
Thread: Click.GiftLoad Removal Help!

  1. #1
    Junior Member
    Join Date
    Mar 2011
    Posts
    7

    Click.GiftLoad Removal Help!

    Hello

    I know I'm new to the forum but please help! Recently I keep getting redirected when I search things on Google, get fake virus reports, and my sound suddenly stops working. In general my computer is a lot slower and I have to remove the Click.GiftLoad in Spybot every day to get my computer to run normally (but it won't stop appearing!). In my Task Manager there are also multiple svchost.exe processes running. I have run System Restore a couple of times but it hasn't done anything. Please help.

    Thanks,
    Alison

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Alison at 16:33:34.20 on Fri 03/18/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.92 [GMT -4:00]
    .
    FW: McAfee Personal Firewall Plus *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\Pen_Tablet.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
    C:\WINDOWS\system32\Pen_Tablet.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\stsystra.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\program files\real\realplayer\update\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\Alison\My Documents\Downloads\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.dell4me.com/mywaybiz
    uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
    uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html?p=DS
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    mURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: AOL Messaging Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    TB: AOL Messaging Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
    uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Google Update] "c:\documents and settings\alison\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
    mRun: [P17Helper] Rundll32 P17.dll,P17Helper
    mRun: [UpdReg] c:\windows\UpdReg.EXE
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
    mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [VirusScan Online] c:\progra~1\mcafee.com\vso\mcvsshld.exe
    mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\alison\applic~1\mozilla\firefox\profiles\qvtibfxe.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20101222043212296&tb_oid=22-12-2010&tb_mrud=22-12-2010
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - youtube.com
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=20101222043212296&tb_oid=22-12-2010&tb_mrud=22-12-2010&query=
    FF - plugin: c:\documents and settings\alison\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
    FF - Ext: AOL Messaging Toolbar: {c2f863cd-0429-48c7-bb54-db756a951760} - %profile%\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    FF - user.js: browser.sessionstore.resume_from_crash - false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    ============= SERVICES / DRIVERS ===============
    .
    R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2005-8-16 83325]
    R2 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2005-8-16 122880]
    R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-12-13 1373480]
    R3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2005-8-16 225375]
    R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-8-16 23296]
    S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-8-16 249856]
    .
    =============== Created Last 30 ================
    .
    2011-03-18 20:26:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-03-18 20:26:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-18 20:26:53 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-03-18 20:17:35 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
    2011-03-18 20:17:34 -------- d-----w- c:\program files\SpywareBlaster
    2011-03-18 20:00:10 -------- d-----w- c:\docume~1\alison\locals~1\applic~1\AIM Toolbar
    2011-03-18 19:26:23 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-03-18 19:26:23 -------- d-----w- c:\windows\system32\wbem\Repository
    .
    ==================== Find3M ====================
    .
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD80 rev.09.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x81C45439]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x81c4b7d0]; MOV EAX, [0x81c4b84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\Harddisk0\DR0[0x82570AB8]
    3 CLASSPNP[0xF86A805B] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x81BC2030]
    \Driver\iastor[0x81C623D0] -> IRP_MJ_CREATE -> 0x81C45439
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskWDC_WD800JD-75LSA0______________________09.01D09#4&a820f75&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user != kernel MBR !!!
    sectors 156249998 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
    .
    ============= FINISH: 16:35:54.80 ===============

  2. #2
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340


    Hi alison210,


    Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


    • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Subscribe to this Thread (then choose Instant Notification by email). If the button says Unsubscribe from this Thread, then you are already subscribed.
    • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.


    The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


    Please follow these steps in order:


    Step 1 | Please download aswMBR to your desktop.

    • Double click the aswMBR icon to run it.
      Vista and Windows 7 users right click the icon and choose "Run as administrator".
    • Click the Scan button to start scan.
    • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.


    Step 2 | Please download GMER from one of the following locations and save it to your desktop:

    Main Mirror - This version will download a randomly named file (Recommended)
    Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

    --------------------------------------------------------------------

    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.


    Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.



    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Make sure all options are checked except:
      • IAT/EAT
      • Drives/Partition other than Systemdrive, which is typically C:\
      • Show All (This is important, so do not miss it.)




    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable all active protection when done.

    -- If you encounter any problems, try running GMER in Safe Mode.


    Step 3 | Please download MBRCheck.exe to your desktop.
    • Be sure to disable your security programs
    • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
    • A window will open on your desktop
    • If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
    • Please post the contents of that file.

  3. #3
    Junior Member
    Join Date
    Mar 2011
    Posts
    7


    Thank you for replying so quickly :D
    Here is what you requested:

    aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
    Run date: 2011-03-18 20:38:49
    -----------------------------
    20:38:49.158 OS Version: Windows 5.1.2600 Service Pack 2
    20:38:49.158 Number of processors: 2 586 0x407
    20:38:49.174 ComputerName: D164L581 UserName: Alison
    20:38:52.815 Initialize success
    20:39:05.643 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
    20:39:05.643 Disk 0 Vendor: WDC_WD80 09.0 Size: 76293MB BusType: 3
    20:39:05.643 Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskWDC_WD800JD-75LSA0______________________09.01D09#4&a820f75&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
    20:39:05.674 Disk 0 MBR read successfully
    20:39:05.674 Disk 0 MBR scan
    20:39:05.674 Disk 0 TDL4@MBR code has been found
    20:39:05.674 Disk 0 MBR hidden
    20:39:05.690 Disk 0 MBR [TDL4] **ROOTKIT**
    20:39:05.690 Disk 0 trace - called modules:
    20:39:05.705 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x81c49439]<<
    20:39:05.705 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82587030]
    20:39:05.705 3 CLASSPNP.SYS[f86a805b] -> nt!IofCallDriver -> [0x81bc3030]
    20:39:05.721 \Driver\iastor[0x81c46f38] -> IRP_MJ_CREATE -> 0x81c49439
    20:39:05.721 Scan finished successfully


    GMER 1.0.15.15565 - http://www.gmer.net
    Rootkit scan 2011-03-18 21:11:53
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\iaStor0 WDC_WD80 rev.09.0
    Running: zrh9kkod.exe; Driver: C:\DOCUME~1\Alison\LOCALS~1\Temp\pfdyapob.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\DOCUME~1\Alison\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\stsystra.exe[140] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00FF5C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe[148] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01775C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\program files\real\realplayer\update\realsched.exe[164] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
    .text C:\program files\real\realplayer\update\realsched.exe[164] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\Program Files\Dell Support\DSAgnt.exe[240] ws2_32.dll!connect 71AB406A 5 Bytes JMP 011E5C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[248] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\WINDOWS\system32\ctfmon.exe[304] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\Program Files\America Online 9.0\aoltray.exe[408] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\WINDOWS\Explorer.EXE[1764] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC000A
    .text C:\WINDOWS\Explorer.EXE[1764] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
    .text C:\WINDOWS\Explorer.EXE[1764] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BB000C
    .text C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe[1976] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01205C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\WINDOWS\system32\Rundll32.exe[1984] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[2000] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2016] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\PROGRA~1\mcafee.com\agent\mcagent.exe[2032] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01565C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text ...
    .text C:\WINDOWS\System32\svchost.exe[3624] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B8000A
    .text C:\WINDOWS\System32\svchost.exe[3624] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B9000A
    .text C:\WINDOWS\System32\svchost.exe[3624] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C
    .text C:\WINDOWS\System32\svchost.exe[3624] USER32.dll!GetForegroundWindow 77D4C4AE 5 Bytes JMP 015A000A
    .text C:\WINDOWS\System32\svchost.exe[3624] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 0158000A
    .text C:\WINDOWS\System32\svchost.exe[3624] USER32.dll!WindowFromPoint 77D4C57E 5 Bytes JMP 0159000A
    .text C:\WINDOWS\System32\svchost.exe[3624] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 00C9000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3756] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4028] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs NaiFiltr.sys
    AttachedDevice \Driver\Tcpip \Device\Ip MpFirewall.sys (McAfee Personal Firewall Plus 5.0/McAfee Security)
    AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp MpFirewall.sys (McAfee Personal Firewall Plus 5.0/McAfee Security)
    AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp MpFirewall.sys (McAfee Personal Firewall Plus 5.0/McAfee Security)
    AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp MpFirewall.sys (McAfee Personal Firewall Plus 5.0/McAfee Security)
    AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat NaiFiltr.sys

    Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskWDC_WD800JD-75LSA0______________________09.01D09#4&a820f75&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- EOF - GMER 1.0.15 ----

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 113):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E2000 \WINDOWS\system32\hal.dll
    0x81C08000 \WINDOWS\system32\KDCOM.DLL
    0xF8A7B000 \WINDOWS\system32\BOOTVID.dll
    0xF8538000 ACPI.sys
    0xF8B67000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF8527000 pci.sys
    0xF8667000 isapnp.sys
    0xF8C2F000 pciide.sys
    0xF88E7000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF8677000 MountMgr.sys
    0xF8508000 ftdisk.sys
    0xF88EF000 PartMgr.sys
    0xF8687000 VolSnap.sys
    0xF84F0000 atapi.sys
    0xF841B000 iastor.sys
    0xF8697000 disk.sys
    0xF86A7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF83FC000 fltMgr.sys
    0xF83EA000 sr.sys
    0xF83D3000 KSecDD.sys
    0xF8346000 Ntfs.sys
    0xF8319000 NDIS.sys
    0xF82FE000 Mup.sys
    0xF8747000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF78F6000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF78E2000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF78BC000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF8967000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF7899000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF896F000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF7873000 \SystemRoot\system32\DRIVERS\e100b325.sys
    0xF8757000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF8767000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF7850000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF8977000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xF8BA7000 \SystemRoot\system32\DRIVERS\wacomvhid.sys
    0xF8777000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF897F000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF8BA9000 \SystemRoot\system32\DRIVERS\WacomVKHid.sys
    0xF8CCA000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF8787000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7DF8000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF7839000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF8797000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF87A7000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF8987000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF7828000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF87B7000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF898F000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF8997000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF899F000 \SystemRoot\system32\DRIVERS\wanatw4.sys
    0xF87C7000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF89A7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF89AF000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF8BAB000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF77F4000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7DEC000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF89B7000 \SystemRoot\system32\DRIVERS\omci.sys
    0xF7DE8000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF89BF000 \SystemRoot\system32\DRIVERS\wacommousefilter.sys
    0xF7DE4000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xF87D7000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xEF239000 \SystemRoot\system32\drivers\sthda.sys
    0xEF217000 \SystemRoot\system32\drivers\portcls.sys
    0xF7A4B000 \SystemRoot\system32\drivers\drmk.sys
    0xF7A3B000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF8BB5000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF8C0B000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF8C0D000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xEC532000 \SystemRoot\System32\Drivers\Null.SYS
    0xF8C0F000 \SystemRoot\System32\Drivers\Beep.SYS
    0xED120000 \SystemRoot\System32\drivers\vga.sys
    0xF8C11000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF8C13000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xED118000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xED110000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xEEBF0000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xBA71D000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xBA6C5000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xBA6B1000 \SystemRoot\System32\Drivers\MpFirewall.sys
    0xBA690000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xECE38000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xBA668000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xBA646000 \SystemRoot\System32\drivers\afd.sys
    0xECE28000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xBA61B000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xBA5AC000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xECA9F000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF8B5F000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF88B7000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB889C000 \SystemRoot\System32\Drivers\dump_iastor.sys
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xEC928000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF8A47000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF8CDD000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF04E000 \SystemRoot\System32\ati2cqag.dll
    0xBF080000 \SystemRoot\System32\atikvmag.dll
    0xBF0B2000 \SystemRoot\System32\ati3duag.dll
    0xBF2E6000 \SystemRoot\System32\ativvaxx.dll
    0xB777F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xB4C05000 \SystemRoot\system32\drivers\wdmaud.sys
    0xEBDFF000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB4A00000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xB3C31000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB35D8000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB3709000 \SystemRoot\System32\DRIVERS\ipfltdrv.sys
    0xF891F000 \SystemRoot\system32\DRIVERS\NaiFiltr.sys
    0xB3480000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xB3366000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 53):
    0 System Idle Process
    4 System
    572 C:\WINDOWS\system32\smss.exe
    620 csrss.exe
    644 C:\WINDOWS\system32\winlogon.exe
    692 C:\WINDOWS\system32\services.exe
    704 C:\WINDOWS\system32\lsass.exe
    868 C:\WINDOWS\system32\ati2evxx.exe
    908 C:\WINDOWS\system32\svchost.exe
    1000 svchost.exe
    1116 C:\WINDOWS\system32\svchost.exe
    1232 svchost.exe
    1388 svchost.exe
    1536 C:\WINDOWS\system32\spoolsv.exe
    1760 C:\WINDOWS\explorer.exe
    1868 svchost.exe
    1924 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1956 C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    1972 C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    1988 C:\WINDOWS\system32\rundll32.exe
    2004 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    2032 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    140 C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    160 C:\WINDOWS\stsystra.exe
    176 C:\PROGRA~1\McAfee.com\VSO\mcvsshld.exe
    196 C:\Program Files\real\realplayer\Update\realsched.exe
    248 C:\Program Files\iTunes\iTunesHelper.exe
    256 C:\Program Files\Dell Support\DSAgnt.exe
    264 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    276 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    372 C:\WINDOWS\system32\ctfmon.exe
    384 C:\Program Files\America Online 9.0\aoltray.exe
    496 C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
    1604 C:\Program Files\Bonjour\mDNSResponder.exe
    2000 C:\WINDOWS\system32\CTSVCCDA.EXE
    2076 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    2148 C:\Program Files\Java\jre6\bin\jqs.exe
    2264 C:\PROGRA~1\McAfee.com\VSO\mcvsrte.exe
    2368 C:\WINDOWS\system32\HPZipm12.exe
    2408 C:\WINDOWS\system32\svchost.exe
    2524 C:\WINDOWS\system32\Pen_Tablet.exe
    2556 wdfmgr.exe
    2616 C:\WINDOWS\system32\MsPMSPSv.exe
    2676 C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
    2708 C:\WINDOWS\system32\Pen_Tablet.exe
    2940 C:\WINDOWS\system32\wuauclt.exe
    3256 C:\Program Files\iPod\bin\iPodService.exe
    3496 C:\PROGRA~1\McAfee.com\VSO\McShield.exe
    3544 C:\WINDOWS\system32\wscntfy.exe
    3920 alg.exe
    1216 C:\Program Files\Mozilla Firefox\firefox.exe
    3756 C:\WINDOWS\system32\wuauclt.exe
    1088 C:\Documents and Settings\Alison\My Documents\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD800JD-75LSA0, Rev: 09.01D09

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: E66C176942DF42CCFE7A0113EAFF39E82F8B0047


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
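The "Unknown MBR code" verdict and the SHA1 line in the MBRCheck output above come from one check: hash the boot code in sector 0 and look the hash up in a list of loaders the tool knows. The following script, added here as an example and not MBRCheck's or aswMBR's own code, does the same thing on a 512-byte sector and also parses the partition table so the volume offset MBRCheck printed (0x036e8e00 for C:) can be cross-checked. The known-good hash set and both sample sectors are constructed for the demonstration; a real list would hold hashes of MBR code taken from machines you trust.

```python
"""Parse a 512-byte MBR, hash its boot code and rate it known-good or unknown.

Added example for this thread; not MBRCheck's or aswMBR's code. The known-good
hash set and the two sample MBRs below are constructed so the script runs offline.
"""
import hashlib
import struct

SECTOR = 512
CODE_LEN = 440          # bytes 0..439: boot code proper
DISK_SIG_OFF = 440      # bytes 440..443: per-disk NT signature (differs on every PC)
PART_TABLE_OFF = 446    # bytes 446..509: four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"  # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR sector into boot-code hash, disk signature and partition table."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                      # empty slot
        partitions.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            "byte_offset": lba_start * SECTOR,   # what MBRCheck prints as "at offset"
        })
    return {
        # Hash only the code bytes: the disk signature and the partition table are
        # legitimately different on every machine and must not affect the verdict.
        "code_sha1": hashlib.sha1(mbr[:CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIG,
    }


def classify_mbr(mbr: bytes, known_good: set) -> str:
    """Return 'invalid', 'known-good' or 'unknown', like MBRCheck's MBR Status column."""
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        return "invalid"            # no 55AA: not a boot sector at all
    if info["code_sha1"] in known_good:
        return "known-good"
    return "unknown"                # what MBRCheck reports as "Unknown MBR code"


def build_mbr(code: bytes, disk_sig: int, entries) -> bytes:
    """Assemble a synthetic MBR (test data only). entries: (status, type, lba, count)."""
    sector = bytearray(SECTOR)
    code = code[:CODE_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF + 16 * i,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed stand-in for a vendor boot stub: a realistic first few x86 bytes
# (xor ax,ax / mov ss,ax / mov sp,7C00h) padded with NOPs.
CLEAN_CODE = bytes.fromhex("33C08ED0BC007C") + b"\x90" * 200
KNOWN_GOOD = {hashlib.sha1(CLEAN_CODE.ljust(CODE_LEN, b"\x00")).hexdigest().upper()}

# Same layout MBRCheck printed above: C: is an NTFS partition starting at
# byte 0x036e8e00, i.e. LBA 112455, behind a small vendor utility partition.
LAYOUT = [
    (0x00, 0xDE, 63, 112392),            # utility partition, ends at LBA 112455
    (0x80, 0x07, 112455, 155_000_000),   # active NTFS partition (C:)
]
CLEAN_MBR = build_mbr(CLEAN_CODE, 0x1234ABCD, LAYOUT)

# Bootkit-style tampering: the first instruction becomes a far jump to code that
# lives elsewhere on disk; the partition table is left alone so Windows still
# boots. Only the code bytes change, so only the hash changes.
TAMPERED_MBR = build_mbr(bytes.fromhex("EA00000000") + CLEAN_CODE[5:], 0x1234ABCD, LAYOUT)

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(mbr)
        print(label, classify_mbr(mbr, KNOWN_GOOD), info["code_sha1"])
        for p in info["partitions"]:
            print(f"  slot {p['slot']} type {p['type']:#04x} at offset "
                  f"{p['byte_offset']:#010x} bootable={p['bootable']}")
```

Two caveats a responder should keep in mind. An "unknown" result is also what a legitimate but non-standard OEM loader produces, which is why MBRCheck asks before doing anything. And a bootkit that hooks the disk stack can hand a clean copy of the original sector to any reader that goes through the hooked path (the aswMBR log later in this thread reports the MBR as "hidden"), so a known-good verdict obtained from inside the running OS is only as trustworthy as the path the read took; reading sector 0 from clean boot media removes that doubt.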

  4. #4
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340


    Hi Alison,


    Please follow these steps in order:


    Step 1 | Please double click the aswMBR icon to run it.
    Vista and Windows 7 users right click the icon and choose "Run as administrator".

    • Click the Scan button to start scan.
    • When scan finishes, press the Fix Button. Once the Fix is done, press the Save Log button and save the log to your desktop. You need to reboot your computer when it's done before you do anything else, then post the log that will be on your desktop.





    Step 2 | Please run DDS and post a new log.
    Last edited by Blottedisk; 2011-03-19 at 20:06.
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  5. #5
    Junior Member
    Join Date
    Mar 2011
    Posts
    7


    Hi blottedisk :D

    Thanks again for being so speedy. I don't know if you need the attachment so I didn't attach it. Anyhow, here are the logs:

    aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
    Run date: 2011-03-19 19:56:00
    -----------------------------
    19:56:00.202 OS Version: Windows 5.1.2600 Service Pack 2
    19:56:00.202 Number of processors: 2 586 0x407
    19:56:00.202 ComputerName: D164L581 UserName: Alison
    19:56:03.015 Initialize success
    19:56:20.936 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
    19:56:20.952 Disk 0 Vendor: WDC_WD80 09.0 Size: 76293MB BusType: 3
    19:56:20.952 Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskWDC_WD800JD-75LSA0______________________09.01D09#4&a820f75&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
    19:56:20.952 Disk 0 MBR read successfully
    19:56:20.952 Disk 0 MBR scan
    19:56:20.968 Disk 0 TDL4@MBR code has been found
    19:56:20.968 Disk 0 MBR hidden
    19:56:20.968 Disk 0 MBR [TDL4] **ROOTKIT**
    19:56:20.983 Disk 0 trace - called modules:
    19:56:20.983 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x81c51439]<<
    19:56:20.999 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82575030]
    19:56:20.999 3 CLASSPNP.SYS[f86a805b] -> nt!IofCallDriver -> [0x825d91d8]
    19:56:20.999 \Driver\iastor[0x82574598] -> IRP_MJ_CREATE -> 0x81c51439
    19:56:21.015 Scan finished successfully
    19:56:31.858 Disk 0 fixing MBR
    19:56:41.890 Disk 0 MBR restored successfully
    19:56:41.890 Infection fixed successfully - please reboot ASAP

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Alison at 20:04:20.14 on Sat 03/19/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.118 [GMT -4:00]
    .
    FW: McAfee Personal Firewall Plus *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\stsystra.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\program files\real\realplayer\update\realsched.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\Pen_Tablet.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
    C:\WINDOWS\system32\Pen_Tablet.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Documents and Settings\Alison\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.dell4me.com/mywaybiz
    uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
    uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html?p=DS
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    mURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: AOL Messaging Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    TB: AOL Messaging Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
    uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Google Update] "c:\documents and settings\alison\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
    mRun: [P17Helper] Rundll32 P17.dll,P17Helper
    mRun: [UpdReg] c:\windows\UpdReg.EXE
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
    mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [VirusScan Online] c:\progra~1\mcafee.com\vso\mcvsshld.exe
    mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\alison\applic~1\mozilla\firefox\profiles\qvtibfxe.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20101222043212296&tb_oid=22-12-2010&tb_mrud=22-12-2010
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - youtube.com
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=20101222043212296&tb_oid=22-12-2010&tb_mrud=22-12-2010&query=
    FF - component: c:\documents and settings\alison\application data\mozilla\firefox\profiles\qvtibfxe.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - plugin: c:\documents and settings\alison\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: AOL Messaging Toolbar: {c2f863cd-0429-48c7-bb54-db756a951760} - %profile%\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    FF - user.js: browser.sessionstore.resume_from_crash - false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    ============= SERVICES / DRIVERS ===============
    .
    R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2005-8-16 83325]
    R2 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2005-8-16 122880]
    R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-12-13 1373480]
    R3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2005-8-16 225375]
    R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-8-16 23296]
    S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-8-16 249856]
    .
    =============== Created Last 30 ================
    .
    2011-03-18 20:26:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-03-18 20:26:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-18 20:26:53 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-03-18 20:17:35 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
    2011-03-18 20:17:34 -------- d-----w- c:\program files\SpywareBlaster
    2011-03-18 20:00:10 -------- d-----w- c:\docume~1\alison\locals~1\applic~1\AIM Toolbar
    2011-03-18 19:26:23 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-03-18 19:26:23 -------- d-----w- c:\windows\system32\wbem\Repository
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 20:05:28.53 ===============
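The aswMBR trace above is a second, independent check: it walks the disk driver stack and resolves each IRP dispatch pointer to the loaded image that owns it. The pointer for \Driver\iastor's IRP_MJ_CREATE, 0x81c51439, is printed as UNKNOWN because it lies in no loaded module at all, which is what TDL4 looks like in memory. The script below, added as an example and not aswMBR's code, performs that resolution. The module table is constructed (aswMBR printed return addresses, not image bases or sizes), the iastor dispatch table is invented except for the IRP_MJ_CREATE value, and the two addresses under test, 0x81c51439 and 0xf86a805b, are copied from the trace.

```python
"""Resolve IRP dispatch pointers against the loaded-module list, the check behind
aswMBR's "called modules" trace.

Added example for this thread, not aswMBR's code. MODULES and IASTOR_DISPATCH are
constructed; only 0x81c51439 (IRP_MJ_CREATE) and 0xf86a805b (CLASSPNP return
address) come from the posted log.
"""
from typing import Optional

# (base, size, name) of loaded kernel images. On a live system this list comes
# from NtQuerySystemInformation(SystemModuleInformation) or a debugger's `lm`.
MODULES = [
    (0x804D7000, 0x1F8000, "ntkrnlpa.exe"),
    (0xF86A0000, 0x00D000, "CLASSPNP.SYS"),
    (0xF8500000, 0x009000, "disk.sys"),
    (0xF8100000, 0x090000, "iastor.sys"),
]

KERNEL_IMAGES = {"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"}


def resolve(addr: int, modules) -> Optional[str]:
    """Name of the image whose [base, base+size) range contains addr, else None."""
    for base, size, name in modules:
        if base <= addr < base + size:
            return name
    return None


def audit_dispatch(driver: str, dispatch: dict, modules) -> list:
    """Classify each IRP_MJ_* handler of a driver object.

    'self'     handler lives in the driver's own image (normal)
    'kernel'   handler lives in the kernel image: the default stub the I/O manager
               installs for majors a driver does not implement (normal)
    'foreign'  handler lives in some other loaded driver: legitimate for filter
               drivers and some AV products, but worth a look
    'unknown'  handler lies outside every loaded image, i.e. in dynamically
               allocated kernel memory with no file behind it: the TDL4 pattern
    """
    driver_image = driver.lower().rsplit("\\", 1)[-1].split(".")[0]
    findings = []
    for irp, handler in sorted(dispatch.items()):
        owner = resolve(handler, modules)
        if owner is None:
            verdict = "unknown"
        elif owner.lower().startswith(driver_image):
            verdict = "self"
        elif owner.lower() in KERNEL_IMAGES:
            verdict = "kernel"
        else:
            verdict = "foreign"
        findings.append((irp, handler, owner, verdict))
    return findings


def suspicious(findings) -> list:
    """Only the entries a responder must chase: handlers backed by no image at all."""
    return [f for f in findings if f[3] == "unknown"]


# Constructed dispatch table for \Driver\iastor. IRP_MJ_CREATE carries the value
# aswMBR reported; the other slots are placed inside iastor.sys / ntkrnlpa.exe.
IASTOR_DISPATCH = {
    "IRP_MJ_CREATE": 0x81C51439,   # from the trace: >>UNKNOWN [0x81c51439]<<
    "IRP_MJ_READ":   0xF8104A20,
    "IRP_MJ_WRITE":  0xF8104A20,
    "IRP_MJ_PNP":    0xF8109C00,
    "IRP_MJ_POWER":  0x804E3C10,   # kernel stub for an unimplemented major
}

if __name__ == "__main__":
    for irp, handler, owner, verdict in audit_dispatch("\\Driver\\iastor",
                                                      IASTOR_DISPATCH, MODULES):
        print(f"{irp:<14} {handler:#010x} {owner or '<no module>':<14} {verdict}")
    print("hooked:", [f[0] for f in suspicious(audit_dispatch("iastor", IASTOR_DISPATCH, MODULES))])
```

A "foreign" owner on its own proves little; filter drivers and security products redirect dispatch routines legitimately. "Unknown" is the finding that matters: code that is executing from memory no loaded image accounts for has nothing to be signed, hashed or listed, which is also why the driver listing in the same log looks clean. After aswMBR's "MBR restored successfully", a second scan (and a read of sector 0 from clean boot media) is the confirmation that the handler now resolves into a real image again.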

  6. #6
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340


    Hi Alice


    Please visit the following and have a look how you can disable your security software (Spybot's S&D Teatimer and McAfee).

    How to disable your security programs

    After disabling your security programs, download Combofix from any of the links below and save it to your desktop.

    Link 1
    Link 2

    --------------------------------------------------------------------

    • Double click on Combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.


    If you need help, see this link:
    http://www.bleepingcomputer.com/comb...o-use-combofix
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  7. #7
    Junior Member
    Join Date
    Mar 2011
    Posts
    7


    Hello Blottedisk

    I don't know if I did something wrong but ComboFix won't run properly for me. The first time I ran it:
    1. Security Warning popped up and I clicked "Run"
    2. The screen where it says "ComboFix is preparing to run" did not come up.
    3. Instead it went directly to the Disclaimer where I clicked "Yes".
    4. Afterwards the blue screen comes up but there is just an "_" disappearing and reappearing.

    I have tried leaving the screen there for over 30 minutes but nothing happens and I can't close the screen either. I have also tried downloading from the other link and running it but I had the same results. I don't know what to do!

    Perplexed,
    Alison

  8. #8
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340


    Hi Alison,


    Don't worry about Combofix for now. Before we continue with this, one word of caution. Unfortunately your computer appears to have been infected by a backdoor infection. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

    • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
    • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
    • Consider what other private information could possibly have been taken from your computer and take appropriate steps


    This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer. You should not be following fixes in other threads as those fixes are specifically for those computers.

    Please read these for more information:

    How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?


    When Should I Format, How Should I Reinstall?



    Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:


    Please download TDSSKiller from one of the following mirrors and save it in your desktop:

    This is THE Mirror

    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.




    • If a suspicious file is detected, the default action will be Skip, click on Continue.




    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.




    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "[TDSSKiller.Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  9. #9
    Junior Member
    Join Date
    Mar 2011
    Posts
    7


    Hi blottedisk,

    I didn't expect to have a backdoor infection but I'm not too worried about my information getting stolen (I don't use this computer for much besides gaming/watching videos/writing papers.) Unfortunately (!!!!) I used my mom's credit card yesterday to register for an SAT II and I'm not sure if I should get her to take action on securing her account because I didn't actually log into her bank account. (I typed in her card # though...) What do you suggest?

    Thank you for the warning but I think I'll continue cleaning my PC.
    Here's the log

    2011/03/21 16:00:50.0562 3120 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
    2011/03/21 16:00:52.0562 3120 ================================================================================
    2011/03/21 16:00:52.0562 3120 SystemInfo:
    2011/03/21 16:00:52.0562 3120
    2011/03/21 16:00:52.0562 3120 OS Version: 5.1.2600 ServicePack: 2.0
    2011/03/21 16:00:52.0562 3120 Product type: Workstation
    2011/03/21 16:00:52.0562 3120 ComputerName: D164L581
    2011/03/21 16:00:52.0562 3120 UserName: Alison
    2011/03/21 16:00:52.0562 3120 Windows directory: C:\WINDOWS
    2011/03/21 16:00:52.0562 3120 System windows directory: C:\WINDOWS
    2011/03/21 16:00:52.0562 3120 Processor architecture: Intel x86
    2011/03/21 16:00:52.0562 3120 Number of processors: 2
    2011/03/21 16:00:52.0562 3120 Page size: 0x1000
    2011/03/21 16:00:52.0562 3120 Boot type: Normal boot
    2011/03/21 16:00:52.0562 3120 ================================================================================
    2011/03/21 16:00:54.0234 3120 Initialize success
    2011/03/21 16:01:09.0078 3204 ================================================================================
    2011/03/21 16:01:09.0078 3204 Scan started
    2011/03/21 16:01:09.0078 3204 Mode: Manual;
    2011/03/21 16:01:09.0078 3204 ================================================================================
    2011/03/21 16:01:10.0312 3204 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
    2011/03/21 16:01:10.0375 3204 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/03/21 16:01:10.0453 3204 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/03/21 16:01:10.0531 3204 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
    2011/03/21 16:01:10.0593 3204 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
    2011/03/21 16:01:10.0671 3204 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
    2011/03/21 16:01:10.0718 3204 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
    2011/03/21 16:01:10.0828 3204 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
    2011/03/21 16:01:10.0875 3204 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
    2011/03/21 16:01:10.0937 3204 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
    2011/03/21 16:01:11.0031 3204 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
    2011/03/21 16:01:11.0078 3204 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
    2011/03/21 16:01:11.0140 3204 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys
    2011/03/21 16:01:11.0187 3204 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys
    2011/03/21 16:01:11.0203 3204 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
    2011/03/21 16:01:11.0250 3204 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
    2011/03/21 16:01:11.0265 3204 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
    2011/03/21 16:01:11.0296 3204 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
    2011/03/21 16:01:11.0328 3204 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/03/21 16:01:11.0343 3204 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/03/21 16:01:11.0437 3204 ati2mtag (b8142104502f794689c1c0bcbfb53b98) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    2011/03/21 16:01:11.0656 3204 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/03/21 16:01:11.0718 3204 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/03/21 16:01:11.0781 3204 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/03/21 16:01:11.0828 3204 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
    2011/03/21 16:01:11.0859 3204 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/03/21 16:01:11.0921 3204 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
    2011/03/21 16:01:12.0000 3204 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/03/21 16:01:12.0046 3204 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/03/21 16:01:12.0125 3204 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/03/21 16:01:12.0234 3204 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
    2011/03/21 16:01:12.0328 3204 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
    2011/03/21 16:01:12.0390 3204 ctsfm2k (b459ae4afca570088adddbe55eabbc92) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
    2011/03/21 16:01:12.0437 3204 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
    2011/03/21 16:01:12.0468 3204 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
    2011/03/21 16:01:12.0531 3204 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/03/21 16:01:12.0593 3204 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/03/21 16:01:12.0687 3204 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
    2011/03/21 16:01:12.0718 3204 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/03/21 16:01:12.0796 3204 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/03/21 16:01:12.0843 3204 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
    2011/03/21 16:01:12.0906 3204 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/03/21 16:01:12.0953 3204 E100B (95974e66d3de4951d29e28e8bc0b644c) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    2011/03/21 16:01:13.0218 3204 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/03/21 16:01:13.0296 3204 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/03/21 16:01:13.0343 3204 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
    2011/03/21 16:01:13.0421 3204 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/03/21 16:01:13.0484 3204 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2011/03/21 16:01:13.0500 3204 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/03/21 16:01:13.0546 3204 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/03/21 16:01:13.0609 3204 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    2011/03/21 16:01:13.0640 3204 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/03/21 16:01:13.0718 3204 HDAudBus (e31363d186b3e1d7c4e9117884a6aee5) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/03/21 16:01:13.0781 3204 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/03/21 16:01:13.0828 3204 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
    2011/03/21 16:01:13.0875 3204 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    2011/03/21 16:01:13.0906 3204 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    2011/03/21 16:01:14.0000 3204 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    2011/03/21 16:01:14.0078 3204 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/03/21 16:01:14.0218 3204 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys
    2011/03/21 16:01:14.0343 3204 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys
    2011/03/21 16:01:14.0375 3204 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/03/21 16:01:14.0453 3204 iastor (d593517879e65167df35f6015814ac59) C:\WINDOWS\system32\drivers\iastor.sys
    2011/03/21 16:01:14.0531 3204 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/03/21 16:01:14.0640 3204 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
    2011/03/21 16:01:14.0734 3204 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2011/03/21 16:01:14.0781 3204 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/03/21 16:01:14.0843 3204 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2011/03/21 16:01:14.0906 3204 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/03/21 16:01:14.0984 3204 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/03/21 16:01:15.0031 3204 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/03/21 16:01:15.0109 3204 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/03/21 16:01:15.0203 3204 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/03/21 16:01:15.0250 3204 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/03/21 16:01:15.0312 3204 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/03/21 16:01:15.0390 3204 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2011/03/21 16:01:15.0421 3204 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/03/21 16:01:15.0468 3204 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/03/21 16:01:15.0609 3204 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/03/21 16:01:15.0656 3204 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
    2011/03/21 16:01:15.0703 3204 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/03/21 16:01:15.0750 3204 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/03/21 16:01:15.0781 3204 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/03/21 16:01:15.0859 3204 MPFIREWL (8867e5937ecae0782bdba20c8a6ad586) C:\WINDOWS\system32\Drivers\MpFirewall.sys
    2011/03/21 16:01:15.0921 3204 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
    2011/03/21 16:01:16.0000 3204 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/03/21 16:01:16.0078 3204 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/03/21 16:01:16.0187 3204 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/03/21 16:01:16.0234 3204 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/03/21 16:01:16.0312 3204 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/03/21 16:01:16.0359 3204 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/03/21 16:01:16.0390 3204 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/03/21 16:01:16.0421 3204 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/03/21 16:01:16.0468 3204 NaiFiltr (102de6d24087fb53ad47ca059a32fb66) C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys
    2011/03/21 16:01:16.0515 3204 NAL (9121d8ffff773c66bbf4955e4f7aac23) C:\WINDOWS\system32\Drivers\iqvw32.sys
    2011/03/21 16:01:16.0562 3204 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/03/21 16:01:16.0609 3204 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/03/21 16:01:16.0671 3204 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/03/21 16:01:16.0703 3204 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/03/21 16:01:16.0734 3204 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/03/21 16:01:16.0750 3204 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/03/21 16:01:16.0843 3204 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/03/21 16:01:16.0906 3204 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/03/21 16:01:17.0031 3204 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/03/21 16:01:17.0078 3204 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/03/21 16:01:17.0187 3204 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/03/21 16:01:17.0328 3204 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/03/21 16:01:17.0390 3204 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/03/21 16:01:17.0468 3204 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
    2011/03/21 16:01:17.0546 3204 ossrv (c720c25b2d0c93dc425155f5b6a707f3) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
    2011/03/21 16:01:17.0593 3204 P17 (3a7290f2c423b80ba95becae015b9b1b) C:\WINDOWS\system32\drivers\P17.sys
    2011/03/21 16:01:17.0671 3204 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/03/21 16:01:17.0703 3204 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/03/21 16:01:17.0781 3204 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/03/21 16:01:17.0843 3204 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/03/21 16:01:17.0921 3204 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/03/21 16:01:18.0031 3204 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/03/21 16:01:18.0171 3204 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
    2011/03/21 16:01:18.0203 3204 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
    2011/03/21 16:01:18.0312 3204 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/03/21 16:01:18.0375 3204 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/03/21 16:01:18.0406 3204 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/03/21 16:01:18.0437 3204 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
    2011/03/21 16:01:18.0484 3204 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
    2011/03/21 16:01:18.0531 3204 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
    2011/03/21 16:01:18.0578 3204 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
    2011/03/21 16:01:18.0609 3204 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
    2011/03/21 16:01:18.0656 3204 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/03/21 16:01:18.0703 3204 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/03/21 16:01:18.0750 3204 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/03/21 16:01:18.0765 3204 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/03/21 16:01:18.0843 3204 Rdbss (809ca45caa9072b3176ad44579d7f688) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/03/21 16:01:18.0937 3204 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/03/21 16:01:19.0093 3204 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/03/21 16:01:19.0140 3204 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/03/21 16:01:19.0203 3204 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/03/21 16:01:19.0328 3204 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/03/21 16:01:19.0359 3204 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/03/21 16:01:19.0406 3204 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/03/21 16:01:19.0453 3204 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/03/21 16:01:19.0531 3204 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys
    2011/03/21 16:01:19.0625 3204 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
    2011/03/21 16:01:19.0671 3204 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
    2011/03/21 16:01:19.0718 3204 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/03/21 16:01:19.0828 3204 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/03/21 16:01:19.0921 3204 STHDA (6b14c6e98f752ebbab24a4e0bd0f3a24) C:\WINDOWS\system32\drivers\sthda.sys
    2011/03/21 16:01:20.0046 3204 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/03/21 16:01:20.0078 3204 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/03/21 16:01:20.0203 3204 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
    2011/03/21 16:01:20.0359 3204 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
    2011/03/21 16:01:20.0437 3204 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
    2011/03/21 16:01:20.0468 3204 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
    2011/03/21 16:01:20.0531 3204 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/03/21 16:01:20.0656 3204 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/03/21 16:01:20.0718 3204 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/03/21 16:01:20.0734 3204 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/03/21 16:01:20.0796 3204 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/03/21 16:01:20.0843 3204 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
    2011/03/21 16:01:20.0906 3204 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/03/21 16:01:21.0000 3204 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
    2011/03/21 16:01:21.0078 3204 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/03/21 16:01:21.0218 3204 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2011/03/21 16:01:21.0312 3204 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/03/21 16:01:21.0359 3204 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/03/21 16:01:21.0390 3204 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/03/21 16:01:21.0453 3204 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/03/21 16:01:21.0500 3204 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/03/21 16:01:21.0546 3204 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/03/21 16:01:21.0609 3204 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/03/21 16:01:21.0687 3204 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    2011/03/21 16:01:21.0750 3204 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys
    2011/03/21 16:01:21.0781 3204 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
    2011/03/21 16:01:21.0828 3204 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/03/21 16:01:21.0890 3204 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
    2011/03/21 16:01:22.0015 3204 wacomvhid (73e6f16a1f187d71fb26af308551e54a) C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
    2011/03/21 16:01:22.0046 3204 WacomVKHid (889459833432b161cb99cfdf84a1a9bb) C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys
    2011/03/21 16:01:22.0078 3204 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/03/21 16:01:22.0171 3204 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
    2011/03/21 16:01:22.0265 3204 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/03/21 16:01:22.0453 3204 ================================================================================
    2011/03/21 16:01:22.0453 3204 Scan finished
    2011/03/21 16:01:22.0453 3204 ================================================================================

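The TDSSKiller driver listing above gives one line per loaded kernel driver: timestamp, process id, service name, MD5 of the image, and the image path. A helper reads it by eye looking for a driver loaded from an odd location or a system driver whose hash no longer matches a clean copy. The following Python is an added example for this page, not code from the thread, from Kaspersky or from TDSSKiller: it parses lines in that format and flags those two conditions. The sample log is constructed for the example: three lines are copied verbatim from the listing above and the `hypdrv` line is invented; the `CLEAN_BASELINE` hashes are also constructed, and the `vga.sys` mismatch is deliberate so the check has something to report. None of it says anything about the real files on the poster's machine.

```python
import re
from collections import namedtuple

# One TDSSKiller driver-enumeration line has the shape
#   <date> <time> <pid> <service name> (<md5>) <image path>
# Separator lines and "Scan finished" do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<pid>\d+)\s+"
    r"(?P<name>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+"
    r"(?P<path>\S.*?)\s*$"
)

Driver = namedtuple("Driver", "ts pid name md5 path")

# Where Windows XP normally loads kernel drivers from; compared case-insensitively
# because the log mixes "drivers", "DRIVERS" and "Drivers".
TRUSTED_DIRS = ("c:\\windows\\system32\\drivers\\",)

# Constructed sample: first three lines copied from the thread's log, the hypdrv
# line and its all-"deadbeef" hash are invented to exercise the path check.
SAMPLE_LOG = r"""
2011/03/21 16:01:17.0031 3204 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/21 16:01:14.0453 3204 iastor (d593517879e65167df35f6015814ac59) C:\WINDOWS\system32\drivers\iastor.sys
2011/03/21 16:01:21.0687 3204 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/03/21 16:01:22.0300 3204 hypdrv (deadbeefdeadbeefdeadbeefdeadbeef) C:\WINDOWS\Temp\hypdrv.sys
2011/03/21 16:01:22.0453 3204 ================================================================================
2011/03/21 16:01:22.0453 3204 Scan finished
"""

# Constructed baseline, keyed by lower-case file name. In practice this comes from a
# known-clean machine of the same Windows build and service pack. The vga.sys value is
# deliberately different from the sample line so the mismatch path is exercised.
CLEAN_BASELINE = {
    "ntfs.sys": "b78be402c3f63dd55521f73876951cdd",
    "iastor.sys": "d593517879e65167df35f6015814ac59",
    "vga.sys": "00000000000000000000000000000000",
}


def parse_tdsskiller_log(text):
    """Return a Driver for every enumeration line in the log text."""
    drivers = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            drivers.append(Driver(**m.groupdict()))
    return drivers


def triage(drivers, baseline):
    """Return (reason, Driver) pairs worth a second look.

    Two checks: the image lives outside the normal driver directory, or the image
    hash differs from the clean baseline. A file absent from the baseline is not
    a finding; the baseline only covers what you have a trusted copy of.
    """
    findings = []
    for d in drivers:
        path = d.path.lower()
        fname = path.rsplit("\\", 1)[-1]
        if not any(path.startswith(t) for t in TRUSTED_DIRS):
            findings.append(("image outside the normal driver directory", d))
        expected = baseline.get(fname)
        if expected is not None and expected.lower() != d.md5.lower():
            findings.append(("hash differs from clean baseline (patched driver?)", d))
    return findings


def triage_sample():
    """Run both steps over the constructed sample; returns the findings list."""
    return triage(parse_tdsskiller_log(SAMPLE_LOG), CLEAN_BASELINE)


if __name__ == "__main__":
    for reason, drv in triage_sample():
        print("%-55s %s -> %s" % (reason, drv.name, drv.path))
```

Feed it a real TDSSKiller log with `parse_tdsskiller_log(open(path).read())` and a baseline built by hashing the same files on a clean install; the path check alone is cheap and catches drivers registered from temp or profile directories, while the hash check is what surfaces a legitimately named system driver that has been patched in place.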
  10. #10
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340


    Hi Alison,


    Hopefully we took care of the backdoor infection with aswMBR the day before yesterday. However, when dealing with these types of infections we can't be 100% sure that the machine is clean; I would suggest you have a look at the following thread and take the necessary actions:

    http://www.dslreports.com/faq/10451


    OK, we continue with these steps:


    Step 1 | Please download CCleaner (freeware)

    • Run the installer.
    • Once installed, run CCleaner and click the Windows [tab].
    • The following should be selected by default; if not, please select them:

    • Next: click Options (in the left panel) and click the Advanced button.
    • Uncheck: "Only delete files in Windows Temp folders older than 24 hours."
    • Go back to Cleaner (in the left panel) and click the Run Cleaner button (bottom right). Then exit CCleaner.


    Step 2 | Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.


    Step 3 | Let's perform an ESET Online Scan

    Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

    • Please go here, then click on:
      Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
      All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
    • Select the option YES, I accept the Terms of Use then click on:
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    • Now click on Advanced Settings and select the following:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
    • Now click on:
    • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
    • When completed the Online Scan will begin automatically.
    • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
    • When completed, make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic.
    • Now click on: (selecting Uninstall application on close if you so wish)

    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --
