Possible attack by spy.Zbot.ZR trojan

Post by rickronn » November 3rd, 2011, 11:49 pm

Hello, sorry that this is the fourth post since I had not been able to read the forum rules as well as replies of the previous posts due to very slow opening of IE on my computer. I have finally read replies and the forum rules with help from another computer.

So I would re-post my problem and the DDS logs as below.

My problem is that my computer became very slow a couple of weeks ago. I tried to scan it with NOD32 and was informed that my computer was attacked by the spy.Zbot.ZR trojan. It stated that operating memory was attacked and the trojan could not be cleaned. NOD32 also found a couple of other trojans but was able to clean them from the computer. I have run the computer through Malwarebytes' Anti-Malware and it found some other threats and cleaned them from the system, too.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by KYTANG at 13:19:56 on 2011-11-02
Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.255.46 [GMT 8:00]
.
AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Green Software\工作列管理大師-Visual Tooltip v2.2 繁體綠化版\VisualToolTip.exe
C:\Program Files\Green Software\讓XP擁有比Vista更炫的3D視窗特效-WinFlip v0.50 繁體綠色版\WinFlip.exe
C:\Program Files\Drive Space Indicator\DrvSpace.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Green Software\記憶體優化軟體-FreeRAM XP Pro v1.40 中文免安裝版\FreeRAM XP Pro.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\conime.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://hk.yahoo.com/
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\program files\green software\讓檔案總管變的更漂剋-styler v1.401 繁體綠色版\tb\StylerTB.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [FreeRAM XP] "c:\program files\green software\邕憶體優化軟體-freeram xp pro v1.40 中文吻安裝版\FreeRAM XP Pro.exe" -win
uRun: [{DFEFB883-ED91-7502-F445-755269A46367}] "c:\documents and settings\kytang\application data\idomfi\evnaabi.exe"
mRun: [Visual Tooltip] c:\program files\green software\工作圭管理大師-visual tooltip v2.2 繁體綠化版\VisualToolTip.exe
mRun: [WinFlip] c:\program files\green software\讓xp擁有比vista更炫的3d視窗盎效-winflip v0.50 繁體綠色版\WinFlip.exe
mRun: [DriveSpace] c:\program files\drive space indicator\DrvSpace.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [msdrm] msdrm.exe
IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\netlimiter\nl_lsp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 0120334984
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{D3B04869-4614-4514-963B-B82D4FF63BC1} : NameServer = 203.198.23.208,218.102.32.208
Notify: WBSrv - c:\program files\green software\windowblinds\WBSrv.dll
AppInit_DLLs: wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
============= SERVICES / DRIVERS ===============
.
R0 amdagp8p;AMD NB AGP Bus Filter;c:\windows\system32\drivers\amdagp8p.sys [2008-8-31 27648]
R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2008-8-31 7680]
R0 tmagp;Transmeta TM 8000 AGP Filter Driver;c:\windows\system32\drivers\TMAGP.SYS [2008-8-31 27648]
R0 ULiAGP;ULi AGP Controller Bus Filter Driver;c:\windows\system32\drivers\ULiAGP.SYS [2008-8-31 33408]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [2008-8-31 45056]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2008-8-31 17920]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-1 22216]
S0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [2008-8-31 9809]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 s3m;s3m;c:\windows\system32\drivers\s3m.sys [2011-1-21 166720]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2008-8-6 63536]
.
=============== Created Last 30 ================
.
2011-11-01 09:44:12 -------- d-----w- c:\documents and settings\kytang\application data\Malwarebytes
2011-11-01 09:43:53 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-01 09:43:47 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-01 09:43:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-28 01:55:39 -------- d-----w- c:\documents and settings\kytang\application data\Omig
2011-10-28 01:55:39 -------- d-----w- c:\documents and settings\kytang\application data\Muuto
2011-10-27 09:03:03 -------- d-----w- c:\documents and settings\kytang\application data\Naly
2011-10-27 09:03:03 -------- d-----w- c:\documents and settings\kytang\application data\Enz
2011-10-27 02:23:21 -------- d-----w- c:\documents and settings\kytang\application data\Mure
2011-10-27 02:23:21 -------- d-----w- c:\documents and settings\kytang\application data\Dageku
2011-10-26 09:33:20 -------- d-----w- c:\documents and settings\kytang\application data\Okabomp
2011-10-26 09:33:20 -------- d-----w- c:\documents and settings\kytang\application data\Bie
2011-10-26 01:39:31 -------- d-----w- c:\documents and settings\kytang\application data\Idomfi
2011-10-26 01:39:31 -------- d-----w- c:\documents and settings\kytang\application data\Cie
.
==================== Find3M ====================
.
.
============= FINISH: 13:21:22.81 ==============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 2011/1/21 下午 04:36:26
System Uptime: 2011/11/2 下午 12:44:15 (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | A8N-E
Processor: AMD Athlon(tm) 64 Processor 3000+ | Socket 939 | 1944/216mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 14 GiB total, 7.655 GiB free.
E: is FIXED (NTFS) - 38 GiB total, 38.218 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 2011/1/21 下午 04:36:35 - 系統檢查點
.
==== Installed Programs ======================
.
Adobe Flash Player ActiveX
Adobe Reader X - Chinese Traditional
Alky for Applications (Windows XP)
ClearType Tuning Control Panel Applet
Drive Space Indicator
ESET Smart Security
HashTab 2.1.0
hkSFV (remove only)
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Chinese (Traditional) Lang. Pack
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - CHT
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - CHT
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 Language Pack - cht
Microsoft .NET Framework 3.5 語言套件 - 繁體中文
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Internet Explorer 中文繁簡轉換
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (Chinese (Traditional)) 2007
Microsoft Office Excel MUI (Chinese (Traditional)) 2007
Microsoft Office IME (Chinese (Traditional)) 2007
Microsoft Office InfoPath MUI (Chinese (Traditional)) 2007
Microsoft Office Outlook MUI (Chinese (Traditional)) 2007
Microsoft Office PowerPoint MUI (Chinese (Traditional)) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (Chinese (Traditional)) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proofing (Chinese (Traditional)) 2007
Microsoft Office Publisher MUI (Chinese (Traditional)) 2007
Microsoft Office Shared MUI (Chinese (Traditional)) 2007
Microsoft Office Word MUI (Chinese (Traditional)) 2007
Microsoft Software Update for Web Folders (Chinese (Traditional)) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Application Compatibility Database
Motion Clock
Motion Clock Circle
MSXML 6.0 Parser
NetLimiter 1.30 (remove only)
NVIDIA Drivers
NVIDIA Install Application
NVIDIA nView 135.50
NVIDIA nView Desktop Manager
NVIDIA PhysX
NVIDIA PhysX 系統軟體 9.10.0514
NVIDIA 控制面板 266.58
NVIDIA 圖形驅動程式 266.58
piaip AppLocale
Realtek AC'97 Audio
Ulead COOL 360 1.0
Ulead Photo Explorer 8.6
Ulead PhotoImpact 12
Unicode-At-on (BIG5 Extension) 2.50
Unlocker 1.8.7
Vista Icon Pack v3 System Patch
Vista Sound Package
WebFldrs XP
Windows Internet Explorer 7
Windows Internet Explorer 7 安全性更新 (KB938127-v2)
Windows Internet Explorer 7 安全性更新 (KB950759)
Windows Internet Explorer 7 安全性更新 (KB953838)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media 編碼器 9 系列
Windows Sidebar
Windows Sidebar Styler
Windows XP 安全性更新 (KB951376-v2)
Windows XP 更新 (KB951072-v2)
WinRAR 壓縮工具
XML Paper Specification Shared Components Language Pack 1.0
XML Paper Specification Shared Components Pack 1.0
.
==== End Of File ===========================

Thanks in advance for your help to save my computer.
rickronn
Regular Member
 
Posts: 18
Joined: November 2nd, 2011, 1:15 am

Re: Possible attack by spy.Zbot.ZR trojan

Post by Gary R » November 8th, 2011, 5:31 am

Hi rickronn,

Sorry we're late answering your request for help, it gets rather busy here sometimes and people sometimes get overlooked. If you still need help with your computer, please run a new scan with DDS and post me the new logs.
Gary R
Administrator
 
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Possible attack by spy.Zbot.ZR trojan

Post by rickronn » November 9th, 2011, 2:15 am

Hello, Gary R,
Thanks for your help! Yes, I do need your assistance with my system. Please find below the new scan logs from DDS.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by KYTANG at 14:10:08 on 2011-11-09
Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.255.27 [GMT 8:00]
.
AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Green Software\工作列管理大師-Visual Tooltip v2.2 繁體綠化版\VisualToolTip.exe
C:\Program Files\Green Software\讓XP擁有比Vista更炫的3D視窗特效-WinFlip v0.50 繁體綠色版\WinFlip.exe
C:\Program Files\Drive Space Indicator\DrvSpace.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Green Software\記憶體優化軟體-FreeRAM XP Pro v1.40 中文免安裝版\FreeRAM XP Pro.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\conime.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://hk.yahoo.com/
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\program files\green software\讓檔案總管變的更漂剋-styler v1.401 繁體綠色版\tb\StylerTB.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [FreeRAM XP] "c:\program files\green software\邕憶體優化軟體-freeram xp pro v1.40 中文吻安裝版\FreeRAM XP Pro.exe" -win
uRun: [{DFEFB883-ED91-7502-F445-755269A46367}] "c:\documents and settings\kytang\application data\idomfi\evnaabi.exe"
mRun: [Visual Tooltip] c:\program files\green software\工作圭管理大師-visual tooltip v2.2 繁體綠化版\VisualToolTip.exe
mRun: [WinFlip] c:\program files\green software\讓xp擁有比vista更炫的3d視窗盎效-winflip v0.50 繁體綠色版\WinFlip.exe
mRun: [DriveSpace] c:\program files\drive space indicator\DrvSpace.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [msdrm] msdrm.exe
IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\netlimiter\nl_lsp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 0120334984
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{D3B04869-4614-4514-963B-B82D4FF63BC1} : NameServer = 203.198.23.208,218.102.32.208
Notify: WBSrv - c:\program files\green software\windowblinds\WBSrv.dll
AppInit_DLLs: wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
============= SERVICES / DRIVERS ===============
.
R0 amdagp8p;AMD NB AGP Bus Filter;c:\windows\system32\drivers\amdagp8p.sys [2008-8-31 27648]
R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2008-8-31 7680]
R0 tmagp;Transmeta TM 8000 AGP Filter Driver;c:\windows\system32\drivers\TMAGP.SYS [2008-8-31 27648]
R0 ULiAGP;ULi AGP Controller Bus Filter Driver;c:\windows\system32\drivers\ULiAGP.SYS [2008-8-31 33408]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [2008-8-31 45056]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2008-8-31 17920]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2010-8-12 810144]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-1 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-1 22216]
S0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [2008-8-31 9809]
S3 s3m;s3m;c:\windows\system32\drivers\s3m.sys [2011-1-21 166720]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2008-8-6 63536]
.
=============== Created Last 30 ================
.
2011-11-01 09:44:12 -------- d-----w- c:\documents and settings\kytang\application data\Malwarebytes
2011-11-01 09:43:53 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-01 09:43:47 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-01 09:43:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-28 01:55:39 -------- d-----w- c:\documents and settings\kytang\application data\Omig
2011-10-28 01:55:39 -------- d-----w- c:\documents and settings\kytang\application data\Muuto
2011-10-27 09:03:03 -------- d-----w- c:\documents and settings\kytang\application data\Naly
2011-10-27 09:03:03 -------- d-----w- c:\documents and settings\kytang\application data\Enz
2011-10-27 02:23:21 -------- d-----w- c:\documents and settings\kytang\application data\Mure
2011-10-27 02:23:21 -------- d-----w- c:\documents and settings\kytang\application data\Dageku
2011-10-26 09:33:20 -------- d-----w- c:\documents and settings\kytang\application data\Okabomp
2011-10-26 09:33:20 -------- d-----w- c:\documents and settings\kytang\application data\Bie
2011-10-26 01:39:31 -------- d-----w- c:\documents and settings\kytang\application data\Idomfi
2011-10-26 01:39:31 -------- d-----w- c:\documents and settings\kytang\application data\Cie
.
==================== Find3M ====================
.
.
============= FINISH: 14:11:53.07 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 2011/1/21 下午 04:36:26
System Uptime: 2011/11/9 上午 09:53:21 (5 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | A8N-E
Processor: AMD Athlon(tm) 64 Processor 3000+ | Socket 939 | 1813/216mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 14 GiB total, 7.541 GiB free.
E: is FIXED (NTFS) - 38 GiB total, 38.218 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 2011/1/21 下午 04:36:35 - 系統檢查點
.
==== Installed Programs ======================
.
Adobe Flash Player ActiveX
Adobe Reader X - Chinese Traditional
Alky for Applications (Windows XP)
ClearType Tuning Control Panel Applet
Drive Space Indicator
ESET Smart Security
HashTab 2.1.0
hkSFV (remove only)
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Chinese (Traditional) Lang. Pack
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - CHT
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - CHT
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 Language Pack - cht
Microsoft .NET Framework 3.5 語言套件 - 繁體中文
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Internet Explorer 中文繁簡轉換
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (Chinese (Traditional)) 2007
Microsoft Office Excel MUI (Chinese (Traditional)) 2007
Microsoft Office IME (Chinese (Traditional)) 2007
Microsoft Office InfoPath MUI (Chinese (Traditional)) 2007
Microsoft Office Outlook MUI (Chinese (Traditional)) 2007
Microsoft Office PowerPoint MUI (Chinese (Traditional)) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (Chinese (Traditional)) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proofing (Chinese (Traditional)) 2007
Microsoft Office Publisher MUI (Chinese (Traditional)) 2007
Microsoft Office Shared MUI (Chinese (Traditional)) 2007
Microsoft Office Word MUI (Chinese (Traditional)) 2007
Microsoft Software Update for Web Folders (Chinese (Traditional)) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Application Compatibility Database
Motion Clock
Motion Clock Circle
MSXML 6.0 Parser
NetLimiter 1.30 (remove only)
NVIDIA Drivers
NVIDIA Install Application
NVIDIA nView 135.50
NVIDIA nView Desktop Manager
NVIDIA PhysX
NVIDIA PhysX 系統軟體 9.10.0514
NVIDIA 控制面板 266.58
NVIDIA 圖形驅動程式 266.58
piaip AppLocale
Realtek AC'97 Audio
Ulead COOL 360 1.0
Ulead Photo Explorer 8.6
Ulead PhotoImpact 12
Unicode-At-on (BIG5 Extension) 2.50
Unlocker 1.8.7
Vista Icon Pack v3 System Patch
Vista Sound Package
WebFldrs XP
Windows Internet Explorer 7
Windows Internet Explorer 7 安全性更新 (KB938127-v2)
Windows Internet Explorer 7 安全性更新 (KB950759)
Windows Internet Explorer 7 安全性更新 (KB953838)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media 編碼器 9 系列
Windows Sidebar
Windows Sidebar Styler
Windows XP 安全性更新 (KB951376-v2)
Windows XP 更新 (KB951072-v2)
WinRAR 壓縮工具
XML Paper Specification Shared Components Language Pack 1.0
XML Paper Specification Shared Components Pack 1.0
.
==== End Of File ===========================
rickronn
Regular Member
 
Posts: 18
Joined: November 2nd, 2011, 1:15 am
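
The two DDS logs above contain the two things a helper looks for first when a Zbot-type infection is suspected: an autostart value (the `uRun` entry with a GUID for a name) that launches an executable from the user's Application Data folder, and a run of freshly created, randomly named folders in that same location, appearing in pairs with identical creation times. The script below is an added example written for this thread, not a tool from MalwareRemoval.com, DDS or ComboFix: it parses the `uRun`/`mRun`/`dRun` lines and the "Created Last 30" lines from a DDS log and reports those two patterns, correlating the autostart path with the new folders. The sample lines are copied from the posted logs; the allowlist of known Application Data folder names is constructed for the example and deliberately incomplete, and the heuristics are the editor's, not DDS's own.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the DDS logs posted in this thread
# (the remainder of the logs is omitted). Quoting and trailing arguments are
# kept exactly as DDS prints them.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{DFEFB883-ED91-7502-F445-755269A46367}] "c:\documents and settings\kytang\application data\idomfi\evnaabi.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
2011-11-01 09:44:12 -------- d-----w- c:\documents and settings\kytang\application data\Malwarebytes
2011-11-01 09:43:47 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-28 01:55:39 -------- d-----w- c:\documents and settings\kytang\application data\Omig
2011-10-28 01:55:39 -------- d-----w- c:\documents and settings\kytang\application data\Muuto
2011-10-26 01:39:31 -------- d-----w- c:\documents and settings\kytang\application data\Idomfi
2011-10-26 01:39:31 -------- d-----w- c:\documents and settings\kytang\application data\Cie
"""
SAMPLE_LINES = SAMPLE_DDS.strip().splitlines()

RUN_RE = re.compile(r'^([umd])Run: \[([^\]]*)\]\s*(.*)$')
CREATED_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$')

# Profile locations a product's autostart normally has no business living in.
USER_DATA_MARKERS = ('\\application data\\', '\\local settings\\', '\\temp\\')
# Constructed, deliberately incomplete allowlist: folder names that the
# installed-programs section of the posted log accounts for.
KNOWN_APPDATA_DIRS = {'malwarebytes', 'microsoft', 'adobe', 'sun', 'macromedia'}


def parse_run(line):
    """Return (hive, value_name, exe_path) for a uRun/mRun/dRun line, else None."""
    m = RUN_RE.match(line)
    if not m:
        return None
    hive, name, cmd = m.groups()
    if cmd.startswith('"'):
        path = cmd[1:cmd.find('"', 1)]   # quoted path; arguments follow the closing quote
    else:
        # Unquoted path: it may contain spaces, so cut after the first
        # executable-looking token rather than at the first space.
        mm = re.match(r'(.+?\.(?:exe|dll|com|scr))(?:\s|$)', cmd, re.I)
        path = mm.group(1) if mm else cmd.split()[0]
    return hive, name, path.lower()


def parse_created(line):
    """Return (timestamp, is_directory, path) for a 'Created Last 30' line, else None."""
    m = CREATED_RE.match(line)
    if not m:
        return None
    ts, _size, attrs, path = m.groups()
    return ts, attrs.startswith('d'), path.lower()


def triage(lines):
    """Return human-readable findings for the two patterns described in the lead-in."""
    findings = []
    runs = [r for r in map(parse_run, lines) if r]
    created = [c for c in map(parse_created, lines) if c]

    # 1. New folders directly under a user's Application Data, grouped by
    #    creation second: in the posted log they appear in pairs.
    by_second = defaultdict(list)
    for ts, is_dir, path in created:
        m = re.search(r'\\application data\\([^\\]+)$', path)
        if is_dir and m and m.group(1) not in KNOWN_APPDATA_DIRS:
            by_second[ts].append(m.group(1))
    new_dirs = set()
    for ts, names in by_second.items():
        for n in names:
            new_dirs.add(n)
            siblings = sorted(set(names) - {n})
            note = f' together with {siblings}' if siblings else ''
            findings.append(f'new app-data folder {n!r} created {ts}{note}')

    # 2. Autostart values that launch from user-writable data paths, correlated
    #    with the folders found in step 1.
    for hive, name, path in runs:
        if any(marker in path for marker in USER_DATA_MARKERS):
            parts = path.split('\\')
            parent = parts[-2] if len(parts) > 1 else ''
            msg = f'{hive}Run [{name}] launches {path} from a user data path'
            if parent in new_dirs:
                msg += f' inside recently created folder {parent!r}'
            findings.append(msg)
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Run against the sample it reports the four new folders (Omig with Muuto, Idomfi with Cie) and the single autostart value that launches `evnaabi.exe` from inside the Idomfi folder, while the ctfmon, nwiz and egui entries and the Malwarebytes folder pass. On a full DDS log, feed it the lines between the "Pseudo HJT Report" and "Find3M" headers; the output is a starting point for the helper's review, not a verdict.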

Re: Possible attack by spy.Zbot.ZR trojan

Post by Gary R » November 9th, 2011, 3:00 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the "malware removal" forum and wait for help.


Unless informed of in advance, failure to post replies within 3 days will result in this thread being closed.


Hi rickronn

I'm Gary R, I'll be glad to help you with your computer problems.

Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to install any new software (other than those I ask you to) until we've got your computer clean.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. If your defensive programmes warn you about any of those tools, be assured that they are not infected, and are safe to use.
If you can do these things, everything should go smoothly.
  • If you're using XP, you'll need Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Download ComboFix from one of these locations and save it to your Desktop: (if you already have a copy of Combofix, delete it and use this version)

Link 1
Link 2

IMPORTANT !!! ComboFix.exe must be run from your Desktop

  • Disable your AntiVirus and AntiSpyware applications, they may otherwise interfere with Combofix. There are details for disabling many programmes here.
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install Microsoft Windows Recovery Console.

**Please note: If Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you.

Please include this log in your next reply (it can also be found at C:\ComboFix.txt).

IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.
If you have any problems with these instructions, a detailed Tutorial for how to use Combofix is available here.
Gary R
Administrator
 
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Possible attack by spy.Zbot.ZR trojan

Post by rickronn » November 10th, 2011, 5:25 am

Hi, Gary R,

I ran ComboFix as per your advice and the system hung right before the scan log was generated. It just froze there forever. What should I do?

Best regards,
Rickronn
rickronn
Regular Member
 
Posts: 18
Joined: November 2nd, 2011, 1:15 am

Re: Possible attack by spy.Zbot.ZR trojan

Post by Gary R » November 10th, 2011, 7:03 am

Reboot your computer and look to see if a log has been created at C:\Combofix.txt

If there is a log, please post it in your next reply.

If not, see if you can run Combofix in Safe Mode. To boot into Safe Mode ....

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Note: if you cannot boot into safe mode using this method, DO NOT attempt to do so by using MSConfig, this could result in your computer becoming unbootable. Just let me know.

If Combofix creates a log, please post it.
Gary R
Administrator
 
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Possible attack by spy.Zbot.ZR trojan

Post by rickronn » November 11th, 2011, 5:20 am

Hello, Gary R,
It didn't generate the scan log so I re-ran ComboFix in Safe Mode. Below is the log.

ComboFix 11-11-10.01 - KYTANG /11/11 星期五 16:46:20.2.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.255.137 [GMT 8:00]
執行位置: c:\documents and settings\KYTANG\桌面\ComboFix.exe
AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
注意 - 這台電腦沒有安裝恢復控制台 !!
.
.
((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( 驅動/服務 )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MSUNATSERVICE
.
.
((((((((((((((((((((((((( 2011-10-11 至 2011-11-11 的新的檔案 )))))))))))))))))))))))))))))))
.
.
2011-11-10 08:35 . 2011-11-10 08:35 -------- d-----w- c:\windows\srchasst
2011-11-01 09:44 . 2011-11-01 09:44 -------- d-----w- c:\documents and settings\KYTANG\Application Data\Malwarebytes
2011-11-01 09:43 . 2011-11-01 09:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-01 09:43 . 2011-11-01 09:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-01 09:43 . 2011-08-31 09:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-28 01:55 . 2011-11-01 10:49 -------- d-----w- c:\documents and settings\KYTANG\Application Data\Muuto
2011-10-28 01:55 . 2011-10-28 01:55 -------- d-----w- c:\documents and settings\KYTANG\Application Data\Omig
2011-10-27 09:03 . 2011-11-01 10:49 -------- d-----w- c:\documents and settings\KYTANG\Application Data\Naly
2011-10-27 09:03 . 2011-10-27 09:03 -------- d-----w- c:\documents and settings\KYTANG\Application Data\Enz
2011-10-27 02:23 . 2011-11-01 10:49 -------- d-----w- c:\documents and settings\KYTANG\Application Data\Mure
2011-10-27 02:23 . 2011-10-27 02:23 -------- d-----w- c:\documents and settings\KYTANG\Application Data\Dageku
2011-10-26 09:33 . 2011-11-01 10:49 -------- d-----w- c:\documents and settings\KYTANG\Application Data\Bie
2011-10-26 09:33 . 2011-10-26 09:33 -------- d-----w- c:\documents and settings\KYTANG\Application Data\Okabomp
2011-10-26 01:39 . 2011-11-01 09:03 -------- d-----w- c:\documents and settings\KYTANG\Application Data\Cie
2011-10-26 01:39 . 2011-11-01 08:57 -------- d-----w- c:\documents and settings\KYTANG\Application Data\Idomfi
.
.
.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2003-01-13 03:31 . 2011-01-24 06:09 278528 ------w- c:\program files\internet explorer\plugins\PanoViewer.dll
1999-04-30 08:00 . 2011-01-24 06:09 98304 ------w- c:\program files\internet explorer\plugins\UPjpeg.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-06-20 . A9BDFBF69934912DD847632B2995A191 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . A9BDFBF69934912DD847632B2995A191 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2008-04-15 . 51A410B26D822F0A8003F29BC7D6F73A . 1680384 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-15 . F7A2245D8BD832D1E7A01C26D5E6EFD0 . 978432 . . [6.00.2900.5512] . . c:\windows\VIPv3\backup\explorer.exe
.
[-] 2008-04-15 . D80CCBB7D6B4F3EE46AB44A22D993D42 . 209920 . . [5.1.2600.5512] . . c:\windows\regedit.exe
[-] 2008-04-15 . D80CCBB7D6B4F3EE46AB44A22D993D42 . 209920 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\regedit.exe
[7] 2008-04-15 . 7BD5023F3E2B0224679E9951C237B1DE . 132096 . . [5.1.2600.5512] . . c:\windows\VIPv3\backup\regedit.exe
.
[-] 2004-08-17 . 28046B6867800B3F12C652CE2C9EA340 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys
.
[-] 2004-08-03 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . c:\windows\system32\drivers\AGP440.SYS
.
((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\Green Software\記憶體優化軟體-FreeRAM XP Pro v1.40 中文免安裝版\FreeRAM XP Pro.exe" [2003-11-03 1353728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Visual Tooltip"="c:\program files\Green Software\工作列管理大師-Visual Tooltip v2.2 繁體綠化版\VisualToolTip.exe" [2007-04-25 956928]
"WinFlip"="c:\program files\Green Software\讓XP擁有比Vista更炫的3D視窗特效-WinFlip v0.50 繁體綠色版\WinFlip.exe" [2008-05-21 483328]
"DriveSpace"="c:\program files\Drive Space Indicator\DrvSpace.exe" [2008-07-19 395716]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 144784]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 90112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-07 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-08-12 2215064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-15 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-08-27 12:24 210168 ----a-w- c:\program files\Green Software\WindowBlinds\wbsrv.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0080404]
IME File REG_SZ IMTCP12.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0090404]
IME File REG_SZ IMTCC12.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e00a0404]
IME File REG_SZ IMTCQ12.IME
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvSpace
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2382:TCP"= 2382:TCP:msdrm
"443:TCP"= 443:TCP:msdrm
"5225:TCP"= 5225:TCP:msdrm
"49152:TCP"= 49152:TCP:msdrm
"5222:TCP"= 5222:TCP:msdrm
.
R0 hptpro;hptpro;c:\windows\system32\DRIVERS\hptpro.sys [2002-12-10 9809]
R1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-07-29 115008]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2010-08-12 810144]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
R3 s3m;s3m;c:\windows\system32\DRIVERS\s3m.sys [2001-08-17 166720]
R3 vmx_svga;vmx_svga;c:\windows\system32\DRIVERS\vmx_svga.sys [2008-05-06 63536]
S0 amdagp8p;AMD NB AGP Bus Filter;c:\windows\system32\DRIVERS\amdagp8p.sys [2006-02-26 27648]
S0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\DRIVERS\DontGo.sys [2004-06-29 7680]
S0 tmagp;Transmeta TM 8000 AGP Filter Driver;c:\windows\system32\DRIVERS\tmagp.sys [2004-10-18 27648]
S0 ULiAGP;ULi AGP Controller Bus Filter Driver;c:\windows\system32\DRIVERS\ULiAGP.sys [2005-03-28 33408]
S0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\DRIVERS\agpkx.sys [2006-02-26 45056]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2008-06-23 16:15 124928 ----a-w- c:\windows\system32\advpack.dll
.
.
------- 而外的掃描 -------
.
uStart Page = hxxp://hk.yahoo.com/
IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\NetLimiter\nl_lsp.dll
TCP: Interfaces\{D3B04869-4614-4514-963B-B82D4FF63BC1}: NameServer = 203.198.23.208,218.102.32.208
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-{DFEFB883-ED91-7502-F445-755269A46367} - c:\documents and settings\KYTANG\Application Data\Idomfi\evnaabi.exe
HKU-Default-Run-msdrm - msdrm.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-11 16:56
Windows 5.1.2600 Service Pack 3 NTFS
.
掃描被隱藏的進程 ...
.
掃描被隱藏的啟動組 ...
.
掃描被隱藏的文件 ...
.
掃描完成
被隱藏的檔案: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"
.
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Folder\shell\墣 *U*l*e*a*d* *P*h*o*t*o* *E*x*p*l*o*r*e*r* *?_U\command]
@="c:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.6\\pex.exe \"%L\""
.
--------------------- 運行進程下的動態鏈接庫 ---------------------
.
- - - - - - - > 'winlogon.exe'(216)
c:\windows\system32\WINSTA.dll
c:\windows\system32\MSGINA.dll
c:\windows\system32\comdlg32.dll
c:\program files\Green Software\WindowBlinds\WBSrv.dll
.
- - - - - - - > 'lsass.exe'(272)
c:\windows\system32\SETUPAPI.dll
.
- - - - - - - > 'explorer.exe'(1256)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\credui.dll
.
完成時間: 2011-11-11 17:00:09
ComboFix-quarantined-files.txt 2011-11-11 09:00
.
Pre-Run: 8,006,230,016 位元組可用
Post-Run: 7,968,931,840 位元組可用
.
- - End Of File - - D1347AF6043A707A6E313A42DE09BD7B

Best regards.
rickronn
Regular Member
Posts: 18
Joined: November 2nd, 2011, 1:15 am

Re: Possible attack by spy.Zbot.ZR trojan

Post by Gary R » November 11th, 2011, 6:10 am

I'd like you to check some files for Viruses.
c:\windows\system32\drivers\tcpip.sys
c:\windows\regedit.exe

  • Browse to the first file in the quote box above.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • If it tells you this file has already been scanned, please opt for a re-scan.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Repeat for all files on the list, and post me the details please.

Next

Please download SystemLook from one of the links below and save it to your Desktop.

For 32 bit Systems
Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
Code:
:filefind
tcpip.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Next

Download TDSSKiller.zip and extract it to your Desktop.
  • Double click on TDSSKiller.exe to launch it.
    • If using Vista or Windows7, when prompted by UAC allow the prompt.
  • Click on Start Scan
  • The scan will run.
  • When the scan has finished, if it finds anything please click on the drop down arrow next to Cure and select Skip
  • Now click on Report to open the log file created by TDSSKiller in your root directory C:\
  • Post the contents in your next reply please.
  • DO NOT TRY TO FIX ANYTHING AT THIS POINT

Summary of the logs I need from you in your next post:
  • Results from VirusTotal or Jotti's
  • TDSSKiller log


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.
Gary R
Administrator
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Possible attack by spy.Zbot.ZR trojan

Post by rickronn » November 14th, 2011, 2:30 am

Hello, Gary R,
These are the logs from VirusTotal.

File name: tcpip.sys
Submission date: 2011-11-14 05:40:16 (UTC)
Current status: queued queued analysing finished


Result: 1/ 42 (2.4%)

Antivirus Version Last Update Result
AhnLab-V3 2011.11.13.00 2011.11.13 -
AntiVir 7.11.17.148 2011.11.14 -
Antiy-AVL 2.0.3.7 2011.11.14 -
Avast 6.0.1289.0 2011.11.14 -
AVG 10.0.0.1190 2011.11.14 -
BitDefender 7.2 2011.11.14 -
ByteHero 1.0.0.1 2011.11.14 -
ClamAV 0.97.3.0 2011.11.14 -
Commtouch 5.3.2.6 2011.11.14 -
Comodo 10778 2011.11.14 -
DrWeb 5.0.2.03300 2011.11.14 -
Emsisoft 5.1.0.11 2011.11.14 -
eSafe 7.0.17.0 2011.11.13 -
eTrust-Vet 37.0.9564 2011.11.11 -
F-Prot 4.6.5.141 2011.11.14 -
F-Secure 9.0.16440.0 2011.11.14 -
Fortinet 4.3.370.0 2011.11.14 -
GData 22 2011.11.14 -
Ikarus T3.1.1.109.0 2011.11.14 -
Jiangmin 13.0.900 2011.11.13 -
K7AntiVirus 9.119.5447 2011.11.12 -
Kaspersky 9.0.0.837 2011.11.14 -
McAfee 5.400.0.1158 2011.11.14 -
McAfee-GW-Edition 2010.1D 2011.11.13
Microsoft 1.7801 2011.11.14 -
NOD32 6626 2011.11.14 -
Norman 6.07.13 2011.11.13 -
nProtect 2011-11-13.01 2011.11.13 -
Panda 10.0.3.5 2011.11.13 -
PCTools 8.0.0.5 2011.11.14 -
Prevx 3.0 2011.11.14 -
Rising 23.84.00.01 2011.11.14 -
Sophos 4.71.0 2011.11.14 -
SUPERAntiSpyware 4.40.0.1006 2011.11.12 -
Symantec 20111.2.0.82 2011.11.14 -
TheHacker 6.7.0.1.342 2011.11.14 -
TrendMicro 9.500.0.1008 2011.11.14 -
TrendMicro-HouseCall 9.500.0.1008 2011.11.14 -
VBA32 3.12.16.4 2011.11.11 -
VIPRE 11042 2011.11.14 -
ViRobot 2011.11.14.4771 2011.11.14 -
VirusBuster 14.1.61.0 2011.11.13 -

MD5 : a9bdfbf69934912dd847632b2995a191
SHA1 : 061edcb9fabeb2ca9510942d681e0ee563765516
SHA256: 28120df1ce2beeff50f28e78c76cb5988dafa12275c049bb72bd1b86a6dada39
ssdeep: 6144:fJVxTJMCOHOcecOeaVrith/CC/LxGh5wCQCzKLQ/xuczo:fDxTl2OzryZCAQ4CQDQ/
File size : 361600 bytes
First seen: 2010-01-09 05:25:33
Last seen : 2011-11-14 05:40:16
TrID:
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: TCP/IP Protocol Driver
original name: tcpip.sys
internal name: tcpip.sys
file version.: 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x50D23
timedatestamp....: 0x485B99AD (Fri Jun 20 11:51:09 2008)
machinetype......: 0x14c (I386)

[[ 10 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x380, 0x3F05A, 0x3F080, 6.58, 469827b02f4403f5236e017c0c4bc49a
.rdata, 0x3F400, 0x574, 0x580, 4.44, 0eb5bdbba26ed4d079a201f965266cb4
.data, 0x3F980, 0xA4A4, 0xA500, 0.06, ea0c5005c163289d0c29ae80301cb86f
PAGE, 0x49E80, 0x1F85, 0x2000, 6.38, 29223020b8202f58b61651e2099c84e8
PAGELK, 0x4BE80, 0x6F2, 0x700, 6.19, d82540f4886ebcffb849774114194524
PAGEIPMc, 0x4C580, 0x2781, 0x2800, 6.43, bb13276e642dee8cf0a818967e06b022
.edata, 0x4ED80, 0x341, 0x380, 5.23, 32781ababdbcd87358c1d1eb84509dd0
INIT, 0x4F100, 0x5936, 0x5980, 6.19, bb7028db1ccd9f85f27162dab19a473d
.rsrc, 0x54A80, 0x3F0, 0x400, 3.41, 3fd0d62483602aa6ce780c14866b4e39
.reloc, 0x54E80, 0x3590, 0x3600, 6.79, 1e3ca28ef6ff9cf6fa16149dbf4fe144

[[ 4 import(s) ]]
HAL.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel, KfReleaseSpinLock, KfAcquireSpinLock, KfRaiseIrql, KeGetCurrentIrql, KeQueryPerformanceCounter, ExAcquireFastMutex, ExReleaseFastMutex
NDIS.SYS: NdisCloseAdapter, NdisCancelSendPackets, NdisFreePacket, NdisUnchainBufferAtFront, NdisCompletePnPEvent, NdisFreePacketPool, NdisRequest, NdisAllocatePacket, NdisFreeMemory, NdisQueryAdapterInstanceName, NdisGetDriverHandle, NdisOpenAdapter, NdisAllocatePacketPoolEx, NdisGetReceivedPacket, NdisRegisterProtocol, NdisAllocateBuffer, NdisSetPacketPoolProtocolId, NdisReturnPackets, NdisCopyBuffer, NdisAllocateBufferPool, NdisFreeBufferPool, NdisReEnumerateProtocolBindings, NdisCompleteBindAdapter
ntoskrnl.exe: IoCreateDevice, _wcsicmp, wcscpy, wcsncpy, wcschr, ZwSetInformationThread, KeLeaveCriticalRegion, KeEnterCriticalRegion, KeQueryTimeIncrement, KeSetEvent, IoDeleteSymbolicLink, ExDeleteNPagedLookasideList, KeDelayExecutionThread, ZwOpenKey, KeSetTimerEx, KeInitializeTimer, KeInitializeDpc, ExInitializeNPagedLookasideList, MmLockPagableSectionByHandle, ZwQueryValueKey, ZwSetValueKey, InterlockedPopEntrySList, InterlockedPushEntrySList, ExIsProcessorFeaturePresent, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, RtlMapGenericMask, IoGetFileObjectGenericMapping, ObReleaseObjectSecurity, SeSetSecurityDescriptorInfo, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ObGetObjectSecurity, IofCallDriver, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlAddAce, RtlGetAce, IoCreateSymbolicLink, RtlInitializeSid, RtlLengthRequiredSid, ObSetSecurityObjectByPointer, RtlSelfRelativeToAbsoluteSD, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlVerifyVersionInfo, VerSetConditionMask, IoWMIRegistrationControl, IoGetCurrentProcess, KeInitializeTimerEx, RtlExtendedIntegerMultiply, KeQueryInterruptTime, _aulldiv, DbgBreakPoint, KeSetTargetProcessorDpc, RtlSetBit, SeUnlockSubjectContext, SeAccessCheck, SeLockSubjectContext, ObDereferenceSecurityDescriptor, PsGetCurrentProcessId, RtlWalkFrameChain, ExNotifyCallback, ExCreateCallback, ObReferenceObjectByHandle, MmUnlockPages, SeFreePrivileges, SeAppendPrivileges, ObLogSecurityDescriptor, SeAssignSecurity, IoFileObjectType, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, ProbeForWrite, ObfReferenceObject, PsGetCurrentProcess, RtlPrefetchMemoryNonTemporal, KeInitializeMutex, MmIsThisAnNtAsSystem, KeWaitForSingleObject, KeReleaseMutex, KeReadStateEvent, IoDeleteDevice, ZwEnumerateValueKey, RtlUnicodeStringToInteger, RtlIpv4StringToAddressW, RtlTimeToTimeFields, ExLocalTimeToSystemTime, RtlExtendedMagicDivide, RtlAppendUnicodeToString, ZwClose, _allmul, MmQuerySystemSize, RtlCompareUnicodeString, RtlInitializeBitMap, RtlClearAllBits, RtlSetBits, wcslen, RtlAreBitsSet, RtlClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, DbgPrint, memmove, RtlCopyUnicodeString, RtlAppendUnicodeStringToString, ZwLoadDriver, KeResetEvent, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, ExfInterlockedAddUlong, MmMapLockedPagesSpecifyCache, IoFreeMdl, ExfInterlockedInsertTailList, RtlInitUnicodeString, MmMapLockedPages, KeNumberProcessors, RtlUnicodeStringToAnsiString, MmLockPagableDataSection, MmUnlockPagableImageSection, RtlCompareMemory, ExAllocatePoolWithTag, KeCancelTimer, KeClearEvent, RtlAnsiStringToUnicodeString, IoRaiseInformationalHardError, KeInitializeEvent, ExFreePoolWithTag, ExAllocatePoolWithTagPriority, KeInitializeSpinLock, _alldiv, KeQuerySystemTime, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, KeBugCheckEx, RtlSubAuthoritySid, KeTickCount, MmBuildMdlForNonPagedPool, ZwDeviceIoControlFile, ZwCreateFile
TDI.SYS: CTESystemUpTime, CTEBlock, CTELogEvent, CTESignal, CTEBlockWithTracker, CTEStartTimer, CTEInitEvent, CTEScheduleDelayedEvent, CTEInitTimer, TdiProviderReady, CTEInitialize, TdiDeregisterNetAddress, TdiRegisterNetAddress, TdiDeregisterDeviceObject, TdiRegisterDeviceObject, TdiDeregisterProvider, TdiRegisterProvider, TdiPnPPowerRequest, TdiCopyMdlChainToMdlChain, TdiInitialize, TdiDeregisterPnPHandlers, TdiRegisterPnPHandlers, CTEScheduleEvent, TdiCopyBufferToMdl, CTERemoveBlockTracker, CTEInsertBlockTracker, TdiMapUserRequest, TdiCopyBufferToMdlWithReservedMappingAtDpcLevel

[[ 31 export(s) ]]
ARPRcv, ARPRcvPacket, FreeIprBuff, GetIFAndLink, IPAddInterface, IPAllocBuff, IPDelInterface, IPDelayedNdisReEnumerateBindings, IPDeregisterARP, IPDisableSniffer, IPEnableSniffer, IPFreeBuff, IPGetAddrType, IPGetBestInterface, IPGetInfo, IPInjectPkt, IPProxyNdisRequest, IPRcvComplete, IPRcvPacket, IPRegisterARP, IPRegisterProtocol, IPSetIPSecStatus, IPTransmit, LookupRoute, LookupRouteInformation, LookupRouteInformationWithBuffer, SendICMPErr, SetIPSecPtr, UnSetIPSecPtr, UnSetIPSecSendPtr, tcpxsum

ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 301312
CompanyName: Microsoft Corporation
EntryPoint: 0x50d23
FileDescription: TCP/IP Protocol Driver
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 353 kB
FileSubtype: 7
FileType: Win32 EXE
FileVersion: 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249)
FileVersionNumber: 5.1.2600.5625
ImageVersion: 5.1
InitializedDataSize: 59392
InternalName: tcpip.sys
LanguageCode: English (U.S.)
LegalCopyright: Microsoft Corporation. All rights reserved.
LinkerVersion: 7.1
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.1
ObjectFileType: Driver
OriginalFilename: tcpip.sys
PEType: PE32
ProductName: Microsoft Windows Operating System
ProductVersion: 5.1.2600.5625
ProductVersionNumber: 5.1.2600.5625
Subsystem: Native
SubsystemVersion: 5.1
TimeStamp: 2008:06:20 13:51:09+02:00
UninitializedDataSize: 0

File name: regedit.exe
Submission date: 2011-11-14 06:01:41 (UTC)
Current status: queued (#4) queued (#4) analysing finished


Result: 0/ 42 (0.0%)
rickronn
Regular Member
Posts: 18
Joined: November 2nd, 2011, 1:15 am

Re: Possible attack by spy.Zbot.ZR trojan

Post by rickronn » November 14th, 2011, 2:33 am

And these are the logs from TDSSKiller & SystemLook.

14:22:52.0968 2832 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15
14:22:54.0062 2832 ============================================================
14:22:54.0062 2832 Current date / time: 2011/11/14 14:22:54.0062
14:22:54.0062 2832 SystemInfo:
14:22:54.0062 2832
14:22:54.0062 2832 OS Version: 5.1.2600 ServicePack: 3.0
14:22:54.0062 2832 Product type: Workstation
14:22:54.0062 2832 ComputerName: KYTANG
14:22:54.0062 2832 UserName: KYTANG
14:22:54.0062 2832 Windows directory: C:\WINDOWS
14:22:54.0062 2832 System windows directory: C:\WINDOWS
14:22:54.0062 2832 Processor architecture: Intel x86
14:22:54.0062 2832 Number of processors: 1
14:22:54.0062 2832 Page size: 0x1000
14:22:54.0062 2832 Boot type: Normal boot
14:22:54.0062 2832 ============================================================
14:22:54.0750 2832 Initialize success
14:22:58.0812 2812 ============================================================
14:22:58.0812 2812 Scan started
14:22:58.0812 2812 Mode: Manual;
14:22:58.0812 2812 ============================================================
14:23:01.0359 2812 Abiosdsk - ok
14:23:01.0531 2812 ACPI (f0f77b58315294b11a142425a31d2a91) C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:23:01.0625 2812 ACPI - ok
14:23:01.0843 2812 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
14:23:01.0906 2812 aec - ok
14:23:02.0281 2812 AFD (e3049b90fe06f3f740b7cfda44995e2c) C:\WINDOWS\System32\drivers\afd.sys
14:23:02.0296 2812 AFD - ok
14:23:02.0484 2812 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
14:23:02.0546 2812 agpCPQ - ok
14:23:04.0359 2812 ALCXWDM (8a8909fdd548d84a3e02e04f699ee705) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
14:23:06.0203 2812 ALCXWDM - ok
14:23:06.0515 2812 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
14:23:06.0687 2812 alim1541 - ok
14:23:06.0843 2812 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
14:23:06.0921 2812 amdagp - ok
14:23:07.0140 2812 amdagp8p (d5bcc5dd747fdd6ad1a5b3fa2bdbb5fa) C:\WINDOWS\system32\DRIVERS\amdagp8p.sys
14:23:07.0234 2812 amdagp8p - ok
14:23:07.0468 2812 AmdK8 (1b0806a92432bf6e9def9fbf0494f67d) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
14:23:07.0640 2812 AmdK8 - ok
14:23:07.0859 2812 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:23:07.0937 2812 AsyncMac - ok
14:23:08.0093 2812 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
14:23:08.0187 2812 atapi - ok
14:23:08.0296 2812 Atdisk - ok
14:23:08.0359 2812 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:23:08.0453 2812 Atmarpc - ok
14:23:08.0765 2812 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
14:23:08.0875 2812 audstub - ok
14:23:09.0062 2812 bb-run (7270d070173b20ac9487ea16bb08b45f) C:\WINDOWS\system32\DRIVERS\bb-run.sys
14:23:09.0109 2812 bb-run - ok
14:23:09.0359 2812 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
14:23:09.0421 2812 Beep - ok
14:23:09.0812 2812 caboagp (3b0fed71f3ffb5a8ca6b710723dcad90) C:\WINDOWS\system32\DRIVERS\atisgkaf.sys
14:23:09.0859 2812 caboagp - ok
14:23:10.0015 2812 catchme - ok
14:23:10.0312 2812 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
14:23:10.0375 2812 Cdaudio - ok
14:23:10.0828 2812 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
14:23:10.0890 2812 Cdfs - ok
14:23:11.0093 2812 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:23:11.0156 2812 Cdrom - ok
14:23:11.0390 2812 Changer - ok
14:23:11.0765 2812 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
14:23:11.0828 2812 CmBatt - ok
14:23:12.0000 2812 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
14:23:12.0218 2812 Compbatt - ok
14:23:12.0421 2812 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
14:23:12.0625 2812 Disk - ok
14:23:12.0953 2812 dmboot (5f7cda0fb67900e82127a7249f08a8b0) C:\WINDOWS\system32\drivers\dmboot.sys
14:23:13.0187 2812 dmboot - ok
14:23:13.0375 2812 dmio (7f871791c3fc53b6e8e6c804820a8deb) C:\WINDOWS\system32\drivers\dmio.sys
14:23:13.0671 2812 dmio - ok
14:23:13.0875 2812 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
14:23:13.0953 2812 dmload - ok
14:23:14.0109 2812 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
14:23:14.0234 2812 DMusic - ok
14:23:14.0421 2812 dontgo (ee1cf616037552f4e75fd6592d0677b6) C:\WINDOWS\system32\DRIVERS\DontGo.sys
14:23:14.0609 2812 dontgo - ok
14:23:14.0750 2812 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
14:23:14.0843 2812 drmkaud - ok
14:23:15.0015 2812 eamon (1ceb779239965000b8f6adee17d4515b) C:\WINDOWS\system32\DRIVERS\eamon.sys
14:23:15.0109 2812 eamon - ok
14:23:15.0296 2812 ehdrv (7d300a43a7bd8769e0f901bf9e1ae367) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
14:23:15.0375 2812 ehdrv - ok
14:23:15.0781 2812 epfw (15bfe00f030ea20955117bb0677e9668) C:\WINDOWS\system32\DRIVERS\epfw.sys
14:23:15.0875 2812 epfw - ok
14:23:16.0062 2812 Epfwndis (52310e0e603d7da79ecca7d764937a91) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys
14:23:16.0156 2812 Epfwndis - ok
14:23:16.0328 2812 epfwtdi (bdde7dd8fcdb1de7e879bb320b0605c0) C:\WINDOWS\system32\DRIVERS\epfwtdi.sys
14:23:16.0406 2812 epfwtdi - ok
14:23:16.0703 2812 es1371 (a55dd7d8ced5d2624a9ee2dda7be0319) C:\WINDOWS\system32\drivers\es1371mp.sys
14:23:16.0781 2812 es1371 - ok
14:23:16.0984 2812 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
14:23:17.0078 2812 Fastfat - ok
14:23:17.0281 2812 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
14:23:17.0375 2812 Fdc - ok
14:23:17.0531 2812 Fips (9f124bb47b9a5973e4f025926af1be49) C:\WINDOWS\system32\drivers\Fips.sys
14:23:17.0593 2812 Fips - ok
14:23:17.0796 2812 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
14:23:17.0875 2812 Flpydisk - ok
14:23:18.0031 2812 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
14:23:18.0093 2812 FltMgr - ok
14:23:18.0281 2812 FsVga (10a80a866a41490a43fdcccfeef0dce4) C:\WINDOWS\system32\DRIVERS\fsvga.sys
14:23:18.0359 2812 FsVga - ok
14:23:18.0578 2812 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:23:18.0625 2812 Fs_Rec - ok
14:23:18.0875 2812 Ftdisk (38375a4d9582a08c14c928cc099b8836) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:23:18.0921 2812 Ftdisk - ok
14:23:19.0109 2812 gagp30kx (3a74c423cf6bcca6982715878f450a3b) C:\WINDOWS\system32\DRIVERS\gagp30kx.sys
14:23:19.0187 2812 gagp30kx - ok
14:23:19.0375 2812 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
14:23:19.0437 2812 gameenum - ok
14:23:19.0609 2812 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:23:19.0703 2812 Gpc - ok
14:23:19.0968 2812 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:23:20.0062 2812 HidUsb - ok
14:23:20.0296 2812 hptpro (2b5e16c0e3d0eaa699750e01aea82d90) C:\WINDOWS\system32\DRIVERS\hptpro.sys
14:23:20.0359 2812 hptpro - ok
14:23:20.0562 2812 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
14:23:20.0578 2812 HTTP - ok
14:23:20.0734 2812 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
14:23:20.0812 2812 i2omgmt - ok
14:23:20.0953 2812 i8042prt (5c97e366c9cae77205966f04f554406b) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
14:23:21.0000 2812 i8042prt - ok
14:23:21.0171 2812 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
14:23:21.0250 2812 Imapi - ok
14:23:21.0468 2812 intelppm (45cd166524915689bf0c24ff8507995d) C:\WINDOWS\system32\DRIVERS\intelppm.sys
14:23:21.0546 2812 intelppm - ok
14:23:21.0750 2812 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
14:23:21.0859 2812 Ip6Fw - ok
14:23:22.0046 2812 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:23:22.0093 2812 IpFilterDriver - ok
14:23:22.0328 2812 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:23:22.0390 2812 IpInIp - ok
14:23:22.0578 2812 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:23:22.0687 2812 IpNat - ok
14:23:22.0843 2812 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:23:22.0906 2812 IPSec - ok
14:23:23.0109 2812 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
14:23:23.0171 2812 IRENUM - ok
14:23:23.0328 2812 isapnp (0bc81e31075989c89e0328cf94e75d61) C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:23:23.0421 2812 isapnp - ok
14:23:23.0562 2812 Kbdclass (781a83ee8d53443539e54d4743437196) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:23:23.0625 2812 Kbdclass - ok
14:23:23.0781 2812 kbdhid (7ac6d7729e83ab83165003609deeed3e) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
14:23:23.0843 2812 kbdhid - ok
14:23:24.0015 2812 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
14:23:24.0015 2812 kmixer - ok
14:23:24.0203 2812 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
14:23:24.0265 2812 KSecDD - ok
14:23:24.0453 2812 lbrtfdc - ok
14:23:24.0562 2812 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
14:23:24.0593 2812 MBAMProtector - ok
14:23:24.0734 2812 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
14:23:24.0796 2812 mnmdd - ok
14:23:25.0000 2812 Modem (cf73e8aa9b3679a7dc456e12b4047e1a) C:\WINDOWS\system32\drivers\Modem.sys
14:23:25.0093 2812 Modem - ok
14:23:25.0281 2812 Mouclass (4f970d7b5ff265c830142c12d5164991) C:\WINDOWS\system32\DRIVERS\mouclass.sys
14:23:25.0359 2812 Mouclass - ok
14:23:25.0531 2812 mouhid (44cacbcea57a1a1dc44f1454d033178c) C:\WINDOWS\system32\DRIVERS\mouhid.sys
14:23:25.0562 2812 mouhid - ok
14:23:25.0765 2812 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
14:23:25.0828 2812 MountMgr - ok
14:23:25.0984 2812 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
14:23:26.0093 2812 MRxDAV - ok
14:23:26.0265 2812 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
14:23:26.0281 2812 MRxSmb - ok
14:23:26.0500 2812 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
14:23:26.0546 2812 Msfs - ok
14:23:26.0671 2812 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
14:23:26.0765 2812 MSKSSRV - ok
14:23:26.0953 2812 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
14:23:27.0062 2812 MSPCLOCK - ok
14:23:27.0265 2812 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
14:23:27.0359 2812 MSPQM - ok
14:23:27.0515 2812 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
14:23:27.0578 2812 mssmbios - ok
14:23:27.0750 2812 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys
14:23:27.0812 2812 ms_mpu401 - ok
14:23:27.0984 2812 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
14:23:28.0015 2812 MTsensor - ok
14:23:28.0187 2812 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
14:23:28.0187 2812 Mup - ok
14:23:28.0375 2812 Nbf (c087dd7fa47c4a43683df764fbfa30a7) C:\WINDOWS\system32\DRIVERS\nbf.sys
14:23:28.0437 2812 Nbf - ok
14:23:28.0640 2812 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
14:23:28.0671 2812 NDIS - ok
14:23:28.0843 2812 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:23:28.0843 2812 NdisTapi - ok
14:23:28.0984 2812 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:23:29.0046 2812 Ndisuio - ok
14:23:29.0203 2812 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:23:29.0250 2812 NdisWan - ok
14:23:29.0468 2812 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
14:23:29.0468 2812 NDProxy - ok
14:23:29.0640 2812 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
14:23:29.0671 2812 NetBIOS - ok
14:23:29.0875 2812 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
14:23:29.0953 2812 NetBT - ok
14:23:30.0187 2812 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
14:23:30.0281 2812 Npfs - ok
14:23:30.0781 2812 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
14:23:31.0093 2812 Ntfs - ok
14:23:31.0375 2812 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
14:23:31.0546 2812 Null - ok
14:23:35.0593 2812 nv (18c9b152da7bea76b2f9e4b6412e0aaf) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
14:23:44.0171 2812 nv - ok
14:23:44.0531 2812 nvata (0344aa9113dc16eec379f4652020849d) C:\WINDOWS\system32\DRIVERS\nvata.sys
14:23:44.0765 2812 nvata - ok
14:23:45.0171 2812 NVENETFD (d314fe034d68c09d412727886e24f5fb) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
14:23:45.0281 2812 NVENETFD - ok
14:23:45.0796 2812 nvgts (a117466b0acb13288deee4f2e936e67f) C:\WINDOWS\system32\DRIVERS\nvgts.sys
14:23:46.0031 2812 nvgts - ok
14:23:46.0437 2812 nvnetbus (f99fbb623ed78367574ee461b5b32c2c) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
14:23:46.0765 2812 nvnetbus - ok
14:23:47.0109 2812 nv_agp (3194e2f6c9000c39dcf9d0580754f714) C:\WINDOWS\system32\DRIVERS\nv_agp.sys
14:23:47.0296 2812 nv_agp - ok
14:23:47.0968 2812 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:23:48.0093 2812 NwlnkFlt - ok
14:23:48.0640 2812 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:23:48.0781 2812 NwlnkFwd - ok
14:23:49.0343 2812 Parport (2665738bbc2167dac4f7624e91714034) C:\WINDOWS\system32\DRIVERS\parport.sys
14:23:49.0640 2812 Parport - ok
14:23:50.0218 2812 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
14:23:50.0406 2812 PartMgr - ok
14:23:50.0890 2812 ParVdm (3d531ced44f72ef076ff795c001aa9f8) C:\WINDOWS\system32\drivers\ParVdm.sys
14:23:51.0062 2812 ParVdm - ok
14:23:51.0453 2812 PCI (b60f8943711a08dc958f1b3795d7119b) C:\WINDOWS\system32\DRIVERS\pci.sys
14:23:51.0562 2812 PCI - ok
14:23:51.0906 2812 PCIDump - ok
14:23:52.0187 2812 Pcmcia (27be6ff1e22da3cffbff1ee3cddd89dd) C:\WINDOWS\system32\drivers\Pcmcia.sys
14:23:52.0406 2812 Pcmcia - ok
14:23:52.0796 2812 PCnet (7bc8027d56fab153a987c56ae9835664) C:\WINDOWS\system32\DRIVERS\pcntpci5.sys
14:23:52.0953 2812 PCnet - ok
14:23:53.0265 2812 PDCOMP - ok
14:23:53.0531 2812 PDFRAME - ok
14:23:53.0890 2812 PDRELI - ok
14:23:54.0453 2812 PDRFRAME - ok
14:23:55.0171 2812 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
14:23:55.0250 2812 perc2hib - ok
14:23:55.0765 2812 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
14:23:56.0093 2812 PptpMiniport - ok
14:23:56.0453 2812 Processor (8d486d267894855102194e4fe801b9a8) C:\WINDOWS\system32\DRIVERS\processr.sys
14:23:56.0593 2812 Processor - ok
14:23:57.0015 2812 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
14:23:57.0140 2812 PSched - ok
14:23:57.0609 2812 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
14:23:58.0015 2812 Ptilink - ok
14:23:59.0031 2812 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
14:23:59.0234 2812 RasAcd - ok
14:23:59.0531 2812 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
14:23:59.0687 2812 Rasl2tp - ok
14:24:00.0046 2812 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
14:24:00.0218 2812 RasPppoe - ok
14:24:00.0656 2812 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
14:24:00.0812 2812 Raspti - ok
14:24:01.0234 2812 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
14:24:01.0484 2812 Rdbss - ok
14:24:02.0109 2812 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
14:24:02.0281 2812 RDPCDD - ok
14:24:02.0812 2812 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
14:24:03.0375 2812 rdpdr - ok
14:24:03.0953 2812 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
14:24:04.0187 2812 RDPWD - ok
14:24:04.0890 2812 redbook (6f4819152b79b034d74355e0aec029fd) C:\WINDOWS\system32\DRIVERS\redbook.sys
14:24:05.0015 2812 redbook - ok
14:24:05.0703 2812 s3m (22098a69bddf00b6a88264bf0996ccaa) C:\WINDOWS\system32\DRIVERS\s3m.sys
14:24:06.0093 2812 s3m - ok
14:24:06.0671 2812 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
14:24:06.0984 2812 Secdrv - ok
14:24:07.0562 2812 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
14:24:07.0703 2812 serenum - ok
14:24:08.0203 2812 Serial (7bed99aa723319389c934447bcae93a1) C:\WINDOWS\system32\DRIVERS\serial.sys
14:24:08.0343 2812 Serial - ok
14:24:09.0046 2812 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
14:24:09.0187 2812 Sfloppy - ok
14:24:09.0671 2812 SiFilter (e853c341bbf4ac0007a8db0858dbb09d) C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys
14:24:09.0718 2812 SiFilter - ok
14:24:09.0953 2812 Simbad - ok
14:24:10.0234 2812 SiRemFil (d80e6f142eb4963e82a8537dd745f51b) C:\WINDOWS\system32\DRIVERS\SiRemFil.sys
14:24:10.0328 2812 SiRemFil - ok
14:24:10.0656 2812 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
14:24:10.0765 2812 sisagp - ok
14:24:11.0406 2812 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
14:24:11.0656 2812 splitter - ok
14:24:12.0140 2812 sr (d9c8f57aa380fa3d2332847071be50f0) C:\WINDOWS\system32\DRIVERS\sr.sys
14:24:12.0296 2812 sr - ok
14:24:12.0734 2812 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
14:24:12.0812 2812 Srv - ok
14:24:13.0203 2812 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
14:24:13.0281 2812 swenum - ok
14:24:13.0750 2812 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
14:24:13.0906 2812 swmidi - ok
14:24:14.0500 2812 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
14:24:14.0546 2812 sysaudio - ok
14:24:14.0781 2812 Tcpip (a9bdfbf69934912dd847632b2995a191) C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:24:14.0781 2812 Tcpip - ok
14:24:14.0968 2812 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
14:24:15.0031 2812 TDPIPE - ok
14:24:15.0171 2812 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
14:24:15.0250 2812 TDTCP - ok
14:24:15.0406 2812 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
14:24:15.0500 2812 TermDD - ok
14:24:15.0750 2812 tmagp (2275ef7ca18a77268b527b926ab6d643) C:\WINDOWS\system32\DRIVERS\tmagp.sys
14:24:15.0765 2812 tmagp - ok
14:24:16.0046 2812 uagp35 (d85938f272d1bcf3db3a31fc0a048928) C:\WINDOWS\system32\DRIVERS\uagp35.sys
14:24:16.0109 2812 uagp35 - ok
14:24:16.0265 2812 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
14:24:16.0343 2812 Udfs - ok
14:24:16.0484 2812 ULiAGP (25ec7fd654641c4430646fde1f9971ab) C:\WINDOWS\system32\DRIVERS\ULiAGP.sys
14:24:16.0578 2812 ULiAGP - ok
14:24:16.0750 2812 uliagpkx (67ab641cc203081780e8483faa959549) C:\WINDOWS\system32\DRIVERS\agpkx.sys
14:24:16.0796 2812 uliagpkx - ok
14:24:17.0015 2812 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
14:24:17.0203 2812 Update - ok
14:24:17.0484 2812 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
14:24:17.0531 2812 usbccgp - ok
14:24:17.0734 2812 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
14:24:17.0796 2812 usbehci - ok
14:24:17.0984 2812 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
14:24:18.0062 2812 usbhub - ok
14:24:18.0265 2812 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
14:24:18.0312 2812 usbohci - ok
14:24:18.0625 2812 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:24:18.0687 2812 USBSTOR - ok
14:24:18.0968 2812 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
14:24:19.0125 2812 usbuhci - ok
14:24:19.0515 2812 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
14:24:19.0750 2812 VgaSave - ok
14:24:19.0953 2812 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
14:24:20.0078 2812 viaagp - ok
14:24:20.0265 2812 viaagp1 (4b039bbd037b01f5db5a144c837f283a) C:\WINDOWS\system32\DRIVERS\viaagp1.sys
14:24:20.0312 2812 viaagp1 - ok
14:24:20.0500 2812 vmx_svga (e125eab79c36e21252d29b73bd45b744) C:\WINDOWS\system32\DRIVERS\vmx_svga.sys
14:24:20.0531 2812 vmx_svga - ok
14:24:20.0734 2812 VolSnap (ea8669259fd8fa264c168b38741db8f3) C:\WINDOWS\system32\drivers\VolSnap.sys
14:24:20.0796 2812 VolSnap - ok
14:24:20.0984 2812 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
14:24:21.0093 2812 Wanarp - ok
14:24:21.0234 2812 WDICA - ok
14:24:21.0296 2812 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
14:24:21.0406 2812 wdmaud - ok
14:24:21.0640 2812 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
14:24:21.0671 2812 WS2IFSL - ok
14:24:21.0953 2812 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
14:24:21.0968 2812 WudfPf - ok
14:24:22.0156 2812 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
14:24:22.0234 2812 WudfRd - ok
14:24:22.0671 2812 xfilt (bec604cdc548a528ebd3d7aa1dd46a89) C:\WINDOWS\system32\DRIVERS\xfilt.sys
14:24:22.0750 2812 xfilt - ok
14:24:22.0781 2812 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
14:24:23.0015 2812 \Device\Harddisk0\DR0 - ok
14:24:23.0046 2812 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
14:24:23.0187 2812 \Device\Harddisk1\DR1 - ok
14:24:23.0203 2812 Boot (0x1200) (702ae0e51e0838aceee73d24fd4787ff) \Device\Harddisk0\DR0\Partition0
14:24:23.0203 2812 \Device\Harddisk0\DR0\Partition0 - ok
14:24:23.0218 2812 Boot (0x1200) (2da48fc45c7efe0150dfaeeeb418acb9) \Device\Harddisk1\DR1\Partition0
14:24:23.0218 2812 \Device\Harddisk1\DR1\Partition0 - ok
14:24:23.0218 2812 ============================================================
14:24:23.0218 2812 Scan finished
14:24:23.0218 2812 ============================================================
14:24:23.0234 4008 Detected object count: 0
14:24:23.0234 4008 Actual detected object count: 0
14:27:07.0500 4024 Deinitialize success


SystemLook 30.07.11 by jpshortstuff
Log created at 14:15 on 14/11/2011 by KYTANG
Administrator - Elevation successful

========== filefind ==========

Searching for "tcpip.sys"
C:\WINDOWS\system32\dllcache\tcpip.sys --a--c- 361600 bytes [08:32 21/01/2011] [11:51 20/06/2008] A9BDFBF69934912DD847632B2995A191
C:\WINDOWS\system32\drivers\tcpip.sys --a---- 361600 bytes [12:00 15/04/2008] [11:51 20/06/2008] A9BDFBF69934912DD847632B2995A191

-= EOF =-

Best regards.
rickronn
Regular Member
 
Posts: 18
Joined: November 2nd, 2011, 1:15 am
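
Added example, not code from the post or from the TDSSKiller/SystemLook tools themselves: a small Python parser for the two log formats above, used to cross-check the hash of a driver that both tools report. On Windows XP the copy under system32\dllcache is the file-protection backup of the installed driver, so the in-use tcpip.sys, its dllcache copy and the hash TDSSKiller reports should all agree; a copy that hashes differently is either a patched file or a half-applied update and deserves a closer look. The MBR check is included because TDSSKiller hashes only the 0x1B8 bytes shown in the log (the boot code, which ends where the disk signature and partition table begin), so two disks prepared by the same Windows installer are expected to show the same hash, as they do here. The sample lines are copied from the logs in the post; the function names are my own.

```python
import re

# Constructed sample: lines copied from the TDSSKiller and SystemLook logs in the post
# above (same file names and hashes; everything else in those logs is dropped).
TDSS_LOG = r"""
14:24:14.0781 2812 Tcpip (a9bdfbf69934912dd847632b2995a191) C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:24:14.0781 2812 Tcpip - ok
14:24:15.0406 2812 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
14:24:15.0500 2812 TermDD - ok
14:24:22.0781 2812 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
14:24:23.0015 2812 \Device\Harddisk0\DR0 - ok
14:24:23.0046 2812 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
14:24:23.0187 2812 \Device\Harddisk1\DR1 - ok
14:24:23.0203 2812 Boot (0x1200) (702ae0e51e0838aceee73d24fd4787ff) \Device\Harddisk0\DR0\Partition0
"""

SYSTEMLOOK_LOG = r"""
Searching for "tcpip.sys"
C:\WINDOWS\system32\dllcache\tcpip.sys --a--c- 361600 bytes [08:32 21/01/2011] [11:51 20/06/2008] A9BDFBF69934912DD847632B2995A191
C:\WINDOWS\system32\drivers\tcpip.sys --a---- 361600 bytes [12:00 15/04/2008] [11:51 20/06/2008] A9BDFBF69934912DD847632B2995A191
"""

# TDSSKiller: "<time> <pid> <name> [(0x<len>)] (<md5>) <path>"; "<name> - ok" verdict lines carry no hash.
TDSS_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(?P<name>\S+)(?:\s+\(0x[0-9A-Fa-f]+\))?"
    r"\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+?)\s*$"
)
# SystemLook filefind: "<path> <attrs> <size> bytes [<created>] [<modified>] <MD5>"
SYSLOOK_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>\S{7})\s+(?P<size>\d+) bytes\s+\[(?P<created>.+?)\]"
    r"\s+\[(?P<modified>.+?)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_tdsskiller(text):
    """One dict per hashed object (drivers, MBRs, boot sectors); '- ok' verdict lines are skipped."""
    return [
        {"name": m["name"], "md5": m["md5"].lower(), "path": m["path"]}
        for m in map(TDSS_RE.match, text.splitlines()) if m
    ]


def parse_systemlook(text):
    """One (path, md5) pair per filefind hit."""
    return [(m["path"], m["md5"].lower()) for m in map(SYSLOOK_RE.match, text.splitlines()) if m]


def hashes_for(filename, tdss, syslook):
    """Every MD5 either tool reported for <filename>, keyed by lower-cased path (NTFS is case-insensitive)."""
    suffix = "\\" + filename.lower()
    seen = {}
    for obj in tdss:
        if obj["path"].lower().endswith(suffix):
            seen[obj["path"].lower()] = obj["md5"]
    for path, md5 in syslook:
        if path.lower().endswith(suffix):
            seen[path.lower()] = md5
    return seen


def all_copies_agree(seen):
    """True when the live driver, its dllcache copy and TDSSKiller's view all hash the same."""
    return len(set(seen.values())) == 1


def mbr_hashes(tdss):
    """Boot-code hash per physical disk, so identical or differing MBRs across disks show at a glance."""
    return {obj["path"]: obj["md5"] for obj in tdss if obj["name"] == "MBR"}


if __name__ == "__main__":
    tdss = parse_tdsskiller(TDSS_LOG)
    seen = hashes_for("tcpip.sys", tdss, parse_systemlook(SYSTEMLOOK_LOG))
    for path, md5 in seen.items():
        print(f"{md5}  {path}")
    print("tcpip.sys copies agree:", all_copies_agree(seen))
    print("MBR code hashes:", mbr_hashes(tdss))
```

Run it against the two full logs and the same check works for any driver name the helper is curious about; a hash that TDSSKiller reports but SystemLook does not find at the same path (or vice versa) shows up as an extra key in the dictionary rather than being silently merged.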

Re: Possible attack by spy.Zbot.ZR trojan

Unread postby Gary R » November 14th, 2011, 6:09 am

I don't see any signs of infection in any of your logs so far.

You do have an old version of Java that needs replacing ....

Please go to Control Panel > Add/Remove Programs and Uninstall the following:

Java(TM) 6 Update 7


Now reboot your computer.

Now download and install JDK 6 Update 29 (JDK or JRE).

Next

Please run a scan with ESET Online Scanner (use this please, not your on-board version of ESET, since I'm more familiar with the logs it produces).

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.
  • Please go HERE then click on: [image]
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/ActiveX to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log in your next reply please.
  • Now click on: [image] (Selecting Uninstall application on close if you so wish)

Please read .....


.... and work your way through the instructions there, then let me know if this improves your computer speed.

Your DDS log shows you only have 256M of RAM. Most modern software is memory intensive, and 256M is not really enough to run things efficiently. It is this more than anything else that is likely to be the cause of your speed problems. Adding memory is the most likely solution to your problems.
Gary R
Administrator
 
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Possible attack by spy.Zbot.ZR trojan

Unread postby rickronn » November 15th, 2011, 3:20 am

Hello, Gary R,

I have updated Java, and the ESET online scan log is as follows.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16705 (vista_gdr.080618-1506)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=a1c8203a8b968748bc5f2f94a4842562
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-11-15 07:09:02
# local_time=2011-11-15 03:09:02 )
# country="Taiwan"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8201 39157157 100 100 0 38909527 0 0
# scanned=37515
# found=5
# cleaned=0
# scan_time=2591
# nod_component=V3 Build:0x30000000
C:\Program Files\Green Software\WindowBlinds\patch.exe a variant of Win32/HackTool.Patcher.J application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Green Software\超級工作管理員,再也沒有關不掉的程式-DTaskManager v2.0 繁體綠色版\DTaskManager.exe probably a variant of Win32/Spy.Agent.BDXNMYK trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Unlocker\eBay_shortcuts_1016.exe Win32/Adware.ADON application (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\VIPv3\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\VIPv3\resources\process.exe Win32/PrcView application (unable to clean) 0000000000000

I will follow your advice to increase RAM and let you know the result.

Best regards.
rickronn
Regular Member
 
Posts: 18
Joined: November 2nd, 2011, 1:15 am
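
Added example, not part of the post or of ESET's tooling: a parser for the ESET Online Scanner log format shown above, with the consistency checks a helper otherwise reads off the log by eye. It checks that the header's found= count matches the detection lines, reports lines it cannot read (the last line above is cut off), notes that cleaned=0 is what remove_checked=false produces, and separates "application" hits (PUA/unsafe-application detections, which only appear because those two options were ticked) from "probably a variant of" heuristic trojan hits. The sample input is the header and detection lines from the post, reconstructed with the spacing the page shows; the field order is inferred from those lines, and the function names are mine.

```python
import re

# Constructed sample: the header and detection lines from the ESET Online Scanner log in
# the post above (whitespace between fields as the page shows it; the final line is cut off
# on the page and is kept cut off here on purpose).
ESET_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# osver=5.1.2600 NT Service Pack 3
# scanned=37515
# found=5
# cleaned=0
# scan_time=2591
C:\Program Files\Green Software\WindowBlinds\patch.exe a variant of Win32/HackTool.Patcher.J application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Green Software\超級工作管理員,再也沒有關不掉的程式-DTaskManager v2.0 繁體綠色版\DTaskManager.exe probably a variant of Win32/Spy.Agent.BDXNMYK trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Unlocker\eBay_shortcuts_1016.exe Win32/Adware.ADON application (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\VIPv3\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\VIPv3\resources\process.exe Win32/PrcView application (unable to clean) 0000000000000
"""

# "<path> <detection name> (<action>) <32-hex hash> <flag>"; the detection name is recognised by
# its "<platform>/<family> <class>" shape, which is what keeps paths containing spaces intact.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+ \S+)\s+"
    r"\((?P<action>[^)]*)\)\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)\s*$"
)


def classify(m):
    """Turn one regex match into a finding with the triage fields a helper looks at first."""
    det = m["detection"]
    kind = det.split()[-1]  # ESET's trailing class word: application, trojan, worm, ...
    return {
        "path": m["path"],
        "detection": det,
        "action": m["action"],
        "kind": kind,
        "heuristic": det.startswith("probably"),  # "probably a variant of" = heuristic, lower confidence
        "pua": kind == "application",  # reported only because the unwanted/unsafe options were ticked
    }


def parse_eset_log(text):
    """Return (header dict, parsed findings, detection lines that could not be parsed)."""
    header, findings, unparsed = {}, [], []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if m:
            findings.append(classify(m))
        elif re.match(r"^[A-Za-z]:\\", line):
            unparsed.append(line)  # looks like a detection line but does not fit the format (truncated?)
    return header, findings, unparsed


def summarize(findings):
    """Counts a helper wants before deciding what to remove."""
    kinds = {f["kind"] for f in findings}
    return {
        "pua": sum(f["pua"] for f in findings),
        "heuristic": sum(f["heuristic"] for f in findings),
        "by_kind": {k: sum(f["kind"] == k for f in findings) for k in kinds},
    }


def review(header, findings, unparsed):
    """Cross-check the header against the detection lines and explain cleaned=0."""
    notes = []
    found = int(header.get("found", 0))
    if found != len(findings) + len(unparsed):
        notes.append(f"header says found={found}, log has {len(findings) + len(unparsed)} detection lines")
    if unparsed:
        notes.append(f"{len(unparsed)} detection line(s) unreadable, probably truncated: ask for the log again")
    if header.get("remove_checked") == "false" and header.get("cleaned") == "0":
        notes.append("nothing was removed: the scan ran with 'Remove found threats' unchecked, as instructed")
    return notes


if __name__ == "__main__":
    header, findings, unparsed = parse_eset_log(ESET_LOG)
    for f in findings:
        tag = "PUA" if f["pua"] else ("heuristic " + f["kind"] if f["heuristic"] else f["kind"])
        print(f"[{tag}] {f['path']}")
    print(summarize(findings))
    for note in review(header, findings, unparsed):
        print("note:", note)
```

The split between PUA and heuristic trojan detections is only a triage aid: it tells the helper which lines came from the extra scan options and which are signature or heuristic malware hits, and it says nothing about whether a given file should stay on the machine.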

Re: Possible attack by spy.Zbot.ZR trojan

Unread postby Gary R » November 15th, 2011, 7:04 am

Download OTM by Old Timer and save it to your Desktop.

Alternative Download
  • Double-click OTM.exe to run it.
  • Copy the lines in the codebox below.
Code:
:Files
C:\Program Files\Green Software\WindowBlinds\patch.exe
C:\Program Files\Green Software\超級工作管理員,再也沒有關不掉的程式-DTaskManager v2.0 繁體綠色版\DTaskManager.exe
C:\Program Files\Unlocker\eBay_shortcuts_1016.exe
C:\WINDOWS\VIPv3\Process.exe
C:\WINDOWS\VIPv3\resources\process.exe

:Commands
[CreateRestorePoint]
[EmptyTemp]
[Purity]
[ResetHosts]

  • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTM
Gary R
Administrator
 
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Possible attack by spy.Zbot.ZR trojan

Unread postby rickronn » November 17th, 2011, 2:46 am

Hi, Gary R,
Sorry for the late reply. Please note that I tried to follow your instructions. However, OTM just froze and there was no response.

Best regards.
rickronn
Regular Member
 
Posts: 18
Joined: November 2nd, 2011, 1:15 am

Re: Possible attack by spy.Zbot.ZR trojan

Unread postby Gary R » November 17th, 2011, 3:14 am

OTM may have removed things before it locked up, if it has you should be able to find an OTM log in the following location .....

C:\_OTM\MovedFiles

There will be a file named ....

mmddyyyy_hhmmss.log (where mdyhms are replaced by numbers representing the date and time the log was created)

It can be opened using Notepad.

If there is one, please post it to me.

Only if there is no log present, please do the following ....

Download Avenger by Swandog and unzip it to your Desktop.

Note: This programme must be run from an account with Administrator privileges.

  • Open the Avenger folder and double click Avenger.exe to launch the programme.
  • Copy the text in the code box below and Paste it into the Input script here: box.
Code:
Files to delete:
C:\Program Files\Green Software\WindowBlinds\patch.exe
C:\Program Files\Green Software\超級工作管理員,再也沒有關不掉的程式-DTaskManager v2.0 繁體綠色版\DTaskManager.exe
C:\Program Files\Unlocker\eBay_shortcuts_1016.exe
C:\WINDOWS\VIPv3\Process.exe
C:\WINDOWS\VIPv3\resources\process.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Ensure the following:
    • Scan for Rootkits is checked.
    • Automatically disable any rootkits found is Unchecked.
  • Press the Execute key.
  • Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
  • Post the log back here please. (it can also be found at C:\avenger.txt)
Gary R
Administrator
 
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire