October 1st, 2010 08:00
Rootkit.Win32.TDSS.tdl4 virus
Hi,
My wife has this virus on her Dell Vostro 410 PC. From what I can gather off the web it hides in the MBR and reinfects the machine on every boot even after rootkit cleaners have erased it from the OS.
I have tried Kaspersky's TDSSKiller, and although it appears to have killed the OS rootkit with a tweak (renamed the file before running it), on reboot it's still in the MBR. And we are still getting redirects.
None of the tools I've been trying will function. Gmer, unhackme, prevxcsi etc. won't run - they either freeze or shut down. I haven't tried Combofix yet but I don't expect I'll fare any better with that and I wouldn't know how to use it anyway without help. Kaspersky's online scanner freezes on the page as do all other Kaspersky pages (I managed to download TDSSkiller by downloading it to my machine and transferring it using a pendrive).
One fix appears to be replacing the MBR with a copy through the recovery console using the fixmbr tool. However, Dell PCs use a proprietary MBR and replacing it in this way will bugger up the partitions, see here:
http://en.community.dell.com/support-forums/software-os/f/3524/t/19325495.aspx
and here:
I need help with this and if possible a copy of a Dell MBR. Apparently it doesn't matter which Dell model it comes from. The site above explains it in more detail.
Hitting F12 at boot gives me the following information:
HARD DISK
- SATA-0 Hitachihi HDP725050GLA36
- BOOTABLE ADD-IN CARDS
CDROM
UTILITY PARTITION
I tried Dell telephone support (we still have support until 2012, but only hardware, it seems, so no help there except a remote reinstall for a fee. I'm hoping to avoid that).
I've been at this for days now and am exhausted looking for a fix.
Tony
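The post above describes a rootkit living in the MBR and warns against blindly rewriting a Dell's proprietary MBR with fixmbr. The following is an added example (not code from the thread or any tool it mentions) of how a defender can inspect an MBR: it validates the boot signature and partition table separately from the 440-byte boot-code region, and compares that code against a known-good baseline hash. The sample MBR bytes are constructed test data; the assumption that 0xDE is the Dell Utility partition type is labelled in the code.

```python
"""Inspect a 512-byte MBR: validate the boot signature and partition table,
and compare the boot-code region against a known-good baseline hash.
Added example for this thread, not code from the forum or from any tool it
mentions. The sample MBR bytes are constructed test data, not a real disk image."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440       # boot-code region; the partition table starts at 446
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"

# Assumption: 0xDE is the Dell Utility partition type id; 0x07 is NTFS.
PART_TYPES = {0x00: "empty", 0x07: "NTFS", 0xDE: "Dell Utility"}


def parse_partitions(mbr):
    """Decode the four 16-byte partition-table entries."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "type_name": PART_TYPES.get(ptype, "other"),
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr, baseline_bootcode_sha256):
    """Structural checks plus a boot-code baseline comparison; returns a report."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append(f"unexpected MBR length {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if sum(p["bootable"] for p in parts) != 1:
        findings.append("expected exactly one active partition")
    # Used partitions, ordered by start LBA, must not overlap each other.
    used = sorted((p for p in parts if p["type"] != 0), key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    # An MBR-resident bootkit changes the boot code, not the table, so hash the
    # code region on its own and compare it with a baseline taken from a
    # known-clean disk (for a Dell, that is its own OEM boot code).
    bootcode_sha256 = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    modified = bootcode_sha256 != baseline_bootcode_sha256
    if modified:
        findings.append("boot code differs from known-good baseline")
    return {"partitions": parts, "bootcode_sha256": bootcode_sha256,
            "bootcode_modified": modified, "findings": findings}


def build_sample_mbr(bootcode, layout):
    """Assemble a synthetic MBR from boot code and (status, type, lba, sectors) tuples."""
    mbr = bytearray(MBR_SIZE)
    mbr[:BOOT_CODE_LEN] = bootcode[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    for i, entry in enumerate(layout):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN, *entry)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed placeholder boot stub and a Dell-style layout: a small utility
# partition followed by the active NTFS system partition.
CLEAN_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 5)
DELL_LAYOUT = [(0x00, 0xDE, 63, 80262),
               (0x80, 0x07, 80325, 976000000),
               (0x00, 0x00, 0, 0),
               (0x00, 0x00, 0, 0)]
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOTCODE).hexdigest()


def demo():
    """Check a clean MBR and one whose boot code was altered (table left intact)."""
    clean = build_sample_mbr(CLEAN_BOOTCODE, DELL_LAYOUT)
    altered_code = b"\xeb\x3c" + CLEAN_BOOTCODE[2:]    # constructed: two bytes changed
    tampered = build_sample_mbr(altered_code, DELL_LAYOUT)
    return check_mbr(clean, BASELINE_SHA256), check_mbr(tampered, BASELINE_SHA256)


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered"), demo()):
        print(label, report["bootcode_sha256"][:16], report["findings"])
        for p in report["partitions"]:
            if p["type"]:
                print("  ", p)
```

On a real machine the 512 bytes would come from reading the raw disk device as an administrator (or from a disk image taken offline), and the baseline hash from a known-clean Dell of the same build; the partition table survives either way, which is exactly what a blind MBR rewrite puts at risk.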
kevinf80_1d0ac6
October 2nd, 2010 10:00
Hiya Tony,
Kaspersky online scan is very thorough and can take a considerable time to complete. I prefer it because it only identifies and doesn't fix issues, that allows us to decide if an item is really malicious. Only one item to deal with from the log, the rest will go with our clean up procedure.
Proceed as follows please :-
Step 1
Please download OTM by OldTimer.
Alternative Mirror
Save it to your desktop.
Double click OTM.exe to start the tool.
-------------------------------------------------------------------
:Processes
:Files
C:\Tony\DVD region free stuff\DVD region killer v2.7.0.2.exe
ipconfig /flushdns /c
:Commands
[CreateRestorePoint]
[EmptyFlash]
[EmptyTemp]
[Purity]
[ResetHosts]
[Reboot]
---------------------------------------------------------------------
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
If the machine reboots, the Results log can be found here:
c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Where mmddyyyy_hhmmss is the date of the tool run.
Step 2
Uninstall the following from Add/Remove Programs via the Control Panel
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Adobe Reader 8.1.2 } If you need this version of Adobe reader do not uninstall
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Step 3
Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.
Please go to the link below to update.
Adobe Reader Untick the Free McAfee® Security Scan Plus (optional) unless you want it.
Post log from OTM, also system review, improvements? issues?
Kevin
Anthony Boyle
October 2nd, 2010 11:00
Sorry Kevin - didn't see your reply.
I'm going to delete Adobe Acrobat and replace it with Foxit. I've got Foxit on my PC and it's way faster.
Regarding the "C:\Tony\DVD region free stuff\DVD region killer v2.7.0.2.exe" you are looking at. I downloaded it years ago but never ran it. The DVD in our living room is multiregion so we never bothered. I really should have deleted it, which I'm happy to do now. Do you want me to still proceed with OTM?
BTW - when do you sleep?
Tony
Anthony Boyle
October 2nd, 2010 11:00
Hi Kevin,
Just a quick system update, which I forgot to include in the last post:
PC shut down and started up normally for a change, - could be a lucky one off - but Kaspersky's TDSSKiller still finds the rootkit in the MBR. Also, still getting google redirects. McAfee update seems to work, although if it is - how come it's not finding anything on its scans? Attempts to get to windows update fail - connection closed by remote server or can't open the page depending on which browser you use.
A few other issues that may, or may not be related:
Message window on windows start about Sony Ericsson suite failing to initialize.
Just before windows starts to boot a light blue screen flashes past with "regrun greatis antirootkit" splashed across the screen. It's been there before but has always flashed past too quick for me to see what it was saying. This time it was slow enough for me to catch some of it.
There were no programs propagating in the "add/remove programs" window. I brought them back with REGSVR32 APPWIZ.CPL. Had this earlier in the week when I tried to remove some of those applications I had tried over the last week to clean up the infection. Ran REGSVR32 APPWIZ.CPL to get them back but something hid them again. I think the "regrun greatis antirootkit" message may be a leftover from one of the applications I had to try and remove manually then.
Tony
kevinf80_1d0ac6
October 2nd, 2010 11:00
Hiya Tony, don't run anything for now, I need to go back over your thread. I did see something related to a registry program, but thought it was something you had installed. Uninstall the old Java and Adobe entries also delete that DVD file, it is infected.
I'll give you a fix to run shortly..
Kevin.
kevinf80_1d0ac6
October 2nd, 2010 12:00
There are some remnants on your system from a Registry protection program, it is possible that when TDSSKiller removes the infection it actually comes back on re-boot. OK, let's try a fix.
Proceed as follows :-
Step 1
Step 2
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in between the dotted lines below into it:
-------------------------------------------------------------------------------------------------------------------
KillAll::
File::
c:\windows\system32\drivers\regguard.sys
c:\windows\winstart.bat
c:\windows\system32\Partizan.exe
c:\windows\system32\drivers\Partizan.sys
Driver::
Partizan
RegGuard
RegLock::
[HKEY_USERS\S-1-5-21-4154240400-2109932074-3037798612-500\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
-------------------------------------------------------------------------------------------------------------------
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Step 3
Please read carefully and follow these steps.
Step 4
Alternative D/L mirror
Alternative D/L mirror
Double Click mbam-setup.exe to install the application.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
What I'd like in your reply :-
Kevin.
Anthony Boyle
October 2nd, 2010 14:00
Kevin,
Add/remove programs was empty again. Getting it back required several reboots including a trip to safe mode land. Despite updates being ticked, can't find Adobe Reader 8.1.2 Security Update 1 (KB403742) listed. Other Java stuff removed. Will try Adobe reader update again on the next reboot. Problem is add/remove programs keeps going blank and it requires running regsvr32 and rebooting to get it back and rebooting is needing several attempts and in some cases a disk cleanup so everything is taking ages.
Also, I've broken out in my own virus and am now running a temperature and have the worst head cold I've had for ages. My eyes are running so much I can hardly see the keyboard. Can we pick this up again tomorrow?
Once again, thanks for all the help - it's much appreciated.
Tony
BTW, I'm convinced the route to a fix is via the MBR as in the links in my first post. I've not come across anyone that has fixed this TDL4 variant that did it without going down that route.
kevinf80_1d0ac6
October 2nd, 2010 14:00
Have faith Tony, go with the fix I've given, I've fixed numerous TDL4 infections both here and my home site SpywareHammer.
Have a read here http://en.community.dell.com/support-forums/virus-spyware/f/3521/t/19347933.aspx
Kevin
Anthony Boyle
October 3rd, 2010 08:00
OK Kevin - I put my trust in you.
Some notes:
TDSSKiller once again finds the rootkit but stalls on shutdown requiring switching off and on of the PC manually. On restart it stalls on starting windows requiring another manual shutdown and a boot into safe mode to get things going again. Running TDSSKiller again shows that the rootkit is still in the MBR.
Still can't access windows update and still getting redirects - plus continued flaky behaviour on browsers e.g. Chrome doesn't work, Safari and Opera sometimes won't open.
Greatis Antirootkit splash screen seemed to be absent this time.
Logs:
ComboFix 10-09-30.05 - Administrator 03/10/2010 13:21:46.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2571 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\zfh.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FILE ::
"c:\windows\system32\drivers\Partizan.sys"
"c:\windows\system32\drivers\regguard.sys"
"c:\windows\system32\Partizan.exe"
"c:\windows\winstart.bat"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\Partizan.sys
c:\windows\system32\drivers\regguard.sys
c:\windows\system32\Partizan.exe
c:\windows\winstart.bat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_PARTIZAN
-------\Legacy_REGGUARD
-------\Service_Partizan
-------\Service_RegGuard
((((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 )))))))))))))))))))))))))))))))
.
2010-10-03 12:01 . 2010-10-03 12:01 -------- d-----w- c:\program files\ERUNT
2010-10-01 20:42 . 2010-10-01 20:43 -------- d-----w- C:\Gotcha
2010-10-01 20:27 . 2010-10-01 20:33 -------- d-----w- C:\32788R22FWJFW.1.tmp
2010-10-01 16:46 . 2010-10-01 16:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\MicroVision Applications
2010-09-29 10:43 . 2010-09-29 10:43 2206006444 ----a-w- C:\Ingela.zip
2010-09-27 21:28 . 2010-09-27 21:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2010-09-24 20:31 . 2010-09-24 20:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-09-20 16:21 . 2010-09-20 16:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-09-18 10:30 . 2010-09-18 10:30 57940 ---ha-w- c:\windows\system32\mlfcache.dat
2010-09-16 07:47 . 2010-09-16 07:49 -------- d-----w- c:\program files\QuickTime
2010-09-16 07:46 . 2010-09-16 07:46 -------- d-----w- c:\program files\Safari
2010-09-16 07:44 . 2010-09-16 07:44 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.18.5\SetupAdmin.exe
2010-09-16 07:43 . 2010-09-16 07:44 -------- d-----w- c:\program files\iTunes
2010-09-16 07:43 . 2010-09-16 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-16 07:38 . 2010-09-16 07:38 -------- d-----w- c:\program files\Bonjour
2010-09-16 07:36 . 2010-09-16 07:36 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-03 12:05 . 2009-08-08 15:54 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-10-02 19:59 . 2008-10-07 07:23 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-02 19:53 . 2008-08-06 20:51 -------- d-----w- c:\program files\Java
2010-10-02 19:53 . 2008-08-06 20:51 -------- d-----w- c:\program files\Common Files\Java
2010-10-01 11:58 . 2006-05-27 10:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Cyiq
2010-09-29 16:19 . 2008-03-28 09:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Afkuc
2010-09-27 13:37 . 2010-10-03 12:04 207584 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-09-18 10:28 . 2008-08-16 11:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-09-16 07:55 . 2008-09-07 07:50 -------- d-----w- c:\program files\Apple Software Update
2010-09-16 07:43 . 2008-08-16 10:58 -------- d-----w- c:\program files\iPod
2010-09-16 07:43 . 2008-09-07 07:50 -------- d-----w- c:\program files\Common Files\Apple
2010-09-14 17:23 . 2010-04-21 16:56 -------- d-----w- c:\program files\Common Files\TerraTec
2010-09-12 07:24 . 2009-06-22 19:57 -------- d-----w- c:\program files\Opera 10 Beta
2010-09-05 13:32 . 2008-08-28 13:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\ZoomBrowser EX
2010-09-05 13:32 . 2008-08-28 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-09-05 13:14 . 2008-08-06 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-08-24 13:58 . 2008-08-06 20:58 -------- d-----w- c:\program files\McAfee.com
2010-08-24 13:57 . 2010-08-23 17:24 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-08-24 13:57 . 2010-08-23 17:24 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-08-24 13:57 . 2010-08-23 17:24 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-08-24 13:57 . 2010-08-23 17:24 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-08-24 13:57 . 2010-08-23 17:24 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-08-24 13:57 . 2010-08-23 17:24 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-08-24 13:57 . 2010-08-23 17:24 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-08-24 13:57 . 2008-08-06 20:58 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-08-24 13:57 . 2008-08-06 20:58 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-08-24 13:57 . 2008-08-06 20:58 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-08-23 21:54 . 2008-08-06 20:57 -------- d-----w- c:\program files\McAfee
2010-08-23 21:54 . 2008-08-06 20:58 -------- d-----w- c:\program files\Common Files\McAfee
2010-08-17 18:10 . 2010-09-01 02:37 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
2010-08-17 13:17 . 2004-08-11 16:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-04 13:52 . 2010-08-04 13:52 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4f257f6f-n\decora-sse.dll
2010-08-04 13:52 . 2010-08-04 13:52 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5f7810d4-n\msvcp71.dll
2010-08-04 13:52 . 2010-08-04 13:52 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5f7810d4-n\jmc.dll
2010-08-04 13:52 . 2010-08-04 13:52 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5f7810d4-n\msvcr71.dll
2010-08-04 13:52 . 2010-08-04 13:52 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4f257f6f-n\decora-d3d.dll
2010-07-27 17:44 . 2010-07-27 17:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 17:44 . 2010-07-27 17:44 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-27 17:44 . 2010-07-27 17:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-22 15:49 . 2004-08-11 16:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-05-30 18:26 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 04:00 . 2010-05-06 22:03 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-09 14:26 . 2010-09-01 02:38 475136 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-06 68856]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-25 135664]
"Remote Control Editor"="c:\program files\Common Files\TerraTec\Remote\TTTVRC.exe" [2010-06-09 1689088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-09 8523776]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-31 16860672]
"PMX Daemon"="ICO.EXE" [2006-11-08 49152]
"8169Diag"="c:\program files\Realtek\Diagnostics Utility\8169Diag.exe" [2008-02-26 909312]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-20 30192]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-15 524632]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-30 1193848]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-4-14 596584]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-08-21 14:21 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0Partizan
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera 10 Beta\\opera.exe"=
"c:\\Program Files\\TerraTec\\TerraTec Home Cinema\\tvtvSetup\\tvtv_Wizard.exe"=
"c:\\Program Files\\TerraTec\\TerraTec Home Cinema\\CinergyDvr.exe"=
"c:\\Program Files\\TerraTec\\TerraTec Home Cinema\\VersionCheck\\VersionCheck.exe"=
"c:\\Program Files\\TerraTec\\TerraTec Home Cinema\\ChannelEditor\\CinergyDvrChannelEditor.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\TerraTec\\TerraTec Home Cinema\\InstTool.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [30/05/2009 20:37 64160]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [23/08/2010 18:24 84072]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [23/08/2010 18:24 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [23/08/2010 18:24 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [23/08/2010 18:24 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [23/08/2010 18:24 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [23/08/2010 18:24 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [23/08/2010 18:24 312904]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [23/08/2010 18:24 88544]
S2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [06/08/2008 21:55 8960]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [06/08/2008 21:55 11264]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [06/08/2008 21:56 30192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1029456]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [23/08/2010 18:24 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [23/08/2010 18:24 84264]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [11/08/2008 14:23 18432]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [11/08/2008 14:23 14336]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [06/08/2008 21:55 16640]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [07/03/2010 17:26 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [07/03/2010 17:26 85696]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/01/2010 20:42 135664]
--- Other Services/Drivers In Memory ---
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
2010-09-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 20:37]
2010-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
2010-10-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-06 17:34]
2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 19:42]
2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 19:42]
2010-09-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4154240400-2109932074-3037798612-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-11 19:47]
2010-09-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4154240400-2109932074-3037798612-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-11 19:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://195.196.36.242/activex/AMC.cab
DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-03 13:44
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1148)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
- - - - - - - > 'lsass.exe'(1208)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(1240)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\ICO.EXE
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-10-03 13:45:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-03 12:45
ComboFix2.txt 2010-10-02 08:02
Pre-Run: 295,105,679,360 bytes free
Post-Run: 295,210,065,920 bytes free
- - End Of File - - 53F1FE092BC758D23F3A151B6ED046CE
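The ComboFix log above is what the helper reads to decide the next step (the BootExecute value still naming Partizan, the Security Center and firewall entries, the AV status line). As an added example that is not part of the thread or of ComboFix, here is a small triage script that parses the "Reg Loading Points" section of such a log and flags those indicators; the sample log is a constructed excerpt shaped like the lines in the thread.

```python
"""Triage a ComboFix log for boot-time persistence and disabled-protection
indicators. Added example for this thread, not code from the forum or from
ComboFix; the sample log is a constructed excerpt shaped like the lines in the
thread (real logs are much longer)."""
import re

# smss.exe runs the programs named in BootExecute before any subsystem starts,
# so anything beyond the Windows default here deserves a look.
DEFAULT_BOOTEXECUTE = {"autocheck autochk *"}

SAMPLE_LOG = r"""ComboFix 10-09-30.05 - Administrator 03/10/2010 13:21:46.2.4 - x86
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated)
FW: McAfee Firewall *disabled*
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-30 1193848]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0Partizan
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
--- Other Services/Drivers In Memory ---
"""


def parse_reg_loading_points(log_text):
    """Return an ordered {registry key: [value lines]} map for the section."""
    keys, current, in_section = {}, None, False
    for line in log_text.splitlines():
        if "Reg Loading Points" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("---") or line.startswith("Contents of"):
            break                                   # next section of the log
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys[current] = []
        elif current is not None and line.strip() not in ("", "."):
            keys[current].append(line.rstrip())
    return keys


def triage(log_text):
    """Return a list of human-readable findings worth a second look."""
    findings = []
    # Protection-status header. The helper asked for the AV to be disabled
    # before ComboFix ran, so this can be expected rather than hostile.
    for m in re.finditer(r"^(AV|FW): (.+?) \*(.+?)\*", log_text, re.M):
        findings.append(f"{m.group(1)} {m.group(2)!r} reports: {m.group(3)}")
    for key, values in parse_reg_loading_points(log_text).items():
        leaf = key.rsplit("\\", 1)[-1]
        for v in values:
            m = re.match(r"BootExecute\s+REG_MULTI_SZ\s+(.*)", v)
            if m:
                # ComboFix prints the multi-string with literal "\0" separators.
                entries = [e for e in m.group(1).split(r"\0") if e]
                extra = [e for e in entries if e not in DEFAULT_BOOTEXECUTE]
                if extra:
                    findings.append(f"non-default BootExecute entries: {extra}")
            # Third-party suites often set this themselves; confirm, don't assume.
            if "security center" in key.lower() and re.search(r'"DisableMonitoring"=dword:0*1$', v):
                findings.append(f"Security Center monitoring disabled: {leaf}")
            if "firewallpolicy" in key.lower() and re.match(r'"EnableFirewall"=\s*0\b', v):
                findings.append(f"Windows Firewall disabled in {leaf}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Against the thread's own log the BootExecute flag lines up with what the helper acted on: lsdelete belongs to the Lavasoft Ad-Aware install the same log lists, while Partizan is the registry-guard remnant the CFScript removed.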
kevinf80_1d0ac6
October 3rd, 2010 09:00
This is definitely proving to be a very stubborn one to shift. I'd like you to run TDSSKiller again, this time run it from Safe mode. When it re-boots for the cure be on hand and re-boot into safe mode again with networking.
Run Combofix again, it will check for an update, allow it if asked. When Combofix finishes if it reboots be on hand again and boot into safe mode with networking again. Open Malwarebytes, check for updates and run a quick scan as before. Kill anything it finds.
Post the three logs in your reply, I know this is a bit long winded, but feel that doing it all from Safe mode gives the best chance. Something is re-installing or protecting the rootkit, Regguard is gone now so we can rule that out, let's see how it goes..
You should still have all relevant links on your Desktop,
Kevin.
Anthony Boyle
October 3rd, 2010 11:00
Hi Kevin,
Ran those again as suggested from safe mode and ran TDSSKiller again just to see if anything had changed. It hasn't - it's still reporting that it's in the MBR.
Logs:
2010/10/03 17:48:40.0171 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44
2010/10/03 17:48:40.0171 ================================================================================
2010/10/03 17:48:40.0171 SystemInfo:
2010/10/03 17:48:40.0171
2010/10/03 17:48:40.0171 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/03 17:48:40.0171 Product type: Workstation
2010/10/03 17:48:40.0171 ComputerName: INGELA2
2010/10/03 17:48:40.0171 UserName: Administrator
2010/10/03 17:48:40.0171 Windows directory: C:\WINDOWS
2010/10/03 17:48:40.0171 System windows directory: C:\WINDOWS
2010/10/03 17:48:40.0171 Processor architecture: Intel x86
2010/10/03 17:48:40.0171 Number of processors: 4
2010/10/03 17:48:40.0171 Page size: 0x1000
2010/10/03 17:48:40.0171 Boot type: Safe boot
2010/10/03 17:48:40.0171 ================================================================================
2010/10/03 17:48:41.0156 Initialize success
2010/10/03 17:48:42.0562 ================================================================================
2010/10/03 17:48:42.0562 Scan started
2010/10/03 17:48:42.0562 Mode: Manual;
2010/10/03 17:48:42.0562 ================================================================================
2010/10/03 17:48:59.0843 BTWUSB (179a37c86fd2b9cc28eb93d093d394c7) C:\WINDOWS\system32\Drivers\btwusb.sys
2010/10/03 17:49:00.0125 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/10/03 17:49:00.0296 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/03 17:49:00.0562 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/10/03 17:49:00.0796 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/10/03 17:49:00.0984 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/03 17:49:01.0218 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/03 17:49:01.0468 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/03 17:49:01.0734 cfwids (426ee59b25988bb3382fc0a3655deaa2) C:\WINDOWS\system32\drivers\cfwids.sys
2010/10/03 17:49:02.0171 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/10/03 17:49:02.0406 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/10/03 17:49:02.0781 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/10/03 17:49:03.0015 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/10/03 17:49:03.0234 Diag69xp (a22d5a027f397e412cbb2d97e8661bff) C:\WINDOWS\system32\Drivers\Diag69xp.sys
2010/10/03 17:49:03.0468 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/03 17:49:03.0750 DLABMFSM (a0500678a33802d8954153839301d539) C:\WINDOWS\system32\Drivers\DLABMFSM.SYS
2010/10/03 17:49:03.0937 DLABOIOM (b8d2f68cac54d46281399f9092644794) C:\WINDOWS\system32\Drivers\DLABOIOM.SYS
2010/10/03 17:49:04.0156 DLACDBHM (0ee93ab799d1cb4ec90b36f3612fe907) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2010/10/03 17:49:04.0343 DLADResM (87413b94ae1fabc117c4e8ae6725134e) C:\WINDOWS\system32\Drivers\DLADResM.SYS
2010/10/03 17:49:04.0562 DLAIFS_M (766a148235be1c0039c974446e4c0edc) C:\WINDOWS\system32\Drivers\DLAIFS_M.SYS
2010/10/03 17:49:04.0765 DLAOPIOM (38267cca177354f1c64450a43a4f7627) C:\WINDOWS\system32\Drivers\DLAOPIOM.SYS
2010/10/03 17:49:04.0968 DLAPoolM (fd363369fd313b46b5aeab1a688b52e9) C:\WINDOWS\system32\Drivers\DLAPoolM.SYS
2010/10/03 17:49:05.0171 DLARTL_M (336ae18f0912ef4fbe5518849e004d74) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
2010/10/03 17:49:05.0375 DLAUDFAM (fd85f682c1cc2a7ca878c7a448e6d87e) C:\WINDOWS\system32\Drivers\DLAUDFAM.SYS
2010/10/03 17:49:05.0593 DLAUDF_M (af389ce587b6bf5bbdcd6f6abe5eabc0) C:\WINDOWS\system32\Drivers\DLAUDF_M.SYS
2010/10/03 17:49:06.0046 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/03 17:49:06.0484 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/03 17:49:06.0765 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/03 17:49:07.0031 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/03 17:49:07.0281 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/10/03 17:49:07.0500 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/03 17:49:07.0734 DRVMCDB (5d3b71bb2bb0009d65d290e2ef374bd3) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2010/10/03 17:49:08.0031 DRVNDDM (c591ba9f96f40a1fd6494dafdcd17185) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2010/10/03 17:49:08.0265 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/10/03 17:49:08.0609 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/03 17:49:08.0843 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/10/03 17:49:09.0078 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/03 17:49:09.0328 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/10/03 17:49:09.0609 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/03 17:49:09.0906 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/03 17:49:10.0171 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/03 17:49:10.0484 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/10/03 17:49:10.0812 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/03 17:49:11.0093 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/10/03 17:49:11.0296 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/03 17:49:11.0562 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/10/03 17:49:11.0843 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/03 17:49:12.0140 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/10/03 17:49:12.0343 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/10/03 17:49:12.0593 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/03 17:49:12.0906 iaStor (e5a0034847537eaee3c00349d5c34c5f) C:\WINDOWS\system32\drivers\iaStor.sys
2010/10/03 17:49:13.0265 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/03 17:49:13.0484 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/10/03 17:49:14.0921 IntcAzAudAddService (811b31e0e0ac7be484efbffc42afcbbe) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/10/03 17:49:16.0281 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/10/03 17:49:16.0500 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/10/03 17:49:16.0718 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/10/03 17:49:16.0937 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/03 17:49:17.0156 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/03 17:49:17.0390 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/03 17:49:17.0718 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/03 17:49:17.0953 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/03 17:49:18.0156 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/03 17:49:18.0406 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/03 17:49:18.0656 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/03 17:49:18.0921 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/03 17:49:19.0203 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/03 17:49:19.0562 LANPkt (8f5795b166cbb50966e29982f8cdb310) C:\WINDOWS\system32\DRIVERS\LANPkt.sys
2010/10/03 17:49:19.0843 Lbd (419590ebe7855215bb157ea0cf0d0531) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2010/10/03 17:49:20.0406 mfeapfk (5bd0c401a8ee4a54f6176c0a10d595ae) C:\WINDOWS\system32\drivers\mfeapfk.sys
2010/10/03 17:49:20.0656 mfeavfk (f3bb4dc61b4dc662bdc778cf1634fae1) C:\WINDOWS\system32\drivers\mfeavfk.sys
2010/10/03 17:49:20.0906 mfebopk (b1498db38d129ed31650422fc8bab9c5) C:\WINDOWS\system32\drivers\mfebopk.sys
2010/10/03 17:49:21.0203 mfefirek (51e9ccea45c78858a229afb6e682cf41) C:\WINDOWS\system32\drivers\mfefirek.sys
2010/10/03 17:49:21.0578 mfehidk (32f7298664874715ce469a79078853c4) C:\WINDOWS\system32\drivers\mfehidk.sys
2010/10/03 17:49:21.0921 mfendisk (9d346b15bb3f4aa323784e2774b4e580) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2010/10/03 17:49:21.0984 mfendiskmp (9d346b15bb3f4aa323784e2774b4e580) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2010/10/03 17:49:22.0203 mferkdet (858337b64484cd80eee7d2eba5ac61bc) C:\WINDOWS\system32\drivers\mferkdet.sys
2010/10/03 17:49:22.0453 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
2010/10/03 17:49:22.0718 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
2010/10/03 17:49:22.0984 mfetdi2k (3363aca7b66bd6b37d0f5c148dc9d34b) C:\WINDOWS\system32\drivers\mfetdi2k.sys
2010/10/03 17:49:23.0218 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/03 17:49:23.0468 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/03 17:49:23.0812 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/03 17:49:24.0187 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/03 17:49:24.0421 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/03 17:49:24.0656 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys
2010/10/03 17:49:24.0937 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/10/03 17:49:25.0234 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/03 17:49:25.0765 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/03 17:49:26.0343 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/03 17:49:26.0718 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/03 17:49:27.0156 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/03 17:49:27.0359 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/03 17:49:27.0578 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/03 17:49:27.0828 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/10/03 17:49:28.0109 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/03 17:49:28.0359 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/10/03 17:49:28.0671 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/03 17:49:29.0015 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/10/03 17:49:29.0250 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/03 17:49:29.0437 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/03 17:49:29.0640 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/03 17:49:29.0890 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/03 17:49:30.0125 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/03 17:49:30.0437 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/03 17:49:30.0734 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/10/03 17:49:30.0968 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/03 17:49:31.0312 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/03 17:49:31.0718 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/03 17:49:33.0859 nv (44067bf7d3e291cc38d9cf9aea1bd99d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/10/03 17:49:36.0062 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/03 17:49:36.0250 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/03 17:49:36.0500 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/10/03 17:49:36.0765 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/10/03 17:49:37.0000 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/03 17:49:37.0234 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/03 17:49:37.0468 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/03 17:49:37.0859 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/10/03 17:49:38.0093 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/10/03 17:49:39.0093 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/10/03 17:49:39.0312 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/10/03 17:49:39.0546 pmxmouse (fab495f1defeb596c44b9752a25e2a60) C:\WINDOWS\system32\DRIVERS\pmxmouse.sys
2010/10/03 17:49:39.0734 pmxusblf (1971e853b598bf9baabff2b652e5cd4d) C:\WINDOWS\system32\DRIVERS\pmxusblf.sys
2010/10/03 17:49:39.0968 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/03 17:49:40.0218 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/03 17:49:40.0453 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/03 17:49:40.0687 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/10/03 17:49:40.0968 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/10/03 17:49:41.0171 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/10/03 17:49:41.0375 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/10/03 17:49:41.0578 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/10/03 17:49:41.0796 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/10/03 17:49:41.0984 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/03 17:49:42.0234 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/03 17:49:42.0453 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/03 17:49:42.0671 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/03 17:49:42.0937 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/03 17:49:43.0218 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/03 17:49:43.0453 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/03 17:49:43.0734 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/03 17:49:44.0015 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/03 17:49:44.0312 RTLE8023xp (89619ef503f949fae09252a8b883ee11) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2010/10/03 17:49:44.0593 RTLVLAN (b9ca69921379ea2931c4450fe975bce7) C:\WINDOWS\system32\DRIVERS\RTLVLAN.SYS
2010/10/03 17:49:44.0828 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/03 17:49:45.0062 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/03 17:49:45.0296 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/03 17:49:45.0515 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/03 17:49:45.0984 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/10/03 17:49:46.0218 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/10/03 17:49:46.0437 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/10/03 17:49:46.0656 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/03 17:49:46.0921 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/03 17:49:47.0328 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/03 17:49:47.0656 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/10/03 17:49:47.0875 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/03 17:49:48.0078 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/03 17:49:48.0328 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/10/03 17:49:48.0515 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/10/03 17:49:48.0765 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/10/03 17:49:48.0968 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/10/03 17:49:49.0218 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/03 17:49:49.0562 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/03 17:49:50.0015 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/03 17:49:50.0234 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/03 17:49:50.0437 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/03 17:49:50.0796 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/10/03 17:49:51.0078 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/03 17:49:51.0328 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/10/03 17:49:51.0625 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/03 17:49:52.0046 USB28xxBGA (67d8495cdad131ddbd602e8f9d5b06fb) C:\WINDOWS\system32\DRIVERS\emBDA.sys
2010/10/03 17:49:52.0328 USB28xxOEM (639e78cc98caf18f89dd94cf24e6e46d) C:\WINDOWS\system32\DRIVERS\emOEM.sys
2010/10/03 17:49:52.0562 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/03 17:49:52.0781 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/03 17:49:53.0031 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/03 17:49:53.0296 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/10/03 17:49:53.0515 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/10/03 17:49:53.0718 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/03 17:49:53.0921 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/03 17:49:54.0156 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/10/03 17:49:54.0437 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/10/03 17:49:54.0640 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/10/03 17:49:54.0859 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/03 17:49:55.0140 w300bus (d4baa1ac8dcea1382e81aa6fe48cdd7c) C:\WINDOWS\system32\DRIVERS\w300bus.sys
2010/10/03 17:49:55.0406 w300mdfl (12d415ab0ddd86c42cdc5f120a381f24) C:\WINDOWS\system32\DRIVERS\w300mdfl.sys
2010/10/03 17:49:55.0625 w300mdm (f470d5e61ee7f951883f70d676551c89) C:\WINDOWS\system32\DRIVERS\w300mdm.sys
2010/10/03 17:49:55.0859 w300mgmt (1b575b7384e22f5b278d3d7fc1bae682) C:\WINDOWS\system32\DRIVERS\w300mgmt.sys
2010/10/03 17:49:56.0093 w300obex (a2bc36924ae02ca1e01ec39c99afea09) C:\WINDOWS\system32\DRIVERS\w300obex.sys
2010/10/03 17:49:56.0359 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/03 17:49:56.0781 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/03 17:49:57.0187 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/10/03 17:49:57.0421 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/10/03 17:49:57.0656 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/10/03 17:49:57.0921 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/03 17:49:57.0937 ================================================================================
2010/10/03 17:49:57.0937 Scan finished
2010/10/03 17:49:57.0937 ================================================================================
2010/10/03 17:49:57.0968 Detected object count: 1
2010/10/03 17:50:01.0218 \HardDisk0\MBR - will be cured after reboot
2010/10/03 17:50:01.0218 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
_____________________________________________________________________________________________
ComboFix 10-10-02.02 - Administrator 03/10/2010 18:06:03.3.4 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2795 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\zfh.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 )))))))))))))))))))))))))))))))
.
2010-10-03 13:28 . 2010-10-03 13:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-03 13:27 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-03 13:27 . 2010-10-03 13:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-03 13:27 . 2010-10-03 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-03 13:27 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-03 12:01 . 2010-10-03 12:01 -------- d-----w- c:\program files\ERUNT
2010-10-01 20:42 . 2010-10-01 20:43 -------- d-----w- C:\Gotcha
2010-10-01 20:27 . 2010-10-01 20:33 -------- d-----w- C:\32788R22FWJFW.1.tmp
2010-10-01 16:46 . 2010-10-01 16:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\MicroVision Applications
2010-09-29 10:43 . 2010-09-29 10:43 2206006444 ----a-w- C:\Ingela.zip
2010-09-27 21:28 . 2010-09-27 21:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2010-09-24 20:31 . 2010-09-24 20:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-09-20 16:21 . 2010-09-20 16:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-09-18 10:30 . 2010-09-18 10:30 57940 ---ha-w- c:\windows\system32\mlfcache.dat
2010-09-16 07:47 . 2010-09-16 07:49 -------- d-----w- c:\program files\QuickTime
2010-09-16 07:46 . 2010-09-16 07:46 -------- d-----w- c:\program files\Safari
2010-09-16 07:44 . 2010-09-16 07:44 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.18.5\SetupAdmin.exe
2010-09-16 07:43 . 2010-09-16 07:44 -------- d-----w- c:\program files\iTunes
2010-09-16 07:43 . 2010-09-16 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-16 07:38 . 2010-09-16 07:38 -------- d-----w- c:\program files\Bonjour
2010-09-16 07:36 . 2010-09-16 07:36 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-03 15:04 . 2009-08-08 15:54 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-10-02 19:59 . 2008-10-07 07:23 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-02 19:53 . 2008-08-06 20:51 -------- d-----w- c:\program files\Java
2010-10-02 19:53 . 2008-08-06 20:51 -------- d-----w- c:\program files\Common Files\Java
2010-10-01 11:58 . 2006-05-27 10:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Cyiq
2010-09-29 16:19 . 2008-03-28 09:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Afkuc
2010-09-27 13:37 . 2010-10-03 12:04 207584 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-09-18 10:28 . 2008-08-16 11:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-09-16 07:55 . 2008-09-07 07:50 -------- d-----w- c:\program files\Apple Software Update
2010-09-16 07:43 . 2008-08-16 10:58 -------- d-----w- c:\program files\iPod
2010-09-16 07:43 . 2008-09-07 07:50 -------- d-----w- c:\program files\Common Files\Apple
2010-09-14 17:23 . 2010-04-21 16:56 -------- d-----w- c:\program files\Common Files\TerraTec
2010-09-12 07:24 . 2009-06-22 19:57 -------- d-----w- c:\program files\Opera 10 Beta
2010-09-05 13:32 . 2008-08-28 13:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\ZoomBrowser EX
2010-09-05 13:32 . 2008-08-28 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-09-05 13:14 . 2008-08-06 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-08-24 13:58 . 2008-08-06 20:58 -------- d-----w- c:\program files\McAfee.com
2010-08-24 13:57 . 2010-08-23 17:24 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-08-24 13:57 . 2010-08-23 17:24 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-08-24 13:57 . 2010-08-23 17:24 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-08-24 13:57 . 2010-08-23 17:24 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-08-24 13:57 . 2010-08-23 17:24 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-08-24 13:57 . 2010-08-23 17:24 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-08-24 13:57 . 2010-08-23 17:24 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-08-24 13:57 . 2008-08-06 20:58 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-08-24 13:57 . 2008-08-06 20:58 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-08-24 13:57 . 2008-08-06 20:58 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-08-23 21:54 . 2008-08-06 20:57 -------- d-----w- c:\program files\McAfee
2010-08-23 21:54 . 2008-08-06 20:58 -------- d-----w- c:\program files\Common Files\McAfee
2010-08-17 18:10 . 2010-09-01 02:37 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
2010-08-17 13:17 . 2004-08-11 16:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-04 13:52 . 2010-08-04 13:52 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4f257f6f-n\decora-sse.dll
2010-08-04 13:52 . 2010-08-04 13:52 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5f7810d4-n\msvcp71.dll
2010-08-04 13:52 . 2010-08-04 13:52 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5f7810d4-n\jmc.dll
2010-08-04 13:52 . 2010-08-04 13:52 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5f7810d4-n\msvcr71.dll
2010-08-04 13:52 . 2010-08-04 13:52 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4f257f6f-n\decora-d3d.dll
2010-07-27 17:44 . 2010-07-27 17:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 17:44 . 2010-07-27 17:44 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-27 17:44 . 2010-07-27 17:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-22 15:49 . 2004-08-11 16:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-05-30 18:26 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 04:00 . 2010-05-06 22:03 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-09 14:26 . 2010-09-01 02:38 475136 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-06 68856]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-25 135664]
"Remote Control Editor"="c:\program files\Common Files\TerraTec\Remote\TTTVRC.exe" [2010-06-09 1689088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-09 8523776]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-31 16860672]
"PMX Daemon"="ICO.EXE" [2006-11-08 49152]
"8169Diag"="c:\program files\Realtek\Diagnostics Utility\8169Diag.exe" [2008-02-26 909312]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-20 30192]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-15 524632]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-30 1193848]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-4-14 596584]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-08-21 14:21 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0Partizan
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera 10 Beta\\opera.exe"=
"c:\\Program Files\\TerraTec\\TerraTec Home Cinema\\tvtvSetup\\tvtv_Wizard.exe"=
"c:\\Program Files\\TerraTec\\TerraTec Home Cinema\\CinergyDvr.exe"=
"c:\\Program Files\\TerraTec\\TerraTec Home Cinema\\VersionCheck\\VersionCheck.exe"=
"c:\\Program Files\\TerraTec\\TerraTec Home Cinema\\ChannelEditor\\CinergyDvrChannelEditor.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\TerraTec\\TerraTec Home Cinema\\InstTool.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [30/05/2009 20:37 64160]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [23/08/2010 18:24 84072]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [23/08/2010 18:24 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [23/08/2010 18:24 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [23/08/2010 18:24 141792]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [23/08/2010 18:24 312904]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [23/08/2010 18:24 88544]
S2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [06/08/2008 21:55 8960]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [23/08/2010 18:24 271480]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [23/08/2010 18:24 55840]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [06/08/2008 21:55 11264]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [06/08/2008 21:56 30192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1029456]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [23/08/2010 18:24 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [23/08/2010 18:24 84264]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [11/08/2008 14:23 18432]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [11/08/2008 14:23 14336]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [06/08/2008 21:55 16640]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [07/03/2010 17:26 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [07/03/2010 17:26 85696]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/01/2010 20:42 135664]
.
Contents of the 'Scheduled Tasks' folder
2010-09-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 20:37]
2010-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
2010-10-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-06 17:34]
2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 19:42]
2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 19:42]
2010-09-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4154240400-2109932074-3037798612-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-11 19:47]
2010-09-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4154240400-2109932074-3037798612-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-11 19:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://195.196.36.242/activex/AMC.cab
DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-03 18:15
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AD11C76]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a0852
\Driver\iaStor -> iaStor.sys @ 0xf7b52002
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba75bbb0
PacketIndicateHandler -> NDIS.sys @ 0xba768a21
SendHandler -> NDIS.sys @ 0xba74687b
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
- - - - - - - > 'lsass.exe'(1004)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(636)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-10-03 18:18:43
ComboFix-quarantined-files.txt 2010-10-03 17:18
ComboFix2.txt 2010-10-02 08:02
Pre-Run: 298,404,446,208 bytes free
Post-Run: 298,386,714,624 bytes free
- - End Of File - - AA71212F57E898C176AF572EBFC56D3B
______________________________________________________________________________________________
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4736
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
03/10/2010 18:26:53
mbam-log-2010-10-03 (18-26-53).txt
Scan type: Quick scan
Objects scanned: 147615
Time elapsed: 3 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
kevinf80_1d0ac6
October 3rd, 2010 11:00
Let's run GMER and see if it will identify what is re-infecting the MBR on reboot. As follows please:
Step 1
Download
Link 1
Link 2
Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.
Step 2
Download GMER Rootkit Scanner from Here or Here.
In the right panel, you will see several boxes that, by default, have already been checked. Please uncheck the following ...
Then click the Scan button & wait for it to finish
Once the scan completes, click on the [Save..] button, and in the File name area, type in "ark.txt"
Save it where you can easily find it, such as your desktop
**Caution**
Rootkit scans often produce false positives.
Do NOT take any action on any of these "<--- ROOTKIT" entries without proper guidance from an expert user.
Copy and paste the log in next reply.....
Although the document itself may instruct you to zip and attach when posting, please ignore that and copy/paste instead...unless of course, your log is so large that the forum software tells you that it is too large for posting. Only in that case would you need to zip it and attach it. Thanks!
Anthony Boyle
October 4th, 2010 15:00
Hi Kevin,
It's been a bad 24hrs.
Attempt 1:
TFC runs fine but GMER freezes. Switched PC off.
Attempt 2:
Booted into safe mode. Ran TFC again and then GMER. This time it finished the scan (at least it stopped doing anything - e.g. no files listed in the bottom window). Unfortunately it froze again, this time when I hit the save button. Switched PC off.
Attempt 3:
Booted into safe mode again but it hung on "mup.sys". Switched PC off.
Attempt 4:
Booted into safe mode again. BSOD with a 0x0000007F (0x0000000D, 0x00000000, 0x00000000) error. Switched PC off.
Attempt 5:
Booted into safe mode yet again, but again, it hung on "mup.sys". Switched PC off.
Attempt 6:
Booted into normal Windows this time, not safe mode. I managed to get in and ran the disk repair tool, then booted back into safe mode. No desktop icons visible. Ran GMER from task manager. This took ages as disk repair and GMER both take hours. This time, when GMER finishes, I try the copy button and get the message to paste the results to notepad. When I switch to task manager GMER disappears - along with task manager. Left with a black screen with "safe mode" at each corner and the cursor - nothing else. Nothing happens when I Alt-Tab or Ctrl-Alt-Del. Switched PC off.
Attempt 7:
Suicide?
Seriously, this is one MF. It's doing a very good job of protecting itself. Like I said in my original post, I think the only way to clean it out is by rewriting the code in the MBR. That's where the bugger is hiding, spawning itself after every restart. For more info read this article I came across last week when trying to find a fix:
http://www.securelist.com/en/analysis/204792131/TDSS
One of the posts in that article led me to TDSSKiller but when I tried it, it failed to get rid of the one in the MBR and only got rid of the one in Windows by being tricked (I changed the name as others had done). This has to be a newer variant.
Posts on other forums, including: http://spywarehammer.com/simplemachinesforum/index.php?topic=8990.0 (which I only discovered was yours on revisiting it yesterday - my problems are almost the same as that poster), led me to the conclusion that fixmbr was the way to go. At least as a first stage - there's still the problem of cleaning out all the friends this virus is inviting to party through my wife's PC's open door.
From what I can gather from the article above, Dells must be very vulnerable to this type of attack. Their MBRs are not protected and you can't run fixmbr and fixboot as the MBR code is specific to Dells and you would destroy the partitions. It would be a good idea therefore for anyone who has a Dell PC to back up their MBR as per the instructions here:
http://www.goodells.net/dellrestore/fixmbr.htm
They can then restore it using the same tool.
It would also be a good idea if Dell could work out a fix based on the work done by Goodells. If this spreads, and looking at the graph in the Securelist article it would appear this is already happening, Dells are going to be falling like 9 pins. Remind me, how many Dell PCs are there out there?
I might sound like I know a bit but just like the poster in the link at the beginning of this thread I too am pretty green. I'd just like to express again how much I appreciate your help. I can see from your other posts, both here and on Spywarehammer, that you are pretty busy.
So where to next?
Tony
PS: It just occurred to me that when GMER crashed during the save stage it may have saved the file before crashing. Admittedly, it didn't get so far as to ask me to name the file and choose a location but it's worth a go. I'll run a search on .txt files and see what it throws up. If that fails I'll physically take a picture of the results with a camera and attach that to the next post.
Also, I'm going to try and run TDSSKiller from a DOS prompt.
kevinf80_1d0ac6
October 4th, 2010 17:00
Hiya Tony,
This is the first one I've encountered that has given this much trouble, granted the one you quoted at my home site was done by re-writing the MBR. The big problem with Dell computers is the specific MBR: rewrite it with a standard one and you lose the recovery partition. That's not too bad if you have installation CDs but Dell don't usually supply them.
Have a read through the instructions at the following Dell site. It gives full instructions and tools for replacing the MBR in XP; I've never used this myself so cannot vouch for it.
http://support.ap.dell.com/support/topics/global.aspx/support/dsn/en/document?c=my&dl=false&l=en&s=gen&docid=28D6863EBF509D7DE040A68F5B286451&doclang=en&cs
You may find this site very interesting http://www.wilderssecurity.com/showthread.php?t=281747 a nice tool to backup your MBR for future reference.
I would have preferred to have seen a Gmer log, but if it will not run we're out of luck. You have to make sure that your security is off; McAfee still gives a degree of protection in safe mode.
How to turn off McAfee, instructions from their forum:
Turn off McAfee.
Double-click the taskbar icon to open SecurityCenter
Click Advanced Menu (bottom)
Click Configure (left)
Click Computer & Files (top left)
You can disable VirusScan and tell it for how long over at the right.
If you click the Advanced button at the right you can then go to Active Protection on the left and uncheck it. Don't forget to click Apply and OK.
Try TDSSKiller from DOS and see how you go; if successful, follow up with Combofix. If not successful, turn off McAfee as above and try GMER again.
If none of the above works, try running Rootkitunhooker as follows:
Copy the entire contents of the report and paste it in a reply here.
Note** you may get the following warning, just click OK and continue.
"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"
Post whichever log is applicable, let me know how you get on...
Kevin
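Tony's suggestion above that Dell owners back up their MBR, and Kevin's point that fixmbr swaps the Dell-specific boot sector for a standard one, both come down to what is actually in those 512 bytes. The Python below is an added example, not code from either poster, from Dell or from any tool linked in the thread: it splits an MBR image into bootstrap code (bytes 0 to 445), partition table (446 to 509) and boot signature, and diffs a known-good backup against the sector as read now, so you can tell whether only the boot code was rewritten (what a boot-sector rootkit or fixmbr does) or whether the partition entries changed as well. The same comparison applies to two reads of the same sector, which is what the user-versus-kernel MBR check in the detector log earlier in this thread reports on. The sample sectors, the partition layout and the type-id names (0xDE, 0xDB, 0x07) are constructed assumptions for illustration; on a real machine you would feed it sector 0 as saved by a raw-disk backup tool.

```python
"""Parse and diff 512-byte MBR images. Added example with constructed data;
not a real Dell or TDL4 boot sector."""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 446      # bytes 0..445: bootstrap code (what a boot-sector rootkit overwrites)
PT_OFFSET = 446     # bytes 446..509: four 16-byte partition entries
SIG_OFFSET = 510    # bytes 510..511: 0x55 0xAA boot signature

# Partition type ids used by the constructed sample (assumed values for
# illustration; check a type-id table before relying on them for a real disk).
TYPE_NAMES = {0x07: "NTFS/HPFS", 0xDB: "Dell PC Restore", 0xDE: "Dell Utility"}


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into bootstrap-code hash, partition-table hash,
    signature check and a list of the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _chs0, ptype, _chs1, lba_start, size = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "slot": i, "bootable": status == 0x80, "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "lba_start": lba_start, "sectors": size,
        })
    return {
        "code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
        "table_sha256": hashlib.sha256(sector[PT_OFFSET:SIG_OFFSET]).hexdigest(),
        "signature_ok": sector[SIG_OFFSET:] == b"\x55\xaa",
        "partitions": partitions,
    }


def diff_mbr(backup: bytes, current: bytes) -> dict:
    """Report which region differs between a known-good backup and the sector
    read now. Code changed with the table intact is the pattern of a boot-code
    rewrite (rootkit or fixmbr); a changed table means partition entries moved."""
    a, b = parse_mbr(backup), parse_mbr(current)
    return {
        "code_changed": a["code_sha256"] != b["code_sha256"],
        "table_changed": a["table_sha256"] != b["table_sha256"],
        "signature_changed": a["signature_ok"] != b["signature_ok"],
    }


def build_mbr(code: bytes, entries) -> bytes:
    """Assemble a sector from bootstrap code and (status, type, lba, size)
    tuples. CHS fields are filled with 0xFF, as LBA-only loaders ignore them."""
    sector = bytearray(SECTOR_SIZE)
    code = code[:CODE_LEN]
    sector[:len(code)] = code
    for i, (status, ptype, lba, size) in enumerate(entries):
        off = PT_OFFSET + 16 * i
        sector[off:off + 16] = struct.pack(
            "<B3sB3sII", status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, size)
    sector[SIG_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


# Constructed sample layout (not a real Dell image): utility partition,
# bootable Windows partition, restore partition near the end of a 500 GB disk.
LAYOUT = [(0x00, 0xDE, 63, 128520),
          (0x80, 0x07, 128583, 950000000),
          (0x00, 0xDB, 950128583, 26000000)]
VENDOR_CODE = b"\xfa\x33\xc0" + b"\x90" * 443       # stand-in for vendor boot code
CLEAN_MBR = build_mbr(VENDOR_CODE, LAYOUT)
INFECTED_MBR = build_mbr(b"\xeb\x3c" + b"\xcc" * 444, LAYOUT)  # same table, new boot code
DAMAGED_MBR = build_mbr(VENDOR_CODE, LAYOUT[:2])              # restore entry lost

if __name__ == "__main__":
    for p in parse_mbr(CLEAN_MBR)["partitions"]:
        print(f"slot {p['slot']}: type 0x{p['type']:02X} {p['type_name']} "
              f"lba {p['lba_start']} sectors {p['sectors']} bootable={p['bootable']}")
    print("backup vs infected:", diff_mbr(CLEAN_MBR, INFECTED_MBR))
    print("backup vs damaged: ", diff_mbr(CLEAN_MBR, DAMAGED_MBR))
```

Take the backup before any cleanup attempt and keep it off the machine. After a TDSSKiller run or a fixmbr, diff again: code_changed True with table_changed False is the expected result of a boot-code rewrite, and the partition entries printed from the backup tell you whether the utility and restore partitions are still where they were.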
Anthony Boyle
October 5th, 2010 06:00
Hi Kevin,
I'm a bit confused as this looks like a straightforward fix for the rootkit infection in the MBR yet the Goodells site doesn't mention it.
How does restoring the MBR using the Dell tool differ from using fixmbr or the Goodells program? Does it use a Dell specific MBR that retains the original partitions, with the recovery and utilities still there, or does it wipe them?
Also, does this put the PC back to a factory state meaning all personal data/setting would be lost - new drivers, updates, apps etc will have to be reinstalled, or does it just return the MBR code to the state it was before it got corrupted?
I have an XP CD for my own PC and the licence for my wife's PC. I could run fixmbr from the recovery console but I'm not sure what that would do in my case. I think I only have 2 partitions. Hitting F12 at boot gives me the following information:
HARD DISK
- SATA-0 Hitachihi HDP725050GLA36
- BOOTABLE ADD-IN CARDS
CDROM
UTILITY PARTITION
Tony
BTW - TDSSKiller failed again. Currently running GMER again.
kevinf80_1d0ac6
October 5th, 2010 09:00
Hi Tony,
If we run Fixmbr from the recovery console your Dell specific MBR will be overwritten with a standard Windows XP MBR. I've no doubt this will rid you of the root/boot kit. However, you have another problem as you will have no access to the Dell recovery partition. That is the dilemma you face.
The link I gave you to DELL has the necessary resources to replace your MBR so you will be left with a new clean MBR that will work as the old one did pre infection. You have to make that decision.
If you try the Dell MBR repair system and it fails, you will still be able to use FIXMBR from the RC and get your PC working, but with no access to the recovery partition.
Let me know what you want to do, if you are successful with GMER post the log.
If you can't get GMER to run let's try it another way. This only does a very fast scan that checks crucial areas only, as follows:
Step 1
Please download GMER Antirootkit Program and save to a folder that you have created C:\ARK (create that folder first) by choosing the "Download EXE" button on the webpage. Save the randomly named executable to that folder.
Disable the active protection component of your antivirus and antispyware programs by following the directions at this Link
Step 2
Next, please perform a "quick" rootkit scan:
Please reply with log from the rootkit scan,