Need help with unremovable Trojan.Bubnix

[Jenfa]

Yesterday, I was using my netbook (Windows 7 Starter) when I suddenly had windows popping up from AntiMalware Doctor stating that I had infections on my computer. I recognized it immediately as malware and set out to clear it using MBAM as directed on multiple forums. I also performed a system restore to what I believed to be a clean point 2 weeks ago. Everything seemed fine, until approximately 30 minutes later, when another program showed up with desktop shortcuts and popup windows: Whitesmoke Translator. I updated my MBAM and used that to clear it off as well, and found some TEMP folders containing files named with variants of "whitesmoke installer_silent". I deleted those files.

Since my Chrome browser still wasn't working, I found suggestions to run TDSSKiller, with which I found a malicious item (cured) and supicious item (skipped -- this item had the ollyahphg.sys listed ). This resolved my issues with running Chrome. I rescanned with MBAM and found an infected file listed as a Trojan.Bubnix. I cleared this, and rebooted as directed. Upon another scan, the Trojan.Bubnix was found again. I can't seem to find a way to remove the system32\drivers\ollyahphg.sys file.

During scanning, Gmer detected a rootkit. I appreciate any help that anyone can give me to make sure my system is clean. Below is my current DDS log+MBAM log, and attached is the Gmer log.

DDS (Ver_10-12-12.02) - NTFSx86

Run by Jenfa at 8:48:44.35 on Wed 12/15/2010

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1014.300 [GMT -8:00]

AV: McAfee VirusScan *Enabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: McAfee VirusScan *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

FW: McAfee Personal Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\Dell\DellDock\DockLogin.exe

C:\Program Files\Tablet\Pen\Pen_TouchService.exe

C:\Windows\SYSTEM32\WISPTIS.EXE

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE

C:\Windows\system32\WLANExt.exe

C:\Windows\system32\conhost.exe

C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Windows\system32\taskhost.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Windows\SYSTEM32\WISPTIS.EXE

C:\Program Files\Tablet\Pen\Pen_TouchUser.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Tablet\Pen\Pen_Tablet.exe

"C:\Windows\System32\svchost.exe"

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.EXE

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

"C:\Windows\System32\svchost.exe"

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\WSED\WSED.exe

C:\Program Files\Battery Meter\BTMeter.exe

C:\Program Files\CapsLKNotify\CapsLKNotify.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\igfxpers.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Users\Jenfa\AppData\Local\Google\Chrome\Application\chrome.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Common Files\mcafee\mna\mcnasvc.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\Users\Jenfa\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files\Pidgin\pidgin.exe

C:\Users\Jenfa\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Jenfa\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Users\Jenfa\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Jenfa\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Jenfa\Desktop\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uURLSearchHooks: Playdom Toolbar: {69d1a568-ffdf-4ef5-8919-7003582e0ee8} - c:\program files\playdom\tbPla1.dll

mURLSearchHooks: Playdom Toolbar: {69d1a568-ffdf-4ef5-8919-7003582e0ee8} - c:\program files\playdom\tbPla1.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Playdom Toolbar: {69d1a568-ffdf-4ef5-8919-7003582e0ee8} - c:\program files\playdom\tbPla1.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GR469A~1.DLL

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java

ark.txt

Attach.txt

[LDTate]

Please ask that your topic at bleepingcomputer be closed.

http://www.bleepingcomputer.com/forums/topic367481.html

Please don't attach the scan results, use Copy/Paste

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner

[Jenfa]

Thanks for the response, and I'm sorry for my late one. I had my account set to notify me via e-mail immediately for any replies, but did not receive any notification (I just happened to check the thread this morning). I've also requested that my topic at bleepingcomputer be closed as well.

I ran all of the programs as advised. The TDSS Killer scan found the same suspicious file as MBAM did. Here is my log from TDSSKiller:

2010/12/17 11:50:41.0275 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40

2010/12/17 11:50:41.0275 ================================================================================

2010/12/17 11:50:41.0275 SystemInfo:

2010/12/17 11:50:41.0275

2010/12/17 11:50:41.0275 OS Version: 6.1.7600 ServicePack: 0.0

2010/12/17 11:50:41.0275 Product type: Workstation

2010/12/17 11:50:41.0275 ComputerName: JENFA-LAPPY

2010/12/17 11:50:41.0290 UserName: Jenfa

2010/12/17 11:50:41.0290 Windows directory: C:\Windows

2010/12/17 11:50:41.0290 System windows directory: C:\Windows

2010/12/17 11:50:41.0290 Processor architecture: Intel x86

2010/12/17 11:50:41.0290 Number of processors: 2

2010/12/17 11:50:41.0290 Page size: 0x1000

2010/12/17 11:50:41.0290 Boot type: Normal boot

2010/12/17 11:50:41.0290 ================================================================================

2010/12/17 11:50:43.0162 Initialize success

2010/12/17 11:50:45.0892 ================================================================================

2010/12/17 11:50:45.0892 Scan started

2010/12/17 11:50:45.0892 Mode: Manual;

2010/12/17 11:50:45.0892 ================================================================================

2010/12/17 11:50:48.0622 1394ohci (6d2aca41739bfe8cb86ee8e85f29697d) C:\Windows\system32\DRIVERS\1394ohci.sys

2010/12/17 11:50:48.0731 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\Windows\system32\DRIVERS\ACPI.sys

2010/12/17 11:50:48.0778 AcpiPmi (98d81ca942d19f7d9153b095162ac013) C:\Windows\system32\DRIVERS\acpipmi.sys

2010/12/17 11:50:48.0887 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys

2010/12/17 11:50:48.0950 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys

2010/12/17 11:50:49.0012 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys

2010/12/17 11:50:49.0121 AFD (ddc040fdb01ef1712a6b13e52afb104c) C:\Windows\system32\drivers\afd.sys

2010/12/17 11:50:49.0184 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\DRIVERS\agp440.sys

2010/12/17 11:50:49.0433 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys

2010/12/17 11:50:49.0527 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\DRIVERS\aliide.sys

2010/12/17 11:50:49.0558 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\DRIVERS\amdagp.sys

2010/12/17 11:50:49.0621 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\DRIVERS\amdide.sys

2010/12/17 11:50:49.0683 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys

2010/12/17 11:50:49.0761 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys

2010/12/17 11:50:49.0808 amdsata (2101a86c25c154f8314b24ef49d7fbc2) C:\Windows\system32\DRIVERS\amdsata.sys

2010/12/17 11:50:49.0870 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys

2010/12/17 11:50:49.0917 amdxata (b81c2b5616f6420a9941ea093a92b150) C:\Windows\system32\DRIVERS\amdxata.sys

2010/12/17 11:50:49.0995 AppID (feb834c02ce1e84b6a38f953ca067706) C:\Windows\system32\drivers\appid.sys

2010/12/17 11:50:50.0089 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys

2010/12/17 11:50:50.0135 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys

2010/12/17 11:50:50.0198 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys

2010/12/17 11:50:50.0245 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\DRIVERS\atapi.sys

2010/12/17 11:50:50.0354 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys

2010/12/17 11:50:50.0432 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys

2010/12/17 11:50:50.0541 BCM42RLY (eb4434444e2721d721a8ac8d5d2ad26b) C:\Windows\system32\drivers\BCM42RLY.sys

2010/12/17 11:50:50.0666 BCM43XX (5245ebbe39ed9010240c20d21f5a26a9) C:\Windows\system32\DRIVERS\bcmwl6.sys

2010/12/17 11:50:50.0884 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys

2010/12/17 11:50:50.0962 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys

2010/12/17 11:50:51.0025 bowser (fcafaef6798d7b51ff029f99a9898961) C:\Windows\system32\DRIVERS\bowser.sys

2010/12/17 11:50:51.0071 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys

2010/12/17 11:50:51.0134 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys

2010/12/17 11:50:51.0212 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys

2010/12/17 11:50:51.0274 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys

2010/12/17 11:50:51.0321 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys

2010/12/17 11:50:51.0368 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys

2010/12/17 11:50:51.0446 BthEnum (2865a5c8e98c70c605f417908cebb3a4) C:\Windows\system32\DRIVERS\BthEnum.sys

2010/12/17 11:50:51.0508 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys

2010/12/17 11:50:51.0617 BthPan (ad1872e5829e8a2c3b5b4b641c3eab0e) C:\Windows\system32\DRIVERS\bthpan.sys

2010/12/17 11:50:51.0711 BTHPORT (4a34888e13224678dd062466afec4240) C:\Windows\system32\Drivers\BTHport.sys

2010/12/17 11:50:51.0789 BTHUSB (fa04c63916fa221dbb91fce153d07a55) C:\Windows\system32\Drivers\BTHUSB.sys

2010/12/17 11:50:51.0883 btwavdt (d282c14a69357d0e1bafaecc2ca98c3a) C:\Windows\system32\DRIVERS\btwavdt.sys

2010/12/17 11:50:51.0961 btwrchid (02eb4d2b05967df2d32f29c84ab1fb17) C:\Windows\system32\DRIVERS\btwrchid.sys

2010/12/17 11:50:52.0054 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys

2010/12/17 11:50:52.0132 cdrom (ba6e70aa0e6091bc39de29477d866a77) C:\Windows\system32\DRIVERS\cdrom.sys

2010/12/17 11:50:52.0195 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys

2010/12/17 11:50:52.0273 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys

2010/12/17 11:50:52.0366 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys

2010/12/17 11:50:52.0413 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\DRIVERS\cmdide.sys

2010/12/17 11:50:52.0475 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys

2010/12/17 11:50:52.0553 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys

2010/12/17 11:50:52.0631 CompositeBus (f1724ba27e97d627f808fb0ba77a28a6) C:\Windows\system32\DRIVERS\CompositeBus.sys

2010/12/17 11:50:52.0709 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys

2010/12/17 11:50:52.0819 CtClsFlt (b27d15c551a6678137c6b751b160756d) C:\Windows\system32\DRIVERS\CtClsFlt.sys

2010/12/17 11:50:52.0928 DfsC (8e09e52ee2e3ceb199ef3dd99cf9e3fb) C:\Windows\system32\Drivers\dfsc.sys

2010/12/17 11:50:52.0990 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys

2010/12/17 11:50:53.0068 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys

2010/12/17 11:50:53.0209 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys

2010/12/17 11:50:53.0287 DXGKrnl (8b6c3464d7fac176500061dbfff42ad4) C:\Windows\System32\drivers\dxgkrnl.sys

2010/12/17 11:50:53.0739 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys

2010/12/17 11:50:54.0035 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys

2010/12/17 11:50:54.0191 EMSC (cf460f454a0473e6c7ad846b94d8382a) C:\Windows\system32\DRIVERS\EMSC.SYS

2010/12/17 11:50:54.0285 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\DRIVERS\errdev.sys

2010/12/17 11:50:54.0394 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys

2010/12/17 11:50:54.0441 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys

2010/12/17 11:50:54.0519 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys

2010/12/17 11:50:54.0613 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys

2010/12/17 11:50:54.0675 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys

2010/12/17 11:50:54.0722 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys

2010/12/17 11:50:54.0800 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys

2010/12/17 11:50:54.0878 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys

2010/12/17 11:50:54.0956 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys

2010/12/17 11:50:55.0034 fvevol (dafbd9fe39197495aed6d51f3b85b5d2) C:\Windows\system32\DRIVERS\fvevol.sys

2010/12/17 11:50:55.0127 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys

2010/12/17 11:50:55.0221 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys

2010/12/17 11:50:55.0283 HDAudBus (717a2207fd6f13ad3e664c7d5a43c7bf) C:\Windows\system32\DRIVERS\HDAudBus.sys

2010/12/17 11:50:55.0346 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys

2010/12/17 11:50:55.0408 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys

2010/12/17 11:50:55.0471 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys

2010/12/17 11:50:55.0564 HidUsb (25072fb35ac90b25f9e4e3bacf774102) C:\Windows\system32\DRIVERS\hidusb.sys

2010/12/17 11:50:55.0923 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\DRIVERS\HpSAMD.sys

2010/12/17 11:50:56.0001 HTTP (c531c7fd9e8b62021112787c4e2c5a5a) C:\Windows\system32\drivers\HTTP.sys

2010/12/17 11:50:56.0079 hwpolicy (8305f33cde89ad6c7a0763ed0b5a8d42) C:\Windows\system32\drivers\hwpolicy.sys

2010/12/17 11:50:56.0157 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\DRIVERS\i8042prt.sys

2010/12/17 11:50:56.0594 iaStorV (934af4d7c5f457b9f0743f4299b77b67) C:\Windows\system32\DRIVERS\iaStorV.sys

2010/12/17 11:50:56.0875 igfx (9467514ea189475a6e7fdc5d7bde9d3f) C:\Windows\system32\DRIVERS\igdkmd32.sys

2010/12/17 11:50:57.0109 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys

2010/12/17 11:50:57.0296 IntcAzAudAddService (15d839bb1bd1bde95aae98b10ad88d8c) C:\Windows\system32\drivers\RTKVHDA.sys

2010/12/17 11:50:57.0452 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\DRIVERS\intelide.sys

2010/12/17 11:50:57.0530 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys

2010/12/17 11:50:57.0623 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys

2010/12/17 11:50:57.0686 IPMIDRV (e4454b6c37d7ffd5649611f6496308a7) C:\Windows\system32\DRIVERS\IPMIDrv.sys

2010/12/17 11:50:57.0748 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys

2010/12/17 11:50:57.0811 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys

2010/12/17 11:50:57.0857 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\DRIVERS\isapnp.sys

2010/12/17 11:50:57.0920 iScsiPrt (ed46c223ae46c6866ab77cdc41c404b7) C:\Windows\system32\DRIVERS\msiscsi.sys

2010/12/17 11:50:57.0982 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys

2010/12/17 11:50:58.0279 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\Windows\system32\DRIVERS\kbdhid.sys

2010/12/17 11:50:58.0357 KSecDD (e36a061ec11b373826905b21be10948f) C:\Windows\system32\Drivers\ksecdd.sys

2010/12/17 11:50:58.0419 KSecPkg (365c6154bbbc5377173f1ca7bfb6cc59) C:\Windows\system32\Drivers\ksecpkg.sys

2010/12/17 11:50:58.0903 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys

2010/12/17 11:50:59.0059 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys

2010/12/17 11:50:59.0121 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys

2010/12/17 11:50:59.0183 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys

2010/12/17 11:50:59.0230 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys

2010/12/17 11:50:59.0324 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys

2010/12/17 11:50:59.0558 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys

2010/12/17 11:50:59.0620 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys

2010/12/17 11:50:59.0698 mfeavfk (bafdd5e28baea99d7f4772af2f5ec7ee) C:\Windows\system32\drivers\mfeavfk.sys

2010/12/17 11:50:59.0745 mfebopk (1d003e3056a43d881597d6763e83b943) C:\Windows\system32\drivers\mfebopk.sys

2010/12/17 11:50:59.0823 mfehidk (3f138a1c8a0659f329f242d1e389b2cf) C:\Windows\system32\drivers\mfehidk.sys

2010/12/17 11:50:59.0917 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\Windows\system32\drivers\mferkdk.sys

2010/12/17 11:50:59.0964 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\Windows\system32\drivers\mfesmfk.sys

2010/12/17 11:51:00.0088 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys

2010/12/17 11:51:00.0151 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys

2010/12/17 11:51:00.0213 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys

2010/12/17 11:51:00.0291 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys

2010/12/17 11:51:00.0354 mountmgr (921c18727c5920d6c0300736646931c2) C:\Windows\system32\drivers\mountmgr.sys

2010/12/17 11:51:00.0432 MPFP (95675c3398dcc084c8d1dc35cc4e9e01) C:\Windows\system32\Drivers\Mpfp.sys

2010/12/17 11:51:00.0510 mpio (2af5997438c55fb79d33d015c30e1974) C:\Windows\system32\DRIVERS\mpio.sys

2010/12/17 11:51:00.0588 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys

2010/12/17 11:51:00.0666 MRxDAV (b1be47008d20e43da3adc37c24cdb89d) C:\Windows\system32\drivers\mrxdav.sys

2010/12/17 11:51:00.0744 mrxsmb (f1b6aa08497ea86ca6ef6f7a08b0bfb8) C:\Windows\system32\DRIVERS\mrxsmb.sys

2010/12/17 11:51:00.0806 mrxsmb10 (5613358b4050f46f5a9832da8050d6e4) C:\Windows\system32\DRIVERS\mrxsmb10.sys

2010/12/17 11:51:00.0884 mrxsmb20 (25c9792778d80feb4c8201e62281bfdf) C:\Windows\system32\DRIVERS\mrxsmb20.sys

2010/12/17 11:51:00.0931 msahci (4326d168944123f38dd3b2d9c37a0b12) C:\Windows\system32\DRIVERS\msahci.sys

2010/12/17 11:51:00.0993 msdsm (455029c7174a2dbb03dba8a0d8bddd9a) C:\Windows\system32\DRIVERS\msdsm.sys

2010/12/17 11:51:01.0102 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys

2010/12/17 11:51:01.0165 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys

2010/12/17 11:51:01.0227 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\DRIVERS\msisadrv.sys

2010/12/17 11:51:01.0368 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys

2010/12/17 11:51:01.0414 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys

2010/12/17 11:51:01.0461 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys

2010/12/17 11:51:01.0539 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys

2010/12/17 11:51:01.0602 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\DRIVERS\mssmbios.sys

2010/12/17 11:51:01.0648 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys

2010/12/17 11:51:01.0711 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys

2010/12/17 11:51:01.0789 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys

2010/12/17 11:51:01.0867 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys

2010/12/17 11:51:01.0960 NDIS (23759d175a0a9baaf04d05047bc135a8) C:\Windows\system32\drivers\ndis.sys

2010/12/17 11:51:02.0023 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys

2010/12/17 11:51:02.0101 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys

2010/12/17 11:51:02.0148 Ndisuio (b30ae7f2b6d7e343b0df32e6c08fce75) C:\Windows\system32\DRIVERS\ndisuio.sys

2010/12/17 11:51:02.0210 NdisWan (267c415eadcbe53c9ca873dee39cf3a4) C:\Windows\system32\DRIVERS\ndiswan.sys

2010/12/17 11:51:02.0272 NDProxy (af7e7c63dcef3f8772726f86039d6eb4) C:\Windows\system32\drivers\NDProxy.sys

2010/12/17 11:51:02.0335 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys

2010/12/17 11:51:02.0397 NetBT (dd52a733bf4ca5af84562a5e2f963b91) C:\Windows\system32\DRIVERS\netbt.sys

2010/12/17 11:51:02.0538 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys

2010/12/17 11:51:02.0600 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys

2010/12/17 11:51:02.0678 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys

2010/12/17 11:51:02.0803 Ntfs (3795dcd21f740ee799fb7223234215af) C:\Windows\system32\drivers\Ntfs.sys

2010/12/17 11:51:02.0912 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys

2010/12/17 11:51:02.0959 nvraid (3f3d04b1d08d43c16ea7963954ec768d) C:\Windows\system32\DRIVERS\nvraid.sys

2010/12/17 11:51:03.0021 nvstor (c99f251a5de63c6f129cf71933aced0f) C:\Windows\system32\DRIVERS\nvstor.sys

2010/12/17 11:51:03.0084 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\DRIVERS\nv_agp.sys

2010/12/17 11:51:03.0162 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\DRIVERS\ohci1394.sys

2010/12/17 11:51:03.0193 Suspicious service (NoAccess): ollyahphg

2010/12/17 11:51:03.0286 ollyahphg (ce26d4d29e1d87f30a21527527e964e5) C:\Windows\system32\drivers\ollyahphg.sys

2010/12/17 11:51:03.0286 Suspicious file (NoAccess): C:\Windows\system32\drivers\ollyahphg.sys. md5: ce26d4d29e1d87f30a21527527e964e5

2010/12/17 11:51:03.0318 ollyahphg - detected Locked service (1)

2010/12/17 11:51:03.0474 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys

2010/12/17 11:51:03.0536 partmgr (ff4218952b51de44fe910953a3e686b9) C:\Windows\system32\drivers\partmgr.sys

2010/12/17 11:51:03.0583 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys

2010/12/17 11:51:03.0801 pci (c858cb77c577780ecc456a892e7e7d0f) C:\Windows\system32\DRIVERS\pci.sys

2010/12/17 11:51:03.0879 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\DRIVERS\pciide.sys

2010/12/17 11:51:03.0942 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys

2010/12/17 11:51:03.0988 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys

2010/12/17 11:51:04.0082 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys

2010/12/17 11:51:04.0410 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys

2010/12/17 11:51:04.0472 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys

2010/12/17 11:51:04.0581 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys

2010/12/17 11:51:04.0690 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys

2010/12/17 11:51:04.0784 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys

2010/12/17 11:51:04.0862 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys

2010/12/17 11:51:04.0909 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys

2010/12/17 11:51:04.0987 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys

2010/12/17 11:51:05.0065 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys

2010/12/17 11:51:05.0158 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys

2010/12/17 11:51:05.0221 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys

2010/12/17 11:51:05.0299 rdbss (835d7e81bf517a3b72384bdcc85e1ce6) C:\Windows\system32\DRIVERS\rdbss.sys

2010/12/17 11:51:05.0361 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys

2010/12/17 11:51:05.0439 RDPCDD (1e016846895b15a99f9a176a05029075) C:\Windows\system32\DRIVERS\RDPCDD.sys

2010/12/17 11:51:05.0533 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys

2010/12/17 11:51:05.0611 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys

2010/12/17 11:51:05.0689 RDPWD (801371ba9782282892d00aadb08ee367) C:\Windows\system32\drivers\RDPWD.sys

2010/12/17 11:51:05.0782 rdyboost (4ea225bf1cf05e158853f30a99ca29a7) C:\Windows\system32\drivers\rdyboost.sys

2010/12/17 11:51:05.0907 RFCOMM (cb928d9e6daf51879dd6ba8d02f01321) C:\Windows\system32\DRIVERS\rfcomm.sys

2010/12/17 11:51:06.0032 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys

2010/12/17 11:51:06.0126 RSUSBSTOR (96f8dd546677aa5102150acc140377b3) C:\Windows\system32\Drivers\RtsUStor.sys

2010/12/17 11:51:06.0204 RTL8167 (26a9d6227d12b9d9da5a81bb9b55d810) C:\Windows\system32\DRIVERS\Rt86win7.sys

2010/12/17 11:51:06.0297 sbp2port (34ee0c44b724e3e4ce2eff29126de5b5) C:\Windows\system32\DRIVERS\sbp2port.sys

2010/12/17 11:51:06.0375 scfilter (a95c54b2ac3cc9c73fcdf9e51a1d6b51) C:\Windows\system32\DRIVERS\scfilter.sys

2010/12/17 11:51:06.0531 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys

2010/12/17 11:51:06.0625 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys

2010/12/17 11:51:06.0703 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys

2010/12/17 11:51:06.0765 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys

2010/12/17 11:51:06.0921 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\DRIVERS\sffdisk.sys

2010/12/17 11:51:06.0968 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\DRIVERS\sffp_mmc.sys

2010/12/17 11:51:07.0030 sffp_sd (a0708bbd07d245c06ff9de549ca47185) C:\Windows\system32\DRIVERS\sffp_sd.sys

2010/12/17 11:51:07.0077 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys

2010/12/17 11:51:07.0202 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\DRIVERS\sisagp.sys

2010/12/17 11:51:07.0264 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys

2010/12/17 11:51:07.0327 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys

2010/12/17 11:51:07.0405 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys

2010/12/17 11:51:07.0514 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys

2010/12/17 11:51:07.0701 srv (2dbedfb1853f06110ec2aa7f3213c89f) C:\Windows\system32\DRIVERS\srv.sys

2010/12/17 11:51:07.0779 srv2 (db37131d1027c50ea7ee21c8bb4536aa) C:\Windows\system32\DRIVERS\srv2.sys

2010/12/17 11:51:07.0857 srvnet (f5980b74124db9233b33f86fc5ebbb4f) C:\Windows\system32\DRIVERS\srvnet.sys

2010/12/17 11:51:07.0966 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys

2010/12/17 11:51:08.0044 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\DRIVERS\swenum.sys

2010/12/17 11:51:08.0138 SynTP (b5d9bca58c9f50a6683ddbf5945c8f5e) C:\Windows\system32\DRIVERS\SynTP.sys

2010/12/17 11:51:08.0372 Tcpip (bb7f39c31c4a4417fd318e7cd184e225) C:\Windows\system32\drivers\tcpip.sys

2010/12/17 11:51:08.0559 TCPIP6 (bb7f39c31c4a4417fd318e7cd184e225) C:\Windows\system32\DRIVERS\tcpip.sys

2010/12/17 11:51:08.0637 tcpipreg (e64444523add154f86567c469bc0b17f) C:\Windows\system32\drivers\tcpipreg.sys

2010/12/17 11:51:08.0731 TDPIPE (1875c1490d99e70e449e3afae9fcbadf) C:\Windows\system32\drivers\tdpipe.sys

2010/12/17 11:51:08.0840 TDTCP (7551e91ea999ee9a8e9c331d5a9c31f3) C:\Windows\system32\drivers\tdtcp.sys

2010/12/17 11:51:08.0902 tdx (cb39e896a2a83702d1737bfd402b3542) C:\Windows\system32\DRIVERS\tdx.sys

2010/12/17 11:51:08.0965 TermDD (c36f41ee20e6999dbf4b0425963268a5) C:\Windows\system32\DRIVERS\termdd.sys

2010/12/17 11:51:09.0199 tssecsrv (98ae6fa07d12cb4ec5cf4a9bfa5f4242) C:\Windows\system32\DRIVERS\tssecsrv.sys

2010/12/17 11:51:09.0277 tunnel (3e461d890a97f9d4c168f5fda36e1d00) C:\Windows\system32\DRIVERS\tunnel.sys

2010/12/17 11:51:09.0511 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys

2010/12/17 11:51:09.0620 udfs (09cc3e16f8e5ee7168e01cf8fcbe061a) C:\Windows\system32\DRIVERS\udfs.sys

2010/12/17 11:51:09.0776 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\DRIVERS\uliagpkx.sys

2010/12/17 11:51:09.0854 umbus (049b3a50b3d646baeeee9eec9b0668dc) C:\Windows\system32\DRIVERS\umbus.sys

2010/12/17 11:51:09.0916 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys

2010/12/17 11:51:10.0010 usbccgp (8455c4ed038efd09e99327f9d2d48ffa) C:\Windows\system32\DRIVERS\usbccgp.sys

2010/12/17 11:51:10.0072 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\DRIVERS\usbcir.sys

2010/12/17 11:51:10.0135 usbehci (1c333bfd60f2fed2c7ad5daf533cb742) C:\Windows\system32\DRIVERS\usbehci.sys

2010/12/17 11:51:10.0213 usbhub (ee6ef93ccfa94fae8c6ab298273d8ae2) C:\Windows\system32\DRIVERS\usbhub.sys

2010/12/17 11:51:10.0275 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\Windows\system32\DRIVERS\usbohci.sys

2010/12/17 11:51:10.0353 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys

2010/12/17 11:51:10.0416 USBSTOR (d8889d56e0d27e57ed4591837fe71d27) C:\Windows\system32\DRIVERS\USBSTOR.SYS

2010/12/17 11:51:10.0478 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\Windows\system32\DRIVERS\usbuhci.sys

2010/12/17 11:51:10.0572 usbvideo (f642a7e4bf78cfa359cca0a3557c28d7) C:\Windows\system32\Drivers\usbvideo.sys

2010/12/17 11:51:10.0696 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\DRIVERS\vdrvroot.sys

2010/12/17 11:51:10.0774 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys

2010/12/17 11:51:10.0837 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys

2010/12/17 11:51:10.0899 vhdmp (3be6e1f3a4f1afec8cee0d7883f93583) C:\Windows\system32\DRIVERS\vhdmp.sys

2010/12/17 11:51:10.0977 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\DRIVERS\viaagp.sys

2010/12/17 11:51:11.0040 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys

2010/12/17 11:51:11.0102 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\DRIVERS\viaide.sys

2010/12/17 11:51:11.0164 volmgr (384e5a2aa49934295171e499f86ba6f3) C:\Windows\system32\DRIVERS\volmgr.sys

2010/12/17 11:51:11.0242 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys

2010/12/17 11:51:11.0367 volsnap (58df9d2481a56edde167e51b334d44fd) C:\Windows\system32\DRIVERS\volsnap.sys

2010/12/17 11:51:11.0461 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys

2010/12/17 11:51:11.0570 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\system32\DRIVERS\vwifibus.sys

2010/12/17 11:51:11.0648 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\Windows\system32\DRIVERS\vwififlt.sys

2010/12/17 11:51:11.0788 wacmoumonitor (026d58e9d7701f6b26b0b499f1705334) C:\Windows\system32\DRIVERS\wacmoumonitor.sys

2010/12/17 11:51:11.0851 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) C:\Windows\system32\DRIVERS\wacommousefilter.sys

2010/12/17 11:51:11.0913 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys

2010/12/17 11:51:11.0991 wacomvhid (846b58ea44bf8c92e4b59f4e2252c4c0) C:\Windows\system32\DRIVERS\wacomvhid.sys

2010/12/17 11:51:12.0085 WANARP (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys

2010/12/17 11:51:12.0132 Wanarpv6 (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys

2010/12/17 11:51:12.0272 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys

2010/12/17 11:51:12.0350 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys

2010/12/17 11:51:12.0568 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys

2010/12/17 11:51:12.0615 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys

2010/12/17 11:51:12.0896 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\DRIVERS\wmiacpi.sys

2010/12/17 11:51:13.0083 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys

2010/12/17 11:51:13.0224 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\Windows\system32\drivers\WudfPf.sys

2010/12/17 11:51:13.0317 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\Windows\system32\DRIVERS\WUDFRd.sys

2010/12/17 11:51:13.0489 ynqgkkwh (e6d35f3aa51a65eb35c1f2340154a25e) C:\Windows\system32\drivers\rpcqes.sys

2010/12/17 11:51:13.0676 ================================================================================

2010/12/17 11:51:13.0676 Scan finished

2010/12/17 11:51:13.0676 ================================================================================

2010/12/17 11:51:13.0723 Detected object count: 1

2010/12/17 11:51:38.0418 Locked service(ollyahphg) - User select action: Skip

2010/12/17 11:51:45.0141 Deinitialize success

[LDTate]

Please go to , http://www.virustotal.com/en/indexf.html click on Browse, and upload the following file for analysis:

C:\Windows\system32\drivers\ollyahphg.sys

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If virscan.org is too busy you can try these.

http://virscan.org/

http://www.kaspersky.com/scanforvirus.html

[Jenfa]

I tried to upload it to virustotal.com and virscan.org, but after selecting it and pressing "Open" in the upload menu, it popped up with a window saying:

ollyahphg.sys

A device attached to the system is not functioning

[LDTate]

Looking at your topic at BC, I see this

Files Infected:

c:\windows\system32\drivers\ollyahphg.sys (Trojan.Bubnix) -> Quarantined and deleted successfully.

Run the scan again and select Quarantine or delete.

Reboot and run the scan again as we want to be sure it's gone

[Jenfa]

I reran TDSSKiller and selected "Delete" instead of "Skip". I then rebooted the system, and re-scanned with both TDSSKiller and MBAM. Nothing was found!

[LDTate]

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  
• Double click on ComboFix.exe & follow the prompts.
  Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
  Note: If you have SP3, use the SP2 package.
  If Vista or Windows 7, skip the Recovery Console part
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.

[Jenfa]

I had to uninstall McAfee since disabling (as per instructions) didn't work and it kept removing Combofix. My computer seems to be running okay, though it seemed okay with the very occasional bluescreen before I replied earlier today.

Below is the ComboFix report:

ComboFix 10-12-16.05 - Jenfa 12/17/2010 14:28:59.1.2 - x86

Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1014.383 [GMT -8:00]

Running from: c:\users\Jenfa\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\users\Jenfa\AppData\Local\{D9A631DC-7168-458E-B2C7-E0EF3977FFFD}

c:\users\Jenfa\AppData\Local\{D9A631DC-7168-458E-B2C7-E0EF3977FFFD}\chrome\content\overlay.xul

c:\users\Jenfa\AppData\Local\{D9A631DC-7168-458E-B2C7-E0EF3977FFFD}\install.rdf

c:\users\Jenfa\AppData\Roaming\9B88561868902568A6856C7EB198A7A8

c:\users\Jenfa\AppData\Roaming\9B88561868902568A6856C7EB198A7A8\enemies-names.txt

c:\users\Jenfa\AppData\Roaming\Install.dat

c:\users\Jenfa\AppData\Roaming\Local

.

((((((((((((((((((((((((( Files Created from 2010-11-17 to 2010-12-17 )))))))))))))))))))))))))))))))

.

2010-12-17 22:44 . 2010-12-17 22:45 -------- d-----w- c:\users\Jenfa\AppData\Local\temp

2010-12-17 22:44 . 2010-12-17 22:44 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-12-17 22:24 . 2010-12-17 22:25 -------- d-----w- C:\32788R22FWJFW

2010-12-12 23:09 . 2010-12-15 02:14 -------- d-----w- c:\users\Jenfa\AppData\Roaming\vlc

2010-12-12 23:08 . 2010-12-12 23:08 -------- d-----w- c:\program files\VideoLAN

2010-12-12 23:04 . 2010-12-12 23:06 -------- d-----w- c:\users\Jenfa\AppData\Roaming\DivX

2010-12-12 23:02 . 2010-12-15 02:14 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-12-12 23:00 . 2010-12-15 02:14 -------- d-----w- c:\program files\DivX

2010-12-12 22:59 . 2010-12-15 02:14 -------- d-----w- c:\programdata\DivX

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-30 01:42 . 2010-08-05 19:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-30 01:42 . 2010-08-05 19:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-16 20:01 . 2010-12-17 22:50 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A9F775A-2FB1-4CE4-B6F2-21994022727E}\mpengine.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{69d1a568-ffdf-4ef5-8919-7003582e0ee8}"= "c:\program files\Playdom\tbPla1.dll" [2010-09-14 2735200]

[HKEY_CLASSES_ROOT\clsid\{69d1a568-ffdf-4ef5-8919-7003582e0ee8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69d1a568-ffdf-4ef5-8919-7003582e0ee8}]

2010-09-14 01:00 2735200 ----a-w- c:\program files\Playdom\tbPla1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{69d1a568-ffdf-4ef5-8919-7003582e0ee8}"= "c:\program files\Playdom\tbPla1.dll" [2010-09-14 2735200]

[HKEY_CLASSES_ROOT\clsid\{69d1a568-ffdf-4ef5-8919-7003582e0ee8}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{69D1A568-FFDF-4EF5-8919-7003582E0EE8}"= "c:\program files\Playdom\tbPla1.dll" [2010-09-14 2735200]

[HKEY_CLASSES_ROOT\clsid\{69d1a568-ffdf-4ef5-8919-7003582e0ee8}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\users\Jenfa\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-12-17 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-05-30 1529128]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-06-17 7547424]

"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4562944]

"WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]

"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-07-22 623984]

"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-06-09 320880]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-30 963976]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-30 963976]

c:\users\Jenfa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2009-12-01 08:01 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2009-12-11 22:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-12-22 08:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

2007-01-01 21:22 3739648 ----a-w- c:\users\Jenfa\AppData\Roaming\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

2010-01-13 22:44 37888 ----a-w- c:\program files\Winamp\winampa.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-24 167424]

R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2010-05-19 16240]

S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [2009-06-26 13680]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [2009-03-31 81920]

S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]

S2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [2010-07-13 6076272]

S2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [2010-07-13 616816]

S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-03-12 143840]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc

.

Contents of the 'Scheduled Tasks' folder

2010-12-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4144882594-1295703853-52161789-1000Core.job

- c:\users\Jenfa\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-17 22:59]

2010-12-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4144882594-1295703853-52161789-1000UA.job

- c:\users\Jenfa\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-17 22:59]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

SafeBoot-klmdb.sys

SafeBoot-mcmscsvc

SafeBoot-MCODS

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2010-12-17 15:03:41

ComboFix-quarantined-files.txt 2010-12-17 23:03

Pre-Run: 108,951,584,768 bytes free

Post-Run: 108,892,835,840 bytes free

- - End Of File - - 3E9D50D7A157012750C5DC0457495FCE

[LDTate]

Good job

After uninstalling combofix you can reinstall McAfee.

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

• Click START run
  
• Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  

For Vista / Windows 7

• Click START Search
  
• Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

• The application window will appear
  
• Click the Re-enable button to re-enable your CD Emulation drivers
  
• Click Yes to continue
  
• A 'Finished!' message will appear
  
• Click OK
  
• DeFogger will now ask to reboot the machine - click OK
  

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
     
  2. Click once on the Security tab
     
  3. Click once on the Internet icon so it becomes highlighted.
     
  4. Click once on the Custom Level button.
     
  5. Change the Download signed ActiveX controls to Prompt
     
  6. Change the Download unsigned ActiveX controls to Disable
     
  7. Change the Initialize and script ActiveX controls not marked as safe to Disable
     
  8. Change the Installation of desktop items to Prompt
     
  9. Change the Launching programs and files in an IFRAME to Prompt
     
  10. Change the Navigate sub-frames across different domains to Prompt
      
  11. When all these settings have been made, click on the OK button.
      
  12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      
  13. Next press the Apply button and then the OK to exit the Internet Properties page.
      

  [*]Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week

  (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  [*]Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.

  Without a firewall your computer is succeptible to being hacked and taken over.

  I am very serious about this and see it happen almost every day with my clients.

  Simply using a Firewall in its default configuration can lower your risk greatly.

  [*] WOT , Web of Trust, As 'Googling' is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  Green to go

  Yellow for caution

  Red to stop

  WOT has an addon available for both Firefox and IE.

  [*]Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.

  This will ensure your computer has always the latest security updates available installed on your computer.

  If there are new updates to install, install them immediately, reboot your computer, and revisit the site

  until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?.

How to Prevent Malware:

[Jenfa]

Thank you for all of your help!

Are there any special/particular instructions for removing DDS or Gmer?

[LDTate]

Use Add/Remove Programs if they're listed. If not, Just delete them.

I'll leave your topic open for a few days so you can post back if the issues return.

[Jenfa]

Thanks again. Happy holidays!

[LDTate]

You're more than welcome.

Glad we were able to help

Peace be with you

[LDTate]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.