REM414

Honorary Members
  1. Hello. Not sure why it says I am a Member, I've fought a couple of battles with the Malwarebytes crew.

  2. Hello. Not sure if this is the correct place. I had the Zero Access Rootkit, which of course caused redirects, no anti-virus or malware (including my go-to Malwarebytes) to run, and just made the machine very unstable. I was able to get rid of it using combofix, then run Malwarebytes, but I have tried everything I can find to fix my networking, and it is dead. It says it can't renew IP (DHCP is running) at one time, says my winsock catalog is bad another time (I think I fixed that). I'm at a loss. All I have is the combofix txt. Would that be of any help to you guys? This is for a person that does all of their work via web so they are desperate (therefore, so am I); any direction would be greatly appreciated. I have the machine here if you need anything else, and I can thumb drive off any other info (luckily I have one that works). REM
  3. LD, Sorry it took so long to get back. I did fully get rid of the cox security suite (it was long ago disabled, not sure why it wasn't uninstalled, it was awful). Iwin games and Wild tangent are uninstalled. The askS bar was a different issue all together. I can't find it in any browser (IE, Firefox or Chrome) in the add-ons, and it's not in add or remove programs. I was able to track down the directory and delete all but one dll file. It says it is in use. It may be a remnant of ie getting blocked by the rootkit/malware. I will go into safe mode and see what I can do to get rid of it completely. I deleted the empty file. The two .sys files have disappeared! I did run registry mechanic to try and clean up the machine which was a bit of a mess as you can tell, and it must have found those and did away with them. I did a full machine search and they are indeed gone. I have since run a full malwarebytes scan again and all looks cleaned up. I am having a strange issue where parts of a web site aren't showing on ie8, but do on Firefox and ie8 on a different machine. I reinstalled ie8, compared all of the settings between the two ie8s and even did a reset on the one that is acting strange, then compared the settings again. No luck so far but I'm still working it. I'll find it at some point. Sorry I don't have the logs on those two files, I'm sure they shouldn't have been there and may have added additional clues to what I had. Should have waited on the registry cleanup, but it really DID need it. Thanks again for your help.
  4. You CAN'T read that? Looks pretty clear to me ;-) Sorry, some of the stuff I attach "inserts" like the device manager pictures, and some rolls into an attachment. Thought it would just come as a text file formatted as it looked to me. Here you go.

     ComboFix 11-01-04.01 - owner 01/04/2011 19:24:39.1.2 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.575 [GMT -5:00]
     Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
     AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
     AV: Cox Security Suite Anti-Virus *Disabled/Outdated* {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\documents and settings\All Users\Application Data\.wtav
     c:\documents and settings\owner\Application Data\Adobe\AdobeUpdate .exe
     c:\documents and settings\owner\Application Data\Adobe\plugs
     c:\documents and settings\owner\Application Data\Adobe\plugs\KB40493859.exe
     c:\documents and settings\owner\Application Data\Adobe\plugs\KB40506921.exe
     c:\documents and settings\owner\Application Data\TMInc
     c:\documents and settings\owner\Application Data\TMInc\game.cfg
     c:\documents and settings\owner\Application Data\TMInc\user1.sav
     c:\program files\Hotbar
     c:\program files\iWin Games\iWinGamesHookIE.dll
     c:\program files\PlaySushi\PSTExt.dll
     c:\program files\Search Toolbar
     c:\program files\Search Toolbar\icon.ico
     c:\program files\Search Toolbar\SearchToolbar.dll
     c:\program files\Search Toolbar\SearchToolbarUninstall.exe
     c:\program files\Search Toolbar\SearchToolbarUpdater.exe
     c:\windows\assembly\GAC\__AssemblyInfo__.ini
     c:\windows\Downloaded Program Files\CpnMgr.dll
     c:\windows\system32\drivers\vbma01bf.sys
     c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll
     D:\Autorun.inf
     .
     ((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))
     .
     2011-01-04 02:45 . 2011-01-04 02:45 -------- d-----w- C:\TDSSKiller_Quarantine
     2011-01-04 02:34 . 2011-01-04 02:34 75264 ----a-w- c:\windows\system32\ebbc.sys
     2011-01-04 02:29 . 2011-01-04 21:10 75264 ----a-w- c:\windows\system32\bfcd.sys
     2011-01-03 15:51 . 2011-01-03 15:49 89088 ----a-w- C:\mbr.exe
     2011-01-01 18:11 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2011-01-01 18:11 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2011-01-01 18:06 . 2011-01-04 04:05 -------- d-----w- C:\MGtools
     2010-12-31 19:17 . 2009-08-13 16:14 472064 ----a-w- c:\program files\RootRepeal.exe
     2010-12-31 19:10 . 2010-11-22 15:59 4177272 ----a-w- c:\program files\pex.exe
     2010-12-31 19:05 . 2010-12-31 19:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2
     2010-12-31 00:13 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
     2010-12-31 00:13 . 2010-12-31 00:13 -------- d-----w- c:\program files\Panda Security
     2010-12-30 22:50 . 2010-12-30 22:50 -------- d-----w- C:\found.001
     2010-12-30 22:17 . 2010-12-31 22:11 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
     2010-12-30 22:17 . 2010-12-30 22:17 -------- d-----w- c:\program files\Hitman Pro 3.5
     2010-12-30 22:17 . 2010-12-30 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
     2010-12-30 00:51 . 2010-12-30 14:00 0 ----a-w- c:\windows\Wnafuhuhiqo.bin
     2010-12-20 21:20 . 2010-12-20 21:20 -------- d-----w- c:\windows\system32\wbem\Repository
     2010-12-17 02:36 . 2010-12-17 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Gogii
     2010-12-17 02:32 . 2010-12-17 02:32 -------- d-----w- c:\program files\WildGames
     2010-12-17 02:19 . 2010-12-17 02:19 -------- d-----w- c:\program files\WildTangent Games
     2010-12-15 20:47 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
     2010-12-15 20:47 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
     2010-12-07 01:38 . 2010-12-07 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Fugazo
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2011-01-04 04:05 . 2011-01-01 18:06 233825 ----a-w- C:\MGlogs.zip
     2010-11-18 18:12 . 2006-03-16 04:00 81920 ----a-w- c:\windows\system32\isign32.dll
     2010-11-06 00:26 . 2006-03-16 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
     2010-11-06 00:26 . 2006-03-16 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
     2010-11-06 00:26 . 2006-03-16 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
     2010-11-03 12:25 . 2006-03-16 04:00 385024 ----a-w- c:\windows\system32\html.iec
     2010-11-02 15:17 . 2006-03-16 04:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
     2010-10-28 13:13 . 2006-03-16 04:00 290048 ----a-w- c:\windows\system32\atmfd.dll
     2010-10-26 13:25 . 2006-03-16 04:00 1853312 ----a-w- c:\windows\system32\win32k.sys
     2008-06-30 17:44 . 2008-10-15 15:21 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
     .
     ------- Sigcheck -------
     [7] 2009-03-08 . B60DDDD2D63CE41CB8C487FCFBB6419E . 638816 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe
     [7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
     [-] 2006-03-16 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\iexplore.exe
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
     "{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2007-10-15 66912]

     [HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

     [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
     2007-10-15 16:03 66912 ----a-w- c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-20 39408]
     "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-04-10 2595792]
     "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-04-10 909208]
     "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-04-10 136472]
     "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 761946]
     "Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
     "RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
     "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-12 102400]
     "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
     "nwiz"="c:\windows\system32\nwiz.exe" [2006-08-18 1617920]
     "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-18 86016]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-18 7585792]
     "MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
     "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
     "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
     "High Definition Audio Property Page Shortcut"="c:\windows\system32\CHDAudPropShortcut.exe" [2006-06-02 61952]
     "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
     "Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 40960]
     "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
     "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
     "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

     c:\documents and settings\Default User\Start Menu\Programs\Startup\
     Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]

     c:\documents and settings\Administrator\Start Menu\Programs\Startup\
     Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
     @="Service"

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
     backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
     backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

     [HKLM\~\startupfolder\C:^Documents and Settings^owner^Start Menu^Programs^StartUp^Vongo Tray.lnk]
     backup=c:\windows\pss\Vongo Tray.lnkStartup

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
     2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
     2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ctekijovapupi]
     2008-04-14 00:12 221184 ----a-w- c:\windows\ipohirewapanuv.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Everything]
     2008-09-29 01:54 459776 ----a-w- c:\program files\Everything\Everything.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
     2005-08-11 23:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
     2008-03-30 14:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
     2008-03-29 03:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
     2008-08-09 20:04 5418864 ----a-w- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
     "Vongo Service"=2 (0x2)
     "comHost"=3 (0x3)
     "userinit"=2 (0x2)
     "WebrootSpySweeperService"=2 (0x2)
     "JavaQuickStarterService"=2 (0x2)

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001
     "FirewallOverride"=dword:00000001
     "AntiSpywareOverride"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "c:\\Program Files\\HP Rhapsody\\rhapsody.exe"=
     "c:\\Program Files\\TeamViewer3\\TeamViewer.exe"=
     "c:\\WINDOWS\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\iWin Games\\iWinGames.exe"=
     "c:\\Program Files\\iWin Games\\WebUpdater.exe"=
     "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
     "c:\\Program Files\\Rhapsody\\rhapsody.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "67:UDP"= 67:UDP:DHCP Discovery Service
     "1714:UDP"= 1714:UDP:Windows Media Format SDK (iexplore.exe)
     "1715:UDP"= 1715:UDP:Windows Media Format SDK (iexplore.exe)

     R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [x]
     R1 bfcd;bfcd; [x]
     R2 gupdate1ca18377eee91f4;Google Update Service (gupdate1ca18377eee91f4);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-08 133104]
     R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\Drivers\5U870CAP.sys [2006-06-06 61952]
     R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
     R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-12-31 16968]
     R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-08-22 18688]
     R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-08-22 8320]
     R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-19 23680]
     S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
     S1 aswSP;aswSP; [x]
     S2 aswFsBlk;aswFsBlk; [x]
     S2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [2010-09-02 176408]
     S2 OKI OPHC DCS Loader;OKI OPHC DCS Loader;c:\windows\System32\spool\DRIVERS\W32X86\3\OPHCLDCS.EXE [2005-05-10 24576]
     .
     Contents of the 'Scheduled Tasks' folder

     2011-01-05 c:\windows\Tasks\GlaryInitialize.job
     - c:\program files\Glary Utilities\initialize.exe [2008-10-15 15:47]

     2011-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-08 14:49]

     2011-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-08 14:49]

     2011-01-05 c:\windows\Tasks\User_Feed_Synchronization-{E631721C-D077-4FEB-B0AA-9CA3322C6CD3}.job
     - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
     IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
     DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
     DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
     FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\oklcjtym.default\
     FF - prefs.js: browser.search.selectedEngine - MyStart Search
     FF - prefs.js: browser.startup.homepage - hxxp://mystart.incredimail.com
     FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar&search=
     FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
     FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
     FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
     FF - Ext: Firefox Universal Uploader (fireuploader): {0200c2a9-70da-4f6d-b527-f5f7d7877228} - %profile%\extensions\{0200c2a9-70da-4f6d-b527-f5f7d7877228}
     FF - Ext: Red Cats (blue flavor): {ff356687-aa08-463d-a46c-11c451824939} - %profile%\extensions\{ff356687-aa08-463d-a46c-11c451824939}
     FF - Ext: IE Tab: {77b819fa-95ad-4f2c-ac7c-486b356188a9} - %profile%\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
     FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
     FF - Ext: Splash: splash@aldreneo.com - %profile%\extensions\splash@aldreneo.com
     FF - Ext: All-in-One Sidebar: {097d3191-e6fa-4728-9826-b533d755359d} - %profile%\extensions\{097d3191-e6fa-4728-9826-b533d755359d}
     FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
     FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
     FF - Ext: IncrediMail MediaBar 2 Toolbar: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - %profile%\extensions\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}
     FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
     FF - Ext: iWinGames Plugin: {98e34367-8df7-42b4-837b-20b892ff0849} - c:\program files\iWin Games\firefox
     FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
     .
     - - - - ORPHANS REMOVED - - - -

     SafeBoot-klmdb.sys
     AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe

     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2011-01-04 19:40
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     HKLM\Software\Microsoft\Windows\CurrentVersion\Run
     Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????<?@? ???xc??????Y?@?????<?@

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************

     Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
     Windows 5.1.2600
     CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
     device: opened successfully
     user: error reading MBR
     kernel: MBR read successfully
     user != kernel MBR !!!

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
     "Enabled"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
     @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker4"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'explorer.exe'(2316)
     c:\windows\system32\WININET.dll
     c:\progra~1\WINDOW~1\wmpband.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\msi.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\windows\system32\msdtc.exe
     c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
     c:\windows\eHome\ehRecvr.exe
     c:\windows\eHome\ehSched.exe
     c:\program files\Common Files\LightScribe\LSSrvc.exe
     c:\windows\system32\nvsvc32.exe
     c:\windows\system32\RUNDLL32.EXE
     c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
     c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
     c:\windows\ehome\mcrdsvc.exe
     c:\windows\system32\mqsvc.exe
     c:\program files\Windows Media Player\WMPNetwk.exe
     c:\windows\system32\mqtgsvc.exe
     c:\windows\system32\dllhost.exe
     c:\windows\eHome\ehmsas.exe
     c:\windows\system32\msiexec.exe
     c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
     .
     **************************************************************************
     .
     Completion time: 2011-01-04 19:45:19 - machine was rebooted
     ComboFix-quarantined-files.txt 2011-01-05 00:45

     Pre-Run: 24,223,866,880 bytes free
     Post-Run: 24,203,767,808 bytes free

     WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
     [boot loader]
     timeout=2
     default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
     [operating systems]
     c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
     UnsupportedDebug="do not select this" /debug
     multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

     - - End Of File - - 8CD20F614A399B78A13A604580DDC810
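The "Files Created" and R0/S1 service sections of a ComboFix log are regular enough to parse, and a first triage pass over them can be automated. The script below is an added example and is not part of this thread or of ComboFix; it runs a few defender-side heuristics over a sample constructed from entries quoted in the log above: drivers dropped directly in the system32 root rather than in system32\drivers, zero-byte files in the Windows directory, service entries with no image path or marked [x] instead of a date and size, and service names that coincide with a freshly created, flagged driver. The names FileEntry, ServiceEntry, Finding, parse_combofix and triage are this example's own. The output is a list of candidates for human review, not verdicts: avast's own aswSP entry is flagged by the same "no image path" rule as bfcd.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Constructed sample: "Files Created" and service lines in ComboFix's layout,
# assembled from entries quoted in the post above (not the full log).
SAMPLE_LOG = r"""2011-01-04 02:34 . 2011-01-04 02:34 75264 ----a-w- c:\windows\system32\ebbc.sys
2011-01-04 02:29 . 2011-01-04 21:10 75264 ----a-w- c:\windows\system32\bfcd.sys
2011-01-01 18:11 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-30 22:17 . 2010-12-31 22:11 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-30 00:51 . 2010-12-30 14:00 0 ----a-w- c:\windows\Wnafuhuhiqo.bin
2010-12-31 19:05 . 2010-12-31 19:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [x]
R1 bfcd;bfcd; [x]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-12-31 16968]
S1 aswSP;aswSP; [x]
"""

# "created . modified size attributes path"; size is "--------" for directories
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)
# "R1 name;display;image [info]"; info is "date size" or "x"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<image>[^\[]*?)\s*\[(?P<info>[^\]]*)\]\s*$"
)


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]  # None for directory entries
    attrs: str
    path: str


@dataclass
class ServiceEntry:
    start: str    # R0..R3 running, S0..S3 stopped
    name: str
    display: str
    image: str    # empty when ComboFix recorded no image path
    info: str     # "date size", or "x"


@dataclass
class Finding:
    subject: str
    reason: str


def parse_combofix(text: str) -> Tuple[List[FileEntry], List[ServiceEntry]]:
    """Pick file-creation and service lines out of log text; ignore the rest."""
    files: List[FileEntry] = []
    services: List[ServiceEntry] = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            files.append(FileEntry(m["created"], m["modified"], size, m["attrs"], m["path"]))
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(ServiceEntry(m["start"], m["name"], m["display"], m["image"], m["info"]))
    return files, services


def triage(text: str) -> List[Finding]:
    """Apply placement and consistency heuristics; returns review candidates."""
    files, services = parse_combofix(text)
    findings: List[Finding] = []
    flagged_drivers: Dict[str, str] = {}  # lower-case stem -> path
    for f in files:
        p = PureWindowsPath(f.path)
        parent = str(p.parent).lower()
        # Legitimate drivers normally live in system32\drivers, not its parent.
        if p.suffix.lower() == ".sys" and parent == r"c:\windows\system32":
            flagged_drivers[p.stem.lower()] = f.path
            findings.append(Finding(f.path, "driver created in system32 root rather than system32\\drivers"))
        if f.size == 0 and parent == r"c:\windows":
            findings.append(Finding(f.path, "zero-byte file dropped in the Windows directory"))
    for s in services:
        if not s.image:
            findings.append(Finding(s.name, f"{s.start} entry has no image path recorded"))
        elif s.info == "x":
            findings.append(Finding(s.name, f"{s.start} entry is marked [x]: no date/size recorded for its image"))
        # A service whose name equals a freshly dropped driver's stem ties the two together.
        if s.name.lower() in flagged_drivers:
            findings.append(Finding(s.name, f"service name matches flagged driver {flagged_drivers[s.name.lower()]}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.subject}: {finding.reason}")
```

On the sample this reports the two system32-root drivers, the zero-byte .bin, the [x]-marked ssfs0bbc entry, the path-less bfcd and aswSP entries, and the bfcd service/driver correlation; mbamswissarmy.sys and hitmanpro35, which sit where drivers belong and carry a recorded size, produce nothing.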
  5. I do have the combofix log which I am attaching. Unfortunately I deleted the TDSSkiller log (which is probably the better one) After I felt everything was running OK I cleaned up the leftover files and emptied the recycle bin. Just didn't want anything laying around......just in case. Paranoia I guess :-) combofix_log.txt
  6. P.S. I have the combofix log from my last cleaning if that would be of any help if you run into this again. Let me know and I can attach it and send it to you. Just a thought.
  7. LD, OK....well I guess we can stick a fork in it. Boy that was some challenge, I appreciate your help. I was able to run combofix after re-downloading (it said my first copy was compromised). It went through and found wbma01bf (but not the other CMZ VMKD). I was then able to run malwarebytes, which was certainly a sight for sore eyes. It found 24 infections. Most were "relatively harmless" but a few were trojans that I'm sure were making my life miserable. After rebooting I ran it again just to make sure. As a side note/FYI, the files that I tried to run before (including Internet Explorer, and a bunch of others) were still in their non-working state. They still came up saying the file was either missing or didn't have access. After some head scratching, I thought about the statement regarding permission. After having run into this on a previous machine, I booted into safe mode and checked the ownership of the files. The owner was the default administrator, and the permissions, i.e. all, read, modify were blank. I went through each and made sure ownership and "inheritance/permissions" were correct and everything is working OK. Thank you again for the time and effort. REM
  8. Well, I thought I had it! I deleted the two registry entries and then rebooted and there they were.....just as they were before I deleted them. Needless to say all of the exe files that were disabled are still locked. I checked all of the load* and Run* entries in the registry and nothing looks out of the ordinary. Not sure where and when this puppy is reloading, but it is certainly putting itself back in the registry somehow. I'm guessing it's lodged in the MBR. I was unable to get the log from MBR.EXE since it disabled that as well. HMMM
  9. As far as the task manager, that is where I hoped to find it from the beginning. Unfortunately it has "disguised" itself as one of a number of Svchost entries. I was able to pin down the one that contains the bad guy, but when I went to end the process it did NOTHING. It refused to go away. Under the HKEY_LOCAL_MACHINE\Software section of the registry there is no W32 or any mention of vbma that I can find....and I looked pretty hard. What I do see is under HKEY_LOCAL_MACHINE\Software\system\controlset001\services\vbma01bf is this: NOT SURE IF I'M ATTACHING OR INSERTING THE IMAGE Under HKEY_LOCAL_MACHINE\Software\system\controlset003\services\vbma01bf there is a second entry under enum. It has an ominous mention of ROOT as you can see on my screen capture. All I can see is maybe whacking these entries and seeing if things unlock. I may be way off base, just a thought. Thanks
  10. LD. I'm really trying to NOT do anything that will make the machine inoperable, but do you think it would do any good to delete the two entries in the registry under controlset001 and controlset003 that point to the vbam01bf entry? Maybe it will then unlock the sys file in the windows\system32\drivers folder and allow me to delete it. I'm holding off till I hear back, but would seem to make some sense. Thanks
  11. OK......Here it is! Once again it sees it and says it will take care of it after reboot, but no such luck.

     2011/01/04 13:45:45.0734  TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
     2011/01/04 13:45:45.0734  ================================================================================
     2011/01/04 13:45:45.0734  SystemInfo:
     2011/01/04 13:45:45.0734
     2011/01/04 13:45:45.0734  OS Version: 5.1.2600 ServicePack: 3.0
     2011/01/04 13:45:45.0734  Product type: Workstation
     2011/01/04 13:45:45.0734  ComputerName: YOUR-0CDC4F5844
     2011/01/04 13:45:45.0734  UserName: owner
     2011/01/04 13:45:45.0734  Windows directory: C:\WINDOWS
     2011/01/04 13:45:45.0734  System windows directory: C:\WINDOWS
     2011/01/04 13:45:45.0734  Processor architecture: Intel x86
     2011/01/04 13:45:45.0734  Number of processors: 2
     2011/01/04 13:45:45.0734  Page size: 0x1000
     2011/01/04 13:45:45.0734  Boot type: Normal boot
     2011/01/04 13:45:45.0734  ================================================================================
     2011/01/04 13:45:45.0937  Initialize success
     2011/01/04 13:47:47.0562  ================================================================================
     2011/01/04 13:47:47.0562  Scan started
     2011/01/04 13:47:47.0562  Mode: Manual;
     2011/01/04 13:47:47.0562  ================================================================================
     2011/01/04 13:47:48.0218  5U870CAP_VID_1262&PID_25FD (d2142fee659d97b2b05820f21594bfe2) C:\WINDOWS\system32\Drivers\5U870CAP.sys
     2011/01/04 13:47:48.0296  Aavmker4 (8d488938e2f7048906f1fbd3af394887) C:\WINDOWS\system32\drivers\Aavmker4.sys
     2011/01/04 13:47:48.0343  abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
     2011/01/04 13:47:48.0390  ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
     2011/01/04 13:47:48.0421  ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
     2011/01/04 13:47:48.0468  adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
     2011/01/04 13:47:48.0500  aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
     2011/01/04 13:47:48.0546  AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
     2011/01/04 13:47:48.0593  agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
     2011/01/04 13:47:48.0609  agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
     2011/01/04 13:47:48.0640  Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
     2011/01/04 13:47:48.0671  aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
     2011/01/04 13:47:48.0703  aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
     2011/01/04 13:47:48.0750  AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
     2011/01/04 13:47:48.0796  alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
     2011/01/04 13:47:48.0812  amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
     2011/01/04 13:47:48.0859  AmdK8 (0a4d13b388c814560bd69c3a496ecfa8) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
     2011/01/04 13:47:48.0906  amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
     2011/01/04 13:47:48.0953  Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
     2011/01/04 13:47:49.0000  asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
     2011/01/04 13:47:49.0031  asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
     2011/01/04 13:47:49.0046  asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
     2011/01/04 13:47:49.0125  aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\WINDOWS\system32\drivers\aswFsBlk.sys
     2011/01/04 13:47:49.0156  aswMon2 (7d880c76a285a41284d862e2d798ec0d) C:\WINDOWS\system32\drivers\aswMon2.sys
     2011/01/04 13:47:49.0187  aswRdr (69823954bbd461a73d69774928c9737e) C:\WINDOWS\system32\drivers\aswRdr.sys
     2011/01/04 13:47:49.0234  aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\WINDOWS\system32\drivers\aswSP.sys
     2011/01/04 13:47:49.0281  aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\WINDOWS\system32\drivers\aswTdi.sys
     2011/01/04 13:47:49.0328  AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
     2011/01/04 13:47:49.0375  atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
     2011/01/04 13:47:49.0421  Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
     2011/01/04 13:47:49.0468  audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
     2011/01/04 13:47:49.0593  BCM43XX (37f385a93c620cbe0f89c17e45f697a1) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
     2011/01/04 13:47:49.0687  Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
     2011/01/04 13:47:49.0765  BTWUSB (4272bab9291d26da5ac913bc79c3ce85) C:\WINDOWS\system32\Drivers\btwusb.sys
     2011/01/04 13:47:49.0796  cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
     2011/01/04 13:47:49.0812  cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
     2011/01/04 13:47:49.0859  CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
     2011/01/04 13:47:49.0890  cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
     2011/01/04 13:47:49.0921  Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
     2011/01/04 13:47:49.0968  Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
     2011/01/04 13:47:50.0000  Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
     2011/01/04 13:47:50.0078  CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
     2011/01/04 13:47:50.0109  CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
     2011/01/04 13:47:50.0140  Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
     2011/01/04 13:47:50.0187  Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
     2011/01/04 13:47:50.0234  dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
     2011/01/04 13:47:50.0265  dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
     2011/01/04 13:47:50.0328  Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
     2011/01/04 13:47:50.0406  dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
     2011/01/04 13:47:50.0453  dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
     2011/01/04 13:47:50.0484  dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
     2011/01/04 13:47:50.0515  DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
     2011/01/04 13:47:50.0562  dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
     2011/01/04 13:47:50.0609  drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
     2011/01/04 13:47:50.0656  eabfiltr (b5cb3084046146fd2587d8c9b219feb4) C:\WINDOWS\system32\DRIVERS\eabfiltr.sys
     2011/01/04 13:47:50.0687  eabusb (231f4547ae1e4b3e60eca66c3a96d218) C:\WINDOWS\system32\DRIVERS\eabusb.sys
     2011/01/04 13:47:50.0750  elagopro (7ec42ec12a4bac14bcca99fb06f2d125) C:\WINDOWS\system32\DRIVERS\elagopro.sys
     2011/01/04 13:47:50.0796  elaunidr (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\elaunidr.sys
     2011/01/04 13:47:50.0843  Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
     2011/01/04 13:47:50.0890  Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
     2011/01/04 13:47:50.0921  Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
     2011/01/04 13:47:50.0937  Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
     2011/01/04 13:47:51.0000  FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
     2011/01/04 13:47:51.0046  Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
     2011/01/04 13:47:51.0078  Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
     2011/01/04 13:47:51.0125  GEARAspiWDM (ab8a6a87d9d7255c3884d5b9541a6e80) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
     2011/01/04 13:47:51.0171  Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
     2011/01/04 13:47:51.0234  HBtnKey (4d4d97671c63c3af869b3518e6054204) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
     2011/01/04 13:47:51.0296  HdAudAddService (2a6e9a118da2dd0439551a7eb3a8f65e) C:\WINDOWS\system32\drivers\CHDAud.sys
     2011/01/04 13:47:51.0359  HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
     2011/01/04 13:47:51.0406  HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
     2011/01/04 13:47:51.0437  hitmanpro35 (30b90793a568281bef70fa57dde305a2) C:\WINDOWS\system32\drivers\hitmanpro35.sys
     2011/01/04 13:47:51.0468  hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
     2011/01/04 13:47:51.0515  HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
     2011/01/04 13:47:51.0578  HSFHWAZL (8e60293c44e3f6f7f09defb60023a37d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
     2011/01/04 13:47:51.0640  HSF_DPV (4c2aab15ad6229134f70e5c950e6185c) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
     2011/01/04 13:47:51.0750  HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
     2011/01/04 13:47:51.0796  i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
     2011/01/04 13:47:51.0828  i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
     2011/01/04 13:47:51.0875  i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
     2011/01/04 13:47:51.0953  iaStor
(309c4d86d989fb1fcf64bd30dc81c51b) C:\WINDOWS\system32\DRIVERS\iaStor.sys 2011/01/04 13:47:52.0046 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys 2011/01/04 13:47:52.0093 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys 2011/01/04 13:47:52.0125 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys 2011/01/04 13:47:52.0171 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys 2011/01/04 13:47:52.0218 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 2011/01/04 13:47:52.0265 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys 2011/01/04 13:47:52.0312 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys 2011/01/04 13:47:52.0343 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys 2011/01/04 13:47:52.0390 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys 2011/01/04 13:47:52.0437 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys 2011/01/04 13:47:52.0500 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys 2011/01/04 13:47:52.0515 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys 2011/01/04 13:47:52.0562 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys 2011/01/04 13:47:52.0625 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys 2011/01/04 13:47:52.0734 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 2011/01/04 13:47:52.0796 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys 2011/01/04 13:47:52.0828 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys 2011/01/04 13:47:52.0890 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys 
2011/01/04 13:47:52.0937 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\WINDOWS\system32\DRIVERS\motccgp.sys 2011/01/04 13:47:52.0968 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys 2011/01/04 13:47:53.0015 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys 2011/01/04 13:47:53.0062 motport (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motport.sys 2011/01/04 13:47:53.0109 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys 2011/01/04 13:47:53.0140 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys 2011/01/04 13:47:53.0187 MQAC (70c14f5cca5cf73f8a645c73a01d8726) C:\WINDOWS\system32\drivers\mqac.sys 2011/01/04 13:47:53.0234 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys 2011/01/04 13:47:53.0281 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys 2011/01/04 13:47:53.0343 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 2011/01/04 13:47:53.0390 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys 2011/01/04 13:47:53.0421 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys 2011/01/04 13:47:53.0468 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys 2011/01/04 13:47:53.0500 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys 2011/01/04 13:47:53.0531 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys 2011/01/04 13:47:53.0578 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys 2011/01/04 13:47:53.0625 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys 2011/01/04 13:47:53.0671 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys 2011/01/04 13:47:53.0718 NDIS (1df7f42665c94b825322fae71721130d) 
C:\WINDOWS\system32\drivers\NDIS.sys 2011/01/04 13:47:53.0750 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys 2011/01/04 13:47:53.0781 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys 2011/01/04 13:47:53.0812 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys 2011/01/04 13:47:53.0828 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys 2011/01/04 13:47:53.0890 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys 2011/01/04 13:47:53.0921 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys 2011/01/04 13:47:53.0953 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys 2011/01/04 13:47:54.0015 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys 2011/01/04 13:47:54.0046 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys 2011/01/04 13:47:54.0078 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys 2011/01/04 13:47:54.0156 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys 2011/01/04 13:47:54.0328 nv (bbb8ab2ffd7a79cd9d7751008e3de579) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 2011/01/04 13:47:54.0500 nvata (3ac5eedd35b7437d53960f3998bfa462) C:\WINDOWS\system32\DRIVERS\nvata.sys 2011/01/04 13:47:54.0531 NVENETFD (22eedb34c4d7613a25b10c347c6c4c21) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys 2011/01/04 13:47:54.0546 nvnetbus (5e3f6ad5cad0f12d3cccd06fd964087a) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys 2011/01/04 13:47:54.0578 nvsmu (e0f76fab86fec98778047d0c7c39cbb9) C:\WINDOWS\system32\DRIVERS\nvsmu.sys 2011/01/04 13:47:54.0625 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 2011/01/04 13:47:54.0656 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 2011/01/04 13:47:54.0718 ohci1394 
(ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys 2011/01/04 13:47:54.0765 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys 2011/01/04 13:47:54.0796 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys 2011/01/04 13:47:54.0843 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys 2011/01/04 13:47:54.0875 pavboot (3adb8bd6154a3ef87496e8fce9c22493) C:\WINDOWS\system32\drivers\pavboot.sys 2011/01/04 13:47:54.0906 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys 2011/01/04 13:47:54.0953 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys 2011/01/04 13:47:54.0968 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys 2011/01/04 13:47:55.0046 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys 2011/01/04 13:47:55.0078 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys 2011/01/04 13:47:55.0156 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys 2011/01/04 13:47:55.0187 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys 2011/01/04 13:47:55.0218 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys 2011/01/04 13:47:55.0265 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys 2011/01/04 13:47:55.0296 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys 2011/01/04 13:47:55.0312 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys 2011/01/04 13:47:55.0343 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys 2011/01/04 13:47:55.0375 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys 2011/01/04 13:47:55.0390 ql1280 (907f0aeea6bc451011611e732bd31fcf) 
C:\WINDOWS\system32\DRIVERS\ql1280.sys 2011/01/04 13:47:55.0421 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys 2011/01/04 13:47:55.0468 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 2011/01/04 13:47:55.0500 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys 2011/01/04 13:47:55.0531 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys 2011/01/04 13:47:55.0578 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys 2011/01/04 13:47:55.0609 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 2011/01/04 13:47:55.0640 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys 2011/01/04 13:47:55.0687 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys 2011/01/04 13:47:55.0734 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys 2011/01/04 13:47:55.0781 rimmptsk (7a6648b61661b1421ffab762e391e33f) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys 2011/01/04 13:47:55.0812 rimsptsk (8f7012d1b6a71ee9c23ce93dcdbf9f4b) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys 2011/01/04 13:47:55.0843 rismxdp (3ac17802740c3a4764dc9750e92e6233) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys 2011/01/04 13:47:55.0890 RMCAST (96f7a9a7bf0c9c0440a967440065d33c) C:\WINDOWS\system32\drivers\RMCast.sys 2011/01/04 13:47:55.0968 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS 2011/01/04 13:47:56.0031 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys 2011/01/04 13:47:56.0078 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys 2011/01/04 13:47:56.0125 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys 2011/01/04 13:47:56.0203 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys 2011/01/04 13:47:56.0218 sffp_sd 
(c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys 2011/01/04 13:47:56.0250 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys 2011/01/04 13:47:56.0312 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys 2011/01/04 13:47:56.0343 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys 2011/01/04 13:47:56.0406 snapman (c3bf55189aa92b8f919108ef9e4accae) C:\WINDOWS\system32\DRIVERS\snapman.sys 2011/01/04 13:47:56.0453 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys 2011/01/04 13:47:56.0484 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 2011/01/04 13:47:56.0515 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys 2011/01/04 13:47:56.0593 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys 2011/01/04 13:47:56.0640 SSHRMD (4d0e7a4befad963d3aecfac12fdeff16) C:\WINDOWS\system32\Drivers\SSHRMD.SYS 2011/01/04 13:47:56.0656 SSIDRV (43eeddc9b9b8accdb4a914ba893c73de) C:\WINDOWS\system32\Drivers\SSIDRV.SYS 2011/01/04 13:47:56.0703 SSKBFD (8564bc9598be1705477b7fa61d657c2b) C:\WINDOWS\system32\Drivers\sskbfd.sys 2011/01/04 13:47:56.0750 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys 2011/01/04 13:47:56.0796 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys 2011/01/04 13:47:56.0828 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 2011/01/04 13:47:56.0890 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys 2011/01/04 13:47:56.0921 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys 2011/01/04 13:47:56.0984 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys 2011/01/04 13:47:57.0015 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys 2011/01/04 
13:47:57.0062 SynTP (60cb9f7c95791fe56a6e86868f4467ba) C:\WINDOWS\system32\DRIVERS\SynTP.sys 2011/01/04 13:47:57.0093 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 2011/01/04 13:47:57.0187 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 2011/01/04 13:47:57.0218 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 2011/01/04 13:47:57.0265 tdrpman (3b7b6779eb231f731bba8f9fe67aadfc) C:\WINDOWS\system32\DRIVERS\tdrpman.sys 2011/01/04 13:47:57.0312 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 2011/01/04 13:47:57.0359 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys 2011/01/04 13:47:57.0421 tifsfilter (b0b3122bff3910e0ba97014045467778) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys 2011/01/04 13:47:57.0453 timounter (13bfe330880ac0ce8672d00aa5aff738) C:\WINDOWS\system32\DRIVERS\timntr.sys 2011/01/04 13:47:57.0484 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys 2011/01/04 13:47:57.0546 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 2011/01/04 13:47:57.0593 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys 2011/01/04 13:47:57.0656 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys 2011/01/04 13:47:57.0718 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys 2011/01/04 13:47:57.0750 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys 2011/01/04 13:47:57.0781 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys 2011/01/04 13:47:57.0812 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys 2011/01/04 13:47:57.0859 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys 2011/01/04 13:47:57.0921 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) 
C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/04 13:47:57.0953 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/04 13:47:57.0984 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/04 13:47:58.0031 vbma01bf (e2ca93b65ea2a1a5db5585690e943fbd) C:\WINDOWS\system32\drivers\vbma01bf.sys
2011/01/04 13:47:58.0031 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbma01bf.sys. md5: e2ca93b65ea2a1a5db5585690e943fbd
2011/01/04 13:47:58.0031 vbma01bf - detected Locked file (1)
2011/01/04 13:47:58.0078 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/04 13:47:58.0125 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/01/04 13:47:58.0156 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/01/04 13:47:58.0171 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/04 13:47:58.0250 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/04 13:47:58.0312 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/01/04 13:47:58.0375 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/04 13:47:58.0468 winachsf (e17d31cd52dcb7745ac5330eea062d0b) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/01/04 13:47:58.0562 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/01/04 13:47:58.0625 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/01/04 13:47:58.0703 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/01/04 13:47:58.0750 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/04 13:47:58.0796 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/04 13:47:58.0875 ================================================================================
2011/01/04 13:47:58.0875 Scan finished
2011/01/04 13:47:58.0875 ================================================================================
2011/01/04 13:47:58.0890 Detected object count: 1
2011/01/04 13:48:07.0562 HKLM\SYSTEM\ControlSet001\services\vbma01bf - will be deleted after reboot
2011/01/04 13:48:07.0562 HKLM\SYSTEM\ControlSet003\services\vbma01bf - will be deleted after reboot
2011/01/04 13:48:07.0562 C:\WINDOWS\system32\drivers\vbma01bf.sys - will be deleted after reboot
2011/01/04 13:48:07.0562 Locked file(vbma01bf) - User select action: Delete
2011/01/04 13:50:08.0531 Deinitialize success
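The log above ends with one locked driver and three artifacts (two service keys and the .sys file) queued for deletion at reboot. As an added example, not part of the original post and not TDSSKiller's own code, the Python below parses lines in that format, correlates the "Suspicious file" and "detected" lines with the enumerated driver entry, and compares a later rescan against the first run to report whether the queued deletion actually took. The sample log lines are constructed to mirror the shapes shown in the post; the regexes and the path-to-name correlation are assumptions about the log format, not documented TDSSKiller behaviour.

```python
"""Triage helpers for TDSSKiller-style scan logs (added example; not TDSSKiller's code)."""
import re
from dataclasses import dataclass, field

# Constructed sample lines that mirror the line shapes seen in the posted log.
SCAN_LOG = r"""
2011/01/04 13:47:57.0953 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/04 13:47:58.0031 vbma01bf (e2ca93b65ea2a1a5db5585690e943fbd) C:\WINDOWS\system32\drivers\vbma01bf.sys
2011/01/04 13:47:58.0031 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbma01bf.sys. md5: e2ca93b65ea2a1a5db5585690e943fbd
2011/01/04 13:47:58.0031 vbma01bf - detected Locked file (1)
2011/01/04 13:47:58.0078 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/04 13:47:58.0890 Detected object count: 1
2011/01/04 13:48:07.0562 HKLM\SYSTEM\ControlSet001\services\vbma01bf - will be deleted after reboot
2011/01/04 13:48:07.0562 HKLM\SYSTEM\ControlSet003\services\vbma01bf - will be deleted after reboot
2011/01/04 13:48:07.0562 C:\WINDOWS\system32\drivers\vbma01bf.sys - will be deleted after reboot
2011/01/04 13:48:07.0562 Locked file(vbma01bf) - User select action: Delete
"""
# Constructed rescan after reboot: the locked driver is enumerated again (deletion did not take).
RESCAN_LOG = r"""
2011/01/05 09:02:11.0100 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/05 09:02:11.0150 vbma01bf (e2ca93b65ea2a1a5db5585690e943fbd) C:\WINDOWS\system32\drivers\vbma01bf.sys
2011/01/05 09:02:11.0150 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbma01bf.sys. md5: e2ca93b65ea2a1a5db5585690e943fbd
2011/01/05 09:02:11.0150 vbma01bf - detected Locked file (1)
"""
# Constructed rescan in which the driver is gone.
CLEAN_RESCAN_LOG = r"""
2011/01/05 09:30:00.0000 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/05 09:30:00.0050 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
"""

# Assumed line shapes (derived from the posted log, not from TDSSKiller documentation).
TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}"
DRIVER_RE = re.compile(TS + r" (?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
SUSPICIOUS_RE = re.compile(r"Suspicious file \((?P<reason>[^)]+)\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})$")
DETECTED_RE = re.compile(TS + r" (?P<name>\S+) - detected (?P<what>.+?) \(\d+\)$")
PENDING_RE = re.compile(TS + r" (?P<artifact>.+?) - will be deleted after reboot$")
ACTION_RE = re.compile(r"Locked file\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$")


@dataclass
class Finding:
    name: str                  # service/driver name as the scanner reports it
    md5: str = ""
    path: str = ""
    reason: str = ""           # text inside the parentheses of the "Suspicious file" line
    detected_as: str = ""      # e.g. "Locked file"
    action: str = ""           # action the user chose, if the log records one
    pending: list = field(default_factory=list)  # artifacts queued for deletion at reboot


@dataclass
class ScanReport:
    drivers: dict = field(default_factory=dict)   # name -> (md5, path)
    findings: dict = field(default_factory=dict)  # name -> Finding


def _name_for_path(report, path):
    """Map a file path back to the enumerated driver name (case-insensitive), else the file stem."""
    for name, (_, p) in report.drivers.items():
        if p.lower() == path.lower():
            return name
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def parse_tdss_log(text):
    """Build a ScanReport from log text; unknown line shapes are ignored."""
    report = ScanReport()
    for line in text.splitlines():
        line = line.strip()
        if m := DRIVER_RE.match(line):
            report.drivers[m["name"]] = (m["md5"], m["path"])
        elif m := SUSPICIOUS_RE.search(line):
            f = report.findings.setdefault(_name_for_path(report, m["path"]), Finding(""))
            f.name = f.name or _name_for_path(report, m["path"])
            f.md5, f.path, f.reason = m["md5"], m["path"], m["reason"]
        elif m := DETECTED_RE.match(line):
            report.findings.setdefault(m["name"], Finding(m["name"])).detected_as = m["what"]
        elif m := ACTION_RE.search(line):
            report.findings.setdefault(m["name"], Finding(m["name"])).action = m["action"]
        elif m := PENDING_RE.match(line):
            for f in report.findings.values():  # attach the artifact to the finding it names
                if f.name.lower() in m["artifact"].lower():
                    f.pending.append(m["artifact"])
    return report


def hash_mismatches(report):
    """Findings whose 'Suspicious file' md5 differs from the md5 on the enumeration line."""
    return [f.name for f in report.findings.values()
            if f.name in report.drivers and f.md5 and report.drivers[f.name][0] != f.md5]


def still_present(before, after):
    """Names queued for deletion in `before` that are enumerated again in `after`.
    Empty means the reboot-time deletion took; non-empty means the locked driver survived."""
    after_paths = {p.lower() for _, p in after.drivers.values()}
    return sorted(f.name for f in before.findings.values()
                  if f.pending and (f.name in after.drivers or f.path.lower() in after_paths))


if __name__ == "__main__":
    first = parse_tdss_log(SCAN_LOG)
    for f in first.findings.values():
        print(f"{f.name}: {f.detected_as} ({f.reason}) md5={f.md5} action={f.action}")
        for artifact in f.pending:
            print("   queued for deletion:", artifact)
    print("hash mismatches:", hash_mismatches(first))
    print("still present after reboot:", still_present(first, parse_tdss_log(RESCAN_LOG)))
```

Run it against the two logs you actually have (the first scan and a rescan after the reboot) instead of the constructed samples; a non-empty `still_present` result is the concrete evidence that the "will be deleted after reboot" entries did not take effect, which is the situation described in the posts that follow.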
  12. Hello LD, Well, no luck. I ran TDSSKiller and it says, as it has before, that it found the culprit (Vbma01bf.sys and two "services") and that it would delete after reboot. It doesn't. I tried running it in safe and regular mode, I tried quarantine as well as delete. I even found the file in the C:\Windows\System32\Driver directory and tried to delete it manually. It came back saying the file was in use. One interesting thing I noticed in the properties of the file is that it has an entry in the security section for a user called "Power User". Maybe this is normal, just wondering if that is how it is hiding. Persistent bugger.
  13. Sorry. Here are a few that didn't make the first screen capture.
  14. LD, I don't have anything that looks like those entries under the hidden PNP devices. Everything looks somewhat normal (there is a WDF01000 that looks suspicious). Attached is a "capture" of the hidden PNP devices. Maybe something sticks out.
  15. Good Morning LDTate. You are correct, ComboFix would not run. Like everything else, it started to, then it just disappeared. I then ran the MBR command as you had in your post c:\mbr.exe -t >>"C:\mbr.log" It did "quickly" go back to the C prompt. I checked the MBR.LOG in the root directory of my drive and it was there but contained nothing, 0 bytes! Looks like this rootkit also caused MBR.EXE to start but terminate early. I really don't like this infection......it's damn stubborn. Thanks for your continued assistance.