Infected: *tssd, Trojan.Vundo, Search Assistant



Windows XP SP3

I think I have a few separate issues. They may be related, but I'm not an expert, so I don't know. This is all the information that I can gather.

Symptoms:

  • Get an error that the program I am running (e.g. Lotus Notes, explorer.exe, etc.). I have no option other than to close the program and restart it. However, I have found that I can just push the error message aside and just continue what I was doing.
  • This malware keeps adding folders to my C:\Documents and Settings\NetworkService\Local Settings\Application Data\ and C:\Documents and Settings\(username)\Local Settings\Application Data and then an exe file with what seems like random letters then "tssd" at the end of them (e.g. \ygdktpcsgtssd\gudcfhytssd.exe). It will delete the .exe file before I can get to it, but I know it's doing this because of what I found in the registry.
  • It keeps adding to the registry the following keys
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\(random letters it seems)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\(random letters)+tssd
    I delete them manually, but they come back every time I restart my computer.
  • I randomly get errors that a program has to close due to some error, but it's somewhat fake. What I mean by that, the program is responding fine, but if I ignore the error and push it off to the side, it keeps running. However, if I do hit "close" on the error, the program will actually close.
    I usually get "CTFMon" "Run as DLL" errors when I start up. The rest seem to be random.
  • It constantly changes my security settings on IE to do some really insecure things.
  • The HDD will go under a high amount of processing and just not stop. According to some information I read about Vundo, it's trying to get away from whatever program is trying to erase it by creating hundreds of files.
  • Google search URLs get redirected to some stupid spam site
  • Random websites will also pop up as I am on the internet.
MBAM keeps finding the Trojan.Vundo, but it never goes away. It will find 3 infections, quarantine and delete them, but they come back in a few hours.

I have tried using Symantec's "fixvundo" application, but that did not get rid of it.

I run the licensed version of Spyware Doctor, and that usually finds nothing but some low risk cookies.

I have attached my HijackThis log.

Thank you very much for your time and help. I hope someone can fix my problem.

==============================================
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:53:28 AM, on 7/27/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17055)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\SPA\snac.exe
    C:\Program Files\Symantec\SPA\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Altiris\AClient\AClient.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Lotus\Notes\nsd.exe
    C:\Program Files\Lotus\Notes\nslsvice.exe
    C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\Program Files\ohwhat\pctsAuxs.exe
    C:\Program Files\ohwhat\pctsSvc.exe
    C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
    C:\Program Files\ohwhat\pctsTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\SPA\SmcGui.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Altiris\AClient\AClntUsr.EXE
    C:\Program Files\McAfee\Common Framework\udaterui.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\bdeqjhinr\ljmaelctssd.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Printkey.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\dwwin.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\japmds\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.lvs.dupont.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www1.lvs.dupont.com/home/proxy.auto
    O1 - Hosts: 52.99.2.54 csdux90
    O1 - Hosts: 52.99.88.83 csdux92
    O1 - Hosts: 52.99.240.4 gsdda01
    O1 - Hosts: 52.99.240.142 rsdix01
    O1 - Hosts: 52.99.240.143 rsdix02
    O1 - Hosts: 52.99.240.144 rsdix03
    O2 - BHO: Street-Ads Browser Enhancer qbugp - {F3149B6E-96B9-427E-9CC1-36EF2A090F22} - C:\WINDOWS\system32\qbugp.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\ohwhat\BDT\PCTBrowserDefender.dll
    O4 - HKLM\..\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [iSTray] "C:\Program Files\ohwhat\pctsTray.exe"
    O4 - HKLM\..\Run: [Tgujibiduke] rundll32.exe "C:\WINDOWS\ehevidif.dll",Startup
    O4 - HKLM\..\Run: [sta] rundll32 "ubugp.dll",,Run
    O4 - HKLM\..\Run: [MChk] C:\WINDOWS\system32\lbugp.exe
    O4 - HKLM\..\Run: [khigedsys] rundll32.exe "fccddc.dll",DllRegisterServer
    O4 - HKLM\..\Run: [lkwkwmpf] C:\Documents and Settings\f(user name)\Local Settings\Application Data\uniatilqf\jyanmnqtssd.exe
    O4 - HKLM\..\Run: [lebkjwdq] C:\Documents and Settings\NetworkService\Local Settings\Application Data\bdeqjhinr\ljmaelctssd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\(user name)\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [070700Setup.exe] C:\Documents and Settings\(user name)\Application Data\DA29E9CE908923FB00642FC401886F2C\070700Setup.exe
    O4 - HKCU\..\Run: [Ohigo] rundll32.exe "C:\WINDOWS\w3dicd.dll",Startup
    O4 - HKCU\..\Run: [iSUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [lkwkwmpf] C:\Documents and Settings\(user name)\Local Settings\Application Data\uniatilqf\jyanmnqtssd.exe
    O4 - HKUS\S-1-5-18\..\Run: [efcyvusys] rundll32.exe "fccddc.dll",DllRegisterServer (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [lebkjwdq] C:\Documents and Settings\NetworkService\Local Settings\Application Data\bdeqjhinr\ljmaelctssd.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [sSAWrapper] C:\WINDOWS\TEMP\sg_rd.bat (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [efcyvusys] rundll32.exe "fccddc.dll",DllRegisterServer (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [sSAWrapper] C:\WINDOWS\TEMP\sg_rd.bat (User 'Default user')
    O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
    O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
    O4 - Global Startup: Printkey.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {D09FD7B8-ED84-11D5-B755-00001C3AC034} (EtQOfficeInt.General) - http://cdcln47.lvs.dupont.com/40cpm//EtQOfficeInt.CAB
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dupontnet.net
    O17 - HKLM\Software\..\Telephony: DomainName = dupontnet.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dupontnet.net
    O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\ohwhat\BDT\BDTUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lotus Notes Diagnostics - IBM - C:\Program Files\Lotus\Notes\nsd.exe
    O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\Lotus\Notes\nslsvice.exe
    O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
    O23 - Service: Reflection Servers - WRQ, Inc. - C:\Program Files\Reflection\rninetd.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\ohwhat\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\ohwhat\pctsSvc.exe
    O23 - Service: Symantec Protection Agent 5.1 (SmcService) - Symantec Corporation - C:\Program Files\Symantec\SPA\smc.exe
    O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - C:\Program Files\Symantec\SPA\snac.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
    O23 - Service: VTingWinIe - Unknown owner - C:\WINDOWS\system32\drivers\svchost.exe (file missing)
    --
    End of file - 10702 bytes
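Editor's note: the persistence pattern described in the post above (a randomly named folder under Local Settings\Application Data holding a *tssd.exe, Run values under HKLM and under the SYSTEM/Default hives, and rundll32 loading DLLs by bare name or from the C:\WINDOWS root) can be turned into a small triage check over HijackThis O4 lines. The script below is an added example written for this page; it is not part of the original post and not HijackThis code. The regular expressions, the reason strings and the sample lines (copied from the log above) are my own constructions.

```python
import re
from typing import Optional

# Constructed sample: a handful of O4 lines copied from the HijackThis log in this thread.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Tgujibiduke] rundll32.exe "C:\WINDOWS\ehevidif.dll",Startup
O4 - HKLM\..\Run: [sta] rundll32 "ubugp.dll",,Run
O4 - HKLM\..\Run: [lebkjwdq] C:\Documents and Settings\NetworkService\Local Settings\Application Data\bdeqjhinr\ljmaelctssd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [sSAWrapper] C:\WINDOWS\TEMP\sg_rd.bat (User 'SYSTEM')
O4 - Global Startup: Printkey.exe
""".strip().splitlines()

# Shape of a registry-based O4 line: "O4 - <hive>\..\<Run|RunOnce>: [<name>] <command> (User '<user>')"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Dropper layout from the first post: <random>\<random>tssd.exe under Local Settings\Application Data
TSSD_RE = re.compile(r"\\Local Settings\\Application Data\\[a-z]+\\[a-z]+tssd\.exe$", re.I)
# rundll32 invocations: capture the DLL argument, quoted or not
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.I)


def parse_o4(line: str) -> Optional[dict]:
    """Split a HijackThis O4 registry-run line into hive, key, value name, command and user.
    Global Startup lines have no registry hive and return None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_reasons(entry: dict) -> list:
    """Return the indicators from this thread that the entry matches (empty list = nothing flagged)."""
    reasons = []
    cmd = entry["cmd"].strip().strip('"')
    if TSSD_RE.search(cmd):
        reasons.append("tssd dropper under Local Settings\\Application Data")
    rd = RUNDLL_RE.match(cmd)
    if rd:
        dll = rd.group("dll")
        if "\\" not in dll:
            # A bare file name is resolved through the DLL search order, not a fixed path.
            reasons.append("rundll32 loads DLL by bare name (resolved via search path)")
        elif dll.lower().startswith("c:\\windows\\") and "\\system32\\" not in dll.lower():
            reasons.append("rundll32 loads DLL from C:\\WINDOWS root instead of system32")
    if entry["hive"].upper().startswith("HKUS") and ("\\TEMP\\" in cmd.upper() or TSSD_RE.search(cmd)):
        # Autoruns for SYSTEM / the Default profile normally point at Program Files or system32.
        reasons.append("SYSTEM/Default-profile autorun pointing at TEMP or a user profile")
    return reasons


def triage(lines) -> dict:
    """Map value name -> reasons for every parsed O4 entry that trips at least one indicator."""
    findings = {}
    for line in lines:
        entry = parse_o4(line)
        if entry and (reasons := suspicious_reasons(entry)):
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_O4).items():
        print(f"[{name}]")
        for r in reasons:
            print("   ", r)
```

Run as-is it flags Tgujibiduke, sta, lebkjwdq and sSAWrapper and leaves igfxTray and ctfmon.exe alone. The checks are heuristics for the indicators named in this thread, not a general malware classifier; a match is a reason to look closer, not a verdict.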


Hi waitaminute And Welcome to Malwarebytes Forum!

Appears you have a bad case of Vundo with a rootkit.

Download TDSSKiller and save it to your Desktop.

  • Right click on the file and choose Extract All, extract the file to your desktop, then run it.
  • If prompted to restart the computer type in Y then it will restart.
  • Or if you are prompted with a hidden service warning do go ahead and delete it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log


Hi Kenny94

Thank you very much for your quick response.

Just to let you know, I think this malware is already wise to the fixer program you posted to me. When I tried to extract the files to my system, it only copied the text file. It was when I renamed the file to something unrelated that I was able to extract them.

Ok, that said, I ran the file you suggested and I think it found the malware you are talking about. It told me to reboot my computer as it will remove something else when I do so, and I did that. After my computer came back on, it still has errors that say it needs to close random programs. Some of the other symptoms are also there still like my hard drive is constantly accessing something and random other webpages will open. So, I'm not sure that this removed my problem here. It seems like this infection has taken measures to block things that try to remove it.

I ran MBAM again and that also still finds the Vundo Trojan. I will post my MBAM log in separate reply to this thread.

Once again, thank you very much for your support.

==================

2010/07/27 13:51:32.0457 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49

2010/07/27 13:51:32.0457 ================================================================================

2010/07/27 13:51:32.0457 SystemInfo:

2010/07/27 13:51:32.0457

2010/07/27 13:51:32.0457 OS Version: 5.1.2600 ServicePack: 3.0

2010/07/27 13:51:32.0457 Product type: Workstation

2010/07/27 13:51:32.0457 ComputerName: (omitted)

2010/07/27 13:51:32.0457 UserName: (omitted)

2010/07/27 13:51:32.0457 Windows directory: C:\WINDOWS

2010/07/27 13:51:32.0457 System windows directory: C:\WINDOWS

2010/07/27 13:51:32.0457 Processor architecture: Intel x86

2010/07/27 13:51:32.0457 Number of processors: 2

2010/07/27 13:51:32.0457 Page size: 0x1000

2010/07/27 13:51:32.0457 Boot type: Normal boot

2010/07/27 13:51:32.0457 ================================================================================

2010/07/27 13:51:32.0848 Initialize success

2010/07/27 13:51:36.0004 ================================================================================

2010/07/27 13:51:36.0004 Scan started

2010/07/27 13:51:36.0004 Mode: Manual;

2010/07/27 13:51:36.0004 ================================================================================

2010/07/27 13:51:36.0661 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/07/27 13:51:36.0801 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/07/27 13:51:36.0911 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/07/27 13:51:36.0989 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/07/27 13:51:37.0176 AlKernel (06112696a1b06692939cf087d1f1c84e) C:\WINDOWS\system32\Drivers\AlKernel.sys

2010/07/27 13:51:37.0301 ApfiltrService (350f19eb5fe4ec37a2414df56cde1aa8) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys

2010/07/27 13:51:37.0379 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2010/07/27 13:51:37.0489 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/07/27 13:51:37.0598 atapi (9674f1315474f821e35d46e941e784f6) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/07/27 13:51:37.0598 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 9674f1315474f821e35d46e941e784f6, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674

2010/07/27 13:51:37.0598 atapi - detected Rootkit.Win32.TDSS.tdl3 (0)

2010/07/27 13:51:37.0661 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/07/27 13:51:37.0708 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/07/27 13:51:37.0770 b57w2k (71509c9db1a4b2c05141563fbe3e18a0) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

2010/07/27 13:51:37.0801 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/07/27 13:51:37.0848 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/07/27 13:51:37.0958 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/07/27 13:51:38.0020 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/07/27 13:51:38.0098 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/07/27 13:51:38.0239 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2010/07/27 13:51:38.0286 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2010/07/27 13:51:38.0411 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/07/27 13:51:38.0473 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/07/27 13:51:38.0551 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/07/27 13:51:38.0583 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/07/27 13:51:38.0645 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/07/27 13:51:38.0692 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/07/27 13:51:38.0755 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys

2010/07/27 13:51:38.0817 egxfilter (4643ef38587894b18e6bb73e7fbcf644) C:\WINDOWS\system32\DRIVERS\egxfilter.sys

2010/07/27 13:51:38.0880 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/07/27 13:51:38.0911 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/07/27 13:51:38.0942 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/07/27 13:51:38.0973 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/07/27 13:51:39.0083 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

2010/07/27 13:51:39.0114 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/07/27 13:51:39.0145 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/07/27 13:51:39.0208 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2010/07/27 13:51:39.0270 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/07/27 13:51:39.0333 guardian2 (c0bdab85f3e8b2138c513255e2bcc4d8) C:\WINDOWS\system32\Drivers\oz776.sys

2010/07/27 13:51:39.0411 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2010/07/27 13:51:39.0505 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/07/27 13:51:39.0645 HSFHWAZL (290cdbb05903742ea06b7203c5a662f5) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys

2010/07/27 13:51:39.0708 HSF_DPV (7ab812355f98858b9ecdd46e6fcc221f) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys

2010/07/27 13:51:39.0817 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/07/27 13:51:39.0880 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/07/27 13:51:40.0098 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

2010/07/27 13:51:40.0348 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/07/27 13:51:40.0458 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/07/27 13:51:40.0520 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/07/27 13:51:40.0583 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

2010/07/27 13:51:40.0661 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/07/27 13:51:40.0817 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/07/27 13:51:40.0942 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/07/27 13:51:41.0083 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/07/27 13:51:41.0145 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/07/27 13:51:41.0177 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/07/27 13:51:41.0239 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/07/27 13:51:41.0255 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2010/07/27 13:51:41.0317 klmd24 (6485ad0a17a0d6286b4d44c652adabb2) C:\WINDOWS\system32\drivers\klmd.sys

2010/07/27 13:51:41.0364 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/07/27 13:51:41.0473 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/07/27 13:51:41.0567 kuijhpg (914a3e13590c120fdd8edfc91790ba90) C:\WINDOWS\system32\drivers\kuijhpg.sys

2010/07/27 13:51:41.0567 Suspicious file (Forged): C:\WINDOWS\system32\drivers\kuijhpg.sys. Real md5: 914a3e13590c120fdd8edfc91790ba90, Fake md5: 7d5bc2f1f5d13b0f8fcf64679958a1f9

2010/07/27 13:51:41.0583 kuijhpg - detected Forged file (1)

2010/07/27 13:51:41.0848 MBAMSwissArmy (c7dd7d9739785bd3a6b8499eec1dee7e) C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2010/07/27 13:51:42.0098 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2010/07/27 13:51:42.0192 mfeapfk (4d81c0e4ed846e9a70b881891a5598ab) C:\WINDOWS\system32\drivers\mfeapfk.sys

2010/07/27 13:51:42.0255 mfeavfk (ff75f47ec2a9ea3e780a9d08daba1276) C:\WINDOWS\system32\drivers\mfeavfk.sys

2010/07/27 13:51:42.0270 mfebopk (5a3b000fdccf826ffb74e76b0474c856) C:\WINDOWS\system32\drivers\mfebopk.sys

2010/07/27 13:51:42.0302 mfehidk (8e6b4e55d3a33b92693f7081ec018c39) C:\WINDOWS\system32\drivers\mfehidk.sys

2010/07/27 13:51:42.0380 mferkdet (fa097d72a439c3a387fe38a654df44c5) C:\WINDOWS\system32\drivers\mferkdet.sys

2010/07/27 13:51:42.0411 mfetdik (a45d0c099a478de5cbd0d6e8466becd5) C:\WINDOWS\system32\drivers\mfetdik.sys

2010/07/27 13:51:42.0473 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/07/27 13:51:42.0505 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/07/27 13:51:42.0567 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/07/27 13:51:42.0598 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/07/27 13:51:42.0614 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/07/27 13:51:42.0677 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/07/27 13:51:42.0755 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/07/27 13:51:42.0833 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/07/27 13:51:42.0927 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/07/27 13:51:43.0020 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/07/27 13:51:43.0083 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/07/27 13:51:43.0145 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/07/27 13:51:43.0223 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/07/27 13:51:43.0317 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/07/27 13:51:43.0348 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/07/27 13:51:43.0411 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/07/27 13:51:43.0427 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/07/27 13:51:43.0458 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/07/27 13:51:43.0473 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/07/27 13:51:43.0489 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/07/27 13:51:43.0708 NETw5x32 (90f7fad201e62732cbe6625b07e4c8f1) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys

2010/07/27 13:51:43.0911 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2010/07/27 13:51:43.0958 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/07/27 13:51:44.0052 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/07/27 13:51:44.0130 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/07/27 13:51:44.0208 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/07/27 13:51:44.0239 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/07/27 13:51:44.0286 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/07/27 13:51:44.0349 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/07/27 13:51:44.0364 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/07/27 13:51:44.0395 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/07/27 13:51:44.0411 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/07/27 13:51:44.0458 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/07/27 13:51:44.0474 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2010/07/27 13:51:44.0552 PCTCore (807ff1dd6e1bdf8e7d2062fca0daecaf) C:\WINDOWS\system32\drivers\PCTCore.sys

2010/07/27 13:51:44.0802 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/07/27 13:51:44.0911 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/07/27 13:51:44.0958 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/07/27 13:51:45.0114 Suspicious service (NoAccess): qxfcul

2010/07/27 13:51:45.0270 qxfcul (b7e2234d097b9fdc827eaa8a8b559090) C:\WINDOWS\system32\drivers\qxfcul.sys

2010/07/27 13:51:45.0270 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\qxfcul.sys. md5: b7e2234d097b9fdc827eaa8a8b559090

2010/07/27 13:51:45.0286 qxfcul - detected Locked service (1)

2010/07/27 13:51:45.0489 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/07/27 13:51:45.0630 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/07/27 13:51:45.0661 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/07/27 13:51:45.0692 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/07/27 13:51:45.0724 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/07/27 13:51:46.0067 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/07/27 13:51:46.0130 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/07/27 13:51:46.0192 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/07/27 13:51:46.0224 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/07/27 13:51:46.0302 rsdakmg (4c627d292132e68f6371d9ccce2be7d8) C:\WINDOWS\system32\drivers\rsdakmg.sys

2010/07/27 13:51:46.0317 Suspicious file (Forged): C:\WINDOWS\system32\drivers\rsdakmg.sys. Real md5: 4c627d292132e68f6371d9ccce2be7d8, Fake md5: c45314e2e022a35ab09aecad1f96da51

2010/07/27 13:51:46.0317 rsdakmg - detected Forged file (1)

2010/07/27 13:51:49.0224 ================================================================================

2010/07/27 13:51:49.0224 Scan finished

2010/07/27 13:51:49.0224 ================================================================================

2010/07/27 13:51:49.0239 Detected object count: 4

2010/07/27 13:52:01.0865 atapi (9674f1315474f821e35d46e941e784f6) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/07/27 13:52:01.0865 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 9674f1315474f821e35d46e941e784f6, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674

2010/07/27 13:52:02.0802 Backup copy found, using it..

2010/07/27 13:52:03.0021 C:\WINDOWS\system32\DRIVERS\atapi.sys - will be cured after reboot

2010/07/27 13:52:03.0021 Rootkit.Win32.TDSS.tdl3(atapi) - User select action: Cure

2010/07/27 13:52:03.0021 Forged file(kuijhpg) - User select action: Skip

2010/07/27 13:52:03.0037 Locked service(qxfcul) - User select action: Skip

2010/07/27 13:52:03.0037 Forged file(rsdakmg) - User select action: Skip

2010/07/27 13:52:11.0303 Deinitialize success


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

7/27/2010 2:14:08 PM

mbam-log-2010-07-27 (14-14-08).txt

Scan type: Quick scan

Objects scanned: 130755

Time elapsed: 10 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 5

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddddaxdrv (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nnooppdrv (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khigedsys (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\efcyvusys (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\efcyvusys (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


The search redirections should have stopped now. We still have some work to do.

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


  • 1 month later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
