9F1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8911C1F8
Device \Driver\usbuhci \Device\USBFDO-2 89B9F1F8
Device \Driver\usbstor \Device\0000007c 89A08500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8911C1F8
Device \Driver\usbehci \Device\USBFDO-3 89B701F8
Device \Driver\usbstor \Device\0000007d 89A08500
Device \Driver\usbuhci \Device\USBFDO-4 89B9F1F8
Device \Driver\Ftdisk \Device\FtControl 89E571F8
Device \Driver\usbstor \Device\0000007e 89A08500
Device \Driver\usbuhci \Device\USBFDO-5 89B9F1F8
Device \Driver\usbstor \Device\0000007f 89A08500
Device \Driver\usbuhci \Device\USBFDO-6 89B9F1F8
Device \Driver\usbehci \Device\USBFDO-7 89B701F8
Device \Driver\ay3b6lfo \Device\Scsi\ay3b6lfo1Port6Path0Target0Lun0 89A641F8
Device \Driver\ay3b6lfo \Device\Scsi\ay3b6lfo1 89A641F8
Device \FileSystem\Cdfs \Cdfs 89A09500
Device \Device\Ide\IdeDeviceP3T0L0-12 -> \??\IDE#DiskWDC_WD6400AACS-00G8B1___________________05.04C05#5&643f929&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7A 0xE9 0x89 0x07 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x03 0x43 0x4E 0x64 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEB 0xE2 0xC5 0xB1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7A 0xE9 0x89 0x07 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x03 0x43 0x4E 0x64 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEB 0xE2 0xC5 0xB1 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E18336E1-CC46-01E8-0635-1D16F4E8C193}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E18336E1-CC46-01E8-0635-1D16F4E8C193}@iaikjpapngokmnajhc 0x6A 0x61 0x6E 0x6F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E18336E1-CC46-01E8-0635-1D16F4E8C193}@haclppjemnmphfjm 0x6A 0x61 0x6E 0x6F ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 1250263472 (+254): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

peku006
2010-11-09, 19:52
Hi spandau

Ok........


Download TDSSKiller.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop.
Double-click TDSSKiller.exe to run it.
Under "Objects to scan" ensure both "Services and Drivers" and "Boot Sectors" are checked.
Click Start scan and allow it to scan for Malicious objects.
If malicious objects are found, the default action will be Cure, ensure Cure is selected then click Continue.
If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
A log will be created on your root (usually C:) drive. The log is named like UtilityName.Version_Date_Time_log.txt.
For example, C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt
If no reboot is required, click on Report. A log file should appear.
Please post the contents of the logfile in your next reply.

Thanks peku006

spandau
2010-11-09, 20:21
Hello.

Below, the requested log.
Well, until now no more annoying message.
WONDERFUL.
And I bet that also the Windows update is OK.
Please tell me what I do next.

Thank you,
Spandau


2010/11/09 21:04:25.0890 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22
2010/11/09 21:04:25.0890 ================================================================================
2010/11/09 21:04:25.0890 SystemInfo:
2010/11/09 21:04:25.0890
2010/11/09 21:04:25.0890 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/09 21:04:25.0890 Product type: Workstation
2010/11/09 21:04:25.0890 ComputerName: A-1D2D0368C7834
2010/11/09 21:04:25.0890 UserName: a
2010/11/09 21:04:25.0890 Windows directory: C:\WINDOWS
2010/11/09 21:04:25.0890 System windows directory: C:\WINDOWS
2010/11/09 21:04:25.0890 Processor architecture: Intel x86
2010/11/09 21:04:25.0890 Number of processors: 2
2010/11/09 21:04:25.0890 Page size: 0x1000
2010/11/09 21:04:25.0890 Boot type: Normal boot
2010/11/09 21:04:25.0890 ================================================================================
2010/11/09 21:04:26.0265 Initialize success
2010/11/09 21:04:48.0234 ================================================================================
2010/11/09 21:04:48.0234 Scan started
2010/11/09 21:04:48.0234 Mode: Manual;
2010/11/09 21:04:48.0234 ================================================================================
2010/11/09 21:04:48.0562 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/09 21:04:48.0593 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/11/09 21:04:48.0640 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/09 21:04:48.0671 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/11/09 21:04:48.0765 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/09 21:04:48.0781 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/09 21:04:48.0812 AtcL001 (19f277bc4ce5689f20f347a6b8aa8c42) C:\WINDOWS\system32\DRIVERS\atl01_xp.sys
2010/11/09 21:04:48.0843 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/09 21:04:48.0875 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/09 21:04:48.0906 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/09 21:04:48.0937 Cardex (04e1c782cf14b7282ebc633b0fd3ed16) C:\WINDOWS\system32\drivers\TBPANEL.SYS
2010/11/09 21:04:48.0953 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/09 21:04:48.0968 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/11/09 21:04:49.0000 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/09 21:04:49.0015 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/09 21:04:49.0031 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/09 21:04:49.0093 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/09 21:04:49.0140 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/09 21:04:49.0171 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/09 21:04:49.0171 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/09 21:04:49.0187 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/09 21:04:49.0203 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/09 21:04:49.0218 eamon (d4f94d45e25d764462a5b95bc426c8d0) C:\WINDOWS\system32\DRIVERS\eamon.sys
2010/11/09 21:04:49.0250 ehdrv (9456462c1425d2bbf1616edabfaba5f4) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
2010/11/09 21:04:49.0281 epfw (9957f65bedc0c5f654ff5be4552f3df7) C:\WINDOWS\system32\DRIVERS\epfw.sys
2010/11/09 21:04:49.0296 Epfwndis (a39214536abb60dc3ac73c6fc963e06d) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys
2010/11/09 21:04:49.0312 epfwtdi (7119e9001fbb9d562905cc3932400683) C:\WINDOWS\system32\DRIVERS\epfwtdi.sys
2010/11/09 21:04:49.0328 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/09 21:04:49.0343 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/11/09 21:04:49.0359 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/09 21:04:49.0359 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/11/09 21:04:49.0390 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/11/09 21:04:49.0390 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/09 21:04:49.0421 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/09 21:04:49.0437 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/09 21:04:49.0453 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/11/09 21:04:49.0500 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/11/09 21:04:49.0531 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/09 21:04:49.0562 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/11/09 21:04:49.0578 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/09 21:04:49.0671 IntcAzAudAddService (cbddab14249b2f05407fc09ab8fffb88) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/11/09 21:04:49.0703 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/11/09 21:04:49.0734 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/11/09 21:04:49.0750 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/09 21:04:49.0750 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/09 21:04:49.0765 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/09 21:04:49.0781 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/09 21:04:49.0812 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/09 21:04:49.0828 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/09 21:04:49.0828 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/09 21:04:49.0843 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/11/09 21:04:49.0875 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/11/09 21:04:49.0890 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/11/09 21:04:49.0906 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/11/09 21:04:49.0921 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/09 21:04:49.0921 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/11/09 21:04:49.0937 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/11/09 21:04:49.0953 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/11/09 21:04:49.0984 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/11/09 21:04:50.0000 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/11/09 21:04:50.0015 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/11/09 21:04:50.0031 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/11/09 21:04:50.0046 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/11/09 21:04:50.0078 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/11/09 21:04:50.0109 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/11/09 21:04:50.0140 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2010/11/09 21:04:50.0140 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/11/09 21:04:50.0171 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/11/09 21:04:50.0171 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/11/09 21:04:50.0187 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/11/09 21:04:50.0203 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/11/09 21:04:50.0218 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/11/09 21:04:50.0218 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/11/09 21:04:50.0234 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/11/09 21:04:50.0234 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/09 21:04:50.0250 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/09 21:04:50.0296 Nokia USB Generic (5abb6b2461c4eb0afdf1bf7f03963d59) C:\WINDOWS\system32\drivers\nmwcdc.sys
2010/11/09 21:04:50.0312 Nokia USB Modem (353c16d21eec1f11306270040b3713c1) C:\WINDOWS\system32\drivers\nmwcdcm.sys
2010/11/09 21:04:50.0328 Nokia USB Phone Parent (f5b1200c75b160c81e7e48cc0489aa5e) C:\WINDOWS\system32\drivers\nmwcd.sys
2010/11/09 21:04:50.0359 Nokia USB Port (353c16d21eec1f11306270040b3713c1) C:\WINDOWS\system32\drivers\nmwcdcj.sys
2010/11/09 21:04:50.0359 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/09 21:04:50.0390 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/11/09 21:04:50.0421 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/11/09 21:04:50.0546 nv (07e25fe08344021091f000d84611a2ab) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/11/09 21:04:50.0656 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/11/09 21:04:50.0671 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/11/09 21:04:50.0687 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/11/09 21:04:50.0687 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/11/09 21:04:50.0718 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/11/09 21:04:50.0718 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/09 21:04:50.0734 PCIIde (dd89e7d7915982f3273655f63ee1fe1e) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/11/09 21:04:50.0734 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pciide.sys. Real md5: dd89e7d7915982f3273655f63ee1fe1e, Fake md5: ccf5f451bb1a5a2a522a76e670000ff0
2010/11/09 21:04:50.0734 PCIIde - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/11/09 21:04:50.0765 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/11/09 21:04:50.0781 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
2010/11/09 21:04:50.0859 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/11/09 21:04:50.0859 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/11/09 21:04:50.0890 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/11/09 21:04:50.0921 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/11/09 21:04:50.0984 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/11/09 21:04:51.0000 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/11/09 21:04:51.0015 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/11/09 21:04:51.0015 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/11/09 21:04:51.0031 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/11/09 21:04:51.0046 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/11/09 21:04:51.0062 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/11/09 21:04:51.0078 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/11/09 21:04:51.0093 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/11/09 21:04:51.0109 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/11/09 21:04:51.0140 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/11/09 21:04:51.0140 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/11/09 21:04:51.0156 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/11/09 21:04:51.0203 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/11/09 21:04:51.0281 SNP2UVC (9e027c8ec85d33a0ac1f34bbac58763d) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
2010/11/09 21:04:51.0359 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/09 21:04:51.0406 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys
2010/11/09 21:04:51.0406 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b
2010/11/09 21:04:51.0406 sptd - detected Locked file (1)
2010/11/09 21:04:51.0421 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/09 21:04:51.0437 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/11/09 21:04:51.0453 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/11/09 21:04:51.0484 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/11/09 21:04:51.0500 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/11/09 21:04:51.0562 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/11/09 21:04:51.0656 TBPanel (04e1c782cf14b7282ebc633b0fd3ed16) C:\WINDOWS\system32\drivers\TBPanel.sys
2010/11/09 21:04:51.0687 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/09 21:04:51.0734 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/11/09 21:04:51.0750 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/11/09 21:04:51.0765 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/09 21:04:51.0890 TuneUpUtilitiesDrv (f2107c9d85ec0df116939ccce06ae697) C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys
2010/11/09 21:04:51.0890 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/11/09 21:04:51.0921 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/09 21:04:51.0953 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/11/09 21:04:51.0953 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/11/09 21:04:52.0000 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/11/09 21:04:52.0000 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/11/09 21:04:52.0031 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/11/09 21:04:52.0046 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/11/09 21:04:52.0046 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/11/09 21:04:52.0062 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2010/11/09 21:04:52.0093 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/11/09 21:04:52.0140 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/11/09 21:04:52.0156 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/11/09 21:04:52.0187 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/11/09 21:04:52.0234 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/11/09 21:04:52.0265 WFPVRBAR (ad54c6e174b220a7226ecd339425ad1e) C:\WINDOWS\system32\drivers\WFPVRBAR.sys
2010/11/09 21:04:52.0296 WFPVRENC (5258ad62098325736f0dc68e2a6b9470) C:\WINDOWS\system32\drivers\wfpvrenc.sys
2010/11/09 21:04:52.0312 WFPVRTUNER (0dd8e9e4ca0525bdb1bd17652f422bdf) C:\WINDOWS\system32\drivers\wfpvrtun.sys
2010/11/09 21:04:52.0343 WFPVRVIDEO (8e22bbdc0461deee73253e862da49656) C:\WINDOWS\system32\drivers\wfpvrcap.sys
2010/11/09 21:04:52.0375 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/11/09 21:04:52.0390 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/11/09 21:04:52.0406 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/11/09 21:04:52.0515 ================================================================================
2010/11/09 21:04:52.0515 Scan finished
2010/11/09 21:04:52.0515 ================================================================================
2010/11/09 21:04:52.0515 Detected object count: 2
2010/11/09 21:06:35.0812 PCIIde (dd89e7d7915982f3273655f63ee1fe1e) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/11/09 21:06:35.0812 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pciide.sys. Real md5: dd89e7d7915982f3273655f63ee1fe1e, Fake md5: ccf5f451bb1a5a2a522a76e670000ff0
2010/11/09 21:06:41.0906 Backup copy found, using it..
2010/11/09 21:06:41.0921 C:\WINDOWS\system32\DRIVERS\pciide.sys - will be cured after reboot
2010/11/09 21:06:41.0921 Rootkit.Win32.TDSS.tdl3(PCIIde) - User select action: Cure
2010/11/09 21:06:41.0921 Locked file(sptd) - User select action: Skip
2010/11/09 21:06:57.0750 Deinitialize success
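As an added illustration (not part of this thread, and not TDSSKiller's own code), a small Python parser that pulls the security-relevant entries out of a TDSSKiller log like the one above: a "Forged" entry, where the hash of the real file differs from the hash the driver stack reports, is the rootkit tell, while a "NoAccess"/"Locked" entry only says the file could not be read and needs a human look. The sample log is constructed from the detection lines posted above, with the clean driver entries left out.

```python
import re
from dataclasses import dataclass

# Constructed sample: the detection lines from the TDSSKiller log posted above,
# without the hundreds of clean driver entries.
SAMPLE_LOG = r"""
2010/11/09 21:04:51.0406 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys
2010/11/09 21:04:51.0406 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b
2010/11/09 21:04:51.0406 sptd - detected Locked file (1)
2010/11/09 21:04:52.0515 Detected object count: 2
2010/11/09 21:06:35.0812 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pciide.sys. Real md5: dd89e7d7915982f3273655f63ee1fe1e, Fake md5: ccf5f451bb1a5a2a522a76e670000ff0
2010/11/09 21:06:41.0921 Rootkit.Win32.TDSS.tdl3(PCIIde) - User select action: Cure
2010/11/09 21:06:41.0921 Locked file(sptd) - User select action: Skip
"""

SUSPICIOUS_RE = re.compile(
    r"^\S+ \S+ Suspicious file \((?P<kind>\w+)\): (?P<path>.+?)\. "
    r"(?:Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})"
    r"|md5: (?P<md5>[0-9a-f]{32}))$")
ACTION_RE = re.compile(r"^\S+ \S+ (?P<obj>.+?) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(r"Detected object count: (?P<n>\d+)$")

@dataclass
class Finding:
    kind: str       # TDSSKiller's label: Forged, NoAccess, ...
    path: str
    real_md5: str   # hash of the bytes actually on disk
    fake_md5: str   # hash of what the driver stack returned; empty unless Forged
    severity: str

def classify(kind: str) -> str:
    # Forged: reads through the driver stack return different bytes than the file
    # really holds, so something is interposed below the filesystem (the log above
    # attributes it to the PCIIde driver). NoAccess/Locked only says the file could
    # not be read; self-protecting legitimate drivers trigger it too, so review it.
    return "high" if kind == "Forged" else "review"

def parse_tdsskiller(text: str) -> dict:
    findings, actions, count = [], {}, 0
    for line in text.splitlines():
        if m := SUSPICIOUS_RE.match(line):
            real = m.group("real") or m.group("md5")
            findings.append(Finding(m.group("kind"), m.group("path"), real,
                                    m.group("fake") or "", classify(m.group("kind"))))
        elif m := ACTION_RE.match(line):
            actions[m.group("obj")] = m.group("action")   # what the user chose
        elif m := COUNT_RE.search(line):
            count = int(m.group("n"))
    return {"findings": findings, "actions": actions, "detected_count": count}
```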

peku006
2010-11-09, 21:17
Hi spandau

yeah, looks better.........

Download and Run Malwarebytes' Anti-Malware

Please save any items you were working on... close any open programs. You may be asked to reboot your machine.
Please download Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam-download.php) and save it to your desktop. If needed...Tutorial w/screenshots (http://thespykiller.co.uk/index.php/topic,5946.0.html)
Alternate download sites available here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or here (http://www.besttechie.net/tools/mbam-setup.exe).
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
Problems downloading the updates? Manually download them from here (http://malwarebytes.gt500.org/mbam-rules.exe) and double-click on "mbam-rules.exe" to install.
On the Scanner tab:
Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
We will take care of the System Volume Information items later.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Please reply with

Malwarebytes' Anti-Malware Log

Thanks peku006

spandau
2010-11-09, 22:20
Hello.

Below, the requested log.
I hope it is a good report.
Please tell me what I do next, and don't forget that I also have a USB stick suspected of being infected, because I used it during the period when the computer was infected.
Sorry.

Thank you,
Spandau

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5084

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

11/9/2010 11:02:21 PM
mbam-log-2010-11-09 (23-02-21).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 196203
Time elapsed: 18 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

peku006
2010-11-10, 10:13
Hi spandau

Scan your USB stick with mbam

Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic


Thanks peku006

spandau
2010-11-10, 17:43
Hello.

Below, the requested scan.
Additional information: MBAM has not detected any threat on my USB stick.

Thank you,
Spandau

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=95ff7597fec7b4488f1c8550d600e8ca
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-10 04:30:03
# local_time=2010-11-10 06:30:03 (+0200, E. Europe Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 46223663 46223663 0 0
# compatibility_mode=6912 16777215 100 0 0 0 0 0
# compatibility_mode=8202 22379861 100 100 5685 51956517 0 0
# scanned=55118
# found=1
# cleaned=1
# scan_time=1015
# nod_component=V3 Build:0x30000000
C:\WINDOWS\FixCamera.exe a variant of Win32/KillProc.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

peku006
2010-11-10, 19:57
Hi spandau

Security Check
Please download Security Check (http://screen317.spywareinfoforum.org/SecurityCheck.exe) ... by screen317. Save it to your desktop.
Alternate download site: Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
Double click the SecurityCheck.exe icon to begin.
Press the Space Bar when you see the "press any key to continue..." message.
A Notepad results file will open automatically called checkup.txt
Save "checkup.txt" to your desktop. (This output file is NOT automatically saved!)
Please copy/paste the entire contents of the checkup.txt file into your next reply.

Thanks peku006

spandau
2010-11-10, 20:47
Hello.

Below, the requested log.

Best regards,
Spandau

Results of screen317's Security Check version 0.99.6
Windows XP Service Pack 3 (UAC is disabled!)
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
ESET Online Scanner v3
ESET Smart Security
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
HijackThis 2.0.2
TuneUp Utilities
TuneUp Utilities Language Pack (en-US)
Adobe Flash Player
Adobe Reader 9.4.0
````````````````````````````````
Process Check:
objlist.exe by Laurent
````````````````````````````````
DNS Vulnerability Check:
Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

``````````End of Log````````````

peku006
2010-11-11, 09:13
Hi Spandau

all logs are ok......

How's the computer running now? Any problems?

Thanks peku006

spandau
2010-11-12, 19:46
Hello peku006.

Sorry for the delay, I'm not home all the time.
Yes, the computer is OK, it is running OK.
Now I saw that there is something strange: at start it shows me a white window named "Install manager", and then tells me that it can't .... I don't know what it can't do.
But first I will scan with all my software (in safe mode, I think it is better) and if this strange behavior repeats itself, I will open a new thread.
Until then, I thank you from the bottom of my heart.
You are people who are doing good without reward.
Unbelievable.
Great respect.
All the best and all the luck in the world to you and your family.

Best regards,
Spandau