Hello,

I have been trying to get rid of Antivirus 2010 on a PC without success.

I was able to get to the desktop (outside of Safe Mode) by using the "XP clean boot" manual method; msconfig is still set up that way.

MBAM will not run (dies instantly after clicking the "scan" button), and RKill can't seem to stop "\\.\globalroot\Device\svchost.exe\svchost.exe" from running despite using numerous instances/iterations of it as suggested.

TDSSKiller will keep finding a hidden service called "vbma6291" but is unable to stop it.

I was able to get DDS.scr to run, but GMER will not, and every time it's run I have to use the "cacls" command line exe on it to be able to open it again. I've had to use that same command line exe on MBAM (as well as the handful of copies of it that I've renamed) after each attempt of running them.

This is one nasty piece of malware! Any suggestions as to what else I can try before I tell the PC's owner that "format C:" is in her immediate future?

The OS is XP MCE. The DDS.txt follows, and I've attached "Attach.txt" in Windows ZIP format as requested, but I have no "ark.txt" in it since GMER won't run.

DDS (Ver_10-11-27.01) - NTFSx86

Run by Owner at 10:22:47.10 on Thu 12/02/2010

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.621 [GMT -6:00]

AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

"\\.\globalroot\Device\svchost.exe\svchost.exe"

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Common Files\SupportSoft\bin\bcont.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Owner.YOUR-34EFF17BD0\Desktop\DDS.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4022

uStart Page = hxxp://www.google.com/

uWindow Title = Windows Internet Explorer provided by Comcast

mWindow Title = Windows Internet Explorer provided by Comcast

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4022

uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL

BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.1.0.37\IPSBHO.DLL

BHO: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll

BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL

TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL

TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File

TB: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll

TB: {5D4831E0-5A7C-4A46-AFD5-A79AB8CE36C2} - No File

TB: {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - No File

TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

EB: {7C2FC77A-AF76-4A75-AC16-B02A13829F34} - No File

uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden

dRun: [Power2GoExpress] NA

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1201000.025\SymDS.sys [2010-10-27 339504]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1201000.025\SymEFA.sys [2010-10-27 666672]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\bashdefs\20100810.004\BHDrvx86.sys [2010-10-27 692272]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1201000.025\Ironx86.sys [2010-10-27 134704]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-27 102448]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\ipsdefs\20100706.002\IDSxpx86.sys [2010-10-27 331640]

S2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\18.1.0.37\ccSvcHst.exe [2010-10-27 126904]

S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11010.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11010.sys [?]

S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20101027.007\naveng.sys [2010-10-27 86064]

S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20101027.007\navex15.sys [2010-10-27 1371184]

S4 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]

=============== Created Last 30 ================

2010-12-01 22:47:16 364032 ----a-w- C:\CC_svchost.exe

2010-12-01 22:37:20 52432 ----a-w- c:\windows\system32\drivers\klmdb.sys

2010-12-01 21:50:59 190 ----a-w- C:\CC_own_mb.bat

2010-12-01 21:45:02 364032 ----a-w- C:\CC_rkill.com

2010-12-01 20:53:10 -------- d--h--w- c:\windows\PIF

2010-12-01 20:40:51 -------- d-----w- c:\docume~1\owner~1.you\applic~1\Malwarebytes

2010-12-01 20:40:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-01 20:40:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-01 20:40:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-01 20:40:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-12-01 13:24:31 -------- d-----w- c:\windows\pss

==================== Find3M ====================

2010-10-27 16:28:42 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD2000BB-22RDA0 rev.20.00K20 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xF5AA411B]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; PUSH EBX; PUSH ESI; PUSH EDI; CMP EAX, [0xf5aa7888]; JNZ 0x1f; MOV EBX, [EBP+0xc]; CALL 0xfffffffffffffd3b; }

1 ntkrnlpa!IofCallDriver[0x804EE136] -> \Device\Harddisk0\DR0[0x84F58030]

3 CLASSPNP[0xF770405B] -> ntkrnlpa!IofCallDriver[0x804EE136] -> [0x84B9F030]

\Driver\Disk[0x84B29C60] -> IRP_MJ_CREATE -> 0xF5AA411B

error: Read The system cannot find the file specified.

kernel: MBR read successfully

_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD2000BB-22RDA0_____________________20.00K20#5&60ba549&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x84F5F292

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

============= FINISH: 10:24:05.21 ===============

Attach.zip
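Added example (editorial, not part of the original thread and not code from DDS, GMER or Malwarebytes): a small triage script that pulls the rootkit indicators out of a DDS log like the one posted above. It flags process images living in the `\\.\` device namespace, the unresolved module in the disk trace, any driver dispatch routine pointing at that module, and the listed driver hooks. The sample is constructed from lines of the posted log; the function names and finding labels are assumptions made for this example.

```python
import re

# Constructed sample: lines taken from the DDS log in the post above, trimmed.
SAMPLE_DDS = r'''
============== Running Processes ===============
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\explorer.exe
=================== ROOTKIT ====================
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xF5AA411B]<<
\Driver\Disk[0x84B29C60] -> IRP_MJ_CREATE -> 0xF5AA411B
detected hooks:
\Driver\atapi DriverStartIo -> 0x84F5F292
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
============= FINISH: 10:24:05.21 ===============
'''

SECTION_RE = re.compile(r'^=+\s*(.*?)\s*=+$')
UNKNOWN_RE = re.compile(r'>>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<')
DISPATCH_RE = re.compile(
    r'^(\\Driver\\\w+)\[0x[0-9A-Fa-f]+\] -> (IRP_MJ_\w+) -> (0x[0-9A-Fa-f]+)$')
HOOK_RE = re.compile(r'^(\\Driver\\\w+) (\w+) -> (0x[0-9A-Fa-f]+)$')


def split_sections(text):
    """Group non-empty log lines under their '==== NAME ====' header."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (kind, detail) findings in the order they appear in the log."""
    sections = split_sections(text)
    findings = []

    # A process image addressed through \\.\ or \\?\ is not a normal file path.
    for line in sections.get('Running Processes', []):
        path = line.strip('"')
        if path.startswith(('\\\\.\\', '\\\\?\\')):
            findings.append(('process-device-path', path))

    rootkit = sections.get('ROOTKIT', [])

    # Addresses in the disk I/O path that belong to no loaded module.
    unknown = {m.group(1).lower()
               for line in rootkit for m in UNKNOWN_RE.finditer(line)}
    for addr in sorted(unknown):
        findings.append(('unknown-module', addr))

    in_hooks = False
    for line in rootkit:
        # A dispatch routine whose target is one of the unknown addresses.
        dispatch = DISPATCH_RE.match(line)
        if dispatch and dispatch.group(3).lower() in unknown:
            findings.append(('dispatch-to-unknown',
                             f'{dispatch.group(1)} {dispatch.group(2)}'))
        if line.lower().startswith('detected hooks'):
            in_hooks = True
            continue
        if in_hooks:
            hook = HOOK_RE.match(line)
            if hook:
                findings.append(('driver-hook',
                                 f'{hook.group(1)} {hook.group(2)}'))
            else:
                in_hooks = False  # the hook list has ended
        if line.startswith('Warning:'):
            findings.append(('tool-warning', line[len('Warning:'):].strip()))
    return findings


if __name__ == '__main__':
    for kind, detail in triage(SAMPLE_DDS):
        print(f'{kind:22} {detail}')
```
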


Hello agent! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

Step 1

I see the Ask Toolbar in your log.

I strongly recommend you remove Ask Toolbar from your computer because:

  • It promotes its toolbars on sites targeted at kids.
  • It promotes its toolbars through ads that appear to be part of other companies' sites.
  • It promotes its toolbars through other companies' spyware.
  • It is installed without any disclosure whatsoever and without any consent from the user whatsoever.
  • It solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
  • It makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

You can read more about Ask.com here

To remove it:

Click Start-->Control Panel-->Programs and Features

Click on the program name AskBarDis to highlight it

From the menu at the top, select Uninstall or Remove.

Please reboot the computer.

Step 2

I also see you have Viewpoint installed...

Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Step 3

Go into C:\Program Files\Malwarebytes' Anti-Malware and you will see a file called mbam.exe. Right click on it, drop down to Rename, and change the name from mbam.exe to firefox.com. Please restart your computer.

Step 4

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In your next reply, please include these log(s):

  1. Malwarebytes' Anti-Malware log
  2. a new fresh DDS log only


Hi Borislav,

Many thanks for the speedy reply.

Per your steps above, I have uninstalled both the Ask toolbar and the Viewpoint Media Player using Add/Remove, with a reboot after the Ask toolbar uninstallation.

When updating MBAM it needed the PC to restart, so I did that. After that reboot I got a blank desktop, though Ctrl+Alt+Del allowed me to pull up Task Manager. I tried to execute explorer.exe from File > New Task..., but it didn't help. So I did a soft shutdown from Task Manager and rebooted, this time with the ethernet cable unplugged and was able to get to the desktop.

Once there I navigated to the MBAM Program Files folder, deleted the old "firefox.com" from it, and renamed the newly created MBAM exe to "firefox.com" (I made an assumption here, I hope it was not incorrect...). Now trying to execute it I am presented (again) with "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I know I can take it back over using the cacls command, but will wait for confirmation and/or further instructions before doing so.


**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:

     CF_download_FF.gif

     CF_download_rename.gif

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Step 1

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of them to run, not all of them.

  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. WiNlOgOn.exe
  5. uSeRiNiT.exe
  6. iExplore.exe

Please post the log in your next reply.

Note: The log can be found at the root of your installed hard drive entitled rkill.log

Step 2

Try again with ComboFix.


I have tried all the above versions of RKill numerous (40? 50?) times and still cannot get Combo-Fix.exe to run.

Just about every time I run it, the log will say:

Processes terminated by RKill or while it was running:

\\.\globalroot\Device\svchost.exe\svchost.exe

Only a handful of times has the list of processes been blank, and even trying to run Combo-Fix.exe immediately after the log comes back clean I get the same result.


exehelperlog.txt:

exeHelper by Raktor

Build 20100414

Run at 16:27:11 on 12/02/10

Now searching...

Checking for numerical processes...

Checking for sysguard processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--


I tried both; neither will run. Specifically:

ComboFix produces the same result as described above - small progress dialog, then when that disappears it dies.

MBAM (renamed to "firefox.com" and executed directly from its Program Files folder) gave me the permissions error, so I took it back over with the CACLS command. It ran for about 8 seconds, then died.


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, change it to Cure and then click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply

Note: It will also create a log in the C:\ directory.


Borislav,

I'm on the TDSSKiller Scan Results screen, which reads:

Malicious objects:

Rootkit.Win32.TDSS.tdl4

Suspicious objects:

Locked Service

Service

Service name: vbma6291

Service type: Kernel driver (0x1)

Service start: Demand (0x3)

File: C:\WINDOWS\system32\drivers\vbma6291.sys

MD5: 6e8327c9b5f76e22d712b62c982c444c

"Cure" is the default selection for the malicious objects section, but I do not have that as an option in the suspicious objects section. My only choices there are Skip (default), Copy to Quarantine and Delete. I have not clicked continue yet.


Thanks Borislav. Here's the TDSSKiller log:

2010/12/06 08:50:35.0375 TDSS rootkit removing tool 2.4.10.1 Dec 2 2010 12:28:01

2010/12/06 08:50:35.0375 ================================================================================

2010/12/06 08:50:35.0375 SystemInfo:

2010/12/06 08:50:35.0375

2010/12/06 08:50:35.0375 OS Version: 5.1.2600 ServicePack: 2.0

2010/12/06 08:50:35.0375 Product type: Workstation

2010/12/06 08:50:35.0375 ComputerName: YOUR-34EFF17BD0

2010/12/06 08:50:35.0375 UserName: Owner

2010/12/06 08:50:35.0375 Windows directory: C:\WINDOWS

2010/12/06 08:50:35.0375 System windows directory: C:\WINDOWS

2010/12/06 08:50:35.0375 Processor architecture: Intel x86

2010/12/06 08:50:35.0375 Number of processors: 1

2010/12/06 08:50:35.0375 Page size: 0x1000

2010/12/06 08:50:35.0375 Boot type: Normal boot

2010/12/06 08:50:35.0375 ================================================================================

2010/12/06 08:50:35.0546 Initialize success

2010/12/06 08:50:43.0171 ================================================================================

2010/12/06 08:50:43.0171 Scan started

2010/12/06 08:50:43.0171 Mode: Manual;

2010/12/06 08:50:43.0171 ================================================================================


2010/12/06 08:50:55.0156 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/12/06 08:50:55.0218 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/12/06 08:50:55.0390 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2010/12/06 08:50:55.0437 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

2010/12/06 08:50:55.0593 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/12/06 08:50:55.0765 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/12/06 08:50:55.0921 nv (84c65aa58ae1ede93716439267a23d40) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2010/12/06 08:50:56.0156 NVENETFD (2a7a2c6ab9631028b6e3a4159aa65705) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys

2010/12/06 08:50:56.0218 nvnetbus (20526a8827dc0956b5526aebcb6751a0) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys

2010/12/06 08:50:56.0359 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/12/06 08:50:56.0406 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/12/06 08:50:56.0468 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/12/06 08:50:56.0609 P3 (3e16eff2a6fed2d8d7f5a66dfe65d183) C:\WINDOWS\system32\DRIVERS\p3.sys

2010/12/06 08:50:56.0656 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/12/06 08:50:56.0796 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/12/06 08:50:56.0843 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/12/06 08:50:56.0859 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/12/06 08:50:56.0906 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/12/06 08:50:56.0937 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/12/06 08:50:57.0171 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

2010/12/06 08:50:57.0187 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

2010/12/06 08:50:57.0265 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/12/06 08:50:57.0406 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys

2010/12/06 08:50:57.0500 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/12/06 08:50:57.0640 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/12/06 08:50:57.0703 PxHelp20 (617accada2e0a0f43ec6030bbac49513) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/12/06 08:50:57.0734 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

2010/12/06 08:50:57.0750 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

2010/12/06 08:50:57.0781 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

2010/12/06 08:50:57.0812 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

2010/12/06 08:50:57.0968 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

2010/12/06 08:50:58.0000 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/12/06 08:50:58.0156 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/12/06 08:50:58.0187 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/12/06 08:50:58.0343 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/12/06 08:50:58.0484 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/12/06 08:50:58.0578 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/12/06 08:50:58.0703 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/12/06 08:50:58.0765 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/12/06 08:50:58.0906 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/12/06 08:50:58.0984 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/12/06 08:50:59.0140 Serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/12/06 08:50:59.0171 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/12/06 08:50:59.0218 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/12/06 08:50:59.0375 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys

2010/12/06 08:50:59.0562 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2010/12/06 08:50:59.0718 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

2010/12/06 08:50:59.0875 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys

2010/12/06 08:51:00.0031 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/12/06 08:51:00.0203 SRTSP (d0ab8e989935d895f1bed8f607fa0948) C:\WINDOWS\system32\drivers\NAV\1201000.025\SRTSP.SYS

2010/12/06 08:51:00.0406 SRTSPX (fae9f5558a1f53670e579f9ffb4a67cc) C:\WINDOWS\system32\drivers\NAV\1201000.025\SRTSPX.SYS

2010/12/06 08:51:00.0546 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/12/06 08:51:00.0703 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2010/12/06 08:51:00.0843 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/12/06 08:51:01.0015 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

2010/12/06 08:51:01.0171 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

2010/12/06 08:51:01.0328 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

2010/12/06 08:51:01.0453 SymDS (67e83f8c7e80dc898a1d73b38412ba7a) C:\WINDOWS\system32\drivers\NAV\1201000.025\SYMDS.SYS

2010/12/06 08:51:01.0640 SymEFA (3986a8de371e985ba6c82eb8da3b1e98) C:\WINDOWS\system32\drivers\NAV\1201000.025\SYMEFA.SYS

2010/12/06 08:51:01.0812 SymEvent (5c76a63fac8a5580c5a1c4a4ed827782) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

2010/12/06 08:51:01.0921 SymIRON (8ae632773b5192dce48f4ec8de753863) C:\WINDOWS\system32\drivers\NAV\1201000.025\Ironx86.SYS

2010/12/06 08:51:02.0078 SYMTDI (34ff2368b7914d1b29d16aba865e982d) C:\WINDOWS\system32\drivers\NAV\1201000.025\SYMTDI.SYS

2010/12/06 08:51:02.0250 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2010/12/06 08:51:02.0296 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2010/12/06 08:51:02.0437 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/12/06 08:51:02.0546 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/12/06 08:51:02.0703 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/12/06 08:51:02.0734 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/12/06 08:51:02.0890 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/12/06 08:51:02.0921 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2010/12/06 08:51:02.0984 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

2010/12/06 08:51:03.0125 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2010/12/06 08:51:03.0156 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys

2010/12/06 08:51:03.0296 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys

2010/12/06 08:51:03.0375 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/12/06 08:51:03.0531 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/12/06 08:51:03.0578 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/12/06 08:51:03.0703 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2010/12/06 08:51:03.0765 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/12/06 08:51:03.0921 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/12/06 08:51:03.0984 usbstor (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/12/06 08:51:04.0125 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/12/06 08:51:04.0156 Suspicious service (NoAccess): vbma6291

2010/12/06 08:51:04.0203 vbma6291 (6e8327c9b5f76e22d712b62c982c444c) C:\WINDOWS\system32\drivers\vbma6291.sys

2010/12/06 08:51:04.0203 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbma6291.sys. md5: 6e8327c9b5f76e22d712b62c982c444c

2010/12/06 08:51:04.0218 vbma6291 - detected Locked service (1)

2010/12/06 08:51:05.0796 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/12/06 08:51:05.0812 ================================================================================

2010/12/06 08:51:05.0812 Scan finished

2010/12/06 08:51:05.0812 ================================================================================

2010/12/06 08:51:05.0828 Detected object count: 2

2010/12/06 12:40:56.0765 HKLM\SYSTEM\ControlSet001\services\vbma6291 - will be deleted after reboot

2010/12/06 12:40:56.0765 HKLM\SYSTEM\ControlSet002\services\vbma6291 - will be deleted after reboot

2010/12/06 12:40:56.0781 C:\WINDOWS\system32\drivers\vbma6291.sys - will be deleted after reboot

2010/12/06 12:40:56.0781 Locked service(vbma6291) - User select action: Delete

2010/12/06 12:40:56.0781 \HardDisk0 - will be cured after reboot

2010/12/06 12:40:56.0781 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2010/12/06 12:41:22.0781 Deinitialize success

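A triage pass over a TDSSKiller log like the one in the post above, added here as an illustration (not part of the original post and not the tool's own code): it skips the per-driver rows, keeps the suspicious, detected and action lines, and checks them against the log's own "Detected object count". The sample is an excerpt of the lines quoted above; the function name `triage` and the report keys are assumptions.

```python
import re

# Excerpt of the TDSSKiller log quoted in the post above (most driver rows trimmed).
SAMPLE_LOG = r"""
2010/12/06 08:51:04.0125 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/06 08:51:04.0156 Suspicious service (NoAccess): vbma6291
2010/12/06 08:51:04.0203 vbma6291 (6e8327c9b5f76e22d712b62c982c444c) C:\WINDOWS\system32\drivers\vbma6291.sys
2010/12/06 08:51:04.0203 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbma6291.sys. md5: 6e8327c9b5f76e22d712b62c982c444c
2010/12/06 08:51:04.0218 vbma6291 - detected Locked service (1)
2010/12/06 08:51:04.0359 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/12/06 08:51:05.0796 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/06 08:51:05.0828 Detected object count: 2
2010/12/06 12:40:56.0765 HKLM\SYSTEM\ControlSet001\services\vbma6291 - will be deleted after reboot
2010/12/06 12:40:56.0781 Locked service(vbma6291) - User select action: Delete
2010/12/06 12:40:56.0781 \HardDisk0 - will be cured after reboot
2010/12/06 12:40:56.0781 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
"""

STAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} (.*)$")
RULES = [  # (report key, pattern), tried in order on the text after the timestamp
    ("driver", re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")),
    ("suspicious", re.compile(r"^Suspicious (service|file) \((\w+)\): (.+)$")),
    ("detections", re.compile(r"^(.+?) - detected (.+) \(\d+\)$")),
    ("actions", re.compile(r"^(.+) - User select action: (\w+)$")),
    ("pending", re.compile(r"^(.+) - will be (deleted|cured) after reboot$")),
    ("count", re.compile(r"^Detected object count: (\d+)$")),
]

def triage(log_text):
    """Reduce a TDSSKiller log to its findings and return them as a dict."""
    drivers = {}
    report = {"suspicious": [], "detections": [], "actions": [],
              "pending": [], "reported_count": None}
    for raw in log_text.splitlines():
        stamped = STAMP.match(raw.strip())
        if not stamped:
            continue  # blank or non-log line
        for kind, pattern in RULES:
            m = pattern.match(stamped.group(1))
            if not m:
                continue
            if kind == "driver":
                drivers[m.group(1)] = {"md5": m.group(2), "path": m.group(3)}
            elif kind == "count":
                report["reported_count"] = int(m.group(1))
            else:
                report[kind].append(m.groups())
            break
    # Attach hash and path to detections that name a scanned driver/service.
    report["detections"] = [
        {"target": t, "verdict": v, **drivers.get(t, {"md5": None, "path": None})}
        for t, v in report["detections"]
    ]
    report["drivers_seen"] = len(drivers)
    report["count_matches"] = report["reported_count"] == len(report["detections"])
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

A `count_matches` of `False` on a full log means a detection line was truncated or the paste is incomplete, which is worth checking before acting on the report.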

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


I experienced the no permission issue again trying to execute MBAM (which I am still doing directly from its Program Files folder; it was still named "firefox.com"), so I used the CACLS command from a prompt to take it back over, then renamed it to "svchost.exe." I was able to update MBAM, but I have to use CACLS on it after each time it is executed, regardless of what it's named.

After doing that, MBAM will not run for more than a couple of seconds, regardless of whether or not the PC is connected to the internet.


Step 1

Please download exehelper from here and save it to your desktop.

1. Run exehelper.

2. Press any key to close a black window which should pop-up.

3. A log named exehelperlog.txt should open.

4. Post the contents of exehelperlog.txt in your next reply.

Step 2

Try again with MBAM; if that does not work, try ComboFix.


exeHelper log:

exeHelper by Raktor

Build 20100414

Run at 14:58:04 on 12/06/10

Now searching...

Checking for numerical processes...

Checking for sysguard processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--

I had to run CACLS again on MBAM (svchost.exe) to even be allowed to double-click it. Same result with MBAM: runs for 1-2 seconds then vanishes.

Same result as before with ComboFix (Combo-Fix.exe): I get the small progress dialog, then once that finishes the program terminates.


  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

Once OTL has completed its first scan it will save notepad copies of the scans in the folder that OTL was started from. Unless set to produce an Extras log it will only produce OTL.txt in subsequent scans.

A copy of an OTL fix log is saved in a text file at

  • :\_OTL\Moved Files
    • in most cases this will be C:\_OTL\Moved Files

