
User infected, please help



Hi everyone,

New here... trying to fix a user's computer in my office. She's got something that just keeps coming back and I can't get rid of it. Malwarebytes always detects it when I run the scan but it just keeps coming back. I'm trying to follow the instructions in the "I'm infected - What do I do now" post, but every time I try to run the GMER rootkit scan her computer reboots in the middle of the scan and I can't save the file I'm supposed to post here.

Here's the most recent Malwarebytes log (this was run before Defogger, DDS, and GMER). I don't know why it says "no action taken"; I told it to clean them after it found them and it asked me to reboot, which I did.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5593

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18999

1/24/2011 9:07:08 PM

mbam-log-2011-01-24 (21-07-04).txt

Scan type: Full scan (C:\|)

Objects scanned: 420579

Time elapsed: 1 hour(s), 3 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\Software\ndo8thb2ikwe (Malware.Trace) -> No action taken.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ikhrclsv (Trojan.Downloader) -> Value: ikhrclsv -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\mrichm\AppData\Local\Temp\eohenclai\xendxrasjmo.exe (Trojan.Downloader) -> No action taken.

c:\Users\mrichm\AppData\Local\Temp\a1.exe (Trojan.Downloader) -> No action taken.

c:\Users\mrichm\local settings\application data\syssvc.exe (Trojan.FakeAlert) -> No action taken.

DDS.txt

DDS (Ver_10-12-12.02) - NTFSx86

Run by mrichm at 22:29:00.42 on Mon 01/24/2011

Internet Explorer: 8.0.6001.18999

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\SLsvc.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\NetSupport\NetSupport Manager\client32.exe

C:\Program Files\Citrix\GoToMyPC\g2svc.exe

C:\Program Files\NetSupport\NetSupport Manager\client32.exe

C:\Program Files\Citrix\GoToMyPC\g2comm.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\NetSupport\NetSupport Notify\NotificationAgent.exe

C:\Program Files\Citrix\GoToMyPC\g2pre.exe

C:\Program Files\Webroot\Client\commagent.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Citrix\GoToMyPC\g2tray.exe

C:\Program Files\Webroot\Client\spysweeper.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Nuance\PaperPort\pptd40nt.exe

C:\Program Files\Nuance\OmniPage15\OpWare15.exe

C:\Program Files\Webroot\Client\SpySweeperUI.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Nuance\PaperPort\xdcla.exe

C:\Windows\System32\mobsync.exe

C:\Program Files\iTunes\iTunes.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe

C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Users\mrichm\Desktop\dds.scr

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\System32\svchost.exe -k LPDService

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k regsvc

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

uSearch Bar = Preserve

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:8592

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [sidebar] "c:\program files\windows sidebar\sidebar.exe" /autoRun

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [PaperPort PTD] "c:\program files\nuance\paperport\pptd40nt.exe"

mRun: [indexSearch] "c:\program files\nuance\paperport\IndexSearch.exe"

mRun: [PPort11reminder] "c:\program files\nuance\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\11\config\ereg\Ereg.ini

mRun: [Opware15] "c:\program files\nuance\omnipage15\Opware15.exe"

mRun: [PDF4 Registry Controller] "c:\program files\nuance\pdf converter 4\RegistryController.exe"

mRun: [WebrootClientUI] "c:\program files\webroot\client\SpySweeperUI.exe"

mRun: [blackBerryAutoUpdate] "c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe" /background

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

uExplorerRun: [1] c:\program files\microsoft office\office12\Outlook.exe

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: SoftwareSASGeneration = 3 (0x3)

dPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

IE: Open with ScanSoft PDF Converter 4.1 - c:\program files\nuance\pdf converter 4\cnvres_eng.dll /100

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab?AuthParam=1211498961_fc5e75fc6a7590ba350e80c7fd11b410&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab&File=jinstall-6u6-windows-i586-jc.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9E472D58-F10C-11CF-B7A9-0020AFD6A362} - hxxps://vault.netvoyage.com/neWeb2/neWebCl.cab

DPF: {9E472D6A-F10C-11CF-B7A9-0020AFD6A362} - hxxps://vault.netvoyage.com/neWeb2/neCrypto.cab

DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://lexisnexisevents.webex.com/client/T27L10NSP11EP5/event/ieatgpc1.cab

Notify: WRNotifier - WRLogonNtf.DLL

Hosts: 207.41.18.63 www.cacd.uscourts.gov

Hosts: 207.41.18.70 ecf.cacd.uscourts.gov

Hosts: 207.41.19.145 www.casd.uscourts.gov

Hosts: 207.41.19.127 www.caed.uscourts.gov

Hosts: 207.41.18.159 ecf.caed.uscourts.gov

============= SERVICES / DRIVERS ===============

R? gupdate;Google Update Service (gupdate)

S? AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller

S? NotificationAgent;NotificationAgent

S? nskbfltr;nskbfltr

S? WebrootCommAgentService;Webroot CommAgent Service

S? WebrootSpySweeperService;Webroot Spy Sweeper Engine

=============== Created Last 30 ================

2011-01-25 06:24:46 54016 ----a-w- c:\windows\system32\drivers\djaoast.sys

2011-01-21 06:56:59 98816 ----a-w- c:\windows\sed.exe

2011-01-21 06:56:59 89088 ----a-w- c:\windows\MBR.exe

2011-01-21 06:56:59 256512 ----a-w- c:\windows\PEV.exe

2011-01-21 06:56:59 161792 ----a-w- c:\windows\SWREG.exe

2011-01-21 06:56:21 -------- d-s---w- C:\ComboFix

2011-01-21 06:37:54 388096 ----a-r- c:\users\mrichm\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-01-21 06:37:53 -------- d-----w- c:\program files\Trend Micro

2011-01-20 18:13:59 -------- d-----w- c:\users\mrichm\appdata\roaming\Tuzof

2011-01-20 18:13:59 -------- d-----w- c:\users\mrichm\appdata\roaming\Sotaso

2011-01-12 07:32:26 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll

2011-01-12 07:32:26 57344 ----a-w- c:\program files\common files\system\msadc\msadcs.dll

2011-01-12 07:32:26 413696 ----a-w- c:\windows\system32\odbc32.dll

2011-01-12 07:32:26 253952 ----a-w- c:\program files\common files\system\ado\msadox.dll

2011-01-12 07:32:26 241664 ----a-w- c:\program files\common files\system\ado\msadomd.dll

2011-01-12 07:32:26 180224 ----a-w- c:\program files\common files\system\msadc\msadco.dll

2011-01-12 07:32:24 1169408 ----a-w- c:\windows\system32\sdclt.exe

2011-01-05 20:35:32 -------- d-----w- c:\users\mrichm\appdata\roaming\Malwarebytes

2011-01-05 19:09:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-01-05 19:09:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-01-05 19:09:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-01-05 19:09:17 -------- d-----w- c:\progra~2\Malwarebytes

2010-12-27 18:02:12 -------- d-----w- c:\program files\iPod

2010-12-27 18:02:11 -------- d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-11-30 01:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-30 01:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll

2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll

2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll

2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll

2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe

2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll

2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll

2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec

2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe

2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll

2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll

2010-10-28 13:20:12 2048 ----a-w- c:\windows\system32\tzres.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.0.6002

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85B93555]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85b997b0]; MOV EAX, [0x85b9982c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x81E62962] -> \Device\Harddisk0\DR0[0x854F6AC8]

3 CLASSPNP[0x87FA88B3] -> ntkrnlpa!IofCallDriver[0x81E62962] -> [0x84E9C918]

5 acpi[0x806916BC] -> ntkrnlpa!IofCallDriver[0x81E62962] -> [0x8448C8A0]

\Driver\atapi[0x85BCEC40] -> IRP_MJ_CREATE -> 0x85B93555

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0; }

user != kernel MBR !!!

Warning: possible TDL4 rootkit infection !

TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 22:30:04.66 ===============

I've attached attach.zip

If I need to run GMER, please let me know what I can do to keep it from crashing her computer. I have to remote into it (she's in LA, I'm in SF), so I don't know if that has anything to do with it.

Thanks for the help!! This has been driving me nuts for a week.


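Since the question in the post above is really about how to read these logs, here is an added Python example (not part of the thread, and not Malwarebytes or DDS tooling) that parses MBAM detection lines, separates items still marked "No action taken" from items already quarantined, and flags entries in the DDS "Pseudo HJT Report" that a responder would want to check: a proxy pointing at 127.0.0.1, hosts-file overrides, and UAC disabled. The sample lines are excerpted from the logs in the first post plus one constructed "Quarantined" line; the line formats are assumed from those excerpts only.

```python
"""Triage helpers for Malwarebytes' Anti-Malware (MBAM) and DDS logs.

Added example, not part of the original thread or of any Malwarebytes/DDS
tool. Line formats are assumed from the excerpts posted in the thread.
"""
import re
from dataclasses import dataclass

# Detection lines excerpted from the MBAM log in the first post, plus one
# constructed line showing what a cleaned item looks like.
MBAM_LOG = r"""
HKEY_CURRENT_USER\Software\ndo8thb2ikwe (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ikhrclsv (Trojan.Downloader) -> Value: ikhrclsv -> No action taken.
c:\Users\mrichm\AppData\Local\Temp\eohenclai\xendxrasjmo.exe (Trojan.Downloader) -> No action taken.
c:\Users\mrichm\AppData\Local\Temp\a1.exe (Trojan.Downloader) -> No action taken.
c:\Users\mrichm\local settings\application data\syssvc.exe (Trojan.FakeAlert) -> No action taken.
c:\Users\mrichm\AppData\Local\Temp\constructed_sample.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# Pseudo HJT lines excerpted from the DDS log in the first post.
DDS_LINES = r"""
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8592
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
Hosts: 207.41.18.63 www.cacd.uscourts.gov
mPolicies-system: EnableLUA = 0 (0x0)
"""


@dataclass
class Detection:
    item: str      # registry key/value or file path
    family: str    # MBAM family label, e.g. Trojan.Downloader
    status: str    # last "-> ..." segment without the trailing period


# "<item> (<family>) -> [extra ->] <status>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.]+)\) -> (?P<rest>.+)$")


def parse_mbam(text: str) -> list[Detection]:
    """Return one Detection per MBAM detection line; other lines are ignored."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        # "Value: ikhrclsv -> No action taken." keeps only the final segment.
        status = m.group("rest").split(" -> ")[-1].rstrip(".")
        found.append(Detection(m.group("item"), m.group("family"), status))
    return found


def unhandled(detections: list[Detection]) -> list[Detection]:
    """Items MBAM reported but did not remove; these need a follow-up scan."""
    return [d for d in detections if d.status == "No action taken"]


def triage_dds(text: str) -> list[tuple[str, str]]:
    """Flag Pseudo HJT entries worth a second look, as (reason, line) pairs."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("uInternet Settings,ProxyServer"):
            # Value looks like "http=127.0.0.1:8592"; take the host part.
            value = line.split("=", 1)[1].strip()
            host = value.split("=")[-1].split(":")[0]
            if host in ("127.0.0.1", "localhost"):
                # Browser traffic routed through a local listener: confirm
                # which installed program owns that port.
                findings.append(("loopback-proxy", line))
        elif line.startswith("Hosts:"):
            # Any hosts-file override is listed for review; it may be a
            # deliberate corporate mapping, so this is a prompt, not a verdict.
            findings.append(("hosts-override", line))
        elif line.startswith("mPolicies-system: EnableLUA = 0"):
            # EnableLUA = 0 means UAC is switched off on this Vista machine.
            findings.append(("uac-disabled", line))
    return findings


if __name__ == "__main__":
    dets = parse_mbam(MBAM_LOG)
    print(f"{len(dets)} detections, {len(unhandled(dets))} still unhandled")
    for reason, line in triage_dds(DDS_LINES):
        print(f"[{reason}] {line}")
```

The status split matters because MBAM inserts extra "-> Value: ..." segments for registry values, so the last segment, not the first, is the action result.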

Hello Longshot9! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on this.
  • Keep me informed about any changes.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip; choose it.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory.

In your next reply, please include these log(s):

  1. TDSSKiller log
  2. a new fresh DDS log only


Here you go, sorry for the delay... I have to work around the user's work day.

2011/01/25 21:50:56.0517 TDSS rootkit removing tool 2.4.15.0 Jan 22 2011 19:37:53

2011/01/25 21:50:56.0517 ================================================================================

2011/01/25 21:50:56.0517 SystemInfo:

2011/01/25 21:50:56.0517

2011/01/25 21:50:56.0517 OS Version: 6.0.6002 ServicePack: 2.0

2011/01/25 21:50:56.0517 Product type: Workstation

2011/01/25 21:50:56.0517 ComputerName: V-MRICHM

2011/01/25 21:50:56.0517 UserName: mrichm

2011/01/25 21:50:56.0517 Windows directory: C:\Windows

2011/01/25 21:50:56.0517 System windows directory: C:\Windows

2011/01/25 21:50:56.0517 Processor architecture: Intel x86

2011/01/25 21:50:56.0517 Number of processors: 2

2011/01/25 21:50:56.0517 Page size: 0x1000

2011/01/25 21:50:56.0517 Boot type: Normal boot

2011/01/25 21:50:56.0517 ================================================================================

2011/01/25 21:50:56.0705 Initialize success

2011/01/25 21:51:04.0661 ================================================================================

2011/01/25 21:51:04.0661 Scan started

2011/01/25 21:51:04.0661 Mode: Manual;

2011/01/25 21:51:04.0661 ================================================================================

2011/01/25 21:51:06.0002 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys

2011/01/25 21:51:06.0080 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys

2011/01/25 21:51:06.0127 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys

2011/01/25 21:51:06.0174 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys

2011/01/25 21:51:06.0361 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys

2011/01/25 21:51:06.0470 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys

2011/01/25 21:51:06.0564 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys

2011/01/25 21:51:06.0595 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys

2011/01/25 21:51:06.0642 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys

2011/01/25 21:51:06.0845 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys

2011/01/25 21:51:06.0876 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys

2011/01/25 21:51:06.0907 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys

2011/01/25 21:51:07.0203 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys

2011/01/25 21:51:07.0297 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys

2011/01/25 21:51:07.0515 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys

2011/01/25 21:51:07.0562 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys

2011/01/25 21:51:07.0765 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys

2011/01/25 21:51:07.0812 AtcL001 (bf8e0694001107bcc82670ccb500921e) C:\Windows\system32\DRIVERS\l160x86.sys

2011/01/25 21:51:08.0077 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys

2011/01/25 21:51:08.0202 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys

2011/01/25 21:51:08.0373 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys

2011/01/25 21:51:08.0420 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys

2011/01/25 21:51:08.0467 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys

2011/01/25 21:51:08.0654 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys

2011/01/25 21:51:08.0685 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys

2011/01/25 21:51:08.0732 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys

2011/01/25 21:51:08.0966 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys

2011/01/25 21:51:09.0169 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys

2011/01/25 21:51:09.0263 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys

2011/01/25 21:51:09.0309 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys

2011/01/25 21:51:09.0387 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys

2011/01/25 21:51:09.0575 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys

2011/01/25 21:51:09.0621 Compbatt (82b8c91d327cfecf76cb58716f7d4997) C:\Windows\system32\drivers\compbatt.sys

2011/01/25 21:51:09.0809 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys

2011/01/25 21:51:09.0855 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys

2011/01/25 21:51:10.0074 CSC (9bdb2e89be8d0ef37b1f25c3d3fc192c) C:\Windows\system32\drivers\csc.sys

2011/01/25 21:51:10.0167 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys

2011/01/25 21:51:10.0292 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys

2011/01/25 21:51:10.0386 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys

2011/01/25 21:51:10.0464 DXGKrnl (fb85f7f69e9b109820409243f578cc4d) C:\Windows\System32\drivers\dxgkrnl.sys

2011/01/25 21:51:10.0651 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys

2011/01/25 21:51:10.0745 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys

2011/01/25 21:51:10.0869 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys

2011/01/25 21:51:11.0166 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys

2011/01/25 21:51:11.0228 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys

2011/01/25 21:51:11.0322 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys

2011/01/25 21:51:11.0400 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys

2011/01/25 21:51:11.0478 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys

2011/01/25 21:51:11.0540 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys

2011/01/25 21:51:11.0618 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys

2011/01/25 21:51:11.0805 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys

2011/01/25 21:51:11.0852 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys

2011/01/25 21:51:11.0899 gdihook5 (1bf51689fca97d7198d9948e0f50ec2c) C:\Windows\system32\DRIVERS\gdihook5.sys

2011/01/25 21:51:12.0071 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys

2011/01/25 21:51:12.0211 HdAudAddService (3f90e001369a07243763bd5a523d8722) C:\Windows\system32\drivers\HdAudio.sys

2011/01/25 21:51:12.0336 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys

2011/01/25 21:51:12.0383 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys

2011/01/25 21:51:12.0539 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys

2011/01/25 21:51:12.0788 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys

2011/01/25 21:51:12.0835 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys

2011/01/25 21:51:12.0991 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys

2011/01/25 21:51:13.0038 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys

2011/01/25 21:51:13.0100 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys

2011/01/25 21:51:13.0256 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys

2011/01/25 21:51:13.0334 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys

2011/01/25 21:51:13.0537 intelide (97469037714070e45194ed318d636401) C:\Windows\system32\drivers\intelide.sys

2011/01/25 21:51:13.0584 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys

2011/01/25 21:51:13.0802 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys

2011/01/25 21:51:13.0943 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys

2011/01/25 21:51:13.0989 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys

2011/01/25 21:51:14.0177 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys

2011/01/25 21:51:14.0223 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys

2011/01/25 21:51:14.0442 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys

2011/01/25 21:51:14.0489 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys

2011/01/25 21:51:14.0520 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys

2011/01/25 21:51:14.0582 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys

2011/01/25 21:51:14.0816 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys

2011/01/25 21:51:14.0957 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys

2011/01/25 21:51:15.0066 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys

2011/01/25 21:51:15.0425 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys

2011/01/25 21:51:15.0487 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys

2011/01/25 21:51:15.0534 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys

2011/01/25 21:51:15.0674 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys

2011/01/25 21:51:15.0768 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys

2011/01/25 21:51:15.0861 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys

2011/01/25 21:51:15.0924 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys

2011/01/25 21:51:15.0955 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys

2011/01/25 21:51:16.0127 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys

2011/01/25 21:51:16.0189 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys

2011/01/25 21:51:16.0439 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys

2011/01/25 21:51:16.0470 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys

2011/01/25 21:51:16.0517 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys

2011/01/25 21:51:16.0579 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys

2011/01/25 21:51:16.0751 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys

2011/01/25 21:51:16.0797 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys

2011/01/25 21:51:16.0844 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys

2011/01/25 21:51:17.0000 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys

2011/01/25 21:51:17.0047 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys

2011/01/25 21:51:17.0234 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys

2011/01/25 21:51:17.0343 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys

2011/01/25 21:51:17.0453 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys

2011/01/25 21:51:17.0531 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys

2011/01/25 21:51:17.0593 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys

2011/01/25 21:51:17.0687 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys

2011/01/25 21:51:17.0874 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys

2011/01/25 21:51:17.0905 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys

2011/01/25 21:51:17.0967 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\Windows\system32\DRIVERS\ASACPI.sys

2011/01/25 21:51:18.0233 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys

2011/01/25 21:51:18.0326 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys

2011/01/25 21:51:18.0435 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys

2011/01/25 21:51:18.0482 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys

2011/01/25 21:51:18.0513 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys

2011/01/25 21:51:18.0747 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys

2011/01/25 21:51:18.0779 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys

2011/01/25 21:51:18.0841 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys

2011/01/25 21:51:19.0091 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys

2011/01/25 21:51:19.0200 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys

2011/01/25 21:51:19.0340 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys

2011/01/25 21:51:19.0387 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys

2011/01/25 21:51:19.0574 nskbfltr (ff08ed0fff6fab1c36f48f682379484c) C:\Windows\system32\drivers\nskbfltr.sys

2011/01/25 21:51:19.0683 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys

2011/01/25 21:51:19.0761 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys

2011/01/25 21:51:19.0824 NuidFltr (20623a75f3c6c1076ebba64dd8c4bc02) C:\Windows\system32\DRIVERS\NuidFltr.sys

2011/01/25 21:51:19.0949 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys

2011/01/25 21:51:20.0167 nvlddmkm (170d59b88f7c124204ca4e5f22c80480) C:\Windows\system32\DRIVERS\nvlddmkm.sys

2011/01/25 21:51:20.0261 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys

2011/01/25 21:51:20.0292 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys

2011/01/25 21:51:20.0339 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys

2011/01/25 21:51:20.0635 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys

2011/01/25 21:51:20.0729 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys

2011/01/25 21:51:20.0947 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys

2011/01/25 21:51:20.0978 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys

2011/01/25 21:51:21.0212 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys

2011/01/25 21:51:21.0259 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys

2011/01/25 21:51:21.0306 PCISys (181a85951e49ff9970ff8f4412853889) C:\Windows\system32\drivers\pcisys.sys

2011/01/25 21:51:21.0524 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys

2011/01/25 21:51:21.0587 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys

2011/01/25 21:51:21.0930 Point32 (d82ac5b7da8fdccda1323836516405ec) C:\Windows\system32\DRIVERS\point32k.sys

2011/01/25 21:51:22.0008 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys

2011/01/25 21:51:22.0195 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys

2011/01/25 21:51:22.0289 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys

2011/01/25 21:51:22.0460 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys

2011/01/25 21:51:22.0492 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys

2011/01/25 21:51:22.0694 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys

2011/01/25 21:51:22.0757 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys

2011/01/25 21:51:22.0944 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys

2011/01/25 21:51:23.0053 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys

2011/01/25 21:51:23.0225 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys

2011/01/25 21:51:23.0318 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys

2011/01/25 21:51:23.0381 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys

2011/01/25 21:51:23.0490 rdpdr (943b18305eae3935598a9b4a3d560b4c) C:\Windows\system32\DRIVERS\rdpdr.sys

2011/01/25 21:51:23.0568 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys

2011/01/25 21:51:23.0646 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys

2011/01/25 21:51:23.0880 RimUsb (f17713d108aca124a139fde877eef68a) C:\Windows\system32\Drivers\RimUsb.sys

2011/01/25 21:51:23.0958 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\Windows\system32\DRIVERS\RimSerial.sys

2011/01/25 21:51:24.0098 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys

2011/01/25 21:51:24.0161 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys

2011/01/25 21:51:24.0332 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys

2011/01/25 21:51:24.0410 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys

2011/01/25 21:51:24.0598 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys

2011/01/25 21:51:24.0660 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys

2011/01/25 21:51:24.0707 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys

2011/01/25 21:51:24.0956 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys

2011/01/25 21:51:25.0097 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys

2011/01/25 21:51:25.0144 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys

2011/01/25 21:51:25.0362 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\DRIVERS\sfloppy.sys

2011/01/25 21:51:25.0409 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys

2011/01/25 21:51:25.0456 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys

2011/01/25 21:51:25.0690 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys

2011/01/25 21:51:25.0768 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys

2011/01/25 21:51:25.0830 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys

2011/01/25 21:51:25.0986 srv (ff3cbc13db84d81f56931bc922cc37c4) C:\Windows\system32\DRIVERS\srv.sys

2011/01/25 21:51:26.0017 srv2 (d15959d9f69f0d39a0153e9c244f20dd) C:\Windows\system32\DRIVERS\srv2.sys

2011/01/25 21:51:26.0251 srvnet (faa0d553a49e85008c6bb3781987c574) C:\Windows\system32\DRIVERS\srvnet.sys

2011/01/25 21:51:26.0314 SSFS0BB9 (29fb5b5a8fb7d1f6bec12e12751263ac) C:\Windows\system32\Drivers\SSFS0BB9.SYS

2011/01/25 21:51:26.0345 SSHRMD (9304b0be1c09aa876be200761a50be65) C:\Windows\system32\Drivers\SSHRMD.SYS

2011/01/25 21:51:26.0407 SSIDRV (d9b7d9e7802706ca624b6953e128aa59) C:\Windows\system32\Drivers\SSIDRV.SYS

2011/01/25 21:51:26.0579 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys

2011/01/25 21:51:26.0688 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys

2011/01/25 21:51:26.0766 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys

2011/01/25 21:51:26.0922 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys

2011/01/25 21:51:27.0047 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys

2011/01/25 21:51:27.0218 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys

2011/01/25 21:51:27.0296 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys

2011/01/25 21:51:27.0328 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys

2011/01/25 21:51:27.0374 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys

2011/01/25 21:51:27.0593 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys

2011/01/25 21:51:27.0655 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys

2011/01/25 21:51:27.0749 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys

2011/01/25 21:51:27.0858 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys

2011/01/25 21:51:27.0920 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys

2011/01/25 21:51:28.0123 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys

2011/01/25 21:51:28.0186 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys

2011/01/25 21:51:28.0248 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys

2011/01/25 21:51:28.0373 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys

2011/01/25 21:51:28.0420 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys

2011/01/25 21:51:28.0638 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys

2011/01/25 21:51:28.0685 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys

2011/01/25 21:51:28.0794 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\Windows\system32\Drivers\usbaapl.sys

2011/01/25 21:51:28.0966 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys

2011/01/25 21:51:29.0012 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys

2011/01/25 21:51:29.0168 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys

2011/01/25 21:51:29.0231 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys

2011/01/25 21:51:29.0278 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys

2011/01/25 21:51:29.0434 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys

2011/01/25 21:51:29.0465 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS

2011/01/25 21:51:29.0527 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys

2011/01/25 21:51:29.0746 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys

2011/01/25 21:51:29.0948 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys

2011/01/25 21:51:29.0980 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys

2011/01/25 21:51:30.0011 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys

2011/01/25 21:51:30.0229 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys

2011/01/25 21:51:30.0276 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys

2011/01/25 21:51:30.0354 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys

2011/01/25 21:51:30.0494 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys

2011/01/25 21:51:30.0541 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys

2011/01/25 21:51:30.0791 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys

2011/01/25 21:51:30.0822 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys

2011/01/25 21:51:30.0869 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys

2011/01/25 21:51:31.0056 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys

2011/01/25 21:51:31.0118 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys

2011/01/25 21:51:31.0321 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\Windows\system32\DRIVERS\wimfltr.sys

2011/01/25 21:51:31.0524 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys

2011/01/25 21:51:31.0711 WpdUsb (0cec23084b51b8288099eb710224e955) C:\Windows\system32\DRIVERS\wpdusb.sys

2011/01/25 21:51:31.0742 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys

2011/01/25 21:51:31.0992 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys

2011/01/25 21:51:32.0179 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2011/01/25 21:51:32.0195 ================================================================================

2011/01/25 21:51:32.0195 Scan finished

2011/01/25 21:51:32.0195 ================================================================================

2011/01/25 21:51:32.0226 Detected object count: 1

2011/01/25 21:51:44.0332 \HardDisk0 - will be cured after reboot

2011/01/25 21:51:44.0363 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2011/01/25 21:51:56.0703 Deinitialize success

DDS (Ver_10-12-12.02) - NTFSx86

Run by mrichm at 22:02:41.69 on Tue 01/25/2011

Internet Explorer: 8.0.6001.18999

Microsoft


Do you still have ComboFix and what exactly is the filename?

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, please include these log(s):

  1. Malwarebytes' Anti-Malware log
  2. a new fresh DDS log only


Yes, I do have combofix on it. The filename is phs8yv4w.exe

Here's the MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5609

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18999

1/26/2011 9:28:07 AM

mbam-log-2011-01-26 (09-28-07).txt

Scan type: Quick scan

Objects scanned: 296628

Time elapsed: 13 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Here's the DDS log:

DDS (Ver_10-12-12.02) - NTFSx86

Run by mrichm at 9:28:38.63 on Wed 01/26/2011

Internet Explorer: 8.0.6001.18999

Microsoft

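The TDSSKiller and MBAM logs in this thread are easier to act on once the few lines that matter are pulled out: the TDSSKiller detection lines (here against \HardDisk0, i.e. the MBR, not any driver file, which is why the driver inventory itself looks clean), any driver whose hash or path changed between two runs, and any MBAM item whose action was something other than quarantine-and-delete. The following Python script is an added example written for this page; it is not a tool from the thread, from Kaspersky or from Malwarebytes. The sample logs embedded in it are constructed: a few lines are excerpted from the logs above, while the altered umbus hash, the hypodrv service and example.exe are made up to exercise the diff.

```python
"""Parse TDSSKiller and Malwarebytes (MBAM) logs: detections, driver inventory
changes between two TDSSKiller runs, and MBAM items found but not removed."""
import re
from dataclasses import dataclass

# TDSSKiller per-driver line:
#   2011/01/25 21:51:27.0047 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
TDSS_DRIVER_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$"
)
# TDSSKiller detection line; the object is a disk, not a .sys file:
#   2011/01/25 21:51:32.0179 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
TDSS_DETECT_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+(?P<obj>\S+) - detected (?P<verdict>\S+)"
)
# MBAM result line, with or without the "-> Value:" segment:
#   HKEY_...\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
#   c:\...\example.exe (Trojan.Downloader) -> No action taken.
MBAM_ITEM_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<cat>[A-Za-z0-9.]+)\)(?: -> Value: (?P<val>.+?))? -> (?P<action>.+?)\.?$"
)
MBAM_OK = "Quarantined and deleted successfully"


@dataclass(frozen=True)
class Driver:
    name: str
    md5: str
    path: str


def parse_tdss(text):
    """Return ({service_name: Driver}, [(object, verdict), ...]) for one TDSSKiller log."""
    drivers, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = TDSS_DRIVER_RE.match(line)
        if m:
            drivers[m["name"]] = Driver(m["name"], m["md5"].lower(), m["path"])
            continue
        m = TDSS_DETECT_RE.match(line)
        if m:
            detections.append((m["obj"], m["verdict"]))
    return drivers, detections


def diff_drivers(old, new):
    """Services added, removed, or changed (same name, different hash or path) between runs."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(
            n for n in set(old) & set(new)
            if old[n].md5 != new[n].md5 or old[n].path.lower() != new[n].path.lower()
        ),
    }


def mbam_unresolved(text):
    """MBAM items whose recorded action was anything other than quarantine-and-delete."""
    bad = []
    for line in text.splitlines():
        m = MBAM_ITEM_RE.match(line.strip())
        if m and m["action"] != MBAM_OK:
            bad.append((m["obj"], m["cat"], m["action"]))
    return bad


def summarize(run1, run2, mbam):
    """One dict a responder can eyeball: what each scanner found and what changed."""
    d1, det1 = parse_tdss(run1)
    d2, det2 = parse_tdss(run2)
    return {
        "tdss_detections": {"run1": det1, "run2": det2},
        "driver_diff": diff_drivers(d1, d2),
        "mbam_unresolved": mbam_unresolved(mbam),
    }


# Constructed sample input. Run 1 excerpts real lines from the 01/25 log above;
# run 2 alters the umbus hash and adds a "hypodrv" service (both made up).
TDSS_RUN1 = r"""
2011/01/25 21:51:27.0047 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2011/01/25 21:51:27.0218 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2011/01/25 21:51:28.0685 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/01/25 21:51:32.0179 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/25 21:51:32.0195 Scan finished
2011/01/25 21:51:44.0332 \HardDisk0 - will be cured after reboot
"""
TDSS_RUN2 = r"""
2011/01/26 16:08:20.0581 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2011/01/26 16:08:21.0014 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2011/01/26 16:08:21.0500 umbus (0123456789abcdef0123456789abcdef) C:\Windows\system32\DRIVERS\umbus.sys
2011/01/26 16:08:22.0000 hypodrv (fedcba9876543210fedcba9876543210) C:\Windows\system32\DRIVERS\hypodrv.sys
"""
# Constructed MBAM excerpt: the ProxyServer line from the 01/26 log above plus a
# made-up "No action taken" file entry.
MBAM_SAMPLE = r"""
Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
Files Infected:
c:\Users\mrichm\AppData\Local\Temp\example.exe (Trojan.Downloader) -> No action taken.
"""

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(TDSS_RUN1, TDSS_RUN2, MBAM_SAMPLE), indent=2))
```

An unchanged driver inventory does not clear the machine: TDL4 lives in the MBR and loads before the kernel, which is exactly why TDSSKiller reports the disk object rather than a .sys file. Matching driver hashes tells you the on-disk drivers were not swapped, not that the boot sector is clean; the detection lines and the "will be cured after reboot" result are the part to watch, and a repeat detection on a later run means the reboot cure did not hold.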

  1. Go to Start => Run... and copy & paste next command in the field:
    phs8yv4w /uninstall


  2. Then hit the Enter button.

This procedure will do the following:

  • Uninstall ComboFix
  • Delete its related folders and files
  • Reset your clock settings
  • Hide file extensions
  • Hide the system/hidden files
  • Resets System Restore again

P.S.: Make sure there's a space between phs8yv4w and /uninstall


I did that and it said that it was an unrecognized command. I typed it, and tried pasting it exactly as you saw.

She was working on it today and it locked up and rebooted itself. Now she's getting all kinds of pop-ups saying she has critical hard drive errors. Whatever it was isn't gone. I ran DDS again; it locked up and would never finish. HijackThis showed a few random slkdjflskjd.exe things in it, so I removed those. TDSSKiller reported this, cured it and rebooted.

2011/01/26 16:07:39.0218 TDSS rootkit removing tool 2.4.15.0 Jan 22 2011 19:37:53

2011/01/26 16:07:39.0218 ================================================================================

2011/01/26 16:07:39.0218 SystemInfo:

2011/01/26 16:07:39.0218

2011/01/26 16:07:39.0218 OS Version: 6.0.6002 ServicePack: 2.0

2011/01/26 16:07:39.0218 Product type: Workstation

2011/01/26 16:07:39.0218 ComputerName: V-MRICHM

2011/01/26 16:07:39.0223 UserName: mrichm

2011/01/26 16:07:39.0223 Windows directory: C:\Windows

2011/01/26 16:07:39.0223 System windows directory: C:\Windows

2011/01/26 16:07:39.0223 Processor architecture: Intel x86

2011/01/26 16:07:39.0223 Number of processors: 2

2011/01/26 16:07:39.0223 Page size: 0x1000

2011/01/26 16:07:39.0223 Boot type: Normal boot

2011/01/26 16:07:39.0223 ================================================================================

2011/01/26 16:07:39.0655 Initialize success

2011/01/26 16:07:42.0525 ================================================================================

2011/01/26 16:07:42.0525 Scan started

2011/01/26 16:07:42.0525 Mode: Manual;

2011/01/26 16:07:42.0525 ================================================================================

2011/01/26 16:07:45.0730 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys

2011/01/26 16:07:46.0183 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys

2011/01/26 16:07:46.0455 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys

2011/01/26 16:07:46.0612 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys

2011/01/26 16:07:46.0704 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys

2011/01/26 16:07:46.0880 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys

2011/01/26 16:07:46.0919 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys

2011/01/26 16:07:46.0980 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys

2011/01/26 16:07:47.0166 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys

2011/01/26 16:07:47.0233 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys

2011/01/26 16:07:47.0685 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys

2011/01/26 16:07:47.0888 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys

2011/01/26 16:07:47.0997 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys

2011/01/26 16:07:48.0309 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys

2011/01/26 16:07:48.0542 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys

2011/01/26 16:07:48.0870 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys

2011/01/26 16:07:49.0010 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys

2011/01/26 16:07:49.0088 AtcL001 (bf8e0694001107bcc82670ccb500921e) C:\Windows\system32\DRIVERS\l160x86.sys

2011/01/26 16:07:49.0446 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys

2011/01/26 16:07:49.0634 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys

2011/01/26 16:07:49.0805 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys

2011/01/26 16:07:49.0867 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys

2011/01/26 16:07:50.0117 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys

2011/01/26 16:07:50.0164 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys

2011/01/26 16:07:50.0771 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys

2011/01/26 16:07:50.0927 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys

2011/01/26 16:07:50.0990 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys

2011/01/26 16:07:51.0348 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys

2011/01/26 16:07:51.0457 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys

2011/01/26 16:07:51.0504 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys

2011/01/26 16:07:51.0613 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys

2011/01/26 16:07:51.0863 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys

2011/01/26 16:07:52.0065 Compbatt (82b8c91d327cfecf76cb58716f7d4997) C:\Windows\system32\drivers\compbatt.sys

2011/01/26 16:07:52.0112 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys

2011/01/26 16:07:52.0221 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys

2011/01/26 16:07:52.0548 CSC (9bdb2e89be8d0ef37b1f25c3d3fc192c) C:\Windows\system32\drivers\csc.sys

2011/01/26 16:07:52.0689 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys

2011/01/26 16:07:52.0813 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys

2011/01/26 16:07:52.0922 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys

2011/01/26 16:07:53.0297 DXGKrnl (fb85f7f69e9b109820409243f578cc4d) C:\Windows\System32\drivers\dxgkrnl.sys

2011/01/26 16:07:53.0437 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys

2011/01/26 16:07:53.0530 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys

2011/01/26 16:07:53.0593 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys

2011/01/26 16:07:53.0920 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys

2011/01/26 16:07:54.0076 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys

2011/01/26 16:07:54.0201 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys

2011/01/26 16:07:54.0294 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys

2011/01/26 16:07:54.0637 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys

2011/01/26 16:07:54.0715 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys

2011/01/26 16:07:55.0058 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys

2011/01/26 16:07:55.0151 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys

2011/01/26 16:07:55.0276 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys

2011/01/26 16:07:55.0401 gdihook5 (1bf51689fca97d7198d9948e0f50ec2c) C:\Windows\system32\DRIVERS\gdihook5.sys

2011/01/26 16:07:55.0479 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys

2011/01/26 16:07:55.0713 HdAudAddService (3f90e001369a07243763bd5a523d8722) C:\Windows\system32\drivers\HdAudio.sys

2011/01/26 16:07:55.0946 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys

2011/01/26 16:07:56.0414 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys

2011/01/26 16:07:56.0554 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys

2011/01/26 16:07:56.0710 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys

2011/01/26 16:07:56.0788 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys

2011/01/26 16:07:56.0991 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys

2011/01/26 16:07:57.0053 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys

2011/01/26 16:07:57.0115 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys

2011/01/26 16:07:57.0256 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys

2011/01/26 16:07:57.0380 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys

2011/01/26 16:07:57.0427 intelide (97469037714070e45194ed318d636401) C:\Windows\system32\drivers\intelide.sys

2011/01/26 16:07:57.0708 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys

2011/01/26 16:07:57.0895 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys

2011/01/26 16:07:58.0066 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys

2011/01/26 16:07:58.0284 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys

2011/01/26 16:07:58.0456 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys

2011/01/26 16:07:58.0518 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys

2011/01/26 16:07:58.0736 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys

2011/01/26 16:07:58.0892 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys

2011/01/26 16:07:59.0266 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys

2011/01/26 16:07:59.0376 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys

2011/01/26 16:07:59.0578 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys

2011/01/26 16:07:59.0874 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys

2011/01/26 16:08:00.0155 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys

2011/01/26 16:08:00.0264 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys

2011/01/26 16:08:00.0919 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys

2011/01/26 16:08:00.0981 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys

2011/01/26 16:08:01.0028 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys

2011/01/26 16:08:01.0075 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys

2011/01/26 16:08:01.0495 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys

2011/01/26 16:08:01.0620 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys

2011/01/26 16:08:01.0714 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys

2011/01/26 16:08:01.0869 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys

2011/01/26 16:08:01.0979 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys

2011/01/26 16:08:02.0072 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys

2011/01/26 16:08:02.0166 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys

2011/01/26 16:08:02.0463 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys

2011/01/26 16:08:02.0583 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys

2011/01/26 16:08:02.0656 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys

2011/01/26 16:08:02.0867 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys

2011/01/26 16:08:02.0978 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys

2011/01/26 16:08:03.0067 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys

2011/01/26 16:08:03.0217 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys

2011/01/26 16:08:03.0567 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys

2011/01/26 16:08:03.0669 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys

2011/01/26 16:08:03.0752 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys

2011/01/26 16:08:03.0839 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys

2011/01/26 16:08:04.0404 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys

2011/01/26 16:08:04.0604 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys

2011/01/26 16:08:04.0846 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys

2011/01/26 16:08:05.0073 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys

2011/01/26 16:08:05.0138 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\Windows\system32\DRIVERS\ASACPI.sys

2011/01/26 16:08:05.0420 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys

2011/01/26 16:08:05.0529 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys

2011/01/26 16:08:05.0688 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys

2011/01/26 16:08:05.0743 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys

2011/01/26 16:08:05.0803 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys

2011/01/26 16:08:06.0362 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys

2011/01/26 16:08:06.0682 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys

2011/01/26 16:08:06.0835 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys

2011/01/26 16:08:07.0183 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys

2011/01/26 16:08:07.0513 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys

2011/01/26 16:08:07.0643 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys

2011/01/26 16:08:07.0808 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys

2011/01/26 16:08:07.0895 nskbfltr (ff08ed0fff6fab1c36f48f682379484c) C:\Windows\system32\drivers\nskbfltr.sys

2011/01/26 16:08:08.0230 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys

2011/01/26 16:08:08.0581 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys

2011/01/26 16:08:08.0650 NuidFltr (20623a75f3c6c1076ebba64dd8c4bc02) C:\Windows\system32\DRIVERS\NuidFltr.sys

2011/01/26 16:08:08.0702 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys

2011/01/26 16:08:09.0578 nvlddmkm (170d59b88f7c124204ca4e5f22c80480) C:\Windows\system32\DRIVERS\nvlddmkm.sys

2011/01/26 16:08:10.0134 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys

2011/01/26 16:08:10.0252 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys

2011/01/26 16:08:10.0295 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys

2011/01/26 16:08:10.0615 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys

2011/01/26 16:08:11.0086 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys

2011/01/26 16:08:11.0339 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys

2011/01/26 16:08:11.0517 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys

2011/01/26 16:08:11.0601 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys

2011/01/26 16:08:11.0674 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys

2011/01/26 16:08:11.0882 PCISys (181a85951e49ff9970ff8f4412853889) C:\Windows\system32\drivers\pcisys.sys

2011/01/26 16:08:12.0069 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys

2011/01/26 16:08:12.0201 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys

2011/01/26 16:08:12.0676 Point32 (d82ac5b7da8fdccda1323836516405ec) C:\Windows\system32\DRIVERS\point32k.sys

2011/01/26 16:08:12.0783 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys

2011/01/26 16:08:13.0219 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys

2011/01/26 16:08:13.0405 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys

2011/01/26 16:08:13.0540 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys

2011/01/26 16:08:13.0781 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys

2011/01/26 16:08:13.0994 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys

2011/01/26 16:08:14.0104 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys

2011/01/26 16:08:14.0507 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys

2011/01/26 16:08:14.0683 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys

2011/01/26 16:08:14.0760 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys

2011/01/26 16:08:14.0887 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys

2011/01/26 16:08:14.0993 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys

2011/01/26 16:08:15.0236 rdpdr (943b18305eae3935598a9b4a3d560b4c) C:\Windows\system32\DRIVERS\rdpdr.sys

2011/01/26 16:08:15.0264 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys

2011/01/26 16:08:15.0548 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys

2011/01/26 16:08:15.0708 RimUsb (f17713d108aca124a139fde877eef68a) C:\Windows\system32\Drivers\RimUsb.sys

2011/01/26 16:08:15.0925 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\Windows\system32\DRIVERS\RimSerial.sys

2011/01/26 16:08:15.0981 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys

2011/01/26 16:08:16.0301 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys

2011/01/26 16:08:16.0442 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys

2011/01/26 16:08:16.0557 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys

2011/01/26 16:08:16.0715 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys

2011/01/26 16:08:16.0771 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys

2011/01/26 16:08:17.0259 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys

2011/01/26 16:08:17.0387 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys

2011/01/26 16:08:17.0439 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys

2011/01/26 16:08:17.0714 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys

2011/01/26 16:08:17.0775 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\DRIVERS\sfloppy.sys

2011/01/26 16:08:17.0950 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys

2011/01/26 16:08:18.0008 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys

2011/01/26 16:08:18.0087 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys

2011/01/26 16:08:18.0590 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys

2011/01/26 16:08:18.0722 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys

2011/01/26 16:08:18.0829 srv (ff3cbc13db84d81f56931bc922cc37c4) C:\Windows\system32\DRIVERS\srv.sys

2011/01/26 16:08:19.0177 srv2 (d15959d9f69f0d39a0153e9c244f20dd) C:\Windows\system32\DRIVERS\srv2.sys

2011/01/26 16:08:19.0301 srvnet (faa0d553a49e85008c6bb3781987c574) C:\Windows\system32\DRIVERS\srvnet.sys

2011/01/26 16:08:19.0378 SSFS0BB9 (29fb5b5a8fb7d1f6bec12e12751263ac) C:\Windows\system32\Drivers\SSFS0BB9.SYS

2011/01/26 16:08:19.0428 SSHRMD (9304b0be1c09aa876be200761a50be65) C:\Windows\system32\Drivers\SSHRMD.SYS

2011/01/26 16:08:19.0472 SSIDRV (d9b7d9e7802706ca624b6953e128aa59) C:\Windows\system32\Drivers\SSIDRV.SYS

2011/01/26 16:08:19.0553 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys

2011/01/26 16:08:19.0885 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys

2011/01/26 16:08:20.0139 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys

2011/01/26 16:08:20.0306 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys

2011/01/26 16:08:20.0581 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys

2011/01/26 16:08:21.0014 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys

2011/01/26 16:08:21.0239 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys

2011/01/26 16:08:21.0320 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys

2011/01/26 16:08:21.0396 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys

2011/01/26 16:08:21.0646 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys

2011/01/26 16:08:21.0862 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys

2011/01/26 16:08:22.0148 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys

2011/01/26 16:08:22.0223 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys

2011/01/26 16:08:22.0299 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys

2011/01/26 16:08:22.0359 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys

2011/01/26 16:08:22.0425 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys

2011/01/26 16:08:22.0824 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys

2011/01/26 16:08:22.0964 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys

2011/01/26 16:08:23.0035 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys

2011/01/26 16:08:23.0110 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys

2011/01/26 16:08:23.0157 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys

2011/01/26 16:08:23.0559 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\Windows\system32\Drivers\usbaapl.sys

2011/01/26 16:08:23.0795 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys

2011/01/26 16:08:23.0943 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys

2011/01/26 16:08:24.0023 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys

2011/01/26 16:08:24.0073 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys

2011/01/26 16:08:24.0111 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys

2011/01/26 16:08:24.0223 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys

2011/01/26 16:08:24.0578 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS

2011/01/26 16:08:24.0920 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys

2011/01/26 16:08:25.0139 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys

2011/01/26 16:08:25.0189 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys

2011/01/26 16:08:25.0225 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys

2011/01/26 16:08:25.0265 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys

2011/01/26 16:08:25.0538 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys

2011/01/26 16:08:25.0946 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys

2011/01/26 16:08:26.0267 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys

2011/01/26 16:08:26.0358 volsnap (006074d0c17c12a93b11e2777d4d4033) C:\Windows\system32\drivers\volsnap.sys

2011/01/26 16:08:26.0360 Suspicious file (Forged): C:\Windows\system32\drivers\volsnap.sys. Real md5: 006074d0c17c12a93b11e2777d4d4033, Fake md5: 147281c01fcb1df9252de2a10d5e7093

2011/01/26 16:08:26.0378 volsnap - detected Rootkit.Win32.TDSS.tdl3 (0)

2011/01/26 16:08:26.0445 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys

2011/01/26 16:08:26.0556 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys

2011/01/26 16:08:26.0991 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys

2011/01/26 16:08:27.0034 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys

2011/01/26 16:08:27.0376 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys

2011/01/26 16:08:27.0451 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys

2011/01/26 16:08:27.0728 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\Windows\system32\DRIVERS\wimfltr.sys

2011/01/26 16:08:28.0292 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys

2011/01/26 16:08:28.0475 WpdUsb (0cec23084b51b8288099eb710224e955) C:\Windows\system32\DRIVERS\wpdusb.sys

2011/01/26 16:08:28.0540 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys

2011/01/26 16:08:28.0652 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys

2011/01/26 16:08:29.0083 ================================================================================

2011/01/26 16:08:29.0083 Scan finished

2011/01/26 16:08:29.0083 ================================================================================

2011/01/26 16:08:29.0123 Detected object count: 1

2011/01/26 16:08:35.0495 volsnap (006074d0c17c12a93b11e2777d4d4033) C:\Windows\system32\drivers\volsnap.sys

2011/01/26 16:08:35.0497 Suspicious file (Forged): C:\Windows\system32\drivers\volsnap.sys. Real md5: 006074d0c17c12a93b11e2777d4d4033, Fake md5: 147281c01fcb1df9252de2a10d5e7093

2011/01/26 16:08:39.0339 Backup copy found, using it..

2011/01/26 16:08:39.0650 C:\Windows\system32\drivers\volsnap.sys - will be cured after reboot

2011/01/26 16:08:39.0650 Rootkit.Win32.TDSS.tdl3(volsnap) - User select action: Cure

2011/01/26 16:08:47.0893 Deinitialize success

After rebooting it, it found nothing.

She's got an icon on her desktop called "Windows Scan"

After running TDSS, DDS ran, here's the results:

DDS (Ver_10-12-12.02) - NTFSx86

Run by mrichm at 16:13:52.36 on Wed 01/26/2011

Internet Explorer: 8.0.6001.18999

Microsoft

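The TDSSKiller log above flags volsnap.sys as "Forged" because two reads of the same driver file produced different MD5s, and then names the detection. As an added example that is not part of this thread (and not Kaspersky's code), here is a small Python parser for that log format which pairs each driver entry with any forged/detected lines that follow it, so a finding can be reviewed or attached to a ticket without scrolling through hundreds of clean entries; the embedded excerpt is constructed from lines quoted in the thread, and the function names are my own.

```python
import re

# Constructed excerpt in the TDSSKiller log format quoted in this thread:
# three clean driver entries plus the volsnap detection block.
SAMPLE_LOG = r"""
2011/01/26 16:08:26.0267 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2011/01/26 16:08:26.0358 volsnap (006074d0c17c12a93b11e2777d4d4033) C:\Windows\system32\drivers\volsnap.sys
2011/01/26 16:08:26.0360 Suspicious file (Forged): C:\Windows\system32\drivers\volsnap.sys. Real md5: 006074d0c17c12a93b11e2777d4d4033, Fake md5: 147281c01fcb1df9252de2a10d5e7093
2011/01/26 16:08:26.0378 volsnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/01/26 16:08:26.0445 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
"""

# Every line starts with "YYYY/MM/DD HH:MM:SS.ffff "; the three line kinds follow.
TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "
DRIVER_RE = re.compile(TS + r"(\S+) \(([0-9a-f]{32})\) (.+)$")
FORGED_RE = re.compile(TS + r"Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})$")
DETECT_RE = re.compile(TS + r"(\S+) - detected (\S+)")


def parse_tdsskiller(log: str) -> dict:
    """Return {service_name: record} for every driver entry in the log.

    A record holds the MD5 TDSSKiller lists for the file and, when the scanner
    reports the file as forged, both hashes it obtained plus the detection name.
    Two differing hashes for one path mean two reads of the same file disagreed,
    which is the symptom the scanner reports as 'Forged'."""
    drivers, by_path = {}, {}
    for line in log.strip().splitlines():
        m = DRIVER_RE.match(line)
        if m:
            name, md5, path = m.groups()
            rec = {"path": path, "md5": md5, "forged": False,
                   "real_md5": None, "fake_md5": None, "detection": None}
            drivers[name] = rec
            by_path[path.lower()] = rec      # forged lines refer to the path, not the name
            continue
        m = FORGED_RE.match(line)
        if m:
            path, real, fake = m.groups()
            rec = by_path.get(path.lower())
            if rec is not None:
                rec.update(forged=(real != fake), real_md5=real, fake_md5=fake)
            continue
        m = DETECT_RE.match(line)
        if m and m.group(1) in drivers:
            drivers[m.group(1)]["detection"] = m.group(2)
    return drivers


def flagged_drivers(log: str) -> list:
    """Sorted names of drivers with disagreeing hashes or a detection name."""
    return sorted(n for n, r in parse_tdsskiller(log).items() if r["forged"] or r["detection"])
```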

I did not want the log file again from TDSSKiller, so please follow my instructions strictly, so I can help you!

Manually delete your copy of ComboFix and then:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do not do any fixing on your own or run any scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
    (screenshots: CF_download_FF.gif, CF_download_rename.gif)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouse-click combo-fix's window while it's running. That may cause it to stall**


I will run this as soon as possible. I apologize for running other things before responding, but I had to do whatever I could to get her computer able to get on the internet. Lawyers don't care that "I have to wait for this guy on a forum to respond" so they can work. I'll respond as soon as I do this. Thanks again for your help.


Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=73592

Collect::[8]
c:\programdata\dIIJPTvpZbZ.exe
c:\programdata\kISsAWRDoQIq.dll
c:\programdata\JesaaUOruapG.exe

DirLook::
c:\users\mrichm\AppData\Roaming\Tuzof
c:\users\mrichm\AppData\Roaming\Sotaso

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8992

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Please locate and manually delete the following folders:

c:\users\mrichm\AppData\Roaming\Tuzof

c:\users\mrichm\AppData\Roaming\Sotaso

Next:

  1. Please visit this website: Submit Malware Sample
  2. Against the inscription: "Link to topic where this file was requested:", insert links pointing to this topic.
  3. Against the inscription: "Browse to the file you want to submit:", click on the Choose... button.
  4. Navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
  5. Against the inscription: "Leave any comments, further information about this file, or contact information:", the following should be written:
    Sent at the request of Borislav.
  6. Once you're ready, click the Send File button.


If you want:

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted, allow the Add-On/ActiveX to install.
  • Now click on Advanced Settings and select the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
