AdamTurner9 Posted December 15, 2010 ID:361063 Share Posted December 15, 2010 Malwarebytes found a TDSS Rootkit infection on a previous scan of my computer, but I am still having unusual errors with services not starting, svchost.exe errors, DNS issues, etc... Below are the requested MalwareBytes and DDS log files and the attached ark.zip contains attach.txt and ark.txt files. Please let me know if I have left off any needed information.Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 5296Windows 5.1.2600 Service Pack 3Internet Explorer 7.0.5730.1312/12/2010 11:42:59 AMmbam-log-2010-12-12 (11-42-59).txtScan type: Full scan (C:\|)Objects scanned: 258599Time elapsed: 41 minute(s), 0 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)DDS (Ver_10-12-12.02) - NTFSx86 Run by Administrator at 15:36:04.56 on Tue 12/14/2010Internet Explorer: 7.0.5730.13============== Running Processes ============================= Pseudo HJT Report ===============uStart Page = hxxp://www.google.com/uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=usuSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=usuDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070821mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=usBHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dllBHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dllBHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dlluRun: [ctfmon.exe] c:\windows\system32\ctfmon.exeuRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /cuRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /backgroundmRun: [Apoint] c:\program files\apoint\Apoint.exemRun: [igfxTray] c:\windows\system32\igfxtray.exemRun: [HotKeysCmds] c:\windows\system32\hkcmd.exemRun: [Persistence] c:\windows\system32\igfxpers.exemRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exemRun: [sigmatelSysTrayApp] stsystra.exemRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/WirelessmRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottimemRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /noguimRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostartStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exeIE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLLTrusted Zone: westaff.comDPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cabDPF: {2E687AA8-B276-4910-BBFB-4E412F685379} - hxxp://dc1msam-vs.westaff.com/WebsiteViewerRoot/WebsiteViewer.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cabDPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cabDPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://10.2.1.200/activex/AxisCamControl.ocxDPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cabDPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cabDPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} - hxxps://westnet.westaff.com/wstf/cds/CGC/en/CSGProxy.cabNotify: igfxcui - igfxdev.dllSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dllSEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dllHosts: 127.0.0.1 www.spywareinfo.com============= SERVICES / DRIVERS ============================== Created Last 30 ================2010-12-14 23:33:21 -------- d-----w- C:\Spy2010-12-12 18:58:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-12-12 18:58:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-12-12 18:58:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-12-12 18:40:08 6153352 ----a-w- C:\mbam-setup-1.46.exe2010-12-01 03:09:42 -------- d-----w- c:\docume~1\admini~1\applic~1\Windows Search==================== Find3M ====================2010-11-07 00:52:53 0 ----a-w- c:\windows\system32\ConduitEngine.tmp2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll=================== ROOTKIT ====================Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.netWindows 5.1.2600 Disk: ST9120817AS rev.3.ADB -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-edevice: opened successfullyuser: MBR read successfullyDisk trace:called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A47FEC5]<< _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x884af872; SUB DWORD [EBP-0x4], 0x884af12e; PUSH EDI; CALL 0xffffffffffffdf33; }1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A599AB8]3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A2FF968][0x8A60C838] -> IRP_MJ_CREATE -> 0x8A47FEC5kernel: MBR read successfully_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }detected disk devices:\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskST9120817AS_____________________________3.ADB___#5&266ff5a6&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not founddetected hooks:\Driver\atapi DriverStartIo -> 0x8A47FAEAuser & kernel MBR OK sectors 234441646 (+255): user != kernelWarning: possible TDL3 rootkit infection !============= FINISH: 15:39:12.68 ===============ark.zip Link to post Share on other sites More sharing options...
negster22 Posted December 15, 2010 ID:361140 Share Posted December 15, 2010 Hi Adam and Welcome,You are running an outdated version of MBAM. This is the current version:Malwarebytes' Anti-Malware 1.50www.malwarebytes.orgDatabase version: 5316and this is your version:Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 5296Some background information on what we're planning to do can be found HEREPlease read carefully and follow these steps. Download TDSSKiller and save it to your Desktop.Extract its contents to your desktop.Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.If an infected file is detected, the default action will be Cure, click on Continue.If a suspicious file is detected, the default action will be Skip, click on Continue.It may ask you to reboot the computer to complete the process. Click on Reboot Now.If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. Please disable Avast and run DDS.scr again. The driver/services section of your log is empty and that is the most important one from my perspective. Then copy/paste DDS.txt into your next reply.Please Run ComboFix by following the steps provided in exactly this sequence:Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it beofre proceeding:http://www.bleepingcomputer.com/combofix/how-to-use-combofixVery Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:http://www.bleepingcomputer.com/forums/topic114351.htmlNote: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.Using ComboFix ->Please download Combofix from one of these locations:HERE or HERE I want you to rename Combofix.exe as you download it to iexplore.exeNotes:It is very important that save the newly renamed EXE file to your desktop.You must rename Combofixe.exe as you download it and not after it is on your computer.You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:Open FirefoxClick Tools -> Options -> MainUnder the downloads section check the button that says "Always ask me where to save files".Click OK[*]For Internet Explorer:Choose to save, not open the fileWhen prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.Running CombofixIn the event you already have Combofix, please delete it as this is a new version.Close any open browsers and programs.Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform it's normal malware removal capabilities. This is for your safety !! 1. To Launch Combofix Click Start --> Run, and enter this command exactly as shown:"%userprofile%\desktop\iexplore.exe" /killall 2. When finished, it will produce a logfile located at C:\ComboFix.txt 3. Post the contents of that log in your next reply.Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang. Please post C:\ComboFix.txt in your next reply. Link to post Share on other sites More sharing options...
AdamTurner9 Posted December 15, 2010 Author ID:361144 Share Posted December 15, 2010 Will get to work on this. Do you need me to install the latest MBAM and scan again? Link to post Share on other sites More sharing options...
negster22 Posted December 15, 2010 ID:361146 Share Posted December 15, 2010 Yes, but do the MBAM scan last, and just make it a Quick Scan - then post the log. Link to post Share on other sites More sharing options...
AdamTurner9 Posted December 15, 2010 Author ID:361172 Share Posted December 15, 2010 got it. I made a mistake and did not run the DDS.scr before running combofix. Will this affect the results? Link to post Share on other sites More sharing options...
AdamTurner9 Posted December 15, 2010 Author ID:361183 Share Posted December 15, 2010 Here are the results. As I said, I ran the DDS.scr after the combofix by mistake.2010/12/14 21:04:12.0562 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:402010/12/14 21:04:12.0562 ================================================================================2010/12/14 21:04:12.0562 SystemInfo:2010/12/14 21:04:12.0562 2010/12/14 21:04:12.0562 OS Version: 5.1.2600 ServicePack: 3.02010/12/14 21:04:12.0562 Product type: Workstation2010/12/14 21:04:12.0562 ComputerName: KPALKONERLAP2010/12/14 21:04:12.0562 UserName: Administrator2010/12/14 21:04:12.0562 Windows directory: C:\WINDOWS2010/12/14 21:04:12.0562 System windows directory: C:\WINDOWS2010/12/14 21:04:12.0562 Processor architecture: Intel x862010/12/14 21:04:12.0562 Number of processors: 22010/12/14 21:04:12.0562 Page size: 0x10002010/12/14 21:04:12.0562 Boot type: Normal boot2010/12/14 21:04:12.0562 ================================================================================2010/12/14 21:04:12.0734 Initialize success2010/12/14 21:04:22.0390 ================================================================================2010/12/14 21:04:22.0390 Scan started2010/12/14 21:04:22.0390 Mode: Manual; 2010/12/14 21:04:22.0390 ================================================================================2010/12/14 21:04:24.0187 Aavmker4 (8d488938e2f7048906f1fbd3af394887) C:\WINDOWS\system32\drivers\Aavmker4.sys2010/12/14 21:04:24.0296 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS2010/12/14 21:04:24.0390 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys2010/12/14 21:04:24.0453 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys2010/12/14 21:04:24.0531 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys2010/12/14 21:04:24.0593 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys2010/12/14 21:04:24.0671 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys2010/12/14 21:04:24.0750 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys2010/12/14 21:04:24.0859 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys2010/12/14 21:04:24.0937 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys2010/12/14 21:04:25.0031 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys2010/12/14 21:04:25.0109 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys2010/12/14 21:04:25.0156 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys2010/12/14 21:04:25.0203 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys2010/12/14 21:04:25.0250 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys2010/12/14 21:04:25.0312 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys2010/12/14 21:04:25.0390 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys2010/12/14 21:04:25.0437 ApfiltrService (b8d65da679a4a8d048783ede2691b5d4) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys2010/12/14 21:04:25.0484 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS2010/12/14 21:04:25.0546 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys2010/12/14 21:04:25.0578 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys2010/12/14 21:04:25.0609 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys2010/12/14 21:04:25.0625 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys2010/12/14 21:04:25.0703 aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\WINDOWS\system32\drivers\aswFsBlk.sys2010/12/14 21:04:25.0718 aswMon2 (7d880c76a285a41284d862e2d798ec0d) C:\WINDOWS\system32\drivers\aswMon2.sys2010/12/14 21:04:25.0750 aswRdr (69823954bbd461a73d69774928c9737e) C:\WINDOWS\system32\drivers\aswRdr.sys2010/12/14 21:04:25.0796 aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\WINDOWS\system32\drivers\aswSP.sys2010/12/14 21:04:25.0828 aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\WINDOWS\system32\drivers\aswTdi.sys2010/12/14 21:04:25.0875 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys2010/12/14 21:04:25.0921 atapi (b4b9735a1cbf0381e357e53bc9670024) C:\WINDOWS\system32\DRIVERS\atapi.sys2010/12/14 21:04:25.0921 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: b4b9735a1cbf0381e357e53bc9670024, Fake md5: 9f3a2f5aa6875c72bf062c712cfa26742010/12/14 21:04:25.0937 atapi - detected Rootkit.Win32.TDSS.tdl3 (0)2010/12/14 21:04:26.0000 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys2010/12/14 21:04:26.0046 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys2010/12/14 21:04:26.0109 b57w2k (f96038aa1ec4013a93d2420fc689d1e9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys2010/12/14 21:04:26.0203 BASFND (5c68ac6f3e5b3e6d6a78e97d05e42c3a) C:\Program Files\Broadcom\ASFIPMon\BASFND.sys2010/12/14 21:04:26.0234 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys2010/12/14 21:04:26.0296 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys2010/12/14 21:04:26.0312 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys2010/12/14 21:04:26.0328 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys2010/12/14 21:04:26.0375 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys2010/12/14 21:04:26.0437 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys2010/12/14 21:04:26.0453 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys2010/12/14 21:04:26.0562 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys2010/12/14 21:04:26.0593 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys2010/12/14 21:04:26.0640 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys2010/12/14 21:04:26.0718 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys2010/12/14 21:04:26.0812 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys2010/12/14 21:04:26.0890 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys2010/12/14 21:04:26.0937 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys2010/12/14 21:04:27.0015 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys2010/12/14 21:04:27.0046 DLABMFSM (a0500678a33802d8954153839301d539) C:\WINDOWS\system32\Drivers\DLABMFSM.SYS2010/12/14 21:04:27.0062 DLABOIOM (b8d2f68cac54d46281399f9092644794) C:\WINDOWS\system32\Drivers\DLABOIOM.SYS2010/12/14 21:04:27.0109 DLACDBHM (0ee93ab799d1cb4ec90b36f3612fe907) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS2010/12/14 21:04:27.0156 DLADResM (87413b94ae1fabc117c4e8ae6725134e) C:\WINDOWS\system32\Drivers\DLADResM.SYS2010/12/14 21:04:27.0218 DLAIFS_M (766a148235be1c0039c974446e4c0edc) C:\WINDOWS\system32\Drivers\DLAIFS_M.SYS2010/12/14 21:04:27.0250 DLAOPIOM (38267cca177354f1c64450a43a4f7627) C:\WINDOWS\system32\Drivers\DLAOPIOM.SYS2010/12/14 21:04:27.0312 DLAPoolM (fd363369fd313b46b5aeab1a688b52e9) C:\WINDOWS\system32\Drivers\DLAPoolM.SYS2010/12/14 21:04:27.0343 DLARTL_M (336ae18f0912ef4fbe5518849e004d74) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS2010/12/14 21:04:27.0375 DLAUDFAM (fd85f682c1cc2a7ca878c7a448e6d87e) C:\WINDOWS\system32\Drivers\DLAUDFAM.SYS2010/12/14 21:04:27.0406 DLAUDF_M (af389ce587b6bf5bbdcd6f6abe5eabc0) C:\WINDOWS\system32\Drivers\DLAUDF_M.SYS2010/12/14 21:04:27.0500 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys2010/12/14 21:04:27.0593 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys2010/12/14 21:04:27.0671 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys2010/12/14 21:04:27.0750 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys2010/12/14 21:04:27.0812 DNE (86d52c32a308f84bbc626bff7c1fb710) C:\WINDOWS\system32\DRIVERS\dne2000.sys2010/12/14 21:04:27.0859 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys2010/12/14 21:04:27.0921 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys2010/12/14 21:04:27.0984 DRVMCDB (5d3b71bb2bb0009d65d290e2ef374bd3) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS2010/12/14 21:04:28.0015 DRVNDDM (c591ba9f96f40a1fd6494dafdcd17185) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS2010/12/14 21:04:28.0125 DSproct (2ac2372ffad9adc85672cc8e8ae14be9) C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys2010/12/14 21:04:28.0281 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys2010/12/14 21:04:28.0406 eeCtrl (70aeac5d481b2904b40f2173e280b1b5) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys2010/12/14 21:04:28.0500 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys2010/12/14 21:04:28.0562 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys2010/12/14 21:04:28.0593 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys2010/12/14 21:04:28.0625 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys2010/12/14 21:04:28.0671 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys2010/12/14 21:04:28.0718 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys2010/12/14 21:04:28.0734 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys2010/12/14 21:04:28.0781 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys2010/12/14 21:04:28.0843 guardian2 (7dadeb7f2215b1f883267cad67f091c1) C:\WINDOWS\system32\Drivers\oz776.sys2010/12/14 21:04:28.0906 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys2010/12/14 21:04:28.0937 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys2010/12/14 21:04:28.0968 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys2010/12/14 21:04:29.0031 HSFHWAZL (b1526810210980bed9d22315946c919d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys2010/12/14 21:04:29.0093 HSF_DPV (ddbd528e60f5961c142a490dc4ea7780) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys2010/12/14 21:04:29.0156 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys2010/12/14 21:04:29.0203 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys2010/12/14 21:04:29.0265 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys2010/12/14 21:04:29.0328 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys2010/12/14 21:04:29.0562 ialm (200cca76cd0e0f7eec78fa56c29b4d67) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys2010/12/14 21:04:29.0828 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys2010/12/14 21:04:29.0875 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys2010/12/14 21:04:29.0968 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys2010/12/14 21:04:30.0062 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys2010/12/14 21:04:30.0109 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys2010/12/14 21:04:30.0171 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys2010/12/14 21:04:30.0234 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys2010/12/14 21:04:30.0281 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys2010/12/14 21:04:30.0312 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys2010/12/14 21:04:30.0343 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys2010/12/14 21:04:30.0390 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys2010/12/14 21:04:30.0421 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys2010/12/14 21:04:30.0453 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys2010/12/14 21:04:30.0484 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys2010/12/14 21:04:30.0546 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys2010/12/14 21:04:30.0671 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys2010/12/14 21:04:30.0687 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys2010/12/14 21:04:30.0750 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys2010/12/14 21:04:30.0796 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys2010/12/14 21:04:30.0843 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys2010/12/14 21:04:30.0875 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys2010/12/14 21:04:30.0921 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys2010/12/14 21:04:30.0937 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys2010/12/14 21:04:31.0015 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys2010/12/14 21:04:31.0093 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys2010/12/14 21:04:31.0140 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys2010/12/14 21:04:31.0156 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys2010/12/14 21:04:31.0187 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys2010/12/14 21:04:31.0250 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys2010/12/14 21:04:31.0312 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys2010/12/14 21:04:31.0375 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys2010/12/14 21:04:31.0421 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys2010/12/14 21:04:31.0468 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys2010/12/14 21:04:31.0515 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys2010/12/14 21:04:31.0562 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys2010/12/14 21:04:31.0625 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys2010/12/14 21:04:31.0671 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys2010/12/14 21:04:31.0843 NETw4x32 (88100ebdd10309fbd445ef8e42452eae) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys2010/12/14 21:04:32.0000 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys2010/12/14 21:04:32.0062 Nmea (b0d5188e282dc4edae7020f333427bc8) C:\WINDOWS\system32\DRIVERS\pctnullport.sys2010/12/14 21:04:32.0140 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys2010/12/14 21:04:32.0203 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys2010/12/14 21:04:32.0296 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys2010/12/14 21:04:32.0421 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys2010/12/14 21:04:32.0609 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys2010/12/14 21:04:32.0671 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys2010/12/14 21:04:32.0765 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys2010/12/14 21:04:32.0875 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys2010/12/14 21:04:32.0937 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys2010/12/14 21:04:32.0984 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys2010/12/14 21:04:33.0031 PCASp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\PCASp50.sys2010/12/14 21:04:33.0093 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys2010/12/14 21:04:33.0171 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys2010/12/14 21:04:33.0234 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys2010/12/14 21:04:33.0437 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys2010/12/14 21:04:33.0500 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys2010/12/14 21:04:33.0609 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys2010/12/14 21:04:33.0656 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys2010/12/14 21:04:33.0703 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys2010/12/14 21:04:33.0812 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys2010/12/14 21:04:33.0859 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys2010/12/14 21:04:33.0906 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys2010/12/14 21:04:33.0921 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys2010/12/14 21:04:33.0953 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys2010/12/14 21:04:33.0968 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys2010/12/14 21:04:34.0015 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys2010/12/14 21:04:34.0109 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys2010/12/14 21:04:34.0156 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys2010/12/14 21:04:34.0171 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys2010/12/14 21:04:34.0234 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys2010/12/14 21:04:34.0281 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys2010/12/14 21:04:34.0343 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys2010/12/14 21:04:34.0421 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys2010/12/14 21:04:34.0484 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys2010/12/14 21:04:34.0578 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys2010/12/14 21:04:34.0625 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys2010/12/14 21:04:34.0734 s24trans (c26a053e4db47f6cdd8653c83aaf22ee) C:\WINDOWS\system32\DRIVERS\s24trans.sys2010/12/14 21:04:34.0812 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys2010/12/14 21:04:34.0875 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys2010/12/14 21:04:34.0937 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys2010/12/14 21:04:35.0000 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys2010/12/14 21:04:35.0125 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys2010/12/14 21:04:35.0203 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys2010/12/14 21:04:35.0265 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys2010/12/14 21:04:35.0328 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys2010/12/14 21:04:35.0375 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys2010/12/14 21:04:35.0515 STHDA (31ba85e1cff39a57f702a2a0877bb8e1) C:\WINDOWS\system32\drivers\sthda.sys2010/12/14 21:04:35.0687 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys2010/12/14 21:04:35.0750 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys2010/12/14 21:04:35.0828 swmsflt (e6c797b33a454840245c0c96e7f08b0a) C:\WINDOWS\System32\drivers\swmsflt.sys2010/12/14 21:04:35.0921 swmx00 (a56848914c78093a1ec84a6ce424c7bf) C:\WINDOWS\system32\DRIVERS\swmx00.sys2010/12/14 21:04:35.0953 SWNC5E00 (f797787d579e1a9396d2e416240a2259) C:\WINDOWS\system32\DRIVERS\SWNC5E00.sys2010/12/14 21:04:36.0031 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys2010/12/14 21:04:36.0046 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys2010/12/14 21:04:36.0062 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys2010/12/14 21:04:36.0093 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys2010/12/14 21:04:36.0156 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys2010/12/14 21:04:36.0265 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys2010/12/14 21:04:36.0343 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys2010/12/14 21:04:36.0390 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys2010/12/14 21:04:36.0421 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys2010/12/14 21:04:36.0453 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys2010/12/14 21:04:36.0484 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys2010/12/14 21:04:36.0515 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys2010/12/14 21:04:36.0578 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys2010/12/14 21:04:36.0625 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys2010/12/14 21:04:36.0640 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys2010/12/14 21:04:36.0656 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys2010/12/14 21:04:36.0703 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS2010/12/14 21:04:36.0718 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys2010/12/14 21:04:36.0750 usb_rndisx (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys2010/12/14 21:04:36.0781 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys2010/12/14 21:04:36.0812 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys2010/12/14 21:04:36.0828 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys2010/12/14 21:04:36.0859 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys2010/12/14 21:04:36.0921 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys2010/12/14 21:04:36.0968 wceusbsh (46a247f6617526afe38b6f12f5512120) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys2010/12/14 21:04:37.0031 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys2010/12/14 21:04:37.0109 winachsf (96aff1738271755a39b52eef7e35f98f) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys2010/12/14 21:04:37.0250 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys2010/12/14 21:04:37.0312 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys2010/12/14 21:04:37.0406 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys2010/12/14 21:04:37.0453 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys2010/12/14 21:04:37.0703 ================================================================================2010/12/14 21:04:37.0703 Scan finished2010/12/14 21:04:37.0703 ================================================================================2010/12/14 21:04:37.0718 Detected object count: 12010/12/14 21:05:19.0281 atapi (b4b9735a1cbf0381e357e53bc9670024) C:\WINDOWS\system32\DRIVERS\atapi.sys2010/12/14 21:05:19.0281 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: b4b9735a1cbf0381e357e53bc9670024, Fake md5: 9f3a2f5aa6875c72bf062c712cfa26742010/12/14 21:05:20.0218 Backup copy found, using it..2010/12/14 21:05:20.0234 C:\WINDOWS\system32\DRIVERS\atapi.sys - will be cured after reboot2010/12/14 21:05:20.0234 Rootkit.Win32.TDSS.tdl3(atapi) - User select action: Cure 2010/12/14 21:05:37.0109 Deinitialize successComboFix 10-12-13.02 - Administrator 12/14/2010 21:32:07.1.2 - x86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1631 [GMT -8:00]Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exeCommand switches used :: /killallAV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\documents and settings\kpalkoner\Favorites\Thumbs.dbc:\windows\Downloaded Program Files\x64c:\windows\Downloaded Program Files\x64\racodec.axc:\windows\Downloaded Program Files\x86c:\windows\Downloaded Program Files\x86\racodec.ax.((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 ))))))))))))))))))))))))))))))).2010-12-15 05:00 . 2010-11-30 01:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-12-15 05:00 . 2010-11-30 01:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-12-14 23:33 . 2010-12-14 23:55 -------- d-----w- C:\Spy2010-12-12 18:58 . 2010-12-15 05:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-12-12 18:40 . 2010-08-13 19:51 6153352 ----a-w- C:\mbam-setup-1.46.exe2010-12-01 03:09 . 2010-12-01 03:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-12-15 05:06 . 2004-08-04 03:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys2010-11-07 00:52 . 2010-11-07 00:52 0 ----a-w- c:\windows\system32\ConduitEngine.tmp2010-09-18 19:23 . 2004-08-11 22:00 974848 ----a-w- c:\windows\system32\mfc42u.dll2010-09-18 06:53 . 2004-08-11 22:00 974848 ----a-w- c:\windows\system32\mfc42.dll2010-09-18 06:53 . 2004-08-11 22:00 954368 ----a-w- c:\windows\system32\mfc40.dll2010-09-18 06:53 . 2004-08-11 22:00 953856 ----a-w- c:\windows\system32\mfc40u.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-09-01 136176][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-8-21 50688]Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904][hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]2006-10-20 22:23 118784 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009"1075:TCP"= 1075:TCP:LocalSubNet,10.1.0.0/255.255.248.0,10.2.0.0/255.255.248.0:Enabled:LNSS8"135:TCP"= 135:TCP:LocalSubNet,10.1.0.0/255.255.248.0,10.2.0.0/255.255.248.0:Enabled:WMI"139:TCP"= 139:TCP:LocalSubNet,10.1.0.0/255.255.248.0,10.2.0.0/255.255.248.0:Enabled:@xpsp2res.dll,-22004"445:TCP"= 445:TCP:LocalSubNet,10.1.0.0/255.255.248.0,10.2.0.0/255.255.248.0:Enabled:@xpsp2res.dll,-22005"137:UDP"= 137:UDP:LocalSubNet,10.1.0.0/255.255.248.0,10.2.0.0/255.255.248.0:Enabled:@xpsp2res.dll,-22001"138:UDP"= 138:UDP:LocalSubNet,10.1.0.0/255.255.248.0,10.2.0.0/255.255.248.0:Enabled:@xpsp2res.dll,-22002[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]"RemoteAddresses"= LocalSubNet,10.1.0.0/255.255.248.0,10.2.0.0/255.255.248.0"Enabled"= 1 (0x1)R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/6/2010 9:42 PM 165584]R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 11:21 AM 79432]R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/6/2010 9:42 PM 17744].Contents of the 'Scheduled Tasks' folder2010-12-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-821450780-168713865-2908271425-500Core.job- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-01 01:26]2010-12-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-821450780-168713865-2908271425-500UA.job- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-01 01:26]..------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000Trusted Zone: westaff.comDPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cabDPF: {2E687AA8-B276-4910-BBFB-4E412F685379} - hxxp://dc1msam-vs.westaff.com/WebsiteViewerRoot/WebsiteViewer.cabDPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} - hxxps://westnet.westaff.com/wstf/cds/CGC/en/CSGProxy.cab.- - - - ORPHANS REMOVED - - - -Notify-NavLogon - (no file)SafeBoot-klmdb.sysMSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exeMSConfigStartUp-vptray - c:\progra~1\SYMANT~1\VPTray.exe**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-12-14 21:38Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'explorer.exe'(3372)c:\windows\system32\WININET.dllc:\program files\Windows Desktop Search\deskbar.dllc:\program files\Windows Desktop Search\en-us\dbres.dll.muic:\program files\Windows Desktop Search\dbres.dllc:\program files\Windows Desktop Search\wordwheel.dllc:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.muic:\program files\Windows Desktop Search\msnlExtRes.dllc:\windows\system32\IEFRAME.dllc:\windows\system32\WPDShServiceObj.dllc:\program files\Roxio\Drag-to-Disc\Shellex.dllc:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLLc:\program files\Roxio\Drag-to-Disc\ShellRes.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dll.------------------------ Other Running Processes ------------------------.c:\program files\Intel\Wireless\Bin\S24EvMon.exec:\program files\Alwil Software\Avast5\AvastSvc.exec:\windows\System32\SCardSvr.exec:\program files\Intel\Wireless\Bin\EvtEng.exec:\program files\Java\jre6\bin\jqs.exec:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEc:\program files\Dell\QuickSet\NICCONFIGSVC.exec:\program files\Intel\Wireless\Bin\RegSrvc.exec:\windows\system32\tcpsvcs.exec:\windows\system32\StacSV.exec:\program files\Intel\Wireless\Bin\WLKeeper.exec:\windows\system32\SearchIndexer.exec:\windows\stsystra.exec:\windows\system32\igfxsrvc.exec:\program files\Apoint\ApMsgFwd.exec:\program files\Apoint\HidFind.exec:\program files\Apoint\Apntex.exec:\program files\Intel\Wireless\Bin\Dot1XCfg.exe.**************************************************************************.Completion time: 2010-12-14 21:43:22 - machine was rebootedComboFix-quarantined-files.txt 2010-12-15 05:43Pre-Run: 99,624,202,240 bytes freePost-Run: 100,321,083,392 bytes freeWindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsUnsupportedDebug="do not select this" /debugmulti(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect- - End Of File - - 6CDC7D570E01F84D41788ED4FD2105C3DDS (Ver_10-12-12.02) - NTFSx86 Run by Administrator at 21:47:34.51 on Tue 12/14/2010Internet Explorer: 7.0.5730.13Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1490 [GMT -8:00]AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}============== Running Processes ===============C:\WINDOWS\system32\svchost -k DcomLaunchC:\WINDOWS\system32\svchost -k rpcssC:\WINDOWS\System32\svchost.exe -k netsvcsC:\Program Files\Intel\Wireless\Bin\S24EvMon.exesvchost.exesvchost.exeC:\Program Files\Alwil Software\Avast5\AvastSvc.exeC:\WINDOWS\system32\spoolsv.exesvchost.exeC:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\WINDOWS\system32\tcpsvcs.exeC:\WINDOWS\system32\StacSV.exeC:\Program Files\Intel\Wireless\Bin\WLKeeper.exeC:\WINDOWS\system32\SearchIndexer.exeC:\Program Files\Apoint\Apoint.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\WINDOWS\stsystra.exeC:\WINDOWS\system32\igfxsrvc.exeC:\Program Files\Intel\Wireless\bin\ZCfgSvc.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Alwil Software\Avast5\avastUI.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\Apoint\ApMsgFwd.exeC:\Program Files\Windows Desktop Search\WindowsSearch.exeC:\Program Files\Apoint\HidFind.exeC:\Program Files\Apoint\Apntex.exeC:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exeC:\WINDOWS\System32\svchost.exe -k HTTPFilterC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\explorer.exeC:\Spy\dds.scr============== Pseudo HJT Report ===============uStart Page = hxxp://www.google.com/BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dllBHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dllBHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dlluRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /cmRun: [Apoint] c:\program files\apoint\Apoint.exemRun: [igfxTray] c:\windows\system32\igfxtray.exemRun: [HotKeysCmds] c:\windows\system32\hkcmd.exemRun: [Persistence] c:\windows\system32\igfxpers.exemRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exemRun: [sigmatelSysTrayApp] stsystra.exemRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/WirelessmRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottimemRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /noguimRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostartStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exeIE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLLTrusted Zone: westaff.comDPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cabDPF: {2E687AA8-B276-4910-BBFB-4E412F685379} - hxxp://dc1msam-vs.westaff.com/WebsiteViewerRoot/WebsiteViewer.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cabDPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cabDPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://10.2.1.200/activex/AxisCamControl.ocxDPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cabDPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cabDPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} - hxxps://westnet.westaff.com/wstf/cds/CGC/en/CSGProxy.cabNotify: igfxcui - igfxdev.dllSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dllSEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll============= SERVICES / DRIVERS ===============R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-6 165584]R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-6 17744]R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-6 40384]S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-6 40384]S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-6 40384]S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]=============== Created Last 30 ================2010-12-15 05:25:24 -------- d-sha-r- C:\cmdcons2010-12-15 05:18:21 98816 ----a-w- c:\windows\sed.exe2010-12-15 05:18:21 89088 ----a-w- c:\windows\MBR.exe2010-12-15 05:18:21 256512 ----a-w- c:\windows\PEV.exe2010-12-15 05:18:21 161792 ----a-w- c:\windows\SWREG.exe2010-12-15 05:00:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-12-15 05:00:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-12-14 23:33:21 -------- d-----w- C:\Spy2010-12-12 18:58:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-12-12 18:40:08 6153352 ----a-w- C:\mbam-setup-1.46.exe2010-12-01 03:09:42 -------- d-----w- c:\docume~1\admini~1\applic~1\Windows Search==================== Find3M ====================2010-11-07 00:52:53 0 ----a-w- c:\windows\system32\ConduitEngine.tmp2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll============= FINISH: 21:47:55.79 ===============Malwarebytes' Anti-Malware 1.50www.malwarebytes.orgDatabase version: 5316Windows 5.1.2600 Service Pack 3Internet Explorer 7.0.5730.1312/14/2010 9:56:50 PMmbam-log-2010-12-14 (21-56-26).txtScan type: Quick scanObjects scanned: 186317Time elapsed: 3 minute(s), 10 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 1Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Attach.zip Link to post Share on other sites More sharing options...
negster22 Posted December 15, 2010 ID:361359 Share Posted December 15, 2010 Good job! The TDSS should be gone now.Go to Control Panel - Add/Remove Programs and Remove(if present):Browser Address Error RedirectorJ2SE Runtime Environment 5.0 Update 6Java 6 Update 11Java 6 Update 2Java 6 Update 3Java 6 Update 7Now do the following:Go to Link to post Share on other sites More sharing options...
AdamTurner9 Posted December 15, 2010 Author ID:361413 Share Posted December 15, 2010 Here it is.ComboFix 10-12-14.07 - Administrator 12/15/2010 9:34.2.2 - x86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1433 [GMT -8:00]Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exeCommand switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txtAV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}FILE ::"C:\mbam-setup-1.46.exe".((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).C:\mbam-setup-1.46.exec:\program files\bae\c:\program files\bae\\BAE.dllc:\program files\bae\BAE.dll.((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 ))))))))))))))))))))))))))))))).2010-12-15 05:00 . 2010-11-30 01:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-12-15 05:00 . 2010-11-30 01:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-12-14 23:33 . 2010-12-15 05:56 -------- d-----w- C:\Spy2010-12-12 18:58 . 2010-12-15 05:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-12-01 03:09 . 2010-12-01 03:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-12-15 05:06 . 2004-08-04 03:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys2010-11-07 00:52 . 2010-11-07 00:52 0 ----a-w- c:\windows\system32\ConduitEngine.tmp2010-09-18 19:23 . 2004-08-11 22:00 974848 ----a-w- c:\windows\system32\mfc42u.dll2010-09-18 06:53 . 2004-08-11 22:00 974848 ----a-w- c:\windows\system32\mfc42.dll2010-09-18 06:53 . 2004-08-11 22:00 954368 ----a-w- c:\windows\system32\mfc40.dll2010-09-18 06:53 . 2004-08-11 22:00 953856 ----a-w- c:\windows\system32\mfc40u.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-09-01 136176][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-30 963976]c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-8-21 50688]Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904][hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]2006-10-20 22:23 118784 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009"1075:TCP"= 1075:TCP:LocalSubNet,10.1.0.0/255.255.248.0,10.2.0.0/255.255.248.0:Enabled:LNSS8"135:TCP"= 135:TCP:LocalSubNet,10.1.0.0/255.255.248.0,10.2.0.0/255.255.248.0:Enabled:WMI"139:TCP"= 139:TCP:LocalSubNet,10.1.0.0/255.255.248.0,10.2.0.0/255.255.248.0:Enabled:@xpsp2res.dll,-22004"445:TCP"= 445:TCP:LocalSubNet,10.1.0.0/255.255.248.0,10.2.0.0/255.255.248.0:Enabled:@xpsp2res.dll,-22005"137:UDP"= 137:UDP:LocalSubNet,10.1.0.0/255.255.248.0,10.2.0.0/255.255.248.0:Enabled:@xpsp2res.dll,-22001"138:UDP"= 138:UDP:LocalSubNet,10.1.0.0/255.255.248.0,10.2.0.0/255.255.248.0:Enabled:@xpsp2res.dll,-22002[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]"RemoteAddresses"= LocalSubNet,10.1.0.0/255.255.248.0,10.2.0.0/255.255.248.0"Enabled"= 1 (0x1)R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/6/2010 9:42 PM 165584]R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 11:21 AM 79432]R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/6/2010 9:42 PM 17744].Contents of the 'Scheduled Tasks' folder2010-12-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-821450780-168713865-2908271425-500Core.job- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-01 01:26]2010-12-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-821450780-168713865-2908271425-500UA.job- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-01 01:26]..------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000Trusted Zone: westaff.comDPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cabDPF: {2E687AA8-B276-4910-BBFB-4E412F685379} - hxxp://dc1msam-vs.westaff.com/WebsiteViewerRoot/WebsiteViewer.cabDPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} - hxxps://westnet.westaff.com/wstf/cds/CGC/en/CSGProxy.cab.**************************************************************************scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: **************************************************************************.Completion time: 2010-12-15 09:38:54ComboFix-quarantined-files.txt 2010-12-15 17:38ComboFix2.txt 2010-12-15 05:43Pre-Run: 100,398,641,152 bytes freePost-Run: 100,376,489,984 bytes free- - End Of File - - 0CDAF9C0D5248CBC49ABF88A043A5FB1ESETSmartInstaller@High as CAB hook log:OnlineScanner.ocx - registred OK# version=7# iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)# OnlineScanner.ocx=1.0.0.6415# api_version=3.0.2# EOSSerial=508b39a26ae917449dca5513cf4f11c2# end=finished# remove_checked=true# archives_checked=false# unwanted_checked=true# unsafe_checked=false# antistealth_checked=true# utc_time=2010-12-15 06:38:40# local_time=2010-12-15 10:38:40 (-0800, Pacific Standard Time)# country="United States"# lang=1033# osver=5.1.2600 NT Service Pack 3# compatibility_mode=770 16774141 100 100 2409999 68224799 0 0# compatibility_mode=8192 67108863 100 0 0 0 0 0# scanned=59482# found=1# cleaned=1# scan_time=1794C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP289\A0039732.dll Win32/Olmarik.ADF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C Link to post Share on other sites More sharing options...
negster22 Posted December 15, 2010 ID:361448 Share Posted December 15, 2010 That looks good! If everything appears to be normal - ie your PC is running without problems, then I'll give you some final clean-up instructions. Link to post Share on other sites More sharing options...
AdamTurner9 Posted December 15, 2010 Author ID:361462 Share Posted December 15, 2010 Please do. It is much better now.Thanks! Link to post Share on other sites More sharing options...
negster22 Posted December 15, 2010 ID:361524 Share Posted December 15, 2010 Great and Excellent job! We have a few steps to finish up now!!If I asked you to download and run an ARK (Antirootkit program) such as Gmer, Rootkit Unhooker, or Root Repeal, then please uninstall it by doing the following:Delete the contents of the C:\ARK folder (or whatever folder you chose to install the antirootkit in) Delete the C:\ARK folder(or whatever folder you chose to install the antirootkit in)If I asked You to download TDSSKiller, MBRCheck or mbr.exe, please delete these programs from your Desktop (or their download location). To remove Combofix and it's quarantine folder:Click Start -> Run, and copy/paste the following bolded text in the Open: box and select OK:"%userprofile%\desktop\combofix.exe" /uninstallThis will do the following:Uninstall Combofix and all its associated files and folders.Flush your system restore points and create a new restore point.Rehide your system files and foldersReset your system clock---Here are some additional measures you should take to keep your system in good working order and ensure your continued security.1. Scan your system for outdated versions of commonly used software applications that may also cause your PC be vulnerable, using the Secunia Online Software Inspector (OSI) by clicking the Start Scanner button. This is very important because recent statistics confirm that an overwhelming majority of infections are aquired through application not Operating System flaws. Commonly used programs like Quicktime, Java, and Adobe Acrobat Reader, itunes, FlashPlayer and many others are frequently targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs. Note: If your firewall prompts you about access, please allow it.2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find and remove most active malware in minutes.3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer. You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions.The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Update. However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.Finally, please review the additional suggestions offered by Tony Klein in How did I get infected in the first place. so you can maintain a safe and secure computing environment. Happy Surfing! Link to post Share on other sites More sharing options...
AdamTurner9 Posted December 15, 2010 Author ID:361548 Share Posted December 15, 2010 Thank you!! Do I re-enable the 'DeFogger' that I ran in the beginning? Link to post Share on other sites More sharing options...
negster22 Posted December 15, 2010 ID:361551 Share Posted December 15, 2010 You're very welcome and yes, re-enable the Defogger. Good luck to you! Link to post Share on other sites More sharing options...
Staff screen317 Posted February 8, 2011 Staff ID:386248 Share Posted February 8, 2011 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts