
Undetected Redirect Malware


My Dell XPS running Windows XP SP2 crashed this week and would not boot. Windows was hanging after loading mup.sys. I ran the Windows Recovery Console from CD, checked the hard drive with CHKDSK and did a Windows repair installation, which was successful. However, IE6 immediately began showing symptoms of a redirect virus infection. Tried Firefox and it had the same problem. I'm running Trend PC-cillin Internet Security 14. Besides not protecting from this infection, it also has been unable to find and clean it. I've also run Malwarebytes, Ad-Aware and Spybot, none of which have been able to locate the infection. Following the instructions on your "I'm infected! What do I do now!" thread, I've posted the Malwarebytes log and DDS logs below. Attached are the 2 requested zipped GMR files.

Thanks in advance for your help,

Robert

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5533

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

1/16/2011 4:30:06 PM

mbam-log-2011-01-16 (16-30-06).txt

Scan type: Quick scan

Objects scanned: 234511

Time elapsed: 31 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS TEXT FILE

DDS (Ver_10-12-12.01) - NTFSx86

Run by Dad at 20:30:43.03 on Sun 01/16/2011

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1259 [GMT -6:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: PC-cillin Internet Security - Virus Protection *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: PC-cillin Internet Security - Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE

C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe

C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Dad\Desktop\dds.pif

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us

uStart Page = hxxp://www.google.com/

mDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

mWinlogon: Userinit=c:\windows\system32\userinit.exe

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\masterwriter 2.0\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe

mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [CTHelper] CTHELPER.EXE

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"

mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"

mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [inCD] "c:\program files\nero\nero 9\incd\InCD.exe"

mRun: [NBHGui] "c:\program files\nero\nero 9\incd\NBHGui.exe"

mRun: [Nikon Message Center 2] c:\program files\nikon\nikon message center 2\NkMC2.exe -s

mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

dRunOnce: [setDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: $talisma_url$

Trusted Zone: intuit.com\ttlc

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - hxxp://www.passalong.com/Music/install/network/install.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?AuthParam=1237698058_7340c3da97c4fb14d515fecd96897c99&GroupName=JSC&FilePath=/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab&File=jinstall-6u12-windows-i586-jc.cab&BHost=javadl.sun.com

DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://mysteamaccount.coned.com/InternalSite/WhlCompMgr.cab

DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli ocnt32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dad\applic~1\mozilla\firefox\profiles\2yytj0zu.default\

FF - prefs.js: browser.startup.homepage - hxxp://apod.nasa.gov/apod/

FF - plugin: c:\documents and settings\dad\application data\move networks\plugins\npqmp071503000010.dll

FF - plugin: c:\documents and settings\dad\application data\move networks\plugins\npqmp071701000002.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: XUL Cache: {D6F3B5F0-AFB1-443D-B7AA-495EB42350A8} - c:\documents and settings\dad\local settings\application data\{D6F3B5F0-AFB1-443D-B7AA-495EB42350A8}

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Extension: XUL Cache: {D6F3B5F0-AFB1-443D-B7AA-495EB42350A8} - c:\documents and settings\dad\local settings\application data\{D6F3B5F0-AFB1-443D-B7AA-495EB42350A8}

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\dad\application data\Move Networks

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\dad\applic~1\mozilla\firefox\profiles\2yytj0zu.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-1-14 64288]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero 9\incd\NBHRegInCDSrv.exe [2009-5-8 109080]

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-9-18 345696]

R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-8-29 923216]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-11 36368]

R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-8-29 566872]

R2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\microsoft forefront uag\endpoint components\3.1.0\uagqecsvc.exe [2010-11-5 149904]

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2006-11-22 344800]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-7-10 57248]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-8-29 280392]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]

S3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\windows\downlo~1\DMService.exe [2010-11-5 468368]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1389400]

S3 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [2007-12-24 1984]

S3 pmxscan;USB ScanModule V5.1 Driver;c:\windows\system32\drivers\usbscan.sys [2006-11-22 15104]

S3 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

=============== Created Last 30 ================

2011-01-16 00:51:59 44544 -c--a-w- c:\windows\system32\dllcache\nsepm.dll

2011-01-16 00:50:59 45568 -c--a-w- c:\windows\system32\dllcache\browscap.dll

2011-01-16 00:40:43 81920 ----a-r- c:\windows\system32\SETCF.tmp

2011-01-16 00:40:43 134656 ----a-r- c:\windows\system32\SETD0.tmp

2011-01-16 00:34:33 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll

2011-01-16 00:34:33 24661 ----a-w- c:\windows\system32\spxcoins.dll

2011-01-16 00:34:33 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll

2011-01-16 00:34:33 13312 ----a-w- c:\windows\system32\irclass.dll

2011-01-16 00:34:26 22339 ----a-r- c:\windows\SETCA.tmp

2011-01-16 00:34:26 10559 ----a-r- c:\windows\SETCB.tmp

2011-01-16 00:34:23 13753 ----a-r- c:\windows\SET86.tmp

2011-01-16 00:34:20 1086058 ----a-r- c:\windows\SET7A.tmp

2011-01-16 00:34:20 106147 ----a-r- c:\windows\SET77.tmp

2011-01-16 00:10:13 22339 ----a-r- c:\windows\SETCD.tmp

2011-01-16 00:10:13 10559 ----a-r- c:\windows\SETCE.tmp

2011-01-16 00:10:05 13753 ----a-r- c:\windows\SET8A.tmp

2011-01-16 00:10:03 1086058 ----a-r- c:\windows\SET7E.tmp

2011-01-16 00:10:02 106147 ----a-r- c:\windows\SET7B.tmp

2011-01-15 23:28:53 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-01-15 23:28:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2011-01-15 22:52:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\Caphyon

2011-01-15 22:52:06 -------- d-----w- c:\docume~1\dad\locals~1\applic~1\Mozilla

2011-01-15 22:52:01 553696 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe

2011-01-15 22:52:01 25048 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll

2011-01-15 22:52:01 140248 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2011-01-15 22:52:00 66520 ----a-w- c:\program files\mozilla firefox\plugins\npnul32.dll

2011-01-15 13:13:20 15880 ----a-w- c:\windows\system32\lsdelete.exe

2011-01-15 04:26:54 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-01-15 04:25:44 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

2011-01-15 04:25:26 -------- d-----w- c:\program files\Lavasoft

2011-01-14 03:57:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-01-14 03:56:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-01-14 03:56:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-01-13 22:15:13 -------- d-----w- c:\documents and settings\all users\Downloads

2011-01-13 21:24:16 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe

2011-01-13 21:24:16 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe

2011-01-13 21:06:26 81920 ----a-r- c:\windows\system32\SETE5.tmp

2011-01-13 21:06:26 134656 ----a-r- c:\windows\system32\SETE6.tmp

2011-01-13 20:55:36 22339 ----a-r- c:\windows\SETC8.tmp

2011-01-13 20:55:36 10559 ----a-r- c:\windows\SETC9.tmp

2011-01-13 20:55:33 13753 ----a-r- c:\windows\SET85.tmp

2011-01-13 20:55:29 1086058 ----a-r- c:\windows\SET79.tmp

2011-01-13 20:55:29 106147 ----a-r- c:\windows\SET76.tmp

2011-01-13 20:11:10 22339 ----a-r- c:\windows\SET197.tmp

2011-01-13 20:11:10 10559 ----a-r- c:\windows\SET198.tmp

2011-01-13 20:11:06 13753 ----a-r- c:\windows\SET154.tmp

2011-01-13 20:11:04 1086058 ----a-r- c:\windows\SET148.tmp

2011-01-13 20:11:04 106147 ----a-r- c:\windows\SET145.tmp

2011-01-13 14:02:08 -------- d-----w- c:\windows\dell

2010-12-25 16:36:41 -------- d-----w- c:\docume~1\dad\locals~1\applic~1\ArcSoft

2010-12-25 16:35:51 -------- d-----w- c:\program files\ABBYY FineReader 6.0 Sprint

2010-12-25 16:35:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\ArcSoft

2010-12-25 16:35:30 18688 ----a-w- c:\windows\system32\drivers\afc.sys

2010-12-25 16:35:29 245408 ----a-w- c:\windows\system32\unicows.dll

2010-12-25 16:33:55 80024 ----a-w- c:\windows\system32\PICSDK.dll

2010-12-25 16:33:55 51360 ----a-w- c:\windows\system32\EpPicPrt.dll

2010-12-25 16:33:55 51360 ----a-w- c:\windows\system32\EpPicMgr.dll

2010-12-25 16:33:55 501912 ----a-w- c:\windows\system32\PICSDK2.dll

2010-12-25 16:33:55 108704 ----a-w- c:\windows\system32\PICEntry.dll

2010-12-25 16:33:00 -------- d-----w- c:\program files\Epson Software

2010-12-25 16:32:03 73216 ----a-w- c:\windows\system32\eswia8b.dll

2010-12-25 16:32:03 65793 ----a-w- c:\windows\system32\esfw8b.bin

2010-12-25 16:32:03 3584 ----a-w- c:\windows\system32\eswiaml.dll

2010-12-25 16:32:03 204800 ----a-w- c:\windows\system32\esint8b.dll

2010-12-25 16:32:03 15872 ----a-w- c:\windows\system32\escdev.dll

2010-12-25 16:32:03 128392 ----a-w- c:\windows\system32\esdevapp.exe

2010-12-25 16:32:01 -------- d-----w- c:\program files\epson

==================== Find3M ====================

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST3500641AS rev.3.ADG -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A6C4555]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a6ca7b0]; MOV EAX, [0x8a6ca82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EEECC] -> \Device\Harddisk0\DR0[0x8A798030]

3 CLASSPNP[0xB810905B] -> ntkrnlpa!IofCallDriver[0x804EEECC] -> [0x8A68EF18]

\Driver\atapi[0x8A70D3F8] -> IRP_MJ_CREATE -> 0x8A6C4555

kernel: MBR read successfully

_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3500641AS_____________________________3.ADG___#5&11df0e00&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x8A6C439B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

============= FINISH: 20:32:33.37 ===============

ark.zip


Hello Robert! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

Step 1

Please disable Ad-Watch module (part of Ad-Aware):

http://www.bleepingcomputer.com/forums/top...post__p__649847

Step 2

I see you are running TeaTimer.

I suggest you disable it because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you have disabled TeaTimer, download ResetTeaTimer.exe to your desktop.

Then run ResetTeaTimer.exe.

This will only take a few seconds.

Step 3

I see the Ask Toolbar in your log.

I strongly recommend you remove Ask Toolbar from your computer because:

  • It promotes its toolbars on sites targeted at kids.
  • It promotes its toolbars through ads that appear to be part of other companies' sites.
  • It promotes its toolbars through other companies' spyware.
  • It is installed without any disclosure whatsoever and without any consent from the user whatsoever.
  • It solicits installations via "deceptive door openers" that do not accurately describe the offer, failing to affirmatively show a license agreement and linking to a EULA via an off-screen link.
  • It makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

You can read more about Ask.com here

To remove it:

Click Start-->Control Panel-->Programs and Features

Click on the program name AskBarDis to highlight it

From the menu at the top, select Uninstall or Remove.

Please reboot the computer.

Step 4

I also see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Step 5

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on it.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory.

In your next reply, please include these log(s):

  1. TDSSKiller log
  2. a new fresh DDS log only


Hi Borislav!

It was good to hear from you so promptly. Thank you for taking the time to help with this problem. I followed your instructions as closely as possible. My progress and comments on each step are listed below. The TDSSKiller report and both DDS logs are attached.

Step 1

Attach.txt

DDS.txt

TDSSKiller.2.4.13.0_17.01.2011_10.49.13_log.txt


Borislav - Just noticed that the TDSS report I sent was after the "cure", so that probably doesn't help you a lot. Here is the "pre-cure" report.

Sorry for the error,

Robert

2011/01/17 10:36:51.0656 TDSS rootkit removing tool 2.4.13.0 Jan 12 2011 09:51:11

2011/01/17 10:36:51.0656 ================================================================================

2011/01/17 10:36:51.0656 SystemInfo:

2011/01/17 10:36:51.0656

2011/01/17 10:36:51.0656 OS Version: 5.1.2600 ServicePack: 2.0

2011/01/17 10:36:51.0656 Product type: Workstation

2011/01/17 10:36:51.0656 ComputerName: FAMILYDESKTOP

2011/01/17 10:36:51.0656 UserName: Dad

2011/01/17 10:36:51.0656 Windows directory: C:\WINDOWS

2011/01/17 10:36:51.0656 System windows directory: C:\WINDOWS

2011/01/17 10:36:51.0656 Processor architecture: Intel x86

2011/01/17 10:36:51.0656 Number of processors: 2

2011/01/17 10:36:51.0656 Page size: 0x1000

2011/01/17 10:36:51.0656 Boot type: Normal boot

2011/01/17 10:36:51.0656 ================================================================================

2011/01/17 10:36:52.0140 Initialize success

2011/01/17 10:36:56.0031 ================================================================================

2011/01/17 10:36:56.0031 Scan started

2011/01/17 10:36:56.0031 Mode: Manual;

2011/01/17 10:36:56.0031 ================================================================================

2011/01/17 10:36:56.0578 A3AB (b5f0db0a8f1c656302e42d180c461fee) C:\WINDOWS\system32\DRIVERS\A3AB.sys

2011/01/17 10:36:56.0656 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

2011/01/17 10:36:56.0718 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/01/17 10:36:56.0750 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/01/17 10:36:56.0828 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

2011/01/17 10:36:56.0890 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys

2011/01/17 10:36:56.0921 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\WINDOWS\system32\drivers\Afc.sys

2011/01/17 10:36:56.0984 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys

2011/01/17 10:36:57.0078 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys

2011/01/17 10:36:57.0140 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

2011/01/17 10:36:57.0171 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

2011/01/17 10:36:57.0218 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

2011/01/17 10:36:57.0234 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

2011/01/17 10:36:57.0281 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

2011/01/17 10:36:57.0296 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys

2011/01/17 10:36:57.0328 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys

2011/01/17 10:36:57.0359 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

2011/01/17 10:36:57.0406 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2011/01/17 10:36:57.0468 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

2011/01/17 10:36:57.0562 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

2011/01/17 10:36:57.0640 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

2011/01/17 10:36:57.0781 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys

2011/01/17 10:36:57.0828 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/01/17 10:36:57.0843 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/01/17 10:36:57.0875 ATIAVPCI (b27fec21c1125bab7d3c8cdf872e627b) C:\WINDOWS\system32\DRIVERS\atinavrr.sys

2011/01/17 10:36:57.0968 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/01/17 10:36:58.0000 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/01/17 10:36:58.0062 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/01/17 10:36:58.0109 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

2011/01/17 10:36:58.0125 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/01/17 10:36:58.0187 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2011/01/17 10:36:58.0250 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

2011/01/17 10:36:58.0328 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/01/17 10:36:58.0421 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/01/17 10:36:58.0468 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/01/17 10:36:58.0546 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys

2011/01/17 10:36:58.0593 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

2011/01/17 10:36:58.0625 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

2011/01/17 10:36:58.0750 ctac32k (8a9c65ce4fe6e8cb24ce06ba28d951a0) C:\WINDOWS\system32\drivers\ctac32k.sys

2011/01/17 10:36:58.0875 ctaud2k (47236971dfb3e03690b98e41665d0924) C:\WINDOWS\system32\drivers\ctaud2k.sys

2011/01/17 10:36:58.0953 ctdvda2k (5a0eeb00b02fc78605aa9d3590b24978) C:\WINDOWS\system32\drivers\ctdvda2k.sys

2011/01/17 10:36:59.0000 ctprxy2k (2381cf056c15271f6b8dab50ff82cf3a) C:\WINDOWS\system32\drivers\ctprxy2k.sys

2011/01/17 10:36:59.0031 ctsfm2k (da1c530de86c85a701138b30fb145af3) C:\WINDOWS\system32\drivers\ctsfm2k.sys

2011/01/17 10:36:59.0203 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

2011/01/17 10:36:59.0296 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

2011/01/17 10:36:59.0406 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/01/17 10:36:59.0468 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS

2011/01/17 10:36:59.0484 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS

2011/01/17 10:36:59.0531 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS

2011/01/17 10:36:59.0546 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS

2011/01/17 10:36:59.0656 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS

2011/01/17 10:36:59.0703 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS

2011/01/17 10:36:59.0750 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS

2011/01/17 10:36:59.0796 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS

2011/01/17 10:36:59.0843 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS

2011/01/17 10:37:00.0031 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

2011/01/17 10:37:00.0140 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\DRIVERS\dmio.sys

2011/01/17 10:37:00.0218 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/01/17 10:37:00.0328 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

2011/01/17 10:37:00.0406 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

2011/01/17 10:37:00.0484 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/01/17 10:37:00.0531 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS

2011/01/17 10:37:00.0562 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS

2011/01/17 10:37:00.0734 DSproct (2ac2372ffad9adc85672cc8e8ae14be9) C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys

2011/01/17 10:37:01.0031 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys

2011/01/17 10:37:01.0125 e1express (6f7ccd3c02b26d530900f06d98171a69) C:\WINDOWS\system32\DRIVERS\e1e5132.sys

2011/01/17 10:37:01.0312 ELacpi (0923aec043f5d355b4ef0c2b29a362de) C:\WINDOWS\system32\DRIVERS\ELacpi.sys

2011/01/17 10:37:01.0406 ELhid (cbd71e7772f92bfb85ccc302b2deefba) C:\WINDOWS\System32\Drivers\Elhid.sys

2011/01/17 10:37:01.0421 ELkbd (ac75b576c45d144e146fd1f0576a1f53) C:\WINDOWS\System32\Drivers\Elkbd.sys

2011/01/17 10:37:01.0453 ELmon (483cce5e40137d4e437f4def55c80007) C:\WINDOWS\System32\Drivers\Elmon.sys

2011/01/17 10:37:01.0531 ELmou (8e88cafeac0812bf2d15beeedfcce8bd) C:\WINDOWS\System32\Drivers\Elmou.sys

2011/01/17 10:37:01.0656 emupia (661cf27263f3e0b553be050a42d357db) C:\WINDOWS\system32\drivers\emupia2k.sys

2011/01/17 10:37:01.0843 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/01/17 10:37:01.0968 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys

2011/01/17 10:37:02.0046 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

2011/01/17 10:37:02.0281 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2011/01/17 10:37:02.0421 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/01/17 10:37:02.0562 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/01/17 10:37:02.0703 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/01/17 10:37:02.0796 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/01/17 10:37:03.0109 ha20x2k (e9d519905fd5b7b0269793f95c5ff630) C:\WINDOWS\system32\drivers\ha20x2k.sys

2011/01/17 10:37:03.0531 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2011/01/17 10:37:03.0750 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/01/17 10:37:03.0921 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

2011/01/17 10:37:04.0062 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys

2011/01/17 10:37:04.0421 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys

2011/01/17 10:37:05.0015 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/01/17 10:37:05.0156 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys

2011/01/17 10:37:05.0281 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys

2011/01/17 10:37:05.0359 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/01/17 10:37:05.0781 iastor (1c77a81756d4777ccb0425ae8107fe96) C:\WINDOWS\system32\drivers\iastor.sys

2011/01/17 10:37:06.0031 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/01/17 10:37:06.0171 InCDFs (76abfdda65f55c748251113f0384f284) C:\WINDOWS\system32\DRIVERS\InCDFs.sys

2011/01/17 10:37:06.0218 InCDPass (57bb1728fa4c4d11e446c35c554a4f71) C:\WINDOWS\system32\DRIVERS\InCDPass.sys

2011/01/17 10:37:06.0265 InCDRec (d480fc3bd1ba022ad78f867f59464a4e) C:\WINDOWS\system32\DRIVERS\InCDRec.sys

2011/01/17 10:37:06.0312 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

2011/01/17 10:37:06.0343 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/01/17 10:37:06.0437 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/01/17 10:37:06.0546 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/01/17 10:37:06.0593 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/01/17 10:37:06.0640 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/01/17 10:37:06.0718 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/01/17 10:37:06.0828 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/01/17 10:37:06.0906 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/01/17 10:37:06.0968 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/01/17 10:37:07.0062 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/01/17 10:37:07.0156 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/01/17 10:37:07.0296 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys

2011/01/17 10:37:07.0375 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/01/17 10:37:07.0468 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys

2011/01/17 10:37:07.0578 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2011/01/17 10:37:07.0640 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys

2011/01/17 10:37:07.0687 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/01/17 10:37:07.0718 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

2011/01/17 10:37:07.0750 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys

2011/01/17 10:37:07.0796 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/01/17 10:37:07.0859 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/01/17 10:37:07.0890 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/01/17 10:37:07.0937 MPE (55a9a7e6bb297bf0f5b144029dcb79cc) C:\WINDOWS\system32\DRIVERS\MPE.sys

2011/01/17 10:37:08.0062 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

2011/01/17 10:37:08.0187 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS

2011/01/17 10:37:08.0234 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS

2011/01/17 10:37:08.0312 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/01/17 10:37:08.0359 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/01/17 10:37:08.0453 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

2011/01/17 10:37:08.0515 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/01/17 10:37:08.0562 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/01/17 10:37:08.0578 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/01/17 10:37:08.0656 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/01/17 10:37:08.0734 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys

2011/01/17 10:37:08.0812 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

2011/01/17 10:37:08.0921 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2011/01/17 10:37:09.0015 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

2011/01/17 10:37:09.0187 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2011/01/17 10:37:09.0343 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/01/17 10:37:09.0484 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/01/17 10:37:09.0562 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/01/17 10:37:09.0671 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/01/17 10:37:09.0859 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/01/17 10:37:10.0156 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/01/17 10:37:10.0265 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2011/01/17 10:37:10.0484 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

2011/01/17 10:37:10.0640 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/01/17 10:37:10.0796 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/01/17 10:37:11.0812 nv (4c3696c1ed1a36629ebb348bf745a328) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2011/01/17 10:37:14.0343 NVHDA (cf68bcac297b4c98c1d25b81e4011de4) C:\WINDOWS\system32\drivers\nvhda32.sys

2011/01/17 10:37:14.0578 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/01/17 10:37:14.0734 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/01/17 10:37:14.0875 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2011/01/17 10:37:15.0000 ossrv (99f877a7bb6feb5af1184eafe937c208) C:\WINDOWS\system32\drivers\ctoss2k.sys

2011/01/17 10:37:15.0203 papycpu (2f886a56d520f872e7e4ba9423a9b07b) C:\WINDOWS\system32\drivers\papycpu.sys

2011/01/17 10:37:15.0390 papycpu2 (b2fce3df242eaaa317fa2e4946d26a03) C:\WINDOWS\system32\drivers\papycpu2.sys

2011/01/17 10:37:15.0593 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/01/17 10:37:15.0812 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/01/17 10:37:16.0000 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/01/17 10:37:16.0156 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/01/17 10:37:16.0343 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/01/17 10:37:16.0625 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/01/17 10:37:16.0984 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

2011/01/17 10:37:17.0203 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

2011/01/17 10:37:17.0406 pmxscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/01/17 10:37:17.0546 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/01/17 10:37:17.0609 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/01/17 10:37:17.0640 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/01/17 10:37:17.0703 PxHelp20 (40f2031bd9148d3194353ea7dec97a07) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2011/01/17 10:37:17.0750 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

2011/01/17 10:37:17.0843 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

2011/01/17 10:37:18.0031 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

2011/01/17 10:37:18.0109 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

2011/01/17 10:37:18.0218 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

2011/01/17 10:37:18.0468 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/01/17 10:37:18.0640 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/01/17 10:37:18.0687 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/01/17 10:37:18.0734 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/01/17 10:37:18.0843 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/01/17 10:37:18.0890 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/01/17 10:37:18.0937 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/01/17 10:37:19.0078 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/01/17 10:37:19.0171 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/01/17 10:37:19.0281 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/01/17 10:37:19.0375 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/01/17 10:37:19.0437 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/01/17 10:37:19.0546 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/01/17 10:37:19.0671 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys

2011/01/17 10:37:19.0796 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2011/01/17 10:37:19.0890 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

2011/01/17 10:37:20.0000 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys

2011/01/17 10:37:20.0046 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/01/17 10:37:20.0125 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/01/17 10:37:20.0312 STHDA (797fcc1d859b203958e915bb82528da9) C:\WINDOWS\system32\drivers\sthda.sys

2011/01/17 10:37:20.0437 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2011/01/17 10:37:20.0546 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/01/17 10:37:20.0687 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

2011/01/17 10:37:20.0796 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

2011/01/17 10:37:20.0890 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

2011/01/17 10:37:20.0968 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2011/01/17 10:37:21.0031 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2011/01/17 10:37:21.0140 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/01/17 10:37:21.0250 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/01/17 10:37:21.0359 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/01/17 10:37:21.0437 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/01/17 10:37:21.0531 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/01/17 10:37:21.0578 tmcfw (3929c6784db38788d76a88d9c4043dee) C:\WINDOWS\system32\DRIVERS\TM_CFW.sys

2011/01/17 10:37:21.0656 tmpreflt (0c89809f1df614bd42093a446b222a32) C:\WINDOWS\system32\DRIVERS\tmpreflt.sys

2011/01/17 10:37:21.0734 tmtdi (264ea39fdebd0b5e9d49d79923ed91ad) C:\WINDOWS\system32\DRIVERS\tmtdi.sys

2011/01/17 10:37:21.0812 tmxpflt (3d473e97ff805dab903aa66f08286c90) C:\WINDOWS\system32\drivers\TmXPFlt.sys

2011/01/17 10:37:21.0890 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2011/01/17 10:37:21.0937 TPkd (5815ae5ef8519066f19e575d67f6f191) C:\WINDOWS\system32\drivers\TPkd.sys

2011/01/17 10:37:22.0031 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

2011/01/17 10:37:22.0109 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2011/01/17 10:37:22.0140 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys

2011/01/17 10:37:22.0250 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/01/17 10:37:22.0359 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/01/17 10:37:22.0406 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/01/17 10:37:22.0468 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/01/17 10:37:22.0515 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/01/17 10:37:22.0546 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/01/17 10:37:22.0562 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/01/17 10:37:22.0640 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

2011/01/17 10:37:22.0687 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys

2011/01/17 10:37:22.0750 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys

2011/01/17 10:37:22.0843 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/01/17 10:37:22.0937 vsapint (50e1ea1dd3ea74919d7a1c5d6c9c0b56) C:\WINDOWS\system32\DRIVERS\vsapint.sys

2011/01/17 10:37:23.0000 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/01/17 10:37:23.0109 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/01/17 10:37:23.0218 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2011/01/17 10:37:23.0343 WmBEnum (bc3ecbcb40147bdae3ad2fd0b4b346d8) C:\WINDOWS\system32\drivers\WmBEnum.sys

2011/01/17 10:37:23.0375 WmFilter (19f9881d8b3484fedb605d0216876898) C:\WINDOWS\system32\drivers\WmFilter.sys

2011/01/17 10:37:23.0421 WmVirHid (7a51545a6409a25eedbdbd97d019e8cc) C:\WINDOWS\system32\drivers\WmVirHid.sys

2011/01/17 10:37:23.0437 WmXlCore (1f083b3bc73017e60c3ca85cf4a70753) C:\WINDOWS\system32\drivers\WmXlCore.sys

2011/01/17 10:37:23.0500 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2011/01/17 10:37:23.0546 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/01/17 10:37:23.0562 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/01/17 10:37:23.0625 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2011/01/17 10:37:24.0281 ================================================================================

2011/01/17 10:37:24.0281 Scan finished

2011/01/17 10:37:24.0281 ================================================================================

2011/01/17 10:37:24.0281 Detected object count: 1

2011/01/17 10:38:30.0015 \HardDisk0 - will be cured after reboot

2011/01/17 10:38:30.0015 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2011/01/17 10:38:47.0687 Deinitialize success

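The TDSSKiller log above is raw scanner output, and the one line that matters (the `\HardDisk0 - detected Rootkit.Win32.TDSS.tdl4` entry) sits after two hundred driver lines. As an added example (not code from this thread, from Malwarebytes or from TDSSKiller's authors), the following Python script parses the three line shapes that occur in such a log: the per-driver entry with service name, MD5 and path, the detection line, and the user-action line. It reports what was detected and what is scheduled to be cured, checks that the footer's "Detected object count" agrees with the number of detection lines, and groups driver entries by file hash so that one file registered under several service names is surfaced for review (in the posted log, usbscan.sys appears under both pmxscan and usbscan). The sample lines are copied from the log above and abbreviated; the function names are mine.

```python
"""Triage helper for a TDSSKiller log of the kind posted in this thread."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the log posted above,
# covering the three line shapes the parser understands. Real logs have one
# driver line per loaded service; the shape is the same.
SAMPLE_LOG = r"""
2011/01/17 10:37:17.0406 pmxscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/17 10:37:21.0250 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/17 10:37:22.0515 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/17 10:37:23.0625 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/17 10:37:24.0281 Scan finished
2011/01/17 10:37:24.0281 Detected object count: 1
2011/01/17 10:38:30.0015 \HardDisk0 - will be cured after reboot
2011/01/17 10:38:30.0015 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
"""

TIMESTAMP = r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})"
# "<time> <service> (<md5>) <path>": one line per driver/service the scanner checked
DRIVER_RE = re.compile(TIMESTAMP + r" (\S+) \(([0-9a-f]{32})\) (.+)$")
# "<time> <object> - detected <name> (<code>)"
DETECT_RE = re.compile(TIMESTAMP + r" (\S+) - detected (\S+) \((\d+)\)$")
# "<time> <name>(<object>) - User select action: <action>"
ACTION_RE = re.compile(TIMESTAMP + r" (\S+)\(([^)]+)\) - User select action: (\S+)$")
COUNT_RE = re.compile(TIMESTAMP + r" Detected object count: (\d+)$")


def parse_tdsskiller_log(text):
    """Split a TDSSKiller log into driver entries, detections, user actions and the reported count."""
    result = {"drivers": [], "detections": [], "actions": [], "reported_count": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DRIVER_RE.match(line):
            result["drivers"].append(
                {"time": m.group(1), "service": m.group(2), "md5": m.group(3), "path": m.group(4)}
            )
        elif m := DETECT_RE.match(line):
            result["detections"].append(
                {"time": m.group(1), "object": m.group(2), "name": m.group(3), "code": int(m.group(4))}
            )
        elif m := ACTION_RE.match(line):
            result["actions"].append(
                {"time": m.group(1), "name": m.group(2), "object": m.group(3), "action": m.group(4)}
            )
        elif m := COUNT_RE.match(line):
            result["reported_count"] = int(m.group(2))
        # Banner lines ("Scan finished", "will be cured after reboot", "====") are ignored.
    return result


def services_sharing_a_file(drivers):
    """Map each MD5 that appears under more than one service name to those names.

    Two services backed by the same file is common for generic drivers, but it is
    cheap to surface and worth a glance when a scanner has just flagged a rootkit.
    """
    by_hash = defaultdict(set)
    for entry in drivers:
        by_hash[entry["md5"]].add(entry["service"])
    return {md5: sorted(names) for md5, names in by_hash.items() if len(names) > 1}


def summarize(text):
    """One-screen triage view: what was found, what the user chose, and a consistency check."""
    parsed = parse_tdsskiller_log(text)
    return {
        "drivers_checked": len(parsed["drivers"]),
        "detections": [(d["object"], d["name"]) for d in parsed["detections"]],
        "pending_cures": [a["object"] for a in parsed["actions"] if a["action"] == "Cure"],
        "reported_count": parsed["reported_count"],
        # The footer count should equal the number of "detected" lines; a mismatch
        # means the log was truncated or edited before it was posted.
        "count_consistent": parsed["reported_count"] == len(parsed["detections"]),
        "shared_files": services_sharing_a_file(parsed["drivers"]),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a full log pasted into `SAMPLE_LOG` (or read from a file), the script prints the detections, the objects marked for cure after reboot, and any hash shared by several service names; a `count_consistent` of `False` is the quickest sign that a poster trimmed the log before uploading it.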

Thanks Robert and sorry about that with instructions for Windows 7!

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause unpredictable results.
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Good! :huh:

Open Notepad and copy and paste the text in the code box below into it:

File::
c:\windows\SETCA.tmp
c:\windows\SETCB.tmp
c:\windows\SET86.tmp
c:\windows\SET7A.tmp
c:\windows\SET77.tmp
c:\windows\SETCD.tmp
c:\windows\SETCE.tmp
c:\windows\SET8A.tmp
c:\windows\SET7E.tmp
c:\windows\SET7B.tmp
c:\windows\system32\SETE5.tmp
c:\windows\system32\SETE6.tmp
c:\windows\SETC8.tmp
c:\windows\SETC9.tmp
c:\windows\SET85.tmp
c:\windows\SET79.tmp
c:\windows\SET76.tmp
c:\windows\SET197.tmp
c:\windows\SET198.tmp
c:\windows\SET154.tmp
c:\windows\SET148.tmp
c:\windows\SET145.tmp

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Please post a new, fresh DDS log file as well (the DDS log only).


Good morning, Borislav!

I hadn't really tried using my PC until I heard back from you, but now that I check it, it seems to be running clean. Looks great! Should I re-enable my real-time protection now? Also, Windows wants to install an update, which I presume is OK to proceed with now?

Thanks,

Robert


Thanks Robert!

Now we'll clean some things, suggest some things and put things back as they should be. Update your Windows, work with your system, try some things and come back to let me know.

Step 1

  1. Go to Start => Run... and copy & paste the next command into the field:
    ComboFix /uninstall
  2. Then hit the Enter button.

This procedure will do the following:

  • Uninstall ComboFix
  • Delete its related folders and files
  • Reset your clock settings
  • Hide file extensions
  • Hide the system/hidden files
  • Reset System Restore again

P.S.: Make sure there's a space between ComboFix and /uninstall

Step 2

Please manually delete DDS, GMER, TDSSKiller and ResetTeaTimer.

Step 3

Keep your software up-to-date:

www.bleepingcomputer.com/tutorials/tutorial174.html

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :)

