Solved

HP printer won't print, Dell printer will - This is after being attacked by TDSS

Posted on 2010-08-18
Last Modified: 2013-12-15
About two weeks ago about 10 of my computers were attacked by TDSS.  I used the Kaspersky removal tool and thought everything was fine.  Now I have the following problem:

HP 2055 dn printer will not print - This is only from the machines that were attacked by TDSS.  The other non-infected machines print just fine.

Dell printer - still works just fine.  (Even on the machines that were attacked with TDSS).

My first thought was to uninstall / reinstall software and drivers for the HP 2055 dn.  Did that, no go.  During installation the printer is detected but nothing ever prints.  Test page, Notepad, WordPad, Office, everything fails.  I'm including the scan logs from TDSSKiller, and the ComboFix log.  I have run Malwarebytes and CCleaner with no additional detections.  Any help would be appreciated!!  Much thanks!

Combo Fix log
ComboFix 10-08-17.03 - Hulk 08/18/2010  10:54:40.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.576 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dfinstall.log

.
(((((((((((((((((((((((((   Files Created from 2010-07-18 to 2010-08-18  )))))))))))))))))))))))))))))))
.

2010-08-13 22:42 . 2010-08-13 22:42      --------      d-sh--w-      c:\documents and settings\LocalService\IETldCache
2010-08-09 13:13 . 2010-08-09 13:13      --------      d-----w-      c:\program files\ACW
2010-08-06 20:21 . 2010-06-14 14:31      744448      -c----w-      c:\windows\system32\dllcache\helpsvc.exe
2010-08-06 20:21 . 2010-06-24 12:21      743424      -c----w-      c:\windows\system32\dllcache\iedvtool.dll
2010-08-05 19:57 . 2010-08-05 19:57      --------      d-----w-      c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-05 19:56 . 2010-08-05 19:56      --------      d-----w-      c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-05 14:13 . 2010-08-05 14:13      --------      d-----w-      c:\program files\Common Files\Java
2010-08-04 21:40 . 2010-08-04 21:40      503808      ----a-w-      c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4dc3b1a5-n\msvcp71.dll
2010-08-04 21:40 . 2010-08-04 21:40      499712      ----a-w-      c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4dc3b1a5-n\jmc.dll
2010-08-04 21:40 . 2010-08-04 21:40      348160      ----a-w-      c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4dc3b1a5-n\msvcr71.dll
2010-08-04 21:40 . 2010-08-04 21:40      61440      ----a-w-      c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-50e45845-n\decora-sse.dll
2010-08-04 21:40 . 2010-08-04 21:40      12800      ----a-w-      c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-50e45845-n\decora-d3d.dll
2010-08-04 21:24 . 2010-08-04 21:24      --------      d-----w-      c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-08-04 21:24 . 2010-08-04 21:24      --------      d-----w-      c:\documents and settings\Administrator\Application Data\Office Genuine Advantage

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-09 13:09 . 2009-09-16 19:22      64368      ----a-w-      c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-06 19:20 . 2004-08-04 12:00      75264      ----a-w-      c:\windows\system32\drivers\ipsec.sys
2010-08-05 14:13 . 2009-09-22 21:04      --------      d-----w-      c:\program files\Java
2010-08-04 18:29 . 2009-10-04 05:21      --------      d-----w-      c:\documents and settings\Administrator\Application Data\U3
2010-07-17 09:00 . 2010-06-20 00:01      423656      ----a-w-      c:\windows\system32\deployJava1.dll
2010-06-30 12:31 . 2004-08-04 12:00      149504      ----a-w-      c:\windows\system32\schannel.dll
2010-06-28 01:17 . 2010-06-28 01:17      16336546      ------w-      C:\Persi0.sys
2010-06-28 01:16 . 2009-09-15 21:43      2048      --s-a-w-      c:\windows\bootstet.dat
2010-06-28 01:13 . 2010-06-28 01:13      --------      d-----w-      c:\documents and settings\Administrator\Application Data\TeamViewer
2010-06-28 01:13 . 2010-06-28 01:13      --------      d-----w-      c:\program files\TeamViewer
2010-06-24 12:22 . 2004-08-04 12:00      916480      ----a-w-      c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 12:00      1851904      ----a-w-      c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00      354304      ----a-w-      c:\windows\system32\drivers\srv.sys
2010-06-19 23:51 . 2010-06-19 23:51      503808      ----a-w-      c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1de01dff-n\msvcp71.dll
2010-06-19 23:51 . 2010-06-19 23:51      499712      ----a-w-      c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1de01dff-n\jmc.dll
2010-06-19 23:51 . 2010-06-19 23:51      348160      ----a-w-      c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1de01dff-n\msvcr71.dll
2010-06-19 23:51 . 2010-06-19 23:51      61440      ----a-w-      c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-584e2f9e-n\decora-sse.dll
2010-06-19 23:51 . 2010-06-19 23:51      12800      ----a-w-      c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-584e2f9e-n\decora-d3d.dll
2010-06-19 17:33 . 2010-06-19 17:33      764288      ----a-w-      c:\windows\system32\DFC.exe
2010-06-19 17:33 . 2010-06-19 17:33      748928      ----a-w-      c:\windows\system32\LDK.exe
2010-06-17 14:03 . 2004-08-04 12:00      80384      ----a-w-      c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2009-09-15 21:36      744448      ----a-w-      c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00      1172480      ----a-w-      c:\windows\system32\msxml3.dll
2010-05-20 15:19 . 2010-05-20 15:19      76312      ----a-w-      c:\windows\system32\drivers\ThwSpace.sys
2010-05-20 15:19 . 2010-05-20 15:19      153240      ----a-w-      c:\windows\system32\drivers\DeepFrz.sys
2010-05-20 15:17 . 2010-06-28 01:17      65536      ----a-w-      c:\windows\system32\LogonDll.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PCReservation Client Module.LNK - c:\pcres\PCRes_Client.exe [2009-10-4 614400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DfLogon]
2010-05-20 15:17      65536      ----a-w-      c:\windows\system32\LogonDll.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute      REG_MULTI_SZ         autocheck autochk /k:C *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10      35696      ----a-w-      c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2009-06-26 14:09      57344      ----a-w-      c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Easy Update]
2008-10-16 20:07      188416      ----a-w-      c:\program files\ASUS\ASUS Easy Update\ALU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12      15360      ----a-w-      c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-06-26 14:09      18084864      ----a-w-      c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-02-25 19:38      61440      ----a-w-      c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\HP_P2055_Network_Express_Install\\setup\\hppnet01.exe"=
"c:\\PCRes\\PCRes_Client.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM_TCP135

R0 DeepFrz;DeepFrz;c:\windows\system32\drivers\DeepFrz.sys [5/20/2010 11:19 AM 153240]
R2 DFServ;DFServ;c:\program files\Faronics\Deep Freeze\Install C-0\DFServ.exe [6/19/2010 1:33 PM 1074048]
R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [5/21/2010 7:27 AM 173352]
R3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [4/19/2004 3:01 PM 6656]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [9/16/2009 2:50 PM 157696]

--- Other Services/Drivers In Memory ---

*Deregistered* - klmd24

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {215ABC43-EE40-40EE-AE87-9D154CC84B2A} = 131.144.4.10,205.152.0.5
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-18 10:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-117609710-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,eb,d8,53,7e,f7,b9,13,48,bc,2c,fd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,eb,d8,53,7e,f7,b9,13,48,bc,2c,fd,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LogonDll.dll
c:\program files\TeamViewer\Version5\tv.dll
.
Completion time: 2010-08-18  11:00:55
ComboFix-quarantined-files.txt  2010-08-18 15:00

Pre-Run: 151,265,144,832 bytes free
Post-Run: 151,345,844,224 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - E218D1037D7E4718661E49A3AA090369

First TDSS Killer log file where it cleaned
2010/08/06 15:18:34.0140      TDSS rootkit removing tool 2.4.1.0 Aug  4 2010 15:06:41
2010/08/06 15:18:34.0140      ================================================================================
2010/08/06 15:18:34.0140      SystemInfo:
2010/08/06 15:18:34.0140      
2010/08/06 15:18:34.0140      OS Version: 5.1.2600 ServicePack: 3.0
2010/08/06 15:18:34.0140      Product type: Workstation
2010/08/06 15:18:34.0140      ComputerName: HULK
2010/08/06 15:18:34.0140      UserName: Hulk
2010/08/06 15:18:34.0140      Windows directory: C:\WINDOWS
2010/08/06 15:18:34.0140      System windows directory: C:\WINDOWS
2010/08/06 15:18:34.0140      Processor architecture: Intel x86
2010/08/06 15:18:34.0140      Number of processors: 2
2010/08/06 15:18:34.0140      Page size: 0x1000
2010/08/06 15:18:34.0140      Boot type: Normal boot
2010/08/06 15:18:34.0140      ================================================================================
2010/08/06 15:18:34.0515      Initialize success
2010/08/06 15:18:36.0984      ================================================================================
2010/08/06 15:18:36.0984      Scan started
2010/08/06 15:18:36.0984      Mode: Manual;
2010/08/06 15:18:36.0984      ================================================================================
2010/08/06 15:18:42.0859      Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: dfab325d623a1952d00182b193c9940a, Fake md5: 23c74d75e36e7158768dd63d92789a91
2010/08/06 15:18:42.0859      IPSec - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/06 15:18:48.0187      ================================================================================
2010/08/06 15:18:48.0187      Scan finished
2010/08/06 15:18:48.0187      ================================================================================
2010/08/06 15:18:48.0250      Detected object count: 1
2010/08/06 15:18:58.0765      IPSec           (dfab325d623a1952d00182b193c9940a) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/06 15:18:58.0765      Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: dfab325d623a1952d00182b193c9940a, Fake md5: 23c74d75e36e7158768dd63d92789a91
2010/08/06 15:19:01.0656      Backup copy found, using it..
2010/08/06 15:19:01.0671      C:\WINDOWS\system32\DRIVERS\ipsec.sys - will be cured after reboot
2010/08/06 15:19:01.0671      Rootkit.Win32.TDSS.tdl3(IPSec) - User select action: Cure
2010/08/06 15:19:06.0234      Deinitialize success

2nd TDSSKiller log file where it did not detect anything
2010/08/18 09:27:35.0531      TDSS rootkit removing tool 2.4.1.0 Aug  4 2010 15:06:41
2010/08/18 09:27:35.0531      ================================================================================
2010/08/18 09:27:35.0531      SystemInfo:
2010/08/18 09:27:35.0531      
2010/08/18 09:27:35.0531      OS Version: 5.1.2600 ServicePack: 3.0
2010/08/18 09:27:35.0531      Product type: Workstation
2010/08/18 09:27:35.0531      ComputerName: HULK
2010/08/18 09:27:35.0531      UserName: Hulk
2010/08/18 09:27:35.0531      Windows directory: C:\WINDOWS
2010/08/18 09:27:35.0531      System windows directory: C:\WINDOWS
2010/08/18 09:27:35.0546      Processor architecture: Intel x86
2010/08/18 09:27:35.0546      Number of processors: 2
2010/08/18 09:27:35.0546      Page size: 0x1000
2010/08/18 09:27:35.0546      Boot type: Normal boot
2010/08/18 09:27:35.0546      ================================================================================
2010/08/18 09:27:36.0109      Initialize success
2010/08/18 09:27:37.0515      ================================================================================
2010/08/18 09:27:37.0515      Scan started
2010/08/18 09:27:37.0515      Mode: Manual;
2010/08/18 09:27:37.0515      ================================================================================
2010/08/18 09:27:42.0843      IPSec           (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/18 09:27:48.0953      ================================================================================
2010/08/18 09:27:48.0953      Scan finished
2010/08/18 09:27:48.0953      ================================================================================
2010/08/18 09:27:54.0218      Deinitialize success

Thanks again!!
Question by:Sean-SSIT
25 Comments
 
LVL 11

Expert Comment

by:Snibborg
When you say the HP will not print, in what way?  Does it spit out a blank page, or does it think that it's printing but the job never arrives?  When you look at the printer queue does it show a print job passing through?

Snibborg
 

Author Comment

by:Sean-SSIT
The job is "sent" off to the printer, it shows in the Windows XP printer queue, and then eventually it gets a fail error.  Nothing comes out of the HP printer and the job shows in the printer queue with the customary red X.  The job remains in the print queue (it doesn't go away as normal when a job is processed).

I'm baffled because the print service (from Windows standpoint) is working because the Dell printer still works just fine, but the HP refuses to process.  I've uninstalled the software / drivers, run CCleaner, then reinstalled and the same error persists.

Thanks!
 
LVL 3

Expert Comment

by:insightcomputing
Stop the printer spooler service. Browse over to C:\Windows\system32\spool\printers

Delete all the files in that folder, restart your computer. Let us know if this helps.
 

Author Comment

by:Sean-SSIT
@Insightcomputing

I have nothing in the C:\Windows\system32\spool\printers folder. It's empty.

 
LVL 11

Expert Comment

by:Snibborg
Is the HP a network printer or attached to one of the workstations?  If it's on the network can you ping it?  If not you have a communications problem.  Check the port IP address in the printer properties.  Is it pointed to the right port?

Snibborg
 

Author Comment

by:Sean-SSIT
@Snibborg

I can ping it both from machines that can print to it and the ones that cannot.

The HP 2055dn is a network based printer for us.

The port is correctly mapped from the workstations and has the correct IP address.

It's good to know I've thought of and tried most everything because this one has me completely baffled.
 
LVL 22

Expert Comment

by:optoma
Can you check this file out at VirusTotal? Maybe part of Deep Freeze, but unsure.

 C:\Persi0.sys

http://www.virustotal.com/
 
LVL 11

Expert Comment

by:Snibborg
It certainly seems like you've covered most of the bases.  Can you connect to the printing ports from an affected PC using Telnet?

The ports that are used for printing are 515, 631 and 9100.  I'm wondering whether the remnants of the infection have either closed or redirected these ports.

To telnet to the ports, go to a command prompt and type telnet xxx.xxx.xxx.xxx 515; if you get a response of OK then you know it's connecting.  I suspect I'm teaching my granny to suck eggs with this bit, but hey ho, be thorough.

If all three of those work it at least proves that you are connecting directly to the printer without interruption.  If not you at least know where the problem lies.

Snibborg
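A TCP-level version of the port check Snibborg describes, added here as an example and not part of the thread: it probes 23, 515, 631 and 9100 from the affected host, separates a refused connection from a silent timeout (which a bare telnet session does not), and flags the pattern where the management port answers but none of the print ports do. The target address in the main block is a placeholder.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# TCP ports a JetDirect-class network printer normally listens on:
# 23 = telnet management, 515 = LPD, 631 = IPP, 9100 = raw/JetDirect.
PRINT_PORTS = {23: "telnet (management)", 515: "LPD", 631: "IPP", 9100: "raw/JetDirect"}


def probe_port(host, port, timeout=3.0):
    """Attempt a TCP connect and classify the outcome.

    Returns "open", "refused", "timeout" or "error: <errno>".
    A host that answers ICMP ping but times out on every TCP port points at
    something on the client between the socket layer and the wire (host
    firewall, a filtering driver); "refused" means the packet reached the
    printer and nothing was listening there.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error: {exc.errno}"


def probe_printer(host, ports=PRINT_PORTS, timeout=3.0):
    """Probe all print-related ports in parallel; returns {port: status}."""
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        results = pool.map(lambda p: (p, probe_port(host, p, timeout)), ports)
    return dict(results)


def print_only_ports_blocked(results):
    """True when the management port is reachable but no print port is.

    This is the situation reported later in the thread: a telnet session to
    the JetDirect menu works from an affected PC, yet 515/631/9100 cannot be
    reached from the same PC.
    """
    print_ports = [p for p in results if p != 23]
    return results.get(23) == "open" and all(results[p] != "open" for p in print_ports)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder address
    res = probe_printer(target)
    for port, status in sorted(res.items()):
        print(f"{port:>5} {PRINT_PORTS.get(port, ''):<22} {status}")
    if print_only_ports_blocked(res):
        print("Telnet reachable but print ports are not: suspect the client, not the printer.")
```

Run it once from a working PC and once from an affected PC against the same printer; if the results differ, the printer and the network path are cleared and the difference is on the client.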
 

Author Comment

by:Sean-SSIT
@optoma

Unless I have a trojan masquerading as that file it's part of Deep Freeze.  The scans aren't revealing it as a trojan or malware.
 

Author Comment

by:Sean-SSIT
@Snibborg

Well.  I can't telnet on 515, 631 or 9100.  I have tried turning the Windows Firewall off as well with the same result.  So now the question is what has been corrupted or rewritten in Windows for the ports?  

I can ping the printer just fine, but I cannot telnet to it.  I haven't done port analysis in a long time or manually looked at mappings.  Got any handy dandy tools for that?
 

Author Comment

by:Sean-SSIT
@Snibborg

I tried an easier tactic and just did a telnet session.  I asked it to open the printer and I got that from my working office computer.

From one of the affected computers I was able to replicate the same thing and the HP JetDirect telnet prompt answered just fine and let me browse the menu etc.  

The more I keep messing with this the more baffled I'm becoming.  It's almost like a case where network cable A won't work in computer A but will work just fine in computer B and computer B's network cable works just fine in A or B.  

o.O  
 
LVL 22

Expert Comment

by:optoma
On one of the affected machines, uninstall the dell printer and try the Hp.
Create a restore point first
 
LVL 11

Expert Comment

by:Snibborg
The only problem with just doing a telnet session is that it only tests port 23, not the ports you are actually using for printing, hence my comments about specific port addresses.

You might want to examine the registry of a working computer, searching on the model number, and see if there are different entries, or missing entries, on the problematic machines.  If there are, overwrite the keys with a working set.

The final option is to back up the data from one of the problem machines and rebuild it.  My suggestion for this is that you are getting into the area of diminishing returns now and this might be the more efficient solution.

Let us know how you get on.

Snibborg
 

Author Comment

by:Sean-SSIT
@optoma
I tried removing the Dell and then printing, still no go

@Snibborg
I tried looking at the registry - there are so many entries it's almost impossible to compare.  

I agree, I think I'm at the point of just redoing the machines.  Also, I called HP Tech Support; man, has that gone way down in value since the last time I used it a few years ago.  It was a massive waste of time, I'm sorry to say.
 
LVL 11

Expert Comment

by:Snibborg
I'm wondering, as you are considering rebuilding the machines anyway, whether it might be worth backing up the printer registry entries on a good machine and pasting them into a bad one to see what happens.

Snibborg
 
LVL 22

Accepted Solution

by:
optoma earned 500 total points
Try this on one of the affected machines as well (if the above fails).
Dunno if it may help, but worth a shot since a rebuild is looming.

>Copy c:\windows\system32\drivers\ipsec.sys from a "working" machine and place it in C:\ on affected machine

1. Open Notepad
2. Copy + paste all bolded text only between lines below into Notepad window
==================================================
FCopy::
C:\ipsec.sys | C:\WINDOWS\system32\DRIVERS\ipsec.sys



==================================================
3. Now Save as CFScript.txt on your desktop/same location as Combofix.exe
4. Then drag the CFScript.txt into ComboFix.exe
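The fix above replaces ipsec.sys, the one driver the first TDSSKiller scan flagged as forged, with a copy from a working machine. Added here as an example (not from the thread, and not TDSSKiller's or ComboFix's own code) is a small parser for that log format: it lists the drivers the scanner reported with two different hashes (what it read from disk versus what the rootkit presented through the file API), shows which driver hashes changed between the 6 August and 18 August scans, and hashes a local file so the restored ipsec.sys can be compared against the working machine's copy. The sample input is a constructed, abridged copy of the two logs posted in the question.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Line shapes in a TDSSKiller 2.4 log, as posted in this thread:
#   <date> <time>   <service>   (<md5>) <path>
#   <date> <time>   Suspicious file (Forged): <path>. Real md5: <x>, Fake md5: <y>
DRIVER_RE = re.compile(r"^\S+ \S+\s+(\S+)\s+\(([0-9a-f]{32})\)\s+(.+?)\s*$")
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})"
)


@dataclass
class DriverEntry:
    name: str
    md5: str                        # hash TDSSKiller printed on the driver line
    path: str
    real_md5: Optional[str] = None  # set only when the tool reported the file as forged
    fake_md5: Optional[str] = None  # hash the rootkit presented through the normal file API


def parse_tdsskiller_log(text: str) -> Dict[str, DriverEntry]:
    """Return {lower-cased path: DriverEntry} for every driver line in a log."""
    entries: Dict[str, DriverEntry] = {}
    for line in text.splitlines():
        m = FORGED_RE.search(line)
        if m:
            path, real, fake = m.groups()
            entry = entries.setdefault(path.lower(), DriverEntry("?", real, path))
            entry.real_md5, entry.fake_md5 = real, fake
            continue
        m = DRIVER_RE.match(line)
        if m:
            name, md5, path = m.groups()
            entries[path.lower()] = DriverEntry(name, md5, path)
    return entries


def forged_drivers(entries: Dict[str, DriverEntry]) -> List[DriverEntry]:
    """Drivers the scanner saw with two hashes: on disk vs. through the file API."""
    return [e for e in entries.values() if e.real_md5 is not None]


def diff_scans(before, after) -> List[Tuple[str, str, str]]:
    """(path, old md5, new md5) for drivers whose hash changed between two scans."""
    changed = []
    for key, old in before.items():
        new = after.get(key)
        if new is not None and new.md5 != old.md5:
            changed.append((old.path, old.md5, new.md5))
    return changed


def md5_of_file(path: str) -> str:
    """MD5 of a local file, for comparing a driver with the copy from a working machine."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed sample input: abridged copies of the two scans posted in the question.
SCAN_BEFORE = r"""
2010/08/06 15:18:58.0765      ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/06 15:18:58.0765      IPSec           (dfab325d623a1952d00182b193c9940a) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/06 15:18:58.0765      Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: dfab325d623a1952d00182b193c9940a, Fake md5: 23c74d75e36e7158768dd63d92789a91
2010/08/06 15:19:01.0671      Rootkit.Win32.TDSS.tdl3(IPSec) - User select action: Cure
"""
SCAN_AFTER = r"""
2010/08/18 09:27:39.0078      ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/18 09:27:42.0843      IPSec           (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
"""

if __name__ == "__main__":
    before = parse_tdsskiller_log(SCAN_BEFORE)
    after = parse_tdsskiller_log(SCAN_AFTER)
    for e in forged_drivers(before):
        print(f"forged in first scan: {e.path} disk={e.real_md5} api-visible={e.fake_md5}")
    for path, old, new in diff_scans(before, after):
        print(f"hash changed between scans: {path} {old} -> {new}")
```

Run md5_of_file on ipsec.sys from the working machine and on the copy placed on the affected machine after the FCopy step; the two should match, and that is the check worth keeping before deciding a machine still needs a rebuild.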
 
LVL 3

Expert Comment

by:VBDotNetCoder
try SFC /scannow
The printer subsystem is using the driver files along with some Windows system files.

you might have some system files damaged.
 

Author Comment

by:Sean-SSIT
@VBDotNetCoder

I still have one machine that is scanning.  I do not yet know if that will work.  I will post after it completes.

@Optoma

Home Run!!! Combofix + the file = WIN!!!  I restarted and printed and it ran with no problems.  Excellent debugging my friend.  
 

Author Closing Comment

by:Sean-SSIT
Excellent work by Optoma!!!
 
LVL 22

Expert Comment

by:optoma
Hi.
That's great news!

Let us know if it works on all :)
 

Author Comment

by:Sean-SSIT
@VBDotNetCoder

SFC /scannow did not pan out.  I applied Optoma's solution to another infected machine and it fixed the issues.  

Thanks for all the help everyone!!!
 
LVL 22

Expert Comment

by:optoma
You're welcome :)
 
LVL 3

Expert Comment

by:VBDotNetCoder
That is nice, thanks for sharing Optoma! :)
 
LVL 11

Expert Comment

by:Snibborg
Great result.  Good work Optoma.  Victory from the jaws of defeat.

Snibborg
 
LVL 22

Expert Comment

by:optoma
;)  !!
