Rootkit - tough to remove

#1
ferrux
Member, 25 posts
Hi there,
I am stuck with a nasty rootkit; I hope someone can help me disinfest this annoying pest :-)

Compaq notebook - 4gb ram - Windows 7 home premium.

I use Norton 360. 10 or 20 seconds after the system has logged in, I always get the screenshot reporting
'boot.tidserv'. NORTON cannot remove it, but clicking on the help button the rootkit seems to be quarantined, but only ... till next bootstrap :-(

I tried to scan the system with GMER 1.0.15.15641 and I got the following log:
---
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-12-24 20:28:38
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3200826AS rev.3.03
Running: gmer.exe; Driver: C:\DOCUME~1\HP_PRO~1\IMPOST~1\Temp\kfliaaod.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 61

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\2187075drv.sys ZwEnumerateKey [0xB72F400A]
SSDT \SystemRoot\system32\DRIVERS\2187075drv.sys ZwEnumerateValueKey [0xB72F40A2]

Code \SystemRoot\system32\DRIVERS\2187075drv.sys FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\2187075drv.sys IoIsOperationSynchronous

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
---
It seems there is some pest on sector 61.

Tests I have already done with no success:
TDSSKiller
FixTDSS
Kaspersky virus removal tool
NPE
NORTON recovery boot cd and full pc scan

I really hope you guys have some magic advice and more tests to carry on.
Please help, this is the first time in my life I have got such a big scary beast;
it seems very hard to remove, but I am sure there is somewhere a magic tool
or a smart procedure that can solve it, apart from... re-formatting the hd.

Thank you :-)
Ferrux

Edited by ferrux, 25 December 2011 - 05:16 PM.


#2
RKinner
Malware Expert, 24,625 posts, MVP
Download aswMBR.exe (511KB) to your desktop.
Double-click aswMBR.exe to run it.
Uncheck "trace disk IO calls".
Click the "Scan" button to start the scan.
On completion of the scan (note whether the Fix button is enabled (not the FixMBR button) and tell me), click "save log", save it to your desktop and post it in your next reply.

ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop; do not run it.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html

Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on ComboFix to start the program.

* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Run TDSSKiller again but this time:
before you hit the Scan hit Change Parameters and check the two items under Additional Options. OK then Scan.
In this mode it is prone to false positives so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


Do the following:
Start -> Run
type diskmgmt.msc
Click "OK"

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screen Shot of the Disk Management Window and attach the screen shot to your reply.
http://graphicssoft....nscreenshot.htm Save the file as a .jpg or the forum won't allow it.


Ron

#3
ferrux
Topic Starter, Member, 25 posts
Hi RKinner,
thanks for your email. Usually when I boot the pc the virus loads into memory and seconds after the Norton 360 message comes up saying to click the button
to try to remove the virus; if I click the button it says the computer is safe (it is... till next boot), but Norton actually cannot remove it definitively; at next boot the same will happen.

For sure I will follow your procedure, one doubt only:

1. should I keep the virus active in memory or freeze it via Norton?
2. should I disable the virus in memory and disable the antivirus too prior to going on with your directions?

Sorry for all these questions, but I want to make sure to follow your procedure correctly in order to produce the best logs possible :-)

Thanks a lot for your precious help.
Ferrux :-)

Edited by ferrux, 25 December 2011 - 01:30 PM.


#4
RKinner
Malware Expert, 24,625 posts, MVP
You can have Norton kill the virus then you will need to pause Norton while Combofix is being downloaded or run.

Usually what we see is a separate hidden partition that is causing the virus to be reinstalled each time it boots. If that is the case we may need one or two blank CDs to remove the partition. With XP we can get by with one if Combofix is able to install the Recovery Console.
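RKinner's point about a hidden partition that reinstalls the infection, together with the "malicious code @ sector 61" line in the GMER log, can be checked mechanically on a raw disk image. The Python below is an added example, not a tool from this thread or from the GMER/aswMBR/TDSSKiller authors: it builds a constructed 63-sector image laid out like the partition table in the aswMBR log (with a harmless marker in sector 61 standing in for the reported code), parses the MBR, and reports hidden partition types, a tiny partition at the very end of the disk, and non-empty sectors in the gap before the first partition.

```python
import struct

SECTOR = 512
MB_SECTORS = 2048  # 1 MiB expressed in 512-byte sectors
# "Hidden" variants of FAT/NTFS partition type codes (0x17 is hidden NTFS/HPFS)
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def build_partition_entry(status, ptype, lba_start, sectors):
    """Pack one 16-byte MBR partition entry; CHS fields are left zero (LBA only)."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_test_image(total_sectors=63):
    """Constructed image of the first 63 sectors, laid out like the aswMBR log in this thread.

    Sizes are the log's MB values converted to sectors; the bootstrap bytes and the
    sector-61 marker are placeholders, not real boot code and not real malware.
    """
    entries = [
        build_partition_entry(0x00, 0x0C, 63, 6142 * MB_SECTORS),          # FAT32 LBA recovery
        build_partition_entry(0x80, 0x07, 12579840, 184629 * MB_SECTORS),  # active NTFS system volume
        build_partition_entry(0x00, 0x17, 390700800, 10 * MB_SECTORS),     # hidden NTFS, 10 MB at disk end
        bytes(16),                                                         # unused fourth slot
    ]
    mbr = bytearray(SECTOR)
    mbr[0:16] = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + bytes(8)  # placeholder bootstrap bytes
    mbr[446:510] = b"".join(entries)
    mbr[510:512] = b"\x55\xaa"                                  # MBR boot signature
    image = bytearray(SECTOR * total_sectors)
    image[0:SECTOR] = mbr
    # Constructed marker in sector 61 so the gap check has something to find
    image[61 * SECTOR:61 * SECTOR + 8] = b"MARKER61"
    return bytes(image)


def parse_partitions(mbr):
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if ptype != 0 and count != 0:
            parts.append({"index": i + 1, "boot": status == 0x80,
                          "type": ptype, "lba": lba, "sectors": count})
    return parts


def audit_mbr(image, disk_sectors):
    """Findings a defender would want from the start of a disk image.

    image: raw bytes beginning at sector 0 (at least the MBR, ideally up to the
    first partition); disk_sectors: total size of the disk in sectors.
    """
    findings = []
    parts = parse_partitions(image[:SECTOR])
    first_lba = min(p["lba"] for p in parts) if parts else len(image) // SECTOR
    for p in parts:
        end = p["lba"] + p["sectors"]
        size_mb = p["sectors"] // MB_SECTORS
        if p["type"] in HIDDEN_TYPES:
            findings.append(f"partition {p['index']}: hidden type 0x{p['type']:02X}, "
                            f"{size_mb} MB at LBA {p['lba']}")
        # A very small partition butting against the end of the disk is a classic
        # place for a bootkit's own file system; review it.
        if size_mb <= 16 and disk_sectors - end < MB_SECTORS:
            findings.append(f"partition {p['index']}: {size_mb} MB partition at the very end of the disk")
    # Sectors between the MBR and the first partition are normally unused on a
    # plain Windows install, so any non-zero sector there deserves a look.
    for sector in range(1, min(first_lba, len(image) // SECTOR)):
        chunk = image[sector * SECTOR:(sector + 1) * SECTOR]
        if any(chunk):
            findings.append(f"sector {sector}: non-zero data in gap before first partition")
    return findings


if __name__ == "__main__":
    img = build_test_image()
    for line in audit_mbr(img, 190782 * MB_SECTORS):
        print(line)
```

Non-empty gap sectors are a review item, not proof of infection: legitimate boot managers such as GRUB also store code there, so compare against a known-good image of the same machine before acting.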

#5
ferrux
Topic Starter, Member, 25 posts
Hi there,
thanks for the reply. I was working on the infected pc yesterday; tomorrow I will be there again
and will get the logs as you directed.

Yesterday with a Linux live distro I managed to capture the screenshots with partition information, here they are:

https://picasaweb.go...feat=directlink

Hope that helps.

Bye
Ferrux

p.s. just to know in advance,
after the analysis of ComboFix might I need a copy of Windows XP?

My HP Pavilion came with preinstalled XP and so far I never created the XP installation disk.

Edited by ferrux, 25 December 2011 - 05:18 PM.


#6
ferrux
Topic Starter, Member, 25 posts
Hi there,
I am gathering all the requested info. At the moment I have a problem with Combofix: I followed the directions and disabled Norton 360, however it says there is 'Antivir Desktop' active. Actually Avira premium was uninstalled a long time ago, and its Windows service is disabled too; I will try to get it working.

Meanwhile I post the other requested info:

aswMBR.exe LOG - at the end the FIX BUTTON was ON but I did not click it.
In case you need it I also have the MBR.DAT file.
-----------------------------------------------------------------------------------

aswMBR version 0.9.9.1120 Copyright© 2011 AVAST Software
Run date: 2011-12-26 15:33:08
-----------------------------
15:33:08.109 OS Version: Windows 5.1.2600 Service Pack 3
15:33:08.109 Number of processors: 1 586 0x2F02
15:33:08.109 ComputerName: NOME-80B5784770 UserName: HP_Proprietario
15:33:11.843 Initialize success
15:33:39.484 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
15:33:39.484 Disk 0 Vendor: ST3200826AS 3.03 Size: 190782MB BusType: 3
15:33:41.500 Disk 0 MBR read successfully
15:33:41.500 Disk 0 MBR scan
15:33:41.500 Disk 0 unknown MBR code
15:33:41.500 Disk 0 Partition 1 00 0C FAT32 LBA RECOVERY 6142 MB offset 63
15:33:41.515 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 184629 MB offset 12579840
15:33:41.531 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 10 MB offset 390700800
15:33:41.546 Disk 0 malicious Win32:MBRoot code @ sector 61 !
15:33:42.015 Disk 0 scanning C:\WINDOWS\system32\drivers
15:33:51.468 Service scanning
15:33:52.968 Modules scanning
15:34:07.046 Scan finished successfully
15:35:39.812 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Proprietario\Desktop\MBR.dat"
15:35:39.812 The log file has been saved successfully to "C:\Documents and Settings\HP_Proprietario\Desktop\aswMBR.txt"


TDSSKiller LOG
-----------------------------------
18:43:21.0343 2680 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
18:43:21.0593 2680 ============================================================
18:43:21.0593 2680 Current date / time: 2011/12/26 18:43:21.0593
18:43:21.0609 2680 SystemInfo:
18:43:21.0609 2680
18:43:21.0609 2680 OS Version: 5.1.2600 ServicePack: 3.0
18:43:21.0609 2680 Product type: Workstation
18:43:21.0609 2680 ComputerName: NOME-80B5784770
18:43:21.0609 2680 UserName: HP_Proprietario
18:43:21.0609 2680 Windows directory: C:\WINDOWS
18:43:21.0609 2680 System windows directory: C:\WINDOWS
18:43:21.0609 2680 Processor architecture: Intel x86
18:43:21.0609 2680 Number of processors: 1
18:43:21.0609 2680 Page size: 0x1000
18:43:21.0609 2680 Boot type: Normal boot
18:43:21.0609 2680 ============================================================
18:43:22.0671 2680 Initialize success
18:43:27.0953 2764 ============================================================
18:43:27.0953 2764 Scan started
18:43:27.0953 2764 Mode: Manual; SigCheck; TDLFS;
18:43:27.0953 2764 ============================================================
18:43:56.0453 2764 VgaSave - ok
18:43:56.0484 2764 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
18:43:56.0609 2764 ViaIde - ok
18:43:56.0625 2764 VolSnap (e46c1b5a56da7da603d09dfcc79ec59e) C:\WINDOWS\system32\drivers\VolSnap.sys
18:43:56.0765 2764 VolSnap - ok
18:43:56.0796 2764 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
18:43:56.0921 2764 Wanarp - ok
18:43:56.0937 2764 WDICA - ok
18:43:56.0968 2764 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
18:43:57.0140 2764 wdmaud - ok
18:43:57.0234 2764 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
18:43:57.0390 2764 WS2IFSL - ok
18:43:57.0421 2764 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
18:43:57.0546 2764 WSTCODEC - ok
18:43:57.0593 2764 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
18:43:57.0625 2764 WudfPf - ok
18:43:57.0656 2764 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
18:43:57.0671 2764 WudfRd - ok
18:43:57.0718 2764 ZTEusbmdm6k (d169ecbde1291b7d720441550d15d104) C:\WINDOWS\system32\DRIVERS\ZTEusbmdm6k.sys
18:43:57.0765 2764 ZTEusbmdm6k - ok
18:43:57.0796 2764 ZTEusbnet (d788e7d89cc491644d7a45b227f9b25e) C:\WINDOWS\system32\DRIVERS\ZTEusbnet.sys
18:43:57.0843 2764 ZTEusbnet - ok
18:43:57.0875 2764 ZTEusbnmea (d169ecbde1291b7d720441550d15d104) C:\WINDOWS\system32\DRIVERS\ZTEusbnmea.sys
18:43:57.0890 2764 ZTEusbnmea - ok
18:43:57.0921 2764 ZTEusbser6k (d169ecbde1291b7d720441550d15d104) C:\WINDOWS\system32\DRIVERS\ZTEusbser6k.sys
18:43:57.0937 2764 ZTEusbser6k - ok
18:43:57.0953 2764 ZTEusbvoice (d169ecbde1291b7d720441550d15d104) C:\WINDOWS\system32\DRIVERS\ZTEusbvoice.sys
18:43:57.0968 2764 ZTEusbvoice - ok
18:43:58.0015 2764 MBR (0x1B8) (0ac6d996bce152aed9600e6d6b797e2e) \Device\Harddisk0\DR0
18:43:58.0125 2764 \Device\Harddisk0\DR0 - ok
18:43:58.0125 2764 Boot (0x1200) (2ace0eb7c5ee6f61602982a06317d927) \Device\Harddisk0\DR0\Partition0
18:43:58.0125 2764 \Device\Harddisk0\DR0\Partition0 - ok
18:43:58.0140 2764 Boot (0x1200) (3a30bf24a3e1dfa74627ead26b95acb9) \Device\Harddisk0\DR0\Partition1
18:43:58.0140 2764 \Device\Harddisk0\DR0\Partition1 - ok
18:43:58.0140 2764 ============================================================
18:43:58.0140 2764 Scan finished
18:43:58.0140 2764 ============================================================
18:43:58.0250 3676 Detected object count: 2
18:43:58.0250 3676 Actual detected object count: 2
18:44:01.0218 3676 AFS2K ( UnsignedFile.Multi.Generic ) - skipped by user
18:44:01.0218 3676 AFS2K ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:44:01.0218 3676 StarOpen ( UnsignedFile.Multi.Generic ) - skipped by user
18:44:01.0218 3676 StarOpen ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:44:03.0171 0340 Deinitialize success


The Disk Management picture is here:
https://picasaweb.go...feat=directlink

Hope this helps,
regards :-)

Ferrux

Edited by ferrux, 26 December 2011 - 12:24 PM.

  • 0

#7
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
IF combofix thinks avira is still there and you know it is not you can tell it to go ahead and run.
  • 0

#8
ferrux

ferrux

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Hi Ron,
I disabled Norton 360 and switched the router off so that the PC is not left unprotected on the internet. However, when I run ComboFix it hangs: even after more than 30 minutes nothing happens and there is no hard-disk activity. Initially ComboFix says it is ready to go on, then it halts; maybe the 'ghost' AntiVir is halting it. Lastly, would running ComboFix in Windows Safe Mode help?

Meanwhile I was wondering whether other logs could give a hint. Just out of curiosity, what would have happened if I had clicked on the Fix button?

THANK YOU for your help, it is very professional and appreciated.

Regards,
Ferrux

Edited by ferrux, 26 December 2011 - 02:49 PM.

  • 0

#9
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Turning off the router may be why Combofix is hanging. Combofix likes to check for updates and with XP it likes to download the Recovery Console. As long as you are not using the PC to surf you should be OK since you are behind a router. Sometimes Combofix will run better in Safe mode with networking.
(Reboot and when you see the maker's logo, hear a beep or it talks about F8, start tapping the F8 key slowly. Keep tapping until the Safe Mode Menu appears and choose Safe Mode with Networking. Login with your usual login.)

Run aswMBR again and after the scan runs, click on the Fix button. Then reboot, run aswMBR again and see if it comes up clean this time.
  • 0

#10
ferrux

ferrux

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Hi
I will do it on the affected computer hopefully tomorrow afternoon (GMT+1).

Ron, thank you for all the help, I will be very happy to donate, your efforts deserve it.

Regards,
Ferrux

----
Just a personal thought for the Norton people, in case they read this.
I am a bit surprised that Norton 360 cannot fix all this mess: it detects it but cannot help.
I am paying for a worthless subscription.

Edited by ferrux, 27 December 2011 - 07:41 AM.

  • 0


#11
ferrux

ferrux

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Hi Ron,
here is the aswMBR log:
---
aswMBR version 0.9.9.1120 Copyright© 2011 AVAST Software
Run date: 2011-12-28 15:35:47
-----------------------------
15:35:47.812 OS Version: Windows 5.1.2600 Service Pack 3
15:35:47.812 Number of processors: 1 586 0x2F02
15:35:47.828 ComputerName: NOME-80B5784770 UserName: HP_Proprietario
15:35:49.218 Initialize success
15:36:00.609 AVAST engine defs: 11122800
15:36:22.578 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
15:36:22.578 Disk 0 Vendor: ST3200826AS 3.03 Size: 190782MB BusType: 3
15:36:24.640 Disk 0 MBR read successfully
15:36:24.640 Disk 0 MBR scan
15:36:24.734 Disk 0 unknown MBR code
15:36:24.734 Disk 0 Partition 1 00 0C FAT32 LBA RECOVERY 6142 MB offset 63
15:36:24.765 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 184629 MB offset 12579840
15:36:24.796 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 10 MB offset 390700800
15:36:24.796 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
15:36:24.828 Disk 0 malicious Win32:MBRoot code @ sector 61 !
15:36:25.312 Disk 0 scanning C:\WINDOWS\system32\drivers
15:36:48.562 Service scanning
15:36:49.859 Modules scanning
15:37:13.593 Scan finished successfully
15:37:22.484 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Proprietario\Desktop\MBR.dat"
15:37:22.484 The log file has been saved successfully to "C:\Documents and Settings\HP_Proprietario\Desktop\aswMBR.txt"

---
The Fix button is enabled; now I will click it and then reboot the PC. I will be back shortly, hope... :-)

Regards.
Ferrux
  • 0

#12
ferrux

ferrux

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Hi,
I am back from the PC reboot. I ran aswMBR again; here is the new log.
This time the FIX button is disabled (grayed out) while FIXMBR is enabled, as in the previous test (post #11).
Hope this helps, thank you.

aswMBR version 0.9.9.1120 Copyright© 2011 AVAST Software
Run date: 2011-12-28 15:35:47
-----------------------------
15:35:47.812 OS Version: Windows 5.1.2600 Service Pack 3
15:35:47.812 Number of processors: 1 586 0x2F02
15:35:47.828 ComputerName: NOME-80B5784770 UserName: HP_Proprietario
15:35:49.218 Initialize success
15:36:00.609 AVAST engine defs: 11122800
15:36:22.578 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
15:36:22.578 Disk 0 Vendor: ST3200826AS 3.03 Size: 190782MB BusType: 3
15:36:24.640 Disk 0 MBR read successfully
15:36:24.640 Disk 0 MBR scan
15:36:24.734 Disk 0 unknown MBR code
15:36:24.734 Disk 0 Partition 1 00 0C FAT32 LBA RECOVERY 6142 MB offset 63
15:36:24.765 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 184629 MB offset 12579840
15:36:24.796 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 10 MB offset 390700800
15:36:24.796 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
15:36:24.828 Disk 0 malicious Win32:MBRoot code @ sector 61 !
15:36:25.312 Disk 0 scanning C:\WINDOWS\system32\drivers
15:36:48.562 Service scanning
15:36:49.859 Modules scanning
15:37:13.593 Scan finished successfully
15:37:22.484 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Proprietario\Desktop\MBR.dat"
15:37:22.484 The log file has been saved successfully to "C:\Documents and Settings\HP_Proprietario\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1120 Copyright© 2011 AVAST Software
Run date: 2011-12-28 15:46:44
-----------------------------
15:46:44.015 OS Version: Windows 5.1.2600 Service Pack 3
15:46:44.015 Number of processors: 1 586 0x2F02
15:46:44.015 ComputerName: NOME-80B5784770 UserName: HP_Proprietario
15:46:51.656 Initialize success
15:47:05.203 AVAST engine defs: 11122800
15:47:22.281 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
15:47:22.281 Disk 0 Vendor: ST3200826AS 3.03 Size: 190782MB BusType: 3
15:47:24.312 Disk 0 MBR read successfully
15:47:24.312 Disk 0 MBR scan
15:47:24.343 Disk 0 unknown MBR code
15:47:24.343 Disk 0 Partition 1 00 0C FAT32 LBA RECOVERY 6142 MB offset 63
15:47:24.359 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 184629 MB offset 12579840
15:47:24.390 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 10 MB offset 390700800
15:47:24.390 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
15:47:24.390 Disk 0 scanning sectors +390721952
15:47:25.703 Disk 0 scanning C:\WINDOWS\system32\drivers
15:47:41.515 Service scanning
15:47:43.281 Modules scanning
15:47:54.921 Scan finished successfully
15:48:21.718 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Proprietario\Desktop\x ron\MBR.dat"
15:48:21.718 The log file has been saved successfully to "C:\Documents and Settings\HP_Proprietario\Desktop\x ron\aswMBR.txt"
  • 0
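The partition table aswMBR printed above, including the 10 MB hidden NTFS partition at offset 390700800 that the advice later in this thread has the user delete, can be checked offline from the MBR.dat that aswMBR saved to the desktop. The script below is an added example, not part of the original thread and not aswMBR's or TDSSKiller's code. It parses a 512-byte MBR, lists the four entries in the form aswMBR uses (active flag, type ID, LBA offset, size) and flags what a TDSS/Alureon-style infection typically leaves behind: a small partition with a "hidden" type ID at the end of the disk, a wrong number of active partitions, overlapping entries and, if a known-good value is supplied, boot code whose MD5 differs from it. Assumptions: the sample MBR is constructed from the offsets in the log, with sector counts chosen to reproduce the logged sizes; the SMALL_MB threshold and the HIDDEN_TYPES set are my own choices; and hashing the first 0x1B8 bytes matches TDSSKiller's "MBR (0x1B8)" line only if that label refers to the same byte range, which is an assumption.

```python
"""Offline check of an MBR dump (for example the MBR.dat aswMBR saves) for the
pattern a TDSS/Alureon infection leaves behind: patched boot code plus a small
hidden partition appended to the end of the disk.  Added example, not tool code."""
import hashlib
import struct
from typing import Optional

SECTOR = 512
BOOT_CODE_LEN = 0x1B8      # boot code; the 4-byte disk signature and the table follow it
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
# "hidden" variants of the FAT/NTFS type IDs (assumed set; 0x17 is what aswMBR printed)
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
SMALL_MB = 64              # assumption: a hidden partition this small is worth a look


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, disk signature and partition entries."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature: not an MBR sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        partitions.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return {
        "boot_code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, 0x1B8)[0],
        "partitions": partitions,
    }


def find_suspicious(parsed: dict, known_good_md5: Optional[str] = None) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    if known_good_md5 and parsed["boot_code_md5"] != known_good_md5.lower():
        findings.append("boot code hash differs from the known-good value")
    used = [p for p in parsed["partitions"] if p["type"] != 0]
    bootable = [p for p in used if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions carry the 0x80 active flag, expected 1")
    if used:
        tail = max(used, key=lambda p: p["lba_start"])
        for p in used:
            if p["type"] in HIDDEN_TYPES and p["size_mb"] <= SMALL_MB:
                where = "at the end of the disk" if p is tail else "in the middle of the disk"
                findings.append(f"partition {p['index']}: hidden type 0x{p['type']:02X}, "
                                f"only {p['size_mb']} MB, LBA {p['lba_start']} {where}")
    ordered = sorted(used, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings


def build_mbr(entries, boot_code: bytes = b"") -> bytes:
    """Assemble a 512-byte MBR from (status, type, lba_start, sectors) tuples (test helper)."""
    buf = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    buf[:len(code)] = code
    for i, (status, ptype, start, count) in enumerate(entries[:4]):
        struct.pack_into("<B3xB3xII", buf, PART_TABLE_OFF + 16 * i, status, ptype, start, count)
    buf[510:512] = b"\x55\xAA"
    return bytes(buf)


# Constructed sample: the three entries aswMBR printed for this disk (offsets from the log,
# sector counts chosen so the sizes come out to 6142 MB, 184629 MB and 10 MB).
SAMPLE_MBR = build_mbr([
    (0x00, 0x0C, 63,        12579777),   # FAT32 LBA, the RECOVERY partition
    (0x80, 0x07, 12579840,  378120960),  # NTFS, active (C:)
    (0x00, 0x17, 390700800, 20480),      # hidden NTFS, 10 MB, appended at the disk end
])

if __name__ == "__main__":
    parsed = parse_mbr(SAMPLE_MBR)   # real use: parse_mbr(open("MBR.dat", "rb").read())
    print("boot code md5:", parsed["boot_code_md5"])
    for p in parsed["partitions"]:
        if p["type"]:
            flag = "80 (A)" if p["bootable"] else "00"
            print(f"Partition {p['index']} {flag} {p['type']:02X} offset {p['lba_start']} {p['size_mb']} MB")
    for line in find_suspicious(parsed):
        print("SUSPICIOUS:", line)
```

A hit is a lead, not a verdict: OEM diagnostic and recovery partitions also use hidden type IDs (on this disk the RECOVERY partition happens to be a visible FAT32, but other vendors hide theirs), so compare against the vendor's documented layout before deleting anything, and keep the MBR.dat backup aswMBR already wrote in case the partition table has to be put back.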

#13
ferrux

ferrux

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Hi Ron,
I managed to run ComboFix in Safe Mode; here is the log, hope it helps. Norton keeps on displaying the
Boot.tidserv notification and requires action during the boot phase.
---
ComboFix 11-12-28.03 - HP_Proprietario 28/12/2011 16.20.54.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1022.769 [GMT 1:00]
Run from: c:\temp\combofix.exe
Options used :: /nombr
AV: AntiVir Desktop *Disabled/Outdated* {0013F2B4-5C49-7C92-0300-000000000000}
AV: AntiVir Desktop *Disabled/Updated* {0013F2B4-5CE9-7C92-0300-000000000000}
AV: AntiVir Desktop *Enabled/Updated* {00000002-0002-0000-6C25-9E7C08000A00}
AV: AntiVir Desktop *Enabled/Updated* {00000002-0002-0000-7C25-9E7C08000A00}
AV: AntiVir Desktop *Enabled/Updated* {0012F2B4-5CE9-7C92-0300-000000000000}
AV: Avira Desktop *Enabled/Updated* {00000000-0715-0000-08F2-12007ACF917C}
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Dati applicazioni\TEMP
c:\documents and settings\Anna\Dati applicazioni\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
c:\documents and settings\Anna\Desktop\System Fix.lnk
c:\documents and settings\Anna\Menu Avvio\Programmi\System Fix
c:\documents and settings\Anna\Menu Avvio\Programmi\System Fix\System Fix.lnk
c:\documents and settings\Anna\Menu Avvio\Programmi\System Fix\Uninstall System Fix.lnk
c:\documents and settings\Anna\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Proprietario\Menu Avvio\Programmi\System Fix
c:\documents and settings\HP_Proprietario\Menu Avvio\Programmi\System Fix\System Fix.lnk
c:\documents and settings\HP_Proprietario\Menu Avvio\Programmi\System Fix\Uninstall System Fix.lnk
c:\documents and settings\HP_Proprietario\WINDOWS
c:\windows\IsUn0410.exe
c:\windows\ST6UNST.000
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\ps2.bat
c:\windows\system32\SET254.tmp
c:\windows\system32\SET259.tmp
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))))))
.
.
2011-12-28 13:56 . 2011-12-28 13:56 -------- d-----w- c:\documents and settings\HP_Proprietario\Impostazioni locali\Dati applicazioni\Secunia PSI
2011-12-28 13:53 . 2011-12-28 13:53 -------- d-----w- c:\documents and settings\HP_Proprietario\Dati applicazioni\SUPERAntiSpyware.com
2011-12-28 13:52 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-28 13:52 . 2011-12-28 13:53 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2011-12-28 13:50 . 2011-12-28 13:50 -------- d-----w- c:\programmi\Secunia
2011-12-28 13:50 . 2011-12-28 13:52 -------- d-----w- c:\programmi\SUPERAntiSpyware
2011-12-28 13:50 . 2011-12-28 13:50 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2011-12-28 13:48 . 2011-12-28 13:48 -------- d-----w- c:\programmi\VS Revo Group
2011-12-26 17:13 . 2011-12-26 17:29 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Avira
2011-12-26 14:26 . 2011-12-26 14:26 626688 ----a-w- c:\programmi\Mozilla Firefox\msvcr80.dll
2011-12-26 14:26 . 2011-12-26 14:26 548864 ----a-w- c:\programmi\Mozilla Firefox\msvcp80.dll
2011-12-26 14:26 . 2011-12-26 14:26 479232 ----a-w- c:\programmi\Mozilla Firefox\msvcm80.dll
2011-12-26 14:26 . 2011-12-26 14:26 43992 ----a-w- c:\programmi\Mozilla Firefox\mozutils.dll
2011-12-22 03:47 . 2011-12-22 03:52 -------- d-----w- C:\NBRT
2011-12-17 17:00 . 2011-12-18 18:43 -------- d-----w- c:\documents and settings\HP_Proprietario\Impostazioni locali\Dati applicazioni\NPE
2011-12-17 14:47 . 2011-12-17 15:56 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-12-17 14:47 . 2011-12-17 15:56 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-12-17 14:46 . 2011-12-17 17:07 -------- d-----w- c:\windows\system32\drivers\N360
2011-12-17 14:46 . 2011-12-17 14:46 -------- d-----w- c:\programmi\Norton 360
2011-12-17 14:46 . 2011-12-17 14:46 -------- d-----w- c:\programmi\Windows Sidebar
2011-12-17 14:44 . 2011-12-17 17:00 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Norton
2011-12-17 14:43 . 2011-12-17 14:43 -------- d-----w- c:\programmi\NortonInstaller
2011-12-09 17:01 . 2011-12-17 14:41 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2011-12-03 18:25 . 2011-12-03 18:25 -------- d-----w- c:\programmi\Microsoft CAPICOM 2.1.0.2
2011-12-03 13:56 . 2009-08-06 18:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-12-03 13:56 . 2009-08-06 18:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-12-03 08:40 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-28 21:37 . 2011-12-23 21:32 -------- d-----w- c:\programmi\SkyTeam TravelDesk
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-05 20:06 . 2011-05-15 15:43 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 14:40 . 2004-08-19 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:13 . 2004-08-19 11:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:13 . 2004-08-19 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:13 . 2004-08-19 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:24 . 2004-08-19 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-19 12:00 1288192 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-19 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-26 10:50 . 2004-08-19 18:00 2073088 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-26 10:50 . 2004-08-19 12:00 2196480 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-18 11:13 . 2004-08-19 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2004-08-19 12:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-12-26 14:26 . 2011-05-29 20:22 121816 ----a-w- c:\programmi\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate/default entries are not shown.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ATIPTA"="c:\programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 344064]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-11 253952]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"Share-to-Web Namespace Daemon"="c:\programmi\HP\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"ISUSPM Startup"="c:\progra~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
_uninst_.lnk - c:\documents and settings\Administrator\Impostazioni locali\Temp\_uninst_.bat [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmi\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\programmi\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Alice ti aiuta.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Alice ti aiuta.lnk
backup=c:\windows\pss\Alice ti aiuta.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Avvio veloce di Adobe Reader.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Avvio veloce di Adobe Reader.lnk
backup=c:\windows\pss\Avvio veloce di Adobe Reader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Google Updater.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Secunia PSI Tray.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^TotalMedia Backup Monitor.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\TotalMedia Backup Monitor.lnk
backup=c:\windows\pss\TotalMedia Backup Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2005-09-25 18:11 94208 ----a-w- c:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Home Theater SchSvr]
2005-07-18 18:12 106496 ----a-w- c:\programmi\File comuni\InterVideo\SchSvr\SchSvr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
2005-06-02 06:35 49152 ----a-w- c:\programmi\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 22:50 81920 ----a-w- c:\programmi\File comuni\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-08-31 16:00 449608 ----a-w- c:\programmi\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileConnect]
2010-01-19 13:24 2499584 ---ha-w- c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 02:14 1695232 ----a-w- c:\programmi\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2005-09-25 18:11 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2004-10-25 22:17 90112 ----a-w- c:\windows\system32\ps2.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2004-12-14 00:23 663552 ----a-w- c:\windows\CREATOR\Remind_XP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-12-09 00:44 4616064 ----a-w- c:\programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-01-03 16:43 180269 ----a-w- c:\programmi\File comuni\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 14:45 313472 ----a-r- c:\programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINREMOTE]
2005-07-18 17:05 262144 ----a-w- c:\programmi\InterVideo\Common\Bin\WinRemote.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programmi\\MSN Messenger\\msncall.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\symds.sys [17/12/2011 16.56.04 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\symefa.sys [17/12/2011 16.56.04 744568]
R2 !SASCORE;SAS Core Service;c:\programmi\SUPERAntiSpyware\SASCore.exe [12/08/2011 0.38.07 116608]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Dati applicazioni\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20111221.003\BHDrvx86.sys [22/12/2011 20.04.29 819320]
S1 SASDIFSV;SASDIFSV;c:\programmi\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17.27.02 12880]
S1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22.55.22 67664]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\ironx86.sys [17/12/2011 16.56.04 136312]
S2 gupdate1c9d0ad2b4c0cf6;Servizio di Google Update (gupdate1c9d0ad2b4c0cf6);c:\programmi\Google\Update\GoogleUpdate.exe [09/05/2009 14.50.52 133104]
S2 MBAMService;MBAMService;c:\programmi\Malwarebytes' Anti-Malware\mbamservice.exe [28/12/2011 14.52.31 366152]
S2 N360;Norton 360;c:\programmi\Norton 360\Engine\5.1.0.29\ccsvchst.exe [17/12/2011 16.55.50 130008]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\programmi\Secunia\PSI\PSIA.exe --start-service --> c:\programmi\Secunia\PSI\PSIA.exe --start-service [?]
S2 Secunia Update Agent;Secunia Update Agent;c:\programmi\Secunia\PSI\sua.exe --start-service --> c:\programmi\Secunia\PSI\sua.exe --start-service [?]
S2 VMCService;Vodafone Mobile Connect Service;c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [19/01/2010 14.24.08 9216]
S3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [02/01/2005 14.07.39 2786176]
S3 APL531;OVT Scanner;c:\windows\system32\Drivers\ov550i.sys --> c:\windows\system32\Drivers\ov550i.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programmi\File comuni\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [17/12/2011 18.31.53 106104]
S3 gupdatem;Servizio Google Update (gupdatem);c:\programmi\Google\Update\GoogleUpdate.exe [09/05/2009 14.50.52 133104]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Dati applicazioni\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20111226.001\IDSXpx86.sys [27/12/2011 21.15.02 356280]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [05/03/2011 19.43.42 9728]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [28/12/2011 14.52.02 22216]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [01/09/2010 9.30.58 15544]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [06/03/2011 15.21.48 114688]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [06/03/2011 15.21.40 105088]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-05-09 13:50]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-05-09 13:50]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
TCP: DhcpNameServer = 212.216.112.112 212.216.172.62
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\HP_Proprietario\Dati applicazioni\Mozilla\Firefox\Profiles\zz1604ly.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/|http://www.airliners.net/|http://mail.tiscali.it/cp/sso/Login.jsp?d=tiscali.it&l=it&service=null&errorCode=null&isReAuthenticate=true|https://www.google.com/calendar/render?tab=mc&pli=1
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANED KEYS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
MSConfigStartUp-DataLayer - c:\programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
MSConfigStartUp-EssentialPIM - c:\programmi\EssentialPIM\EssentialPIM.exe
MSConfigStartUp-iTunesHelper - c:\programmi\iTunes\iTunesHelper.exe
MSConfigStartUp-NBJ - c:\programmi\Ahead\Nero BackItUp\NBJ.exe
MSConfigStartUp-PCSuiteTrayApplication - c:\programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
MSConfigStartUp-PcSync - c:\programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
MSConfigStartUp-QuickTime Task - c:\programmi\QuickTime\qttask.exe
MSConfigStartUp-RemoteControl - c:\programmi\ASUS\ASUS Remote\RemoteControlAppl.exe
MSConfigStartUp-Skype - c:\programmi\Skype\Phone\Skype.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\programmi\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-SpySweeper - c:\programmi\Webroot\Spy Sweeper\SpySweeperUI.exe
MSConfigStartUp-zzzHPSETUP - E:\Setup.exe
AddRemove-Microsoft Interactive Training - c:\windows\IsUn0410.exe
AddRemove-ONEWORLD - c:\progra~2\ONEWOR~1\Unwise32.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-28 16:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\programmi\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\programmi\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- Dlls Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(440)
c:\programmi\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-12-28 16:29:17
ComboFix-quarantined-files.txt 2011-12-28 15:29
.
Pre-Run: 97,049,534,464 bytes free
Post-Run: 97,489,965,056 bytes free
.
- - End Of File - - 9164ED3DC4A39031AB5963FB85FCEE21

Edited by ferrux, 28 December 2011 - 09:42 AM.

  • 0

#14
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
See this line:

15:36:24.796 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 10 MB offset 390700800

This is a hidden partition created by the malware.

It needs to be removed. Our usual procedure is something akin to open heart surgery. You have to be very careful to do each step exactly or you wind up with an unbootable system:

Preferably from a clean computer, I need you to download: gparted-live-0.10.0-3.iso (115.1 MB)
Windows XP Recovery Console rc.iso

Create a bootable CD, 1 for Gparted and 1 for the Windows XP Recovery Console, from the ISO images. You can use ImgBurn to do this.

Now boot off of the newly created Gparted CD.

Posted Image
You should be here...
Press ENTER

Posted Image
By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

Posted Image
Choose your language and press ENTER. English is default [33]

Posted Image
Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below
Posted Image
According to your logs, the partition that you want to delete is 10 MB. Only delete this partition!
Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:
Posted Image

Now you should be here:
Posted Image

Posted Image
Is "boot" next to your OS drive?

If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:
Posted Image

Now double-click the Posted Image button.

You should receive a small pop up like this:
Posted Image
Choose reboot and then press OK.

Now reboot from the Windows XP Recovery Console CD and execute the following commands:

  • fixmbr \Device\HardDisk0
  • fixboot c:
  • exit

Once back in Windows:

Download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window will open on your desktop
  • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Attach that file.

Ron
  • 0
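The line Ron points to is a raw MBR partition-table entry: status byte 00, type byte 17 (hidden HPFS/NTFS), 10 MB, at the quoted sector offset. As an added example (not from this thread or from the tools named in it), the script below parses the four primary entries of a 512-byte MBR and flags small partitions with a hidden type, the pattern this post describes. The MBR bytes are constructed to mirror the log line and are not a real disk image; the offset is assumed to be an LBA sector number.

```python
import struct

# Type bytes with the "hidden" bit (0x10) set on common Windows file
# system types; 0x17 is the hidden HPFS/NTFS type the quoted log line
# reports for the 10 MB partition.
HIDDEN_TYPES = {0x11: "Hidden FAT12", 0x14: "Hidden FAT16 <32M",
                0x16: "Hidden FAT16", 0x17: "Hidden HPFS/NTFS",
                0x1B: "Hidden FAT32", 0x1C: "Hidden FAT32 LBA"}
SECTOR = 512

def parse_mbr(mbr: bytes):
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA, count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i + 1, "status": status, "type": ptype,
                      "lba": lba, "sectors": count,
                      "size_mb": count * SECTOR // (1024 * 1024)})
    return parts

def suspicious_partitions(parts, max_mb=64):
    """Flag small hidden-type partitions; OEM recovery partitions also use
    hidden types but are normally far larger, hence the size threshold."""
    return [p for p in parts
            if p["type"] in HIDDEN_TYPES and p["size_mb"] <= max_mb]

def make_entry(status, ptype, lba, sectors):
    return struct.pack("<B3xB3xII", status, ptype, lba, sectors)

# Constructed sample: a bootable NTFS system partition, a FAT32 recovery
# partition, and a 10 MB hidden NTFS partition (type 0x17) at the sector
# offset quoted in the post. Not taken from a real disk.
SAMPLE_MBR = (b"\x00" * 446
              + make_entry(0x80, 0x07, 2048, 390698752)
              + make_entry(0x00, 0x0C, 390720000, 16777216)
              + make_entry(0x00, 0x17, 390700800, 20480)
              + make_entry(0x00, 0x00, 0, 0)
              + b"\x55\xaa")

if __name__ == "__main__":
    for p in suspicious_partitions(parse_mbr(SAMPLE_MBR)):
        print(f"Partition {p['index']}: type {p['type']:02X} "
              f"{HIDDEN_TYPES[p['type']]}, {p['size_mb']} MB at LBA {p['lba']}")
```

To run it on a real machine, read the first 512 bytes of the physical disk (on Windows, `\\.\PhysicalDrive0` opened as administrator) and pass them to `parse_mbr`.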

#15
ferrux

ferrux

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Ok the NASTY partition has gone,
now I try:

fixmbr \Device\HardDisk0
fixboot c:
exit



Thank you :-)

Edited by ferrux, 28 December 2011 - 10:39 AM.

  • 0
