    #1  Vigilance_12 (Member, joined May 2011)

    Click.GiftLoad and "bundle" 5-2-2011

    I've been one of the people to encounter Click.GiftLoad along with a "bundle" of malware. I am sure most people know or have
    discovered that Spybot, along with most of the others, cannot permanently remove or correct the changes made to the OS.
    I have and use Ad-Aware and SUPERAntiSpyware; I update and scan every day with these. Spybot is updated weekly
    and a scan is run as well. I have read most of the info I can locate on this malware, but I am always ready to
    learn more. I have not installed any new software or utility scanners since the infection. I did run services.msc
    to turn my firewall back on. Thanks for any time and energy spent to assist. Vigilance_12

    As I read that Net_Surfer said NOT to add anything, please let me know if you want me to download:
    MalwareBytes log
    HijackThis log

    IBM t60P XPpro SP3



    LOGS:

    I woke and updated; everything scanned okay. Next you can see what happened over the course of an hour.

    SUPERAntiSpyware Scan Log
    SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    Generated 04/28/2011 at 05:06 AM

    Application Version : 4.46.1000

    Core Rules Database Version : 6943
    Trace Rules Database Version: 4755

    Scan type : Quick Scan
    Total Scan Time : 00:07:53

    Memory items scanned : 731
    Memory threats detected : 0
    Registry items scanned : 2222
    Registry threats detected : 0
    File items scanned : 4528
    File threats detected : 0





    NEXT LOG:

    SUPERAntiSpyware Scan Log

    Generated 04/28/2011 at 06:35 AM

    Application Version : 4.46.1000

    Core Rules Database Version : 6943
    Trace Rules Database Version: 4755

    Scan type : Quick Scan
    Total Scan Time : 00:11:53

    Memory items scanned : 749
    Memory threats detected : 2
    Registry items scanned : 2229
    Registry threats detected : 6
    File items scanned : 4553
    File threats detected : 46

    Trojan.Agent/Gen-Falprod[RE]
    C:\WINDOWS\TEMP\CONIMA.EXE
    C:\WINDOWS\TEMP\CONIMA.EXE
    C:\WINDOWS\Prefetch\CONIMA.EXE-327D261A.pf

    Trojan.Agent/Gen
    C:\DOCUME~1\HO\LOCALS~1\TEMP\T89FVI3E0.EXE
    C:\DOCUME~1\HO\LOCALS~1\TEMP\T89FVI3E0.EXE
    [tukdtjsrx] C:\WINDOWS\SYSTEM32\TUKDTJSRX.EXE
    C:\WINDOWS\SYSTEM32\TUKDTJSRX.EXE
    C:\DOCUMENTS AND SETTINGS\HO\LOCAL SETTINGS\TEMP\T89FVI3E0.EXE
    C:\WINDOWS\SYSTEM32\DGJASR46W.EXE
    C:\WINDOWS\Prefetch\DGJASR46W.EXE-02E8F278.pf
    C:\WINDOWS\Prefetch\T89FVI3E0.EXE-117266C9.pf

    Trojan.Agent/Gen-AdsBrite
    [tukdtjsr] C:\WINDOWS\SYSTEM32\TUKDTJSR.EXE
    C:\WINDOWS\SYSTEM32\TUKDTJSR.EXE
    C:\WINDOWS\Prefetch\TUKDTJSR.EXE-1847591A.pf

    Trojan.Agent/Gen-Koobface[Bonkers]
    [Manager] C:\WINDOWS\TEMP\MANAGEE.EXE
    C:\WINDOWS\TEMP\MANAGEE.EXE
    [Input Manager] C:\WINDOWS\TEMP\CONIMA.EXE
    [win] C:\WINDOWS\TEMP\CONIMA.EXE
    [init] C:\WINDOWS\TEMP\CONIMA.EXE
    C:\WINDOWS\Prefetch\MANAGEE.EXE-348DC3D6.pf

    Malware.Trace
    C:\WINDOWS\SYSTEM32\COMSATS.SYS

    Trojan.Agent/Gen-Kryptik
    C:\DOCUMENTS AND SETTINGS\HO\LOCAL SETTINGS\TEMP\OCAEWMRXSN.TMP
    C:\DOCUMENTS AND SETTINGS\HO\LOCAL SETTINGS\TEMP\WREACSNMXO.TMP

    Adware.Tracking Cookie
    C:\Documents and Settings\NetworkService\Cookies\system@adserving[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@search.seekfinds[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@interclick[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@www.finditch[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ru4[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@beacon.dmsinsights[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@trafficengine[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@adserver.adtechus[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@clicksense[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@realmedia[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@mm.chitika[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ads.parkingpath[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ads.undertone[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@pro-market[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@a1.interclick[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@search.hippofind[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@pointroll[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@collective-media[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@www.find-quick-results[1].txt

    Trojan.Agent/Gen-Virut
    C:\WINDOWS\SYSTEM32\SERVICE.SYS







    NEXT LOG:

    SUPERAntiSpyware Scan Log

    Generated 04/28/2011 at 06:53 AM

    Application Version : 4.46.1000

    Core Rules Database Version : 6943
    Trace Rules Database Version: 4755

    Scan type : Quick Scan
    Total Scan Time : 00:08:46

    Memory items scanned : 730
    Memory threats detected : 0
    Registry items scanned : 2223
    Registry threats detected : 0
    File items scanned : 4535
    File threats detected : 0






    NEXT LOG:

    SUPERAntiSpyware Scan Log

    Generated 04/28/2011 at 08:44 AM

    Application Version : 4.46.1000

    Core Rules Database Version : 6943
    Trace Rules Database Version: 4755

    Scan type : Quick Scan
    Total Scan Time : 00:08:53

    Memory items scanned : 730
    Memory threats detected : 0
    Registry items scanned : 2229
    Registry threats detected : 0
    File items scanned : 4539
    File threats detected : 11

    Adware.Tracking Cookie
    convoad.technoratimedia.net [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\QFFMY2KS ]
    C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@clicksense[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@realmedia[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@revsci[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ru4[1].txt


    Ad-Aware log: it appears to be blocking, but XP Pro SP3 was breached.



    MSG [2064] 2011/04/10 16:27:51: C:\docume~1\ho\locals~1\temp\exrcnsmoaw.tmp (diagnosis: Malware family: virtool.win32.obfuscator.da!e (v)) => Block
    MSG [0572] 2011/04/10 16:27:51: C:\docume~1\ho\locals~1\temp\exrcnsmoaw.tmp (diagnosis: Malware family: virtool.win32.obfuscator.da!e (v)) => Block
    MSG [2208] 2011/04/10 16:28:25: C:\docume~1\ho\locals~1\temp\hletrjql.exe (diagnosis: Malware family: Trojan.Win32.FakeAv.awrp (v)) => Block
    MSG [2112] 2011/04/10 16:28:27: C:\docume~1\ho\locals~1\temp\igumwc.exe (diagnosis: Malware family: Win32.Malware!Drop) => Block
    MSG [2728] 2011/04/10 16:28:34: C:\docume~1\ho\locals~1\temp\yp0.exe (diagnosis: Malware family: virtool.win32.obfuscator.da!e (v)) => Block
    MSG [4352] 2011/04/10 16:28:45: C:\docume~1\ho\locals~1\temp\yp1.exe (diagnosis: Malware family: virtool.win32.obfuscator.da!e (v)) => Block
    MSG [5100] 2011/04/10 16:29:19: C:\docume~1\ho\locals~1\temp\yp2.exe (diagnosis: Malware family: virtool.win32.obfuscator.da!e (v)) => Block
    MSG [5572] 2011/04/10 16:29:25: C:\docume~1\ho\locals~1\temp\4dl980q9.exe (diagnosis: Malware family: Trojan.Win32.Generic!BT) => Block
    MSG [4580] 2011/04/10 16:32:05: C:\docume~1\ho\locals~1\temp\95i6maimj.exe (diagnosis: Malware family: Trojan.Win32.Packer.Upack0.3.9 (ep)) => Block
    MSG [0476] 2011/04/24 10:43:24: C:\docume~1\ho\locals~1\temp\0.025243658950691916.exe (diagnosis: Malware family: Trojan.Win32.FakeAv.awrp (v)) => Block
    MSG [3684] 2011/04/28 06:12:37: C:\docume~1\ho\locals~1\temp\ocaewmrxsn.tmp (diagnosis: Malware family: VirTool.Win32.Obfuscator.hg!b1 (v)) => Block
    MSG [0332] 2011/04/28 06:12:38: C:\docume~1\ho\locals~1\temp\ocaewmrxsn.tmp (diagnosis: Malware family: VirTool.Win32.Obfuscator.hg!b1 (v)) => Block
    MSG [2256] 2011/04/28 06:12:38: C:\docume~1\ho\locals~1\temp\ocaewmrxsn.tmp (diagnosis: Malware family: VirTool.Win32.Obfuscator.hg!b1 (v)) => Block
    MSG [1276] 2011/04/28 06:12:52: C:\docume~1\ho\locals~1\temp\wreacsnmxo.tmp (diagnosis: Malware family: VirTool.Win32.Obfuscator.hg!b1 (v)) => Block
    MSG [3884] 2011/04/28 06:12:52: C:\docume~1\ho\locals~1\temp\wreacsnmxo.tmp (diagnosis: Malware family: VirTool.Win32.Obfuscator.hg!b1 (v)) => Block
    MSG [0764] 2011/04/28 06:12:52: C:\docume~1\ho\locals~1\temp\wreacsnmxo.tmp (diagnosis: Malware family: VirTool.Win32.Obfuscator.hg!b1 (v)) => Block
    MSG [3804] 2011/04/28 06:13:05: C:\docume~1\ho\locals~1\temp\mxrwnoecas.tmp (diagnosis: Malware family: Trojan.Win32.Cimag.gk (v)) => Block
    MSG [2996] 2011/04/28 06:13:06: C:\docume~1\ho\locals~1\temp\maxwnscoer.tmp (diagnosis: Malware family: Trojan.Win32.FakeAv.awrp (v)) => Block
    MSG [2096] 2011/04/28 06:13:06: C:\docume~1\ho\locals~1\temp\maxwnscoer.tmp (diagnosis: Malware family: Trojan.Win32.FakeAv.awrp (v)) => Block
    MSG [3860] 2011/04/28 06:13:06: C:\docume~1\ho\locals~1\temp\maxwnscoer.tmp (diagnosis: Malware family: Trojan.Win32.FakeAv.awrp (v)) => Block
    MSG [3868] 2011/04/28 06:21:11: C:\docume~1\ho\locals~1\temp\xsarwnocme.tmp (diagnosis: Malware family: Trojan.Win32.Cimag.gk (v)) => Block
    MSG [4052] 2011/04/28 06:21:18: C:\windows\system32\dgjasr46w.exe (diagnosis: Malware family: Trojan.Win32.Generic!BT) => Block
    MSG [3532] 2011/04/28 11:29:54: C:\windows\temp\i30427.exe (diagnosis: Malware family: Trojan-Dropper.Win32.Wimpixo.e (v)) => Block
    MSG [3624] 2011/04/28 16:48:15: C:\docume~1\ho\locals~1\temp\6qreiw1ug.exe (diagnosis: Malware family: Trojan.Win32.Generic!BT) => Block
    MSG [2596] 2011/04/28 16:48:20: C:\docume~1\ho\locals~1\temp\j4lyfy51e.exe (diagnosis: Malware family: Trojan.Win32.Generic!BT) => Block
    MSG [3916] 2011/04/28 16:49:32: C:\docume~1\ho\locals~1\temp\5mxrg45k.exe (diagnosis: Malware family: Trojan.Win32.Packer.Upack0.3.9 (ep)) => Block
    MSG [0708] 2011/04/28 21:25:23: C:\windows\temp\lpfn\setup.exe (diagnosis: Malware family: Zugo (fs)) => Block




    --- Report generated: 2011-04-28 06:43 ---

    Tencent.AdressBar: [SBI $58261404] Program directory (Directory, nothing done)
    C:\Program Files\Tencent\

    Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe


    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2010-07-16 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-11-04 advcheck.dll (1.6.5.20)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2011-03-18 Includes\Adware.sbi (*)
    2011-03-22 Includes\AdwareC.sbi (*)
    2010-08-13 Includes\Cookies.sbi (*)
    2010-12-14 Includes\Dialer.sbi (*)
    2011-03-08 Includes\DialerC.sbi (*)
    2011-02-24 Includes\HeavyDuty.sbi (*)
    2011-03-29 Includes\Hijackers.sbi (*)
    2011-03-29 Includes\HijackersC.sbi (*)
    2010-09-15 Includes\iPhone.sbi (*)
    2010-12-14 Includes\Keyloggers.sbi (*)
    2011-03-08 Includes\KeyloggersC.sbi (*)
    2011-04-05 Includes\Malware.sbi (*)
    2011-04-26 Includes\MalwareC.sbi (*)
    2011-02-24 Includes\PUPS.sbi (*)
    2011-03-15 Includes\PUPSC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2011-03-08 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2011-02-24 Includes\Spyware.sbi (*)
    2011-03-15 Includes\SpywareC.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2010-12-28 Includes\Trojans.sbi (*)
    2011-04-26 Includes\TrojansC-02.sbi (*)
    2011-04-26 Includes\TrojansC-03.sbi (*)
    2011-04-18 Includes\TrojansC-04.sbi (*)
    2011-04-26 Includes\TrojansC-05.sbi (*)
    2011-03-08 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll
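
The two scanner logs above lend themselves to a small triage script. The Python below is an added example written for this page, not a tool from the post or from the Ad-Aware or SUPERAntiSpyware vendors: it parses Ad-Aware block lines and SUPERAntiSpyware detection sections into one record shape, buckets each path by where it landed (user temp, Windows temp, system32, Prefetch), and pulls out the bracketed names that SUPERAntiSpyware prints in front of some paths. The sample log lines are copied from the post; treating the bracketed prefix as a Run-key value name is an assumption (the six bracketed entries in the 06:35 scan do match its "Registry threats detected : 6").

```python
"""Triage helper for Ad-Aware block lines and SUPERAntiSpyware detection
sections (added example, not part of the post or of either vendor's tooling)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the two logs in the post.
ADAWARE_SAMPLE = """\
MSG [2208] 2011/04/10 16:28:25: C:\\docume~1\\ho\\locals~1\\temp\\hletrjql.exe (diagnosis: Malware family: Trojan.Win32.FakeAv.awrp (v)) => Block
MSG [4052] 2011/04/28 06:21:18: C:\\windows\\system32\\dgjasr46w.exe (diagnosis: Malware family: Trojan.Win32.Generic!BT) => Block
MSG [3532] 2011/04/28 11:29:54: C:\\windows\\temp\\i30427.exe (diagnosis: Malware family: Trojan-Dropper.Win32.Wimpixo.e (v)) => Block
MSG [0708] 2011/04/28 21:25:23: C:\\windows\\temp\\lpfn\\setup.exe (diagnosis: Malware family: Zugo (fs)) => Block
"""

SAS_SAMPLE = """\
Trojan.Agent/Gen
C:\\DOCUME~1\\HO\\LOCALS~1\\TEMP\\T89FVI3E0.EXE
[tukdtjsrx] C:\\WINDOWS\\SYSTEM32\\TUKDTJSRX.EXE
C:\\WINDOWS\\Prefetch\\T89FVI3E0.EXE-117266C9.pf

Trojan.Agent/Gen-Virut
C:\\WINDOWS\\SYSTEM32\\SERVICE.SYS
"""

# Ad-Aware: "MSG [pid] date time: <path> (diagnosis: Malware family: <family>) => <action>"
ADAWARE_RE = re.compile(
    r"^MSG \[(?P<pid>\d+)\] (?P<when>\S+ \S+): (?P<path>.+?) "
    r"\(diagnosis: Malware family: (?P<family>.+?)\) => (?P<action>\w+)$"
)
# SUPERAntiSpyware: a path line, optionally prefixed with "[ValueName] "
# (assumed here to be the Run-key value that launches the file).
SAS_RUN_RE = re.compile(r"^\[(?P<value>[^\]]+)\] (?P<path>.+)$")


@dataclass
class Detection:
    source: str
    family: str
    path: str
    location: str
    run_value: Optional[str] = None
    when: Optional[str] = None


def classify_location(path: str) -> str:
    """Bucket a path by where the malware in these logs tends to land."""
    p = path.lower()
    if "\\prefetch\\" in p:
        return "prefetch"        # evidence the binary ran, not the payload itself
    if "\\cookies\\" in p:
        return "cookie"
    if "\\system volume information\\" in p:
        return "restore_point"
    if p.startswith("c:\\windows\\temp\\"):
        return "windows_temp"
    if "\\temp\\" in p:
        return "user_temp"
    if "\\system32\\" in p:
        return "system32"
    return "other"


def parse_adaware(text: str) -> list:
    out = []
    for line in text.splitlines():
        m = ADAWARE_RE.match(line.strip())
        if m:
            out.append(Detection("adaware", m["family"], m["path"],
                                 classify_location(m["path"]), when=m["when"]))
    return out


def parse_sas(text: str) -> list:
    """A family header line is followed by one path (or '[Value] path') per line."""
    out, family = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "\\" not in line:      # no path separator: this is a family header
            family = line
            continue
        m = SAS_RUN_RE.match(line)
        value, path = (m["value"], m["path"]) if m else (None, line)
        out.append(Detection("sas", family or "?", path, classify_location(path), value))
    return out


def summarize(dets: list) -> dict:
    return {
        "by_family": Counter(d.family for d in dets),
        "by_location": Counter(d.location for d in dets),
        # persistence entries to remove before (or together with) the files
        "run_values": sorted({d.run_value for d in dets if d.run_value}),
    }


if __name__ == "__main__":
    found = parse_adaware(ADAWARE_SAMPLE) + parse_sas(SAS_SAMPLE)
    for key, val in summarize(found).items():
        print(key, dict(val) if isinstance(val, Counter) else val)
```

The temp-directory filenames in these logs change with every drop, so hunting by location and family is more useful than by name; the .pf entries under Prefetch only tell you the dropped binary executed, and the bracketed value names are what keep it coming back after a reboot.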

    #2  Net_Surfer (Member, joined May 2008, Paradise, CA)

    Hello Vigilance_12 and Welcome to the Help2Go Spyware Help Forum

    Sorry for the delay!


    My nick is Net_Surfer and I will be helping you with your malware issues. This may or may not solve other issues you may have with your machine.

    Please note that whatever repairs we make are for fixing "your computer problems only" and by no means should be used on another computer.

    I would also like to inform you that most of us here at the Help2Go support forums offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative of the assistance provided!


    Please be patient and I'd be grateful if you would note the following:

    The cleaning process is not instant. ComboFix, OTL and HijackThis logs can take some time to research. Please be aware that I am a volunteer here with a job and family, so I ask that you be patient when waiting for replies.

    I use Google as a resource to research what the problem is, to understand some of the infections that are on the computer and where I need to focus more, so that the member gets the best and most honest service.

    So please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.


    1. Please read all instructions carefully and perform the steps fully and in the order they are written.
    2. If you don't know or understand something, please don't hesitate to say so or ask! It's better to be sure and safe than sorry.
    3. Do not attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. There will never be an all-in-one solution for repairing an infected computer. You must have a great arsenal of utilities that can take care of what another program may miss or isn't as specialized for.
    4. In order to see what's going on with your computer I will ask you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.
    5. Please avoid installing, uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
    6. Please continue to review my answers until I tell you that your machine is clean and free of malware. (Absence of symptoms does not mean that everything is clear.
    Just because you can't see a problem doesn't mean it isn't there.)

    If you can do these things, everything should go smoothly!


    To check for signs of Virut, we need to send some files to Jotti.

    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Please click this link: Jotti

    When the Jotti page has finished loading, click the Browse button and navigate to the files listed below, then click Submit. You will only be able to have one file scanned at a time.

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\svchost.exe

    Please post back the results of the scan in your next post.

    If Jotti is busy, try the same at VirusTotal.

    Please reply back with the report log of Jotti or Virus Total.

    Kind regards
    Net_Surfer
    Our help here is always free, but it does cost money to keep the site running. If you feel we've helped you, kindly click here: >> Please Donate to the Forum <<

    "Obstacles are what you see when you take your eyes off your Goals"

    Net_Surfer is a Graduate of the BleepingComputer Malware Removal Training Program. You too could train to help others!

    #3  Vigilance_12 (Member, joined May 2011)

    Hello Net_Surfer, thanks for your reply. I am currently following your instructions and will post the results. Also some more information on OS behavior: when booting the system this morning (5-07) Windows hung at "Welcome" two times; each time I pulled the battery for another hard start, and the third attempt allowed the OS to load. I am still fighting and controlling the browser from trying to redirect, and have an SVCHost.EXE - Application Error popping open along with a Generic Host Process for Win32 Services window popping open...

    #4  Vigilance_12 (Member, joined May 2011)

    Filename: explorer.exe
    Status:
    Scan finished. 0 out of 20 scanners reported malware.

    File size: 1033728 bytes
    Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5: 12896823fb95bfb3dc9b46bcaedc9923
    SHA1: 9d2bf84874abc5b6e9a2744b7865c193c08d362f

    Filename: lsass.exe
    Status:
    Scan finished. 0 out of 20 scanners reported malware.
    Scan taken on: Fri 6 May 2011 06:53:03 (CET)

    File size: 13312 bytes
    Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5: bf2466b3e18e970d8a976fb95fc1ca85
    SHA1: de5a73cbb5f51f64c53fb4277ef2c23e70db123f


    Filename: services.exe
    Status:
    Scan finished. 0 out of 20 scanners reported malware.
    Scan taken on: Wed 20 Apr 2011 16:07:43 (CET)

    File size: 108544 bytes
    Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5: 0e776ed5f7cc9f94299e70461b7b8185
    SHA1: cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf


    Filename: winlogon.exe
    Status:
    Scan finished. 0 out of 20 scanners reported malware.
    Scan taken on: Thu 5 May 2011 02:18:03 (CET)

    File size: 507904 bytes
    Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5: ed0ef0a136dec83df69f04118870003e
    SHA1: f77a7cd78877527023ebfb35e83b75ef59d3df07

    Filename: svchost.exe
    Status:
    Scan finished. 0 out of 20 scanners reported malware.
    Scan taken on: Thu 5 May 2011 14:38:01 (CET)

    File size: 14336 bytes
    Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18
    SHA1: 49083ae3725a0488e0a8fbbe1335c745f70c4667
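
The five results above form a per-file baseline that can be re-checked against the disk after cleanup, which is the part of the Jotti step that matters for a file infector. The Python below is an added example for this page, not code from the post, from Jotti or from VirusTotal: it parses the report text into size/MD5/SHA1 per filename and reports which of those fields differ for a local copy. The baseline here is the poster's own uploads, so a match only proves a file is byte-identical to what was scanned; a trusted reference (hashes of the same build taken from install media or published by the vendor) is what a real known-good comparison needs. Virut is a PE file infector, so a size or hash change on explorer.exe or winlogon.exe between two checks is exactly the signal this catches, while a 0-of-20 engine result by itself is not proof of a clean file.

```python
"""Parse a Jotti report into a size/MD5/SHA1 baseline and diff local files
against it (added example, not from the post or from Jotti/VirusTotal)."""
import hashlib
import os
import re
import sys

# Constructed sample: two records copied verbatim from the Jotti results in the post.
JOTTI_SAMPLE = """\
Filename: lsass.exe
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Fri 6 May 2011 06:53:03 (CET)

File size: 13312 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: bf2466b3e18e970d8a976fb95fc1ca85
SHA1: de5a73cbb5f51f64c53fb4277ef2c23e70db123f

Filename: svchost.exe
Status:
Scan finished. 0 out of 20 scanners reported malware.

File size: 14336 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18
SHA1: 49083ae3725a0488e0a8fbbe1335c745f70c4667
"""

FIELD_RES = {
    "hits": re.compile(r"^Scan finished\. (\d+) out of (\d+) scanners"),
    "size": re.compile(r"^File size: (\d+) bytes$"),
    "md5": re.compile(r"^MD5: ([0-9a-fA-F]{32})$"),
    "sha1": re.compile(r"^SHA1: ([0-9a-fA-F]{40})$"),
}


def parse_jotti(text: str) -> dict:
    """Return {filename: {"hits", "engines", "size", "md5", "sha1"}}."""
    records, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Filename:"):
            cur = {}
            records[line.split(":", 1)[1].strip()] = cur
            continue
        if cur is None:
            continue
        for key, rx in FIELD_RES.items():
            m = rx.match(line)
            if not m:
                continue
            if key == "hits":
                cur["hits"], cur["engines"] = int(m[1]), int(m[2])
            elif key == "size":
                cur["size"] = int(m[1])
            else:
                cur[key] = m[1].lower()
    return records


def hash_bytes(data: bytes) -> dict:
    """Size plus the two digests Jotti reports, computed the same way."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def hash_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())


def verify(actual: dict, baseline: dict) -> list:
    """Names of the fields (size, md5, sha1) where the local copy differs."""
    return [k for k in ("size", "md5", "sha1") if actual.get(k) != baseline.get(k)]


if __name__ == "__main__":
    # Usage: python jotti_baseline.py C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe
    baseline = parse_jotti(JOTTI_SAMPLE)
    for path in sys.argv[1:]:
        name = os.path.basename(path.replace("\\", "/")).lower()
        if name not in baseline:
            print(f"{path}: no baseline record")
            continue
        diff = verify(hash_file(path), baseline[name])
        print(f"{path}: {'matches baseline' if not diff else 'DIFFERS in ' + ', '.join(diff)}")
```

Run it once now to record the state and again after the cleanup tools have finished; a size change on any of the five binaries is the cheapest indicator that something has been appended to the PE, and a changed hash with the same size still means the file is not the one that was scanned.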

    #5  Net_Surfer (Member, joined May 2008, Paradise, CA)

    Alright. It seems that we can still clean your computer. If the Virut file infector is present, ComboFix will not run.

    OK. If you have a Vista or Win7 computer, ensure that you right-click on the tools and run them as an Admin. If XP, double-click on the program to run them.

    Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
    Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.

    Please carefully follow the next set of steps:


    If you can not download and run the following tools, then I would like for you to try another approach:

    If you have the use of another computer please either use a Flash Drive or a CD to download the following and transfer them for use on the infected machine.
    Be sure you put them on the desktop of the infected computer.


    Step 1.

    Please download the following 3 programs to a clean computer and then transfer them on to a usb stick.

    Download FixNCR.reg
    Download Rkill
    Download Malwarebytes Anti-Malware

    Step 2.

    Please reboot your Infected computer in Safe Mode with Networking by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
      You will need to use the 'keyboard arrow keys' to navigate on this menu.
    • Select the option, to run Windows in Safe Mode With Networking, then press "Enter".
    • Then choose your usual account.

    • Once you have downloaded all the necessary files to a removable device, you need to plug it into your infected computer so it can access them.
    • Now open the drive that corresponds to the removable media that you copied the programs from the earlier step. Once open, double-click on the FixNCR.reg file. When Windows prompts whether or not you want to allow the data to be added to your computer, click on the Yes button.
    • Now run RKill.
      If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the malware when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself .

      If the malware is persistent, you may have to run RKill a number of times.
      When it has finished, the black window will automatically close and you can continue with the next step.

      If you continue having problems running rkill.com, you can download iExplore or eXplorer.exe from the rkill download page. Both of these files are renamed copies of rkill.com, which you can try instead. Please note that the download page will open in a new browser window or tab.

      Note: If Rkill detects a proxy, it will disable it and make a backup on the desktop as rk-proxy.reg. At the end of the fix you can safely delete it by right-clicking and selecting Delete.


      Please do not reboot your system until you have completed the following step, or the Malware will restart itself:

    • You should now be able to run the MBAM setup.

    Step 3.
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Full Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

    Step 4.

    * Please visit this webpage for instructions for downloading and running ComboFix if you have problems running it:

    Please download ComboFix from one of the following mirrors, and save it to your desktop.
    Warning: This tool is not a toy and not for everyday use!
    Link 1
    Link 2
    Link 3
    • Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
    • Please insert all usb-drives before running Combofix
    • Close any open browsers.
    • Double-click ComboFix on your desktop.
      If using Vista/Win7, right-click and Run as Administrator...
    • Read and accept (Press Yes) to the disclaimer. *If using Windows XP... Please allow Combofix tool to download and install the Microsoft Recovery Console.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
      Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
      **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
    • *Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

      Post the log from ComboFix in your next reply.


    *EXTRA NOTES*

    * If ComboFix detects any rootkit/bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
    * If ComboFix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
    * If after running ComboFix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

    Summary of the logs I will need in your next reply:
    • Rkill log.
    • The ComboFix log.
    • MBAM log.

    How are things at your end?


    Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

    Again, Please DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean and free of malware!!!

    The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

    Kind regards
    Net_Surfer

    #6  Vigilance_12 (Member, joined May 2011)

    Malwarebytes' Anti-Malware 1.50.1.1100

    Database version: 6533

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 6.0.2900.5512

    5/8/2011 3:32:03 PM
    mbam-log-2011-05-08 (15-32-03).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 207479
    Time elapsed: 17 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\SogouExplorer.AssocFile.HTM (Adware.Sogou) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\HTTP\shell\SogouExplorer (Adware.Sogou) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\https\shell\SogouExplorer (Adware.Sogou) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\ho\application data\sogouexplorer\sogouexplorersetup.exe (Adware.Sogou) -> Quarantined and deleted successfully.
    c:\documents and settings\ho\application data\TENCENT\QQ\STemp\~txqq2052~0\program files\Tencent\QQ2009\Plugin\com.tencent.qqpet\bin\QQPet\qqpetdazzle.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
    c:\program files\Tencent\QQ\Plugin\com.tencent.qqpet\bin\QQPet\qqpetdazzle.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{d19a81b8-5eed-4cb5-95e5-d4fe3e0f2630}\RP118\A0018383.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{d19a81b8-5eed-4cb5-95e5-d4fe3e0f2630}\RP118\A0022527.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{d19a81b8-5eed-4cb5-95e5-d4fe3e0f2630}\RP118\A0022528.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{d19a81b8-5eed-4cb5-95e5-d4fe3e0f2630}\RP118\A0022529.exe (Trojan.Agent) -> Quarantined and deleted successfully.
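
One way to read a log like the one above, as an added example for this thread (it is not code from Malwarebytes or from anyone posting here). It parses the MBAM 1.x detection lines and separates what a responder cares about: registry changes, files that were still on the live system, and copies that only existed inside System Restore points. SAMPLE_LOG is the detection section of the log posted above, embedded so the script runs offline.

```python
r"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs.

Added example for this thread; not code from Malwarebytes or from anyone
posting here. MBAM 1.50 writes one line per hit in the form
"<item> (<Family>) -> <action>." under headings that end in "Infected:".
The script pulls those out and groups them by what they mean for cleanup.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Heading such as "Files Infected:" (the summary lines "Files Infected: 7"
# do not match because they do not end at the colon).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
# One hit: "<item> (<Family>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Copies System Restore keeps under C:\System Volume Information\_restore{GUID}\RPnn\
RESTORE_POINT_RE = re.compile(r"\\system volume information\\_restore\{", re.IGNORECASE)
# Shell verbs registered on the HTTP / HTTPS URL protocol handlers
URL_VERB_RE = re.compile(r"^HKEY_CLASSES_ROOT\\https?\\shell\\", re.IGNORECASE)

# Detection section of the MBAM log posted in this thread (embedded sample input).
SAMPLE_LOG = r"""
Registry Keys Infected: 3
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\SogouExplorer.AssocFile.HTM (Adware.Sogou) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HTTP\shell\SogouExplorer (Adware.Sogou) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\https\shell\SogouExplorer (Adware.Sogou) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\ho\application data\sogouexplorer\sogouexplorersetup.exe (Adware.Sogou) -> Quarantined and deleted successfully.
c:\documents and settings\ho\application data\TENCENT\QQ\STemp\~txqq2052~0\program files\Tencent\QQ2009\Plugin\com.tencent.qqpet\bin\QQPet\qqpetdazzle.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\program files\Tencent\QQ\Plugin\com.tencent.qqpet\bin\QQPet\qqpetdazzle.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\system volume information\_restore{d19a81b8-5eed-4cb5-95e5-d4fe3e0f2630}\RP118\A0018383.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\system volume information\_restore{d19a81b8-5eed-4cb5-95e5-d4fe3e0f2630}\RP118\A0022527.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{d19a81b8-5eed-4cb5-95e5-d4fe3e0f2630}\RP118\A0022528.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{d19a81b8-5eed-4cb5-95e5-d4fe3e0f2630}\RP118\A0022529.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""


@dataclass(frozen=True)
class Hit:
    section: str   # heading the line appeared under, e.g. "Registry Keys"
    item: str      # registry key or file path exactly as MBAM wrote it
    family: str    # MBAM detection name, e.g. "Adware.Sogou"
    action: str    # what MBAM reports having done


def parse_mbam_log(text: str) -> list[Hit]:
    """Return every detection line in the log, tagged with its section."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = SECTION_RE.match(line)
        if head:
            section = head.group("section")
            continue
        if section is None or not line or line.startswith("("):
            continue  # preamble, blank line, or "(No malicious items detected)"
        m = DETECTION_RE.match(line)
        if m:
            hits.append(Hit(section, m["item"], m["family"], m["action"]))
    return hits


def triage(hits: list[Hit]) -> dict:
    """Group hits the way a responder reads them, not the way MBAM prints them."""
    restore = [h for h in hits if RESTORE_POINT_RE.search(h.item)]
    return {
        "registry": [h for h in hits if h.section.startswith("Registry")],
        "url_handler_verbs": [h for h in hits if URL_VERB_RE.match(h.item)],
        "live_files": [h for h in hits if h.section == "Files" and h not in restore],
        "restore_point_copies": restore,
        "families": Counter(h.family for h in hits),
        "all_removed": all(h.action.startswith("Quarantined and deleted") for h in hits),
    }


if __name__ == "__main__":
    report = triage(parse_mbam_log(SAMPLE_LOG))
    for group in ("registry", "url_handler_verbs", "live_files", "restore_point_copies"):
        print(f"{group}: {len(report[group])}")
        for h in report[group]:
            print(f"  [{h.family}] {h.item}")
    print("families:", dict(report["families"]))
```

Two of the registry hits are verbs under HKEY_CLASSES_ROOT\HTTP\shell and \https\shell, which is how Sogou Explorer inserted itself into the handling of web links; the four paths under c:\system volume information\_restore{...}\RP118 are copies System Restore had kept of earlier files, so they show the Hiloti and Agent samples were on the live system at some point rather than that they were still running at scan time.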

  7. #7
    Member | Join Date: May 2011 | Posts: 17 | Points: 0

    Rkill was run on 05/08/2011 at 14:47:46.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:

    C:\WINDOWS\system32\grpconv.exe


    Rkill completed on 05/08/2011 at 14:47:49.

  8. #8
    Member | Join Date: May 2011 | Posts: 17 | Points: 0

    Hello, Net_Surfer. Sorry about the multi-posting... I could not directly download what you requested on my IBM T60p XPpro SP3 with Mozilla.

    So I carefully did the following per your instructions.

    Step 1. Downloaded the following 3 programs to a clean computer (desktop) and then transferred them onto a USB stick.

    Download FixNCR.reg
    Download Rkill
    Download Malwarebytes Anti-Malware

    All Good

    Step 2. Booted the computer in Safe Mode with Networking and installed FixNCR.reg. Next I let it add the data to the computer.

    All Good

    Next I started Rkill. It ran fine, no trouble running, and it detected 1 problem. Log posted.

    Next I did NOT reboot and proceeded to

    Step 3. Followed all the instructions as listed for Malwarebytes. No trouble running it; it detected items and requested a reboot after its scan. This is the first reboot since I started working.

    Step 4. Problem: can't download ComboFix... the browser tried to redirect, in addition to the "Generic Host Process for Win32 Services" window opening and an "SvcHost.exe - Application Error".

    I closed the browser and returned to Help2go.com.

    But I can't download ComboFix from any of the links. Mozilla will say download "canceled".

    I also tried Internet Explorer; it also fails to download ComboFix, saying security settings will not allow it.

    Thanks again for your time and help!

  9. #9
    Net_Surfer (Member) | Join Date: May 2008 | Location: Paradise Ca. | Posts: 1,179 | Points: 89 | Blog Entries: 4

    Hi

    Try this tool to check for a TDL rootkit:

    Download TDSSKiller.exe (v2.4.0.0) from Kaspersky Labs and save it to your desktop. <-Important!!!
    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator
    • If TDSSKiller does not run, try renaming it.
    • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension
    • Click the Start Scan button.
    • Do not use the computer during the scan.
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_14.17.05_log.txt) will be created and saved to the root directory (usually Local Disk C:).
    * Post this log to your next message.

    If needed see the TDSS Rootkit Removing Tool website for detailed instructions on running TDSSkiller.

  10. #10
    Member | Join Date: May 2011 | Posts: 17 | Points: 0

    Hi, just finished running TDSSKiller, no problems getting it to run. It detected and removed the Root/Bootkit. I can now use the PC (seems stable) but want to rid it of any traces of infection or remnants.

    LOG


    2011/05/09 10:14:56.0921 3220 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
    2011/05/09 10:14:56.0921 3220 ================================================================================
    2011/05/09 10:14:56.0921 3220 SystemInfo:
    2011/05/09 10:14:56.0921 3220
    2011/05/09 10:14:56.0921 3220 OS Version: 5.1.2600 ServicePack: 3.0
    2011/05/09 10:14:56.0921 3220 Product type: Workstation
    2011/05/09 10:14:56.0921 3220 ComputerName: Tpad
    2011/05/09 10:14:56.0921 3220 UserName: ho
    2011/05/09 10:14:56.0921 3220 Windows directory: C:\WINDOWS
    2011/05/09 10:14:56.0921 3220 System windows directory: C:\WINDOWS
    2011/05/09 10:14:56.0921 3220 Processor architecture: Intel x86
    2011/05/09 10:14:56.0921 3220 Number of processors: 2
    2011/05/09 10:14:56.0921 3220 Page size: 0x1000
    2011/05/09 10:14:56.0921 3220 Boot type: Normal boot
    2011/05/09 10:14:56.0921 3220 ================================================================================
    2011/05/09 10:14:57.0062 3220 Initialize success
    2011/05/09 10:15:07.0421 3804 ================================================================================
    2011/05/09 10:15:07.0421 3804 Scan started
    2011/05/09 10:15:07.0421 3804 Mode: Manual;
    2011/05/09 10:15:07.0421 3804 ================================================================================
    2011/05/09 10:15:07.0890 3804 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/05/09 10:15:07.0906 3804 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    2011/05/09 10:15:07.0984 3804 ADIHdAudAddService (ca6d262e0e68da7ac1e2edb0a8324031) C:\WINDOWS\system32\drivers\ADIHdAud.sys
    2011/05/09 10:15:08.0031 3804 AEAudio (b4afcc2f911939a1c16a26e7eba7f36b) C:\WINDOWS\system32\drivers\AEAudio.sys
    2011/05/09 10:15:08.0187 3804 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/05/09 10:15:08.0218 3804 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
    2011/05/09 10:15:08.0359 3804 ANC (11ab185a7af224800bbfb5b836974a17) C:\WINDOWS\system32\drivers\ANC.SYS
    2011/05/09 10:15:08.0453 3804 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/05/09 10:15:08.0484 3804 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/05/09 10:15:08.0640 3804 ati2mtag (d751308d47fdd78ab52477749e7b2431) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    2011/05/09 10:15:08.0828 3804 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/05/09 10:15:08.0859 3804 atmeltpm (dbf0d7e2df33b469eb55406fea759350) C:\WINDOWS\system32\DRIVERS\atmeltpm.sys
    2011/05/09 10:15:08.0906 3804 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/05/09 10:15:08.0937 3804 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/05/09 10:15:09.0000 3804 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
    2011/05/09 10:15:09.0015 3804 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
    2011/05/09 10:15:09.0093 3804 BTHPORT (10b85171b90c449f8da71c2640b797e9) C:\WINDOWS\system32\Drivers\BTHport.sys
    2011/05/09 10:15:09.0234 3804 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
    2011/05/09 10:15:09.0281 3804 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/05/09 10:15:09.0312 3804 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2011/05/09 10:15:09.0390 3804 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/05/09 10:15:09.0421 3804 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/05/09 10:15:09.0453 3804 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/05/09 10:15:09.0531 3804 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2011/05/09 10:15:09.0562 3804 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2011/05/09 10:15:09.0828 3804 crlscsi (e08ac114b931dacafbdd9d5e0b93815c) C:\WINDOWS\system32\drivers\crlscsi.sys
    2011/05/09 10:15:09.0890 3804 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/05/09 10:15:09.0953 3804 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/05/09 10:15:10.0031 3804 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/05/09 10:15:10.0156 3804 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/05/09 10:15:10.0203 3804 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/05/09 10:15:10.0265 3804 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/05/09 10:15:10.0343 3804 e1express (27f19c1cd70ebe00817c1eefc5239de1) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
    2011/05/09 10:15:10.0437 3804 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/05/09 10:15:10.0531 3804 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    2011/05/09 10:15:10.0640 3804 FilterService (b73ec688c29f81f9da0fcf63682b3ecb) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
    2011/05/09 10:15:10.0703 3804 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/05/09 10:15:10.0718 3804 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2011/05/09 10:15:10.0765 3804 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2011/05/09 10:15:10.0796 3804 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/05/09 10:15:10.0828 3804 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/05/09 10:15:10.0859 3804 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/05/09 10:15:10.0984 3804 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/05/09 10:15:11.0140 3804 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/05/09 10:15:11.0218 3804 HSFHWAZL (6a5c4732d6803f84e2987edd8e4359ce) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
    2011/05/09 10:15:11.0265 3804 HSF_DPV (21c31273c6cc4826e74be8ae3b09d4a8) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
    2011/05/09 10:15:11.0484 3804 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/05/09 10:15:11.0578 3804 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/05/09 10:15:11.0656 3804 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\WINDOWS\system32\drivers\iaStor.sys
    2011/05/09 10:15:11.0781 3804 IBMPMDRV (400d7095d5ae08970f839bcac1843106) C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys
    2011/05/09 10:15:11.0843 3804 IBMTPCHK (3a7dbe81ec5edb96a0a61c7d4af3198d) C:\WINDOWS\system32\Drivers\IBMBLDID.sys
    2011/05/09 10:15:11.0890 3804 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/05/09 10:15:11.0984 3804 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/05/09 10:15:12.0031 3804 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2011/05/09 10:15:12.0062 3804 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/05/09 10:15:12.0156 3804 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/05/09 10:15:12.0203 3804 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/05/09 10:15:12.0218 3804 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/05/09 10:15:12.0281 3804 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
    2011/05/09 10:15:12.0328 3804 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/05/09 10:15:12.0359 3804 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/05/09 10:15:12.0390 3804 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/05/09 10:15:12.0500 3804 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/05/09 10:15:12.0531 3804 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/05/09 10:15:12.0656 3804 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
    2011/05/09 10:15:12.0671 3804 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
    2011/05/09 10:15:12.0734 3804 lenovo.smi (3c3f7f424e324c6971632c5de5ff458f) C:\WINDOWS\system32\DRIVERS\smiif32.sys
    2011/05/09 10:15:12.0796 3804 LVPr2Mon (1a7db7a00a4b0d8da24cd691a4547291) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
    2011/05/09 10:15:13.0125 3804 LVUVC (a240e42a7402e927a71b6e8aa4629b13) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
    2011/05/09 10:15:13.0421 3804 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    2011/05/09 10:15:13.0484 3804 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/05/09 10:15:13.0515 3804 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/05/09 10:15:13.0531 3804 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/05/09 10:15:13.0578 3804 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/05/09 10:15:13.0609 3804 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/05/09 10:15:13.0734 3804 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/05/09 10:15:13.0781 3804 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/05/09 10:15:13.0843 3804 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/05/09 10:15:13.0875 3804 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/05/09 10:15:13.0890 3804 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/05/09 10:15:13.0906 3804 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/05/09 10:15:14.0046 3804 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/05/09 10:15:14.0093 3804 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/05/09 10:15:14.0125 3804 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/05/09 10:15:14.0171 3804 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/05/09 10:15:14.0218 3804 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/05/09 10:15:14.0250 3804 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/05/09 10:15:14.0296 3804 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/05/09 10:15:14.0421 3804 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/05/09 10:15:14.0437 3804 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/05/09 10:15:14.0468 3804 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/05/09 10:15:14.0484 3804 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/05/09 10:15:14.0500 3804 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/05/09 10:15:14.0718 3804 NETw5x32 (ccdb8db66acd3c0a6c8e171b79f60ac4) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
    2011/05/09 10:15:15.0015 3804 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/05/09 10:15:15.0062 3804 NSCIRDA (2adc0ca9945c65284b3d19bc18765974) C:\WINDOWS\system32\DRIVERS\nscirda.sys
    2011/05/09 10:15:15.0109 3804 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/05/09 10:15:15.0171 3804 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/05/09 10:15:15.0265 3804 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/05/09 10:15:15.0296 3804 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/05/09 10:15:15.0343 3804 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
    2011/05/09 10:15:15.0375 3804 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/05/09 10:15:15.0406 3804 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/05/09 10:15:15.0453 3804 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/05/09 10:15:15.0484 3804 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/05/09 10:15:15.0515 3804 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    2011/05/09 10:15:15.0671 3804 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/05/09 10:15:15.0781 3804 psadd (651d3abc1d82d61b6cfb40cb947b3db3) C:\WINDOWS\system32\DRIVERS\psadd.sys
    2011/05/09 10:15:15.0796 3804 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/05/09 10:15:15.0828 3804 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/05/09 10:15:15.0843 3804 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/05/09 10:15:15.0968 3804 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/05/09 10:15:16.0015 3804 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
    2011/05/09 10:15:16.0062 3804 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/05/09 10:15:16.0078 3804 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/05/09 10:15:16.0109 3804 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/05/09 10:15:16.0203 3804 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/05/09 10:15:16.0234 3804 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/05/09 10:15:16.0265 3804 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/05/09 10:15:16.0312 3804 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/05/09 10:15:16.0359 3804 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/05/09 10:15:16.0406 3804 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
    2011/05/09 10:15:16.0515 3804 s24trans (96b4494d4734970f47c566e098c4f527) C:\WINDOWS\system32\DRIVERS\s24trans.sys
    2011/05/09 10:15:16.0640 3804 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    2011/05/09 10:15:16.0656 3804 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    2011/05/09 10:15:16.0781 3804 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/05/09 10:15:16.0843 3804 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
    2011/05/09 10:15:16.0906 3804 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/05/09 10:15:17.0062 3804 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/05/09 10:15:17.0203 3804 smihlp (2a348e2292eb57775787ec4be7622715) C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys
    2011/05/09 10:15:17.0343 3804 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/05/09 10:15:17.0421 3804 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/05/09 10:15:17.0468 3804 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/05/09 10:15:17.0546 3804 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/05/09 10:15:17.0593 3804 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/05/09 10:15:17.0625 3804 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/05/09 10:15:17.0765 3804 SynTP (31801b16a0da62afa55e49f1e4c16045) C:\WINDOWS\system32\DRIVERS\SynTP.sys
    2011/05/09 10:15:17.0875 3804 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/05/09 10:15:17.0921 3804 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/05/09 10:15:18.0000 3804 TcUsb (d623a84feaf092ab2fcfbf68d194a3df) C:\WINDOWS\system32\Drivers\tcusb.sys
    2011/05/09 10:15:18.0031 3804 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/05/09 10:15:18.0078 3804 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/05/09 10:15:18.0187 3804 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/05/09 10:15:18.0265 3804 TPHKDRV (8aef2188630f5ecd79ad9abba630630b) C:\WINDOWS\system32\DRIVERS\TPHKDRV.sys
    2011/05/09 10:15:18.0343 3804 TSMAPIP (f10f36e20448a5500a5f83f67ee4aad4) C:\WINDOWS\system32\drivers\TSMAPIP.SYS
    2011/05/09 10:15:18.0437 3804 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/05/09 10:15:18.0484 3804 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/05/09 10:15:18.0562 3804 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/05/09 10:15:18.0656 3804 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/05/09 10:15:18.0703 3804 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/05/09 10:15:18.0750 3804 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/05/09 10:15:18.0828 3804 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/05/09 10:15:18.0859 3804 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/05/09 10:15:18.0921 3804 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
    2011/05/09 10:15:19.0031 3804 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/05/09 10:15:19.0109 3804 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/05/09 10:15:19.0171 3804 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/05/09 10:15:19.0281 3804 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/05/09 10:15:19.0359 3804 winachsf (307d248f97835b6879bdd361086924fe) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
    2011/05/09 10:15:19.0609 3804 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/05/09 10:15:19.0656 3804 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/05/09 10:15:19.0656 3804 ================================================================================
    2011/05/09 10:15:19.0656 3804 Scan finished
    2011/05/09 10:15:19.0656 3804 ================================================================================
    2011/05/09 10:15:19.0671 3964 Detected object count: 1
    2011/05/09 10:15:37.0921 3964 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
    2011/05/09 10:15:37.0921 3964 \HardDisk0 - ok
    2011/05/09 10:15:37.0921 3964 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
    2011/05/09 10:16:41.0593 3604 Deinitialize success
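
The check Net_Surfer's TDSSKiller step performs, and the reason the log above names "\HardDisk0" instead of a file, can be reproduced independently. The following is an added example for this thread, not code from Kaspersky or from anyone posting here: it reads sector 0 of a disk, verifies the MBR layout, and compares the boot code against a hash taken when the machine was known to be clean. Every sector it examines is constructed inside the file; the baseline hash, disk size and device path are assumptions.

```python
r"""MBR integrity check, added as an example for this thread. Not code from
Kaspersky's TDSSKiller or from anyone in the thread.

TDSSKiller reports the object as \HardDisk0 rather than as a file because the
TDL4 family lives in the master boot record, the first 512-byte sector of the
disk, not in the file system. The layout used here is the standard MBR: 440
bytes of boot code, a 4-byte disk signature at 0x1B8, two reserved bytes, four
16-byte partition entries at 0x1BE and the 0x55AA marker at 0x1FE.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 440
DISK_SIG_OFF = 0x1B8
PART_TABLE_OFF = 0x1BE
BOOT_SIG_OFF = 0x1FE
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


@dataclass(frozen=True)
class Partition:
    index: int
    status: int      # 0x80 = active, 0x00 = inactive; anything else is corrupt
    type_id: int     # e.g. 0x07 = NTFS
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.sectors   # first sector after the partition


def parse_partitions(mbr: bytes) -> list:
    parts = []
    for i in range(4):
        status, type_id, start, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if type_id == 0 and count == 0:
            continue                              # unused slot
        parts.append(Partition(i, status, type_id, start, count))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the code portion only; the partition table and signature are excluded."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str, disk_sectors: int) -> dict:
    """Compare a raw sector 0 with a known-clean boot-code hash and sanity-check the table."""
    if len(mbr) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    parts = parse_partitions(mbr)
    problems = []
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xAA":
        problems.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_hash:
        problems.append("boot code differs from known-clean baseline")
    for p in parts:
        if p.status not in (0x00, 0x80):
            problems.append(f"partition {p.index}: invalid status byte {p.status:#04x}")
        if p.end_lba > disk_sectors:
            problems.append(f"partition {p.index}: extends past end of disk")
    if sum(p.status == 0x80 for p in parts) > 1:
        problems.append("more than one active partition")
    # Sectors after the last partition: unallocated space a bootkit can use as hidden storage.
    tail = disk_sectors - max((p.end_lba for p in parts), default=0)
    return {
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": parts,
        "unpartitioned_tail_sectors": tail,
        "problems": problems,
        "clean": not problems,
    }


def read_mbr(device: str) -> bytes:
    r"""Read sector 0 of a raw device or image, e.g. r"\\.\PhysicalDrive0" (admin) or /dev/sda (root)."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Construct a sector for demonstration; made-up data, not an image of any real disk."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i, *entry)
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(sector)


DISK_SECTORS = 195_371_568                                   # assumed ~100 GB disk
PARTITIONS = [(0x80, 0x07, 63, 195_366_465)]                  # one active NTFS volume (constructed)
CLEAN_BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 32   # stand-in for real boot code
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
BASELINE_HASH = boot_code_hash(CLEAN_MBR)                    # what you would record on a clean day
TAMPERED_MBR = build_mbr(b"\xEB\x3C" + b"\x00" * 38, PARTITIONS)   # same table, different loader

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        r = check_mbr(sector, BASELINE_HASH, DISK_SECTORS)
        print(name, "ok" if r["clean"] else r["problems"], "tail sectors:", r["unpartitioned_tail_sectors"])
```

Take the sector from boot media or with the disk attached to a clean machine: this family filters disk reads on the infected system and hands back the original, clean-looking sector, which is also why a driver hash listing like the one above is only as trustworthy as the system it was taken on. The tail figure matters for the same reason; unpartitioned space past the last partition is where this family keeps its hidden storage, so a large tail on a disk that should be fully allocated is worth imaging before cleanup.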
