Recent Suspicious Activity


This topic is locked

#16 Konsonum (Member, Topic Starter, 29 posts)
No infections detected. Might just be a hardware problem.

2010/11/18 18:00:57.0867 TDSS rootkit removing tool 2.4.8.0 Nov 17 2010 07:23:12
2010/11/18 18:00:57.0867 ================================================================================
2010/11/18 18:00:57.0867 SystemInfo:
2010/11/18 18:00:57.0867
2010/11/18 18:00:57.0867 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/18 18:00:57.0867 Product type: Workstation
2010/11/18 18:00:57.0867 ComputerName: KEVIN-564F8B989
2010/11/18 18:00:57.0867 UserName: Kevin J Wu
2010/11/18 18:00:57.0867 Windows directory: C:\WINDOWS
2010/11/18 18:00:57.0867 System windows directory: C:\WINDOWS
2010/11/18 18:00:57.0867 Processor architecture: Intel x86
2010/11/18 18:00:57.0867 Number of processors: 3
2010/11/18 18:00:57.0867 Page size: 0x1000
2010/11/18 18:00:57.0867 Boot type: Normal boot
2010/11/18 18:00:57.0867 ================================================================================
2010/11/18 18:00:59.0976 Initialize success
2010/11/18 18:01:01.0664 ================================================================================
2010/11/18 18:01:01.0664 Scan started
2010/11/18 18:01:01.0664 Mode: Manual;
2010/11/18 18:01:01.0664 ================================================================================
2010/11/18 18:01:04.0679 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/18 18:01:05.0117 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/11/18 18:01:06.0086 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/18 18:01:06.0961 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/11/18 18:01:09.0070 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
2010/11/18 18:01:09.0914 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/11/18 18:01:11.0492 AsIO (2b4e66fac6503494a2c6f32bb6ab3826) C:\WINDOWS\system32\drivers\AsIO.sys
2010/11/18 18:01:11.0914 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/18 18:01:12.0367 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/18 18:01:15.0820 ati2mtag (1d99d1b43638e31ea5cf4a8fd199762b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/11/18 18:01:16.0476 AtiHdmiService (dc6957811ff95f2dd3004361b20d8d3f) C:\WINDOWS\system32\drivers\AtiHdmi.sys
2010/11/18 18:01:16.0898 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/18 18:01:17.0382 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/18 18:01:17.0554 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2010/11/18 18:01:18.0023 avgntflt (1eb7d72a82f94f7e9496d363fce00b68) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2010/11/18 18:01:18.0726 avipbb (f8c56231ed5ecf7d1b46b0330880ccef) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2010/11/18 18:01:19.0351 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/18 18:01:20.0257 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/18 18:01:21.0054 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/18 18:01:21.0507 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/18 18:01:21.0961 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/18 18:01:23.0570 cpuz133 (743c403d20a89db5ed84c874768b7119) C:\WINDOWS\system32\drivers\cpuz133_x32.sys
2010/11/18 18:01:24.0773 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/18 18:01:25.0586 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/18 18:01:26.0492 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/18 18:01:26.0882 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/18 18:01:27.0304 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/18 18:01:28.0070 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/18 18:01:28.0929 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/18 18:01:29.0429 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/11/18 18:01:29.0867 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/18 18:01:30.0257 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/11/18 18:01:30.0804 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/11/18 18:01:31.0257 FsVga (455f778ee14368468560bd7cb8c854d0) C:\WINDOWS\system32\DRIVERS\fsvga.sys
2010/11/18 18:01:31.0851 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/18 18:01:32.0492 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/18 18:01:33.0101 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/18 18:01:33.0945 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/11/18 18:01:34.0804 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/11/18 18:01:36.0820 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/18 18:01:39.0226 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
2010/11/18 18:01:40.0476 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/18 18:01:46.0039 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/11/18 18:01:46.0898 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/18 18:01:47.0914 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/18 18:01:48.0804 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/18 18:01:49.0617 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/18 18:01:50.0539 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/18 18:01:51.0320 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/18 18:01:51.0882 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/18 18:01:52.0711 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/11/18 18:01:53.0445 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/11/18 18:01:56.0648 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/11/18 18:01:57.0882 libusb0 (e2f1dcf4a68cc6cf694fbfba1842f4cd) C:\WINDOWS\system32\drivers\libusb0.sys
2010/11/18 18:01:58.0429 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/11/18 18:01:59.0117 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/11/18 18:01:59.0601 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/18 18:02:00.0273 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/11/18 18:02:00.0820 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/11/18 18:02:01.0664 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/11/18 18:02:02.0351 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/11/18 18:02:02.0882 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/11/18 18:02:03.0257 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/11/18 18:02:03.0632 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/11/18 18:02:04.0054 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/11/18 18:02:04.0492 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/11/18 18:02:04.0882 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2010/11/18 18:02:05.0351 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/11/18 18:02:05.0914 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/11/18 18:02:06.0336 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/11/18 18:02:06.0726 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/11/18 18:02:07.0211 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/11/18 18:02:07.0695 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/11/18 18:02:08.0132 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/18 18:02:08.0601 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/18 18:02:09.0164 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/11/18 18:02:09.0632 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/18 18:02:10.0320 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/11/18 18:02:11.0242 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/11/18 18:02:11.0773 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/11/18 18:02:12.0351 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/11/18 18:02:12.0961 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/11/18 18:02:13.0398 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/11/18 18:02:13.0820 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/11/18 18:02:14.0336 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/11/18 18:02:14.0773 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/18 18:02:15.0507 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/11/18 18:02:15.0961 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/11/18 18:02:18.0695 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/11/18 18:02:19.0132 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/11/18 18:02:19.0601 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/11/18 18:02:20.0054 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/11/18 18:02:20.0554 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/11/18 18:02:22.0945 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/11/18 18:02:23.0414 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/11/18 18:02:23.0945 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/11/18 18:02:24.0414 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/11/18 18:02:25.0320 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/11/18 18:02:25.0992 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/11/18 18:02:26.0867 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/11/18 18:02:27.0929 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/11/18 18:02:28.0804 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/11/18 18:02:29.0523 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
2010/11/18 18:02:30.0351 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2010/11/18 18:02:31.0086 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2010/11/18 18:02:31.0757 RTLE8023xp (b0e1648aae1e59bdd0854af07a605399) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2010/11/18 18:02:32.0273 SCDEmu (20b2751cd4c8f3fd989739ca661b9f30) C:\WINDOWS\system32\drivers\SCDEmu.sys
2010/11/18 18:02:32.0711 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/11/18 18:02:33.0132 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/11/18 18:02:33.0539 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/11/18 18:02:33.0976 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/11/18 18:02:34.0664 Sftfs (14cb193ecd4e71a32446790f9ecf39dd) C:\WINDOWS\system32\DRIVERS\Sftfsxp.sys
2010/11/18 18:02:35.0148 Sftplay (1f05637831caf19b069aaf361d720bb9) C:\WINDOWS\system32\DRIVERS\Sftplayxp.sys
2010/11/18 18:02:35.0648 Sftredir (423628f17862593d7d43e02187f4c1b5) C:\WINDOWS\system32\DRIVERS\Sftredirxp.sys
2010/11/18 18:02:36.0289 Sftvol (258ab73a01fa1b8d1a2a053c6bba5544) C:\WINDOWS\system32\DRIVERS\Sftvolxp.sys
2010/11/18 18:02:37.0820 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/18 18:02:38.0601 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2010/11/18 18:02:38.0601 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2010/11/18 18:02:38.0617 sptd - detected Locked file (1)
2010/11/18 18:02:39.0086 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/18 18:02:39.0648 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/11/18 18:02:40.0148 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2010/11/18 18:02:40.0539 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/11/18 18:02:40.0961 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/11/18 18:02:42.0882 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/11/18 18:02:43.0507 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/18 18:02:43.0961 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/11/18 18:02:44.0429 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/11/18 18:02:44.0836 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/18 18:02:45.0664 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/11/18 18:02:46.0664 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/18 18:02:47.0304 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/11/18 18:02:47.0711 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/11/18 18:02:48.0164 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/11/18 18:02:48.0679 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/11/18 18:02:49.0132 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/11/18 18:02:49.0539 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/11/18 18:02:49.0945 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/11/18 18:02:50.0570 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/11/18 18:02:51.0179 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/11/18 18:02:52.0320 VIAHdAudAddService (8586d10602ff4994e0f56a13a47d2b28) C:\WINDOWS\system32\drivers\viahduaa.sys
2010/11/18 18:02:53.0726 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/11/18 18:02:54.0132 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/11/18 18:02:54.0929 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/11/18 18:02:55.0398 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/11/18 18:02:56.0226 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/11/18 18:02:56.0695 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/11/18 18:02:57.0101 ================================================================================
2010/11/18 18:02:57.0101 Scan finished
2010/11/18 18:02:57.0101 ================================================================================
2010/11/18 18:02:57.0101 Detected object count: 1
2010/11/18 18:03:21.0273 Locked file(sptd) - User select action: Skip
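Added note and example, not part of the thread and not Kaspersky's code. The TDSSKiller log above is a driver inventory: one line per loaded driver with its MD5 and on-disk path, plus the tool's own warnings where it could not read a file. The one hit here, sptd.sys, is the SCSI Pass Through Direct driver installed by Daemon Tools / Alcohol 120%; it protects itself from being read, so TDSSKiller reports it as NoAccess / Locked file. That is the usual benign explanation, but self-protection is also exactly what a rootkit driver does, so a locked file in this log is not proof either way, which is why emeraldnzl treats the scan as non-definitive. The Python below does the triage a helper does by eye: pull out the unreadable and locked entries, list drivers loading from outside the Windows directory (C:\WINDOWS per the SystemInfo block), and, if a hash baseline from a known-clean machine is available, flag system drivers whose MD5 differs. The sample log is a constructed subset of the lines above; the baseline dict in the usage call is hypothetical (its ACPI hash is deliberately wrong so a mismatch shows).

```python
import re
from collections import namedtuple

# Constructed sample: a handful of lines taken from the TDSSKiller log above,
# including the three sptd lines that produced "Detected object count: 1".
SAMPLE_LOG = r"""
2010/11/18 18:01:04.0679 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/18 18:01:17.0554 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2010/11/18 18:01:23.0570 cpuz133 (743c403d20a89db5ed84c874768b7119) C:\WINDOWS\system32\drivers\cpuz133_x32.sys
2010/11/18 18:02:38.0601 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2010/11/18 18:02:38.0601 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2010/11/18 18:02:38.0617 sptd - detected Locked file (1)
2010/11/18 18:02:43.0507 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/18 18:02:57.0101 Detected object count: 1
"""

Driver = namedtuple("Driver", "ts name md5 path")

# "<timestamp> <service name> (<md5>) <path>"
DRIVER_RE = re.compile(r"^(\S+ \S+) (\S+) \(([0-9a-f]{32})\) (.+)$")
# "<timestamp> Suspicious file (<reason>): <path>. md5: <md5>"
SUSPICIOUS_RE = re.compile(r"^\S+ \S+ Suspicious file \((\w+)\): (.+)\. md5: ([0-9a-f]{32})$")
# "<timestamp> <service name> - detected <what> (<n>)"
WARNING_RE = re.compile(r"^\S+ \S+ (\S+) - detected (.+?) \(\d+\)$")
COUNT_RE = re.compile(r"Detected object count: (\d+)$")


def parse_tdsskiller(text):
    """Split a TDSSKiller log into driver entries and the tool's own warnings."""
    report = {"drivers": [], "suspicious": {}, "warnings": {}, "count": None}
    for line in text.splitlines():
        line = line.strip()
        m = SUSPICIOUS_RE.match(line)
        if m:
            reason, path, _md5 = m.groups()
            report["suspicious"][path] = reason          # e.g. NoAccess: file could not be read
            continue
        m = WARNING_RE.match(line)
        if m:
            report["warnings"][m.group(1)] = m.group(2)  # e.g. sptd -> "Locked file"
            continue
        m = COUNT_RE.search(line)
        if m:
            report["count"] = int(m.group(1))
            continue
        m = DRIVER_RE.match(line)
        if m:
            report["drivers"].append(Driver(*m.groups()))
    return report


def triage(report, windows_dir=r"C:\WINDOWS", baseline=None):
    """Return (driver name, reason) pairs worth a second look.

    baseline is a hypothetical {driver name: md5} taken from a known-clean
    machine with the same Windows build; without it only the path and the
    tool's own warnings are checked.
    """
    findings = []
    for d in report["drivers"]:
        if d.path in report["suspicious"]:
            findings.append((d.name, "unreadable (%s)" % report["suspicious"][d.path]))
        if d.name in report["warnings"]:
            findings.append((d.name, report["warnings"][d.name]))
        if not d.path.lower().startswith(windows_dir.lower() + "\\"):
            findings.append((d.name, "loaded from outside " + windows_dir))
        if baseline and d.name in baseline and baseline[d.name] != d.md5:
            findings.append((d.name, "md5 differs from baseline"))
    return findings


if __name__ == "__main__":
    rep = parse_tdsskiller(SAMPLE_LOG)
    # Hypothetical baseline: Tcpip matches the log, ACPI deliberately does not.
    hypothetical_baseline = {"Tcpip": "9aefa14bd6b182d61e3119fa5f436d3d", "ACPI": "0" * 32}
    for name, why in triage(rep, baseline=hypothetical_baseline):
        print("%-8s %s" % (name, why))
```

The third-party check is deliberately crude: avgio.sys under Program Files is Avira's own driver and is expected, so the list is a starting point for a human, not a verdict. A real baseline would be the MD5s of the same driver set from a clean machine with the same service pack.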


#17 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

No infections detected. Might just be a hardware problem.


Hmm... I am of two minds about that. While a step in the right direction, the TDSSKiller one is not definitive, i.e. there could still be an infection there that it hasn't seen. Also, those goings on with ComboFix seem odd to me... but you could be right.

Why don't we try a two pronged approach.

It is a pretty big download but is very useful at detecting/cleaning rootkits or whatever it finds.

Please click here to download VRT Tool by Kaspersky.
  • Save it to your desktop
  • Double click the setup file to run it
  • Choose your language and click OK
  • A Virus Removal Tool Wizard will appear. Click Next
  • Accept the agreement and click Next
  • Click Next to install
  • When installed a pop up window will appear.
  • On the Autoscan panel check all items
  • Click on Start Scan
  • When finished (this can take some time... just be patient and let it do its job) click the Report button
  • Click the top right button Save.
  • Save to your desktop as Kaspersky report.txt
Copy and paste the report back here.

Click Exit and Yes to uninstall Kaspersky VRT. Click yes to the prompts to complete the process.

Note: This tool will self uninstall when you click Exit so please save the log before closing it.



After that

Please run chkdsk.

Go to Windows XP chkdsk for some helpful instructions.

When you return please post the Kaspersky VRT report.

#18 Konsonum (Member, Topic Starter, 29 posts)
Scan is taking a LONG while (several hours) but it has detected many trojans.

Seems my hardware isn't to blame. Yet.

#19 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Yes it does take a long time but it seems from what you say that there is progress.

Look forward to hearing from you when it is finished. :D

#20 Konsonum (Member, Topic Starter, 29 posts)
Chkdsk came out with the volume being clean.

Autoscan: completed 4 hours ago (events: 43, objects: 869846, time: 12:16:38)
11/21/2010 3:50:08 Task completed
11/21/2010 1:49:31 Deleted: Trojan.Win32.FraudPack.awnu C:\System Volume Information\_restore{A97AA0C6-D594-4DF8-A163-6E0FED7C40D9}\RP147\A0042058.exe
11/21/2010 1:45:56 Detected: Trojan.Win32.FraudPack.awnu C:\System Volume Information\_restore{A97AA0C6-D594-4DF8-A163-6E0FED7C40D9}\RP147\A0042058.exe
11/20/2010 21:22:49 Deleted: Exploit.JS.Pdfka.cni C:\Documents and Settings\Kevin J. Wu\Local Settings\Temp\plugtmp-44\plugin-v_adn.pdf
11/20/2010 21:22:45 Detected: Exploit.JS.Pdfka.cni C:\Documents and Settings\Kevin J. Wu\Local Settings\Temp\plugtmp-44\plugin-v_adn.pdf/data0000
11/20/2010 20:42:34 Deleted: Exploit.Java.Agent.f C:\Documents and Settings\Kevin J. Wu\Application Data\Sun\Java\Deployment\cache\6.0\11\454f42cb-285021d4/Gp4ldtX.class
11/20/2010 20:42:31 Detected: Exploit.Java.Agent.f C:\Documents and Settings\Kevin J. Wu\Application Data\Sun\Java\Deployment\cache\6.0\11\454f42cb-285021d4/Gp4ldtX.class
11/20/2010 19:02:18 Deleted: Exploit.JS.Pdfka.cus C:\Documents and Settings\Kevin J Wu\Local Settings\Temp\plugtmp-13\plugin-zsmsmy.pdf
11/20/2010 19:02:18 Detected: Exploit.JS.Pdfka.cus C:\Documents and Settings\Kevin J Wu\Local Settings\Temp\plugtmp-13\plugin-zsmsmy.pdf/data0010
11/20/2010 18:55:03 Deleted: Exploit.Java.Agent.ck C:\Documents and Settings\Kevin J Wu\Local Settings\Temp\jar_cache5860771966510260286.tmp/yahoo/PlayMgr.class
11/20/2010 18:55:03 Detected: Exploit.Java.Agent.ck C:\Documents and Settings\Kevin J Wu\Local Settings\Temp\jar_cache5860771966510260286.tmp/yahoo/PlayMgr.class
11/20/2010 18:55:02 Deleted: Exploit.Java.Agent.ch C:\Documents and Settings\Kevin J Wu\Local Settings\Temp\jar_cache5860771966510260286.tmp/yahoo/Informer.class
11/20/2010 18:55:02 Deleted: Exploit.Java.Agent.ci C:\Documents and Settings\Kevin J Wu\Local Settings\Temp\jar_cache4980068009891899185.tmp/JavaUpdateManager.class
11/20/2010 18:55:02 Detected: Exploit.Java.Agent.ci C:\Documents and Settings\Kevin J Wu\Local Settings\Temp\jar_cache4980068009891899185.tmp/JavaUpdateManager.class
11/20/2010 18:55:02 Detected: Exploit.Java.Agent.ch C:\Documents and Settings\Kevin J Wu\Local Settings\Temp\jar_cache5860771966510260286.tmp/yahoo/Informer.class
11/20/2010 18:55:01 Deleted: Exploit.Java.Agent.cf C:\Documents and Settings\Kevin J Wu\Local Settings\Temp\jar_cache5860771966510260286.tmp/yahoo/InfoCtrl.class
11/20/2010 18:55:01 Deleted: Exploit.Java.Agent.cj C:\Documents and Settings\Kevin J Wu\Local Settings\Temp\jar_cache4980068009891899185.tmp/JavaUpdateApplication.class
11/20/2010 18:55:01 Detected: Exploit.Java.Agent.cf C:\Documents and Settings\Kevin J Wu\Local Settings\Temp\jar_cache5860771966510260286.tmp/yahoo/InfoCtrl.class
11/20/2010 18:55:00 Deleted: Exploit.Java.Agent.cg C:\Documents and Settings\Kevin J Wu\Local Settings\Temp\jar_cache5860771966510260286.tmp/yahoo/ConfMgr.class
11/20/2010 18:50:52 Detected: Exploit.JS.Pdfka.cus C:\Documents and Settings\Kevin J Wu\Local Settings\Temp\plugtmp-13\plugin-zsmsmy.pdf/data0002
11/20/2010 18:37:05 Detected: Exploit.Java.Agent.cg C:\Documents and Settings\Kevin J Wu\Local Settings\Temp\jar_cache5860771966510260286.tmp/yahoo/ConfMgr.class
11/20/2010 18:37:04 Detected: Exploit.Java.Agent.cj C:\Documents and Settings\Kevin J Wu\Local Settings\Temp\jar_cache4980068009891899185.tmp/JavaUpdateApplication.class
11/20/2010 18:17:33 Deleted: Exploit.Java.Agent.du C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\4\25b32d04-7ca8b8a9/vmain.class
11/20/2010 18:17:33 Deleted: Trojan-Downloader.Java.Agent.hx C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\33\6d038ce1-622be211/bpac/a.class
11/20/2010 18:17:31 Detected: Exploit.Java.Agent.du C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\4\25b32d04-7ca8b8a9/vmain.class
11/20/2010 18:17:31 Detected: Trojan-Downloader.Java.Agent.hx C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\33\6d038ce1-622be211/bpac/a.class
11/20/2010 18:17:29 Deleted: Trojan-Downloader.Java.Agent.gt C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\23\f34b057-40868434/dev/s/LoaderX.class
11/20/2010 18:17:28 Detected: Trojan-Downloader.Java.Agent.gt C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\23\f34b057-40868434/dev/s/LoaderX.class
11/20/2010 18:17:28 Deleted: Trojan-Downloader.Java.Agent.gs C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\23\f34b057-40868434/dev/s/DyesyasZ.class
11/20/2010 18:17:27 Detected: Trojan-Downloader.Java.Agent.gs C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\23\f34b057-40868434/dev/s/DyesyasZ.class
11/20/2010 18:17:26 Deleted: Trojan-Downloader.Java.Agent.gr C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\23\f34b057-40868434/dev/s/AdgredY.class
11/20/2010 18:17:26 Deleted: Trojan-Downloader.Java.OpenStream.aq C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\2\2b024502-1df411c2/bpac/Bombapack.class
11/20/2010 18:17:23 Deleted: Exploit.Java.Agent.dy C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\1\46bcf501-74190516/JavaUpdateManager.class
11/20/2010 18:17:22 Detected: Trojan-Downloader.Java.Agent.gr C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\23\f34b057-40868434/dev/s/AdgredY.class
11/20/2010 18:17:22 Deleted: Exploit.Java.Agent.du C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\13\7efe204d-50d4f357/vmain.class
11/20/2010 18:17:22 Detected: Trojan-Downloader.Java.OpenStream.aq C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\2\2b024502-1df411c2/bpac/Bombapack.class
11/20/2010 18:17:22 Deleted: Trojan-Downloader.Java.Agent.hx C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\18\46ad3112-1506a36a/bpac/a.class
11/20/2010 18:17:22 Detected: Exploit.Java.Agent.dy C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\1\46bcf501-74190516/JavaUpdateManager.class
11/20/2010 18:17:22 Deleted: Exploit.Java.Agent.dx C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\1\46bcf501-74190516/JavaUpdateApplication.class
11/20/2010 15:46:20 Detected: Trojan-Downloader.Java.Agent.hx C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\18\46ad3112-1506a36a/bpac/a.class
11/20/2010 15:46:19 Detected: Exploit.Java.Agent.du C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\13\7efe204d-50d4f357/vmain.class
11/20/2010 15:46:19 Detected: Exploit.Java.Agent.dx C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\1\46bcf501-74190516/JavaUpdateApplication.class
11/20/2010 15:33:29 Task started
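Added example, not part of the thread and not Kaspersky's code. Two things are worth extracting from a VRT report this long before deciding the box is clean. First, whether every Detected object has a matching Deleted: the PDF hits are reported per embedded stream (plugin-zsmsmy.pdf/data0010, /data0002) but removed once per file, so the match has to let a deletion of the container cover the objects inside it. Second, where each artifact lived, because on XP the location says how it arrived: entries under Sun\Java\Deployment\cache and Temp\jar_cache are applets the Java plug-in fetched, Temp\plugtmp files are PDFs the browser handed to the reader plug-in, i.e. exploit content delivered through the browser, while the System Volume Information copy is a stale restore point rather than a live infection. The Python below does both. Its sample is a constructed subset of the report lines above, with the Deleted line for Exploit.Java.Agent.ci left out on purpose so the unresolved case is visible; the location classes are this example's own labels, not Kaspersky's.

```python
import re
from collections import Counter

# Constructed sample: a subset of the event lines from the Kaspersky VRT report
# above. The Deleted line for Exploit.Java.Agent.ci is left out on purpose so
# the "detected but never removed" case shows up.
SAMPLE_REPORT = r"""
11/21/2010 3:50:08 Task completed
11/21/2010 1:49:31 Deleted: Trojan.Win32.FraudPack.awnu C:\System Volume Information\_restore{A97AA0C6-D594-4DF8-A163-6E0FED7C40D9}\RP147\A0042058.exe
11/21/2010 1:45:56 Detected: Trojan.Win32.FraudPack.awnu C:\System Volume Information\_restore{A97AA0C6-D594-4DF8-A163-6E0FED7C40D9}\RP147\A0042058.exe
11/20/2010 21:22:49 Deleted: Exploit.JS.Pdfka.cni C:\Documents and Settings\Kevin J. Wu\Local Settings\Temp\plugtmp-44\plugin-v_adn.pdf
11/20/2010 21:22:45 Detected: Exploit.JS.Pdfka.cni C:\Documents and Settings\Kevin J. Wu\Local Settings\Temp\plugtmp-44\plugin-v_adn.pdf/data0000
11/20/2010 19:02:18 Deleted: Exploit.JS.Pdfka.cus C:\Documents and Settings\Kevin J Wu\Local Settings\Temp\plugtmp-13\plugin-zsmsmy.pdf
11/20/2010 19:02:18 Detected: Exploit.JS.Pdfka.cus C:\Documents and Settings\Kevin J Wu\Local Settings\Temp\plugtmp-13\plugin-zsmsmy.pdf/data0010
11/20/2010 18:55:02 Detected: Exploit.Java.Agent.ci C:\Documents and Settings\Kevin J Wu\Local Settings\Temp\jar_cache4980068009891899185.tmp/JavaUpdateManager.class
11/20/2010 18:50:52 Detected: Exploit.JS.Pdfka.cus C:\Documents and Settings\Kevin J Wu\Local Settings\Temp\plugtmp-13\plugin-zsmsmy.pdf/data0002
11/20/2010 18:17:29 Deleted: Trojan-Downloader.Java.Agent.gt C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\23\f34b057-40868434/dev/s/LoaderX.class
11/20/2010 18:17:28 Detected: Trojan-Downloader.Java.Agent.gt C:\Documents and Settings\Kevin J Wu\Application Data\Sun\Java\Deployment\cache\6.0\23\f34b057-40868434/dev/s/LoaderX.class
11/20/2010 15:33:29 Task started
"""

# "<date> <time> Detected|Deleted: <verdict> <path>"
EVENT_RE = re.compile(r"^(\S+ \S+) (Detected|Deleted): (\S+) (.+)$")

# Location classes are this example's own labels (not Kaspersky's); each needle is
# matched case-insensitively against the on-disk path.
LOCATION_CLASSES = [
    (r"\system volume information\_restore", "system-restore"),  # copy in an old restore point
    (r"\sun\java\deployment\cache", "java-cache"),                # applet cached by the Java plug-in
    (r"\local settings\temp\jar_cache", "java-temp"),             # jar unpacked by the Java plug-in
    (r"\local settings\temp\plugtmp", "browser-plugin-temp"),     # PDF passed to the reader plug-in
]


def classify(path):
    p = path.lower()
    for needle, label in LOCATION_CLASSES:
        if needle in p:
            return label
    return "other"


def container_of(path):
    # Kaspersky writes objects inside a file (PDF stream, jar entry) after a "/";
    # the part before the first "/" is the file that actually sits on disk.
    return path.split("/", 1)[0]


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts, action, verdict, path = m.groups()
            events.append({"ts": ts, "action": action, "verdict": verdict, "path": path})
    return events


def reconcile(text):
    """Pair every Detected object with a Deleted one and summarise where they lived."""
    events = parse_events(text)
    deleted = {(e["verdict"], e["path"]) for e in events if e["action"] == "Deleted"}
    detected = {(e["verdict"], e["path"]) for e in events if e["action"] == "Detected"}
    resolved, unresolved = [], []
    for verdict, path in sorted(detected):
        # Deleting the container (the .pdf) also removes the streams reported inside it.
        covered = any(v == verdict and (path == dp or path.startswith(dp + "/"))
                      for v, dp in deleted)
        (resolved if covered else unresolved).append((verdict, path))
    containers = {container_of(p) for _, p in detected}
    return {
        "detected": len(detected),
        "resolved": resolved,
        "unresolved": unresolved,
        "by_class": Counter(classify(c) for c in containers),
        # verdict family = first two dotted components, e.g. Exploit.Java
        "families": Counter(".".join(v.split(".")[:2]) for v, _ in detected),
    }


if __name__ == "__main__":
    r = reconcile(SAMPLE_REPORT)
    print("%d detected, %d removed, %d NOT removed"
          % (r["detected"], len(r["resolved"]), len(r["unresolved"])))
    for verdict, path in r["unresolved"]:
        print("  still present:", verdict, path)
    print("by location:", dict(r["by_class"]))
    print("by family:  ", dict(r["families"]))
```

On the full report every detection does have a matching deletion; the point of the check is that a report with 43 events is long enough to miss one by eye, and that an unresolved Detected in a cache the user can clear by hand is worth knowing about before the next scan.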

#21 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello Konsonum,

You have used Malwarebytes before. If you still have it on your machine please update and run. Post the scan report back here.

If you no longer have Malwarebytes please download from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply and tell me how your machine is now.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#22 Konsonum (Member, Topic Starter, 29 posts)
Everything seems okay, but the computer is still a bit laggy. Also, Avira recently discovered a virus and quarantined it, after the MBAM scan.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5164

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

11/21/2010 14:02:55
mbam-log-2010-11-21 (14-02-55).txt

Scan type: Quick scan
Objects scanned: 181686
Time elapsed: 51 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#23 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

Everything seems okay, but the computer is still a bit laggy. Also, Avira recently discovered a virus and quarantined it, after the MBAM scan.


There is a version of a rootkit infection that TDSSKiller doesn't see and which interferes with a range of our tools including ComboFix and another rootkit scanner we tried to use earlier. I am still feeling that we may not have removed it with the VRT scan. I wonder though whether we have neutralised it enough to get a ComboFix run now.

Please delete your version of ComboFix, including the folders C:\Qoobox and C:\Combofix, and download a new version of Combofix.

Download ComboFix from one of these locations:

Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#24 Konsonum (Member, Topic Starter, 29 posts)
It was still in Chinese, so I just kept on clicking Yes. It worked without Error the second time, but there was an Error the first time.

ComboFix 10-11-21.01 - Kevin J Wu 1/2010 Sun 18:24:22.1.3 - x86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.3327.2643 [GMT -5:00]
执行位置: c:\documents and settings\Kevin J Wu\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( 2010-10-21 至 2010-11-21 的新的档案 )))))))))))))))))))))))))))))))
.

2010-11-11 15:48 . 2010-11-11 15:48 -------- d-----w- c:\documents and settings\Kevin J Wu\Local Settings\Application Data\Activision
2010-11-11 14:48 . 2010-11-11 14:48 -------- d-----w- c:\program files\Activision
2010-11-04 22:28 . 2010-11-04 22:28 1409 ----a-w- c:\windows\QTFont.for
2010-11-02 18:42 . 2008-11-10 15:41 32656 ----a-w- c:\windows\system32\msonpmon.dll
2010-11-02 18:42 . 2006-10-26 23:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2010-11-02 18:41 . 2010-11-03 07:04 -------- d-----w- c:\program files\Microsoft Works
2010-11-02 18:38 . 2010-11-02 18:38 -------- d-----w- c:\documents and settings\Kevin J Wu\Application Data\Unity
2010-11-02 18:37 . 2010-11-02 18:37 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-11-02 18:34 . 2010-11-02 18:34 -------- d-----w- c:\documents and settings\Kevin J Wu\Local Settings\Application Data\Unity
2010-10-25 01:15 . 2010-10-26 23:19 -------- d-----w- c:\documents and settings\Kevin J Wu\Local Settings\Application Data\VirtuaTennis2009
2010-10-24 23:54 . 2010-10-24 23:54 -------- d-----w- c:\program files\SEGA
2010-10-24 20:56 . 2010-10-24 21:05 -------- d-----w- c:\documents and settings\Kevin J Wu\Application Data\Notepad++
2010-10-24 20:56 . 2010-10-24 20:57 -------- d-----w- c:\program files\Notepad++

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-04 07:25 . 2010-07-07 17:14 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-04 07:25 . 2010-07-07 17:14 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-09-18 16:23 . 2004-08-12 13:21 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-12 13:21 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-12 13:21 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-12 13:21 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-17 00:38 . 2010-09-17 00:38 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-17 00:38 . 2010-07-07 17:32 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-12 16:31 . 2010-09-12 16:31 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2010-09-12 16:31 . 2010-09-12 16:31 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2010-09-09 14:16 . 2004-08-12 13:33 667136 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 14:16 . 2004-08-12 13:30 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-09-09 14:16 . 2004-08-12 13:19 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 16:49 . 2004-08-12 13:19 369664 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51 . 2004-08-12 13:17 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-12 13:33 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-12 13:30 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-12 13:30 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-12 13:30 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-07-30 18:57 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-03 04:15 . 2010-08-03 04:16 728858 ----a-w- c:\program files\Common Files\unins000.exe
2010-07-08 12:00 . 2010-07-08 11:48 1113444896 ----a-w- c:\program files\CombatArmsSetupV47.exe
.

((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-03-28 3325952]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"Steam"="c:\program files\Steam\Steam.exe" [2010-11-16 1242448]
"Aim"="c:\program files\AIM7\aim.exe" [2010-09-16 4425048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Six Engine"="c:\program files\ASUS\EPU-4 Engine\FourEngine.exe" [2009-08-21 5782528]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-08-28 33673216]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-10-26 375000]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 281768]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-12 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-07-07 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-21 77824]
"LifeChat"="c:\program files\Microsoft LifeChat\LifeChat.exe" [2009-09-28 264040]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

c:\documents and settings\Kevin J Wu\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/7/2010 17:44 691696]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/25/2010 16:23 135336]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [10/26/2009 12:16 223464]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [8/6/2010 13:40 20072]
R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2/28/2010 1:33 821664]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [4/24/2010 0:10 483688]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [8/14/2010 9:12 33792]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [12/2/2009 21:23 554344]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [12/2/2009 21:23 211432]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [12/2/2009 21:23 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [12/2/2009 21:23 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [4/24/2010 0:10 209768]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [7/7/2010 10:58 1390976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 130384]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [9/26/2009 4:28 4639136]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 753504]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
‘计划任务’ 文件夹 里的内容

2010-09-11 c:\windows\Tasks\LifeChatTask.job
- c:\program files\Microsoft LifeChat\LifeChat.exe [2009-09-28 16:48]
.
.
------- 而外的扫描 -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kevin J Wu\Application Data\Mozilla\Firefox\Profiles\gznhkn7i.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\Kevin J Wu\Application Data\Mozilla\Firefox\Profiles\gznhkn7i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\All Users.WINDOWS\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Kevin J Wu\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\documents and settings\Kevin J Wu\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\progra~1\MICROS~3\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- 火狐配置文件 ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Call of Duty: Black Ops_is1 - c:\program files\Activision\Call of Duty - Black Ops\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-21 18:31
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1409082233-884357618-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:49,c8,d3,cd,c8,60,09,61,f7,75,a4,ec,40,72,91,48,7e,62,85,02,4d,
d1,fa,fb,99,35,98,bb,95,d4,83,6b,cd,7a,e4,f3,75,f3,86,5e,f9,ad,2f,91,88,7d,\
"rkeysecu"=hex:d6,69,1e,a1,65,a1,06,79,6e,14,43,43,cc,01,a7,d9
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(648)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
.
完成时间: 2010-11-21 18:34:28
ComboFix-quarantined-files.txt 2010-11-21 23:34

Pre-Run: 121,699,885,056 bytes free
Post-Run: 132,712,554,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-CHS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 66C27A882A2923A84FE9732A48C73983

#25 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
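The R/S lines in the ComboFix log above list each service or driver with its image path; two of them (libusbd and WPRO_40_1340) carry an ` --> path [?]` suffix rather than a date and size. The following is an added example, not ComboFix's own code: a small parser for those lines that flags entries whose file ComboFix could not locate, which is the kind of leftover a helper would check first. It assumes that the `[?]` form means "file not found" and that the leading letter/digit are run state and Windows start type; the sample lines are copied from the log in this thread.

```python
"""Parse the service/driver lines of a ComboFix log and flag entries whose
image file ComboFix could not locate (the ' --> path [?]' form).

Added example, not ComboFix's own code. The sample lines are copied from
the log in this thread; the reading of '[?]' as "file not found" and of
the R/S prefix as running/stopped plus Windows start type is an assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional

# R = running, S = stopped; digit = start type (0 boot, 1 system, 2 auto, 3 manual).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)"
    r"(?:\s+-->\s+(?P<resolved>.+?))?"   # optional "resolved" path on missing files
    r"\s+\[(?P<meta>[^\]]*)\]\s*$"       # "[date time size]" or "[?]"
)


@dataclass
class ServiceEntry:
    state: str        # "R" running or "S" stopped
    start: int        # Windows service start type
    name: str         # service key name
    display: str      # display name
    image: str        # image path as printed in the log
    file_found: bool  # False when ComboFix printed "[?]" instead of date/size


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        state=m["state"],
        start=int(m["start"]),
        name=m["name"].strip(),
        display=m["display"].strip(),
        image=m["image"].strip(),
        file_found=(m["meta"].strip() != "?"),
    )


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Return every service/driver entry found in a ComboFix log."""
    entries = [parse_service_line(line) for line in log_text.splitlines()]
    return [e for e in entries if e is not None]


def missing_image_services(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Entries still registered although their image file was not found."""
    return [e for e in entries if not e.file_found]


# Sample lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/7/2010 17:44 691696]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [8/14/2010 9:12 33792]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
"""

if __name__ == "__main__":
    for e in missing_image_services(parse_services(SAMPLE_LOG)):
        print(f"{e.state}{e.start} {e.name}: image not found -> {e.image}")
```

An orphaned service entry is not malicious by itself (both flagged ones here are leftovers of uninstalled tools), but it is the kind of dangling registration worth cleaning up when chasing instability.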
There are a couple of drivers there that can cause problems on some machines but nothing malicious leaping out at me.

Also, Avira recently discovered a virus and quarantined it, after the MBAM scan.


Are you able to tell me what that one was? Tell me when you return.

Meantime do this:

Download bootkit remover to your desktop.

  • Extract Remover.exe to your desktop
  • Double click Remover.exe to run it
  • It will show a Black screen with some data on it
  • Right click on the screen and select > Select All
  • Press Control+C
  • Open notepad and press Control+V
  • Post the log back here


#26 Konsonum (Member, Topic Starter, 29 posts)
Nearly no idea. I think it ran along the lines of EA40, but I may be reaching too far back.

© 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...

#27 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
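The remover output above maps \\.\C: to \\.\PhysicalDrive0 at offset 0x7e00, prints an MD5 of the boot sector and reports whether ordinary DOS/Win32 boot code is present. The following added example (my code, not eSage Lab's) shows where those values come from: it parses a 512-byte MBR, checks the 0x55AA signature, reads the partition table and hashes the sector against a baseline taken on a known-good machine. The MBR bytes are constructed for the example, with partition 1 at LBA 63, which is exactly the 0x7e00 offset in the thread's output.

```python
"""Parse a 512-byte MBR: boot signature, partition table, boot-sector hash.

Added example, not the bootkit remover's code. The sample MBR is
constructed here; a real check would read sector 0 of the physical drive."""
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR


def partition_entries(mbr: bytes):
    """Yield (bootable, type, lba_start, sector_count) for non-empty entries."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            yield (status == 0x80, ptype, lba_start, count)


def has_boot_signature(mbr: bytes) -> bool:
    return mbr[510:512] == BOOT_SIGNATURE


def boot_sector_md5(mbr: bytes) -> str:
    """Same quantity the remover prints as 'Boot sector MD5'."""
    return hashlib.md5(mbr).hexdigest()


def first_partition_offset(mbr: bytes):
    """Byte offset of the first partition, e.g. LBA 63 * 512 = 0x7e00."""
    for _bootable, _ptype, lba_start, _count in partition_entries(mbr):
        return lba_start * SECTOR_SIZE
    return None


def check_mbr(mbr: bytes, baseline_md5: str) -> list:
    """Compare the sector with a baseline hash recorded when the disk was clean.

    Boot code that silently changes between scans is the classic bootkit tell;
    a missing signature means the sector is not a bootable MBR at all."""
    findings = []
    if not has_boot_signature(mbr):
        findings.append("missing 0x55AA boot signature")
    if boot_sector_md5(mbr) != baseline_md5:
        findings.append("boot sector hash differs from baseline")
    return findings


def build_sample_mbr(boot_code_byte: int = 0x90) -> bytes:
    """Constructed MBR: filler boot code, one active NTFS partition at LBA 63."""
    mbr = bytearray([boot_code_byte] * PARTITION_TABLE_OFFSET)
    mbr += struct.pack("<B3xB3xII", 0x80, 0x07, 63, 488_000_000)  # entry 1
    mbr += bytes(16 * 3)                                            # entries 2-4 empty
    mbr += BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    sample = build_sample_mbr()
    print(f"offset of partition 1: 0x{first_partition_offset(sample):x}")
    print("boot sector MD5:", boot_sector_md5(sample))
```

On a live Windows system the 512 bytes would come from a raw read of \\.\PhysicalDrive0, which requires administrator rights; the parsing and comparison are otherwise identical.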
Hello Konsonum,

I think your machine is clean.

We have a couple of last steps to perform and then you're all set.

Follow these steps to uninstall Combofix and tools used in the removal of malware. This will also clean out and reset your Restore Points.
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Step 2
  • Double-click OTL.exe to run it. (Vista users, please right click on OTL.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep. The Bootkit Remover folder/files can be deleted.

-------------------------------------------------------------------------------------------------------------------

A reminder: Remember to turn back on any anti-malware programs you may have turned off during the cleaning process.

-------------------------------------------------------------------------------------------------------------------

Now that your machine is clean here are some things that I think are worth having a look at if you don't already know about them:

---------------------------------------------------------------------------------------------------------------------

Regularly check that your Java is up to date. Older versions are vulnerable to malicious attack.
  • Download from here Java Runtime Environment (JDK) Update
  • Scroll to where it says "Windows XP/Vista/2000/2003/2008 online" and download and follow the instructions to install.

    Reboot your computer.
    You also need to uninstall older versions of Java.
  • Click Start > Control Panel > Programs
  • Remove all Java updates except the latest one you have just installed.
--------------------------------------------------------------------------------------------------------------------

Be sure and give the Temp folders a cleaning out now and then. This helps with security and your computer will run more efficiently. I clean mine once a week.

For ease of use, you might consider the following free program:

---------------------------------------------------------------------------------------------------------------------

To reduce the amount of fragmentation in your machine's file system, occasionally run a defragmenter utility. You can use your built-in program (Start > Programs > Accessories > System Tools > Disk Defragmenter) or alternatively here is a program you can download and use: Puran Disc Defragmenter

---------------------------------------------------------------------------------------------------------------------

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* Consider using an alternate browser.

Opera may be downloaded from here. It is one of the least targeted of all browsers.

Avant may be downloaded from here. Another one that is less well known.

Firefox may be downloaded from Here. I use Firefox because I like it. Used to be one of the safest but now targeted probably as much as IE.

Adblock Plus is a good Add-on for Firefox that helps prevent those annoying pop ups.

-----------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:

  • If you do not already have automatic updates set then it is recommended that you do set Windows to check, download and install your updates automatically.

    * Click Start > Control Panel > System and Security > Windows Update
    * Under Windows Update click on Turn automatic updating on or off
    * Check items shown to ensure you receive updates automatically. Click OK.

    And to keep your system clean consider choosing from these free for home use malware scanners and updating and running weekly.
  • Malwarebytes
  • SuperAntiSpyWare
Be aware of what emails you open and websites you visit.

Go here for some good advice about how to prevent infection.

Have a safe and happy computing day!

#28 Konsonum (Member, Topic Starter, 29 posts)
Still having problems. Computer is lagging randomly, and I can't so much as play a 3D game without the lag or random crashes.

#29 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello Konsonum,

Could be ongoing malware infection or residual issues left after malware.

We have had a pretty good look at the malware side so assuming Avira is coming up clean we might first have a look at possible left over damage.

Did I ask you if you had the Windows Installation Disk for this machine?

Tell me when you return; for now:

Please note that Dial-A-Fix is only for Windows 2000/XP.

Download Dial-a-fix and save it to your desktop.

Double click the Dial-a-fix zip file and extract it to a folder on your Desktop.

Follow the tutorial here

#30 Konsonum (Member, Topic Starter, 29 posts)
No, I don't have that disc. Defrag is taking over a day to finish, so I'm still waiting for that to finish. (I started that shortly after my last post was submitted, after I realized I had forgotten to defrag.)