Jump to content

Virus/Malware not fixed by Avast and MBAM


SanderZ
 Share

Recommended Posts

I've got something that has hijacked search results and may be preventing Windows updates and even posting to this forum. I'm posting this from a non-infected computer. On the infected computer I can create the post but when i go to save i get a page not found error. Anyway ...

Please note the ARK.zip attachment contains the ARK and Attach txt files

DDS log

DDS (Ver_10-12-12.01) - FAT32x86

Run by Sander at 20:58:52.10 on Tue 02/22/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.230 [GMT -5:00]

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

SVCHOST.EXE

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe

SVCHOST.EXE

SVCHOST.EXE

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe

SVCHOST.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\system32\RegSrvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\CheckPoint\Endpoint Connect\TracSrvWrapper.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\System32\TpScrLk.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\SKDAEMON.EXE

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Logitech\QuickCam10\QuickCam10.exe

C:\Program Files\Alwil Software\Avast5\avastUI.exe

C:\Program Files\Prism Deploy\Client\PTClient.exe

C:\Program Files\CheckPoint\Endpoint Connect\TrGUI.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Sander\Desktop\dds.pif

============== Pseudo HJT Report ===============

uWindow Title = Windows Internet Explorer provided by MSN & Bing

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.google.com

uURLSearchHooks: H - No File

BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\drop down deals\YontooIEClient.dll

TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [TrackPointSrv] tp4serv.exe

mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe

mRun: [TPKBDLED] c:\windows\system32\TpScrLk.exe

mRun: [bMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [TP4EX] tp4ex.exe

mRun: [ATIModeChange] Ati2mdxx.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper

mRun: [tgcmd]

mRun: [storageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r

mRun: [Prism Deploy Client] "c:\program files\prism deploy\client\PTClient.exe" /Subscriber

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [Hot Key Kbd Daemon] SKDAEMON.EXE

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [inCD] c:\program files\ahead\incd\InCD.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide

mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

mRun: [Check Point Endpoint Security] "c:\program files\checkpoint\endpoint connect\TrGUI.exe"

mRun: [QCWLIcon] c:\program files\thinkpad\connectutilities\QCWLICON.EXE

mExplorerRun: [wininet.dll] dfrgsrv.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

Trusted Zone: ameritrade.com

Trusted Zone: ameritrade.com\wwws

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1279371672830

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1289654353177

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37944.3708333333

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: ckpNotify - ckpNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-10-17 207280]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-3 294608]

R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]

R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]

R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2003-11-19 15360]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-1-1 535328]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-3 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-3 40384]

R2 Channel Deployer;Channel Deployer;c:\program files\common files\new boundary\prismxl\channeldeploy.sys [2004-2-3 65536]

R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2009-12-15 47504]

R2 TracSrvWrapper;Check Point Endpoint Security;c:\program files\checkpoint\endpoint connect\TracSrvWrapper.exe [2010-9-26 4142608]

R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2009-12-15 126680]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2009-12-15 684280]

R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2009-12-15 2245624]

R3 vna_ap;Check Point Virtual Network Adapter - Apollo;c:\windows\system32\drivers\vnaap.sys [2010-9-26 129304]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-10-17 358600]

S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-10-17 1141200]

=============== Created Last 30 ================

2011-02-22 13:58:24 -------- d-----w- c:\program files\Drop Down Deals

2011-02-22 13:58:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer

2011-02-22 04:36:44 -------- d-sh--w- c:\documents and settings\sander\PrivacIE

2011-02-22 04:33:46 -------- d-sh--w- c:\documents and settings\sander\IETldCache

2011-02-22 04:23:40 -------- d--h--w- c:\windows\msdownld.tmp

2011-02-22 04:19:25 -------- d--h--w- c:\windows\ie8

2011-02-20 15:30:57 -------- d-----w- c:\program files\Yontoo Layers Client

==================== Find3M ====================

2011-01-15 03:16:16 90112 ----a-w- c:\windows\DUMP4543.tmp

2011-01-13 08:47:36 38848 ----a-w- c:\windows\avastSS.scr

2010-12-18 01:51:52 90112 ----a-w- c:\windows\DUMP73a2.tmp

2010-12-09 03:35:34 90112 ----a-w- c:\windows\DUMP9c8d.tmp

2010-12-09 03:01:24 90112 ----a-w- c:\windows\DUMP9d23.tmp

2004-10-01 20:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: IC25N030ATMR04-0 rev.MOAOAD4A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x84315439]<<

c:\windows\system32\drivers\PCTCore.sys PC Tools Kernel Driver Suite

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8431b7b8]; MOV EAX, [0x8431b834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x84304AB8]

3 CLASSPNP[0xF76A105B] -> nt!IofCallDriver[0x804E37D5] -> [0x8434DE50]

5 PCTCore[0xF747188F] -> nt!IofCallDriver[0x804E37D5] -> \Device\000000ae[0x843609E8]

7 ACPI[0xF7577620] -> nt!IofCallDriver[0x804E37D5] -> [0x84308940]

\Driver\atapi[0x84369BB8] -> IRP_MJ_CREATE -> 0x84315439

kernel: MBR read successfully

_asm { CLI ; XOR AX, AX; MOV ES, AX; MOV DS, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, SP; STI ; CLD ; MOV DI, 0x600; MOV CX, 0x100; REP MOVSW ; MOV AX, 0x6df; PUSH AX; RET ; ADD [bX], CL; ADD [bX+DI], AL; OR AL, [DI+0x72]; JB 0x95; JB 0x48; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskIC25N030ATMR04-0________________________MOAOAD4A#5&2cae0b77&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x8431527F

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

============= FINISH: 21:02:41.06 ===============

ark.zip

mbam-log-2011-02-22 (21-23-28).txt

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is like UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Next, please update MBAM, run a Quick Scan, and post its log. Also post a fresh DDS.txt log.

Link to post
Share on other sites

Here are the logs requested

I've also attached a zip of the DDs attach.txt file

TDSKiller log

2011/02/23 18:04:33.0415 0336 TDSS rootkit removing tool 2.4.18.0 Feb 21 2011 11:08:08

2011/02/23 18:04:33.0535 0336 ================================================================================

2011/02/23 18:04:33.0535 0336 SystemInfo:

2011/02/23 18:04:33.0535 0336

2011/02/23 18:04:33.0535 0336 OS Version: 5.1.2600 ServicePack: 2.0

2011/02/23 18:04:33.0535 0336 Product type: Workstation

2011/02/23 18:04:33.0535 0336 ComputerName: ANNSZABENXP

2011/02/23 18:04:33.0535 0336 UserName: Sander

2011/02/23 18:04:33.0535 0336 Windows directory: C:\WINDOWS

2011/02/23 18:04:33.0535 0336 System windows directory: C:\WINDOWS

2011/02/23 18:04:33.0535 0336 Processor architecture: Intel x86

2011/02/23 18:04:33.0535 0336 Number of processors: 1

2011/02/23 18:04:33.0535 0336 Page size: 0x1000

2011/02/23 18:04:33.0535 0336 Boot type: Normal boot

2011/02/23 18:04:33.0535 0336 ================================================================================

2011/02/23 18:04:34.0727 0336 Initialize success

2011/02/23 18:05:08.0335 4112 ================================================================================

2011/02/23 18:05:08.0335 4112 Scan started

2011/02/23 18:05:08.0335 4112 Mode: Manual;

2011/02/23 18:05:08.0335 4112 ================================================================================

2011/02/23 18:05:09.0297 4112 Aavmker4 (479c9835b91147be1a92cb76fad9c6de) C:\WINDOWS\system32\drivers\Aavmker4.sys

2011/02/23 18:05:09.0737 4112 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

2011/02/23 18:05:09.0927 4112 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/02/23 18:05:10.0028 4112 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys

2011/02/23 18:05:10.0248 4112 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

2011/02/23 18:05:10.0378 4112 aeaudio (2c5b1f8142a96233c07c93328b5ea635) C:\WINDOWS\system32\drivers\aeaudio.sys

2011/02/23 18:05:10.0618 4112 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys

2011/02/23 18:05:10.0769 4112 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys

2011/02/23 18:05:10.0949 4112 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys

2011/02/23 18:05:11.0159 4112 AgereSoftModem (aff071b6290776e1fa162837c35eac78) C:\WINDOWS\system32\DRIVERS\AGRSM.sys

2011/02/23 18:05:11.0530 4112 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys

2011/02/23 18:05:11.0700 4112 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

2011/02/23 18:05:11.0870 4112 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

2011/02/23 18:05:12.0061 4112 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

2011/02/23 18:05:12.0241 4112 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

2011/02/23 18:05:12.0331 4112 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

2011/02/23 18:05:12.0461 4112 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys

2011/02/23 18:05:13.0082 4112 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys

2011/02/23 18:05:13.0262 4112 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

2011/02/23 18:05:13.0332 4112 ANC (59def31547e31923e4679b866744d99c) C:\WINDOWS\system32\drivers\ANC.SYS

2011/02/23 18:05:13.0533 4112 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

2011/02/23 18:05:13.0693 4112 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

2011/02/23 18:05:13.0853 4112 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

2011/02/23 18:05:14.0184 4112 aswFsBlk (cba53c5e29ae0a0ce76f9a2be3a40d9e) C:\WINDOWS\system32\drivers\aswFsBlk.sys

2011/02/23 18:05:14.0314 4112 aswMon2 (a1c52b822b7b8a5c2162d38f579f97b7) C:\WINDOWS\system32\drivers\aswMon2.sys

2011/02/23 18:05:14.0544 4112 aswRdr (b6e8c5874377a42756c282fac2e20836) C:\WINDOWS\system32\drivers\aswRdr.sys

2011/02/23 18:05:14.0855 4112 aswSP (b93a553c9b0f14263c8f016a44c3258c) C:\WINDOWS\system32\drivers\aswSP.sys

2011/02/23 18:05:15.0185 4112 aswTdi (1408421505257846eb336feeef33352d) C:\WINDOWS\system32\drivers\aswTdi.sys

2011/02/23 18:05:15.0295 4112 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/02/23 18:05:15.0405 4112 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/02/23 18:05:15.0786 4112 ati2mtag (8759322ffc1a50569c1e5528ee8026b7) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/02/23 18:05:16.0136 4112 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/02/23 18:05:16.0227 4112 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/02/23 18:05:16.0307 4112 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/02/23 18:05:16.0437 4112 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

2011/02/23 18:05:16.0527 4112 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/02/23 18:05:16.0797 4112 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2011/02/23 18:05:16.0958 4112 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

2011/02/23 18:05:17.0118 4112 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/02/23 18:05:17.0268 4112 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/02/23 18:05:17.0408 4112 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/02/23 18:05:17.0719 4112 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/02/23 18:05:17.0879 4112 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

2011/02/23 18:05:18.0079 4112 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/02/23 18:05:18.0279 4112 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

2011/02/23 18:05:18.0560 4112 CP_OMDRV (a690ebaffffb0d46e2a39f105b61e92f) C:\WINDOWS\system32\drivers\omdrv.sys

2011/02/23 18:05:18.0710 4112 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

2011/02/23 18:05:19.0051 4112 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

2011/02/23 18:05:19.0241 4112 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/02/23 18:05:19.0431 4112 DLABOIOM (a14524d3f130a57163e0b3e057fc85d5) C:\WINDOWS\system32\DLA\DLABOIOM.SYS

2011/02/23 18:05:19.0621 4112 DLACDBHM (7581407a6a3c56860ae31e6e423fe824) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS

2011/02/23 18:05:19.0822 4112 DLADResN (7c4cdf8a684b63d7482e0bf7440dc3b5) C:\WINDOWS\system32\DLA\DLADResN.SYS

2011/02/23 18:05:19.0972 4112 DLAIFS_M (97bca2aac06a9fea56615b4b15bdb9b8) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS

2011/02/23 18:05:20.0162 4112 DLAOPIOM (be8d558cf749424f0de612813f7c6725) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS

2011/02/23 18:05:20.0252 4112 DLAPoolM (7e5277cb45dc5e2a86af8ce093c7ef31) C:\WINDOWS\system32\DLA\DLAPoolM.SYS

2011/02/23 18:05:20.0413 4112 DLARTL_N (693dfd92d41a3d270053cd97834e4960) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS

2011/02/23 18:05:20.0573 4112 DLAUDFAM (d886b6d02b51e5bd61b8a571a16d5ca2) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS

2011/02/23 18:05:20.0763 4112 DLAUDF_M (2c0ecf7a9d5162d87c64e2ae868b5039) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS

2011/02/23 18:05:20.0943 4112 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

2011/02/23 18:05:21.0214 4112 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys

2011/02/23 18:05:21.0294 4112 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/02/23 18:05:21.0464 4112 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

2011/02/23 18:05:21.0634 4112 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

2011/02/23 18:05:21.0845 4112 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/02/23 18:05:22.0065 4112 DRVMCDB (73623d89faef4d1aa600edee8b490bc5) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS

2011/02/23 18:05:22.0265 4112 DRVNDDM (2aeee1600d0f14ba535f90a1f4411b54) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS

2011/02/23 18:05:22.0415 4112 E1000 (2e2f6f46f4d297471a4e015bdb75399d) C:\WINDOWS\system32\DRIVERS\e1000325.sys

2011/02/23 18:05:22.0656 4112 E100B (01e9cbf441800228391bdeaa41449430) C:\WINDOWS\system32\DRIVERS\e100b325.sys

2011/02/23 18:05:22.0816 4112 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/02/23 18:05:23.0046 4112 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys

2011/02/23 18:05:23.0257 4112 FilterService (5c329e2ab8dd62310213cbfac0178539) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys

2011/02/23 18:05:23.0387 4112 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

2011/02/23 18:05:23.0527 4112 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/02/23 18:05:23.0657 4112 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/02/23 18:05:23.0727 4112 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/02/23 18:05:23.0938 4112 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/02/23 18:05:24.0418 4112 FW1 (6c55e8e5ee49c504da31df7652a70375) C:\WINDOWS\system32\DRIVERS\fw.sys

2011/02/23 18:05:24.0759 4112 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/02/23 18:05:24.0879 4112 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/02/23 18:05:25.0239 4112 gv3 (01cdb5b4649fae249e787a83be22916a) C:\WINDOWS\system32\DRIVERS\gv3.sys

2011/02/23 18:05:25.0430 4112 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/02/23 18:05:25.0630 4112 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

2011/02/23 18:05:26.0261 4112 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/02/23 18:05:26.0401 4112 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys

2011/02/23 18:05:26.0531 4112 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys

2011/02/23 18:05:26.0652 4112 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/02/23 18:05:26.0812 4112 IBMPMDRV (293131c1da5f53cb05f75d637739d79c) C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys

2011/02/23 18:05:26.0952 4112 IBMTPCHK (28deeba2e29cb0e91b641ca95f7740fd) C:\WINDOWS\system32\drivers\IBMBLDID.SYS

2011/02/23 18:05:27.0202 4112 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/02/23 18:05:27.0423 4112 InCDfs (b87fc7c71632240dac8f4d20e9ce8377) C:\WINDOWS\system32\drivers\InCDfs.sys

2011/02/23 18:05:27.0703 4112 InCDPass (2e878405128ec98886eb9c2216ac7bd6) C:\WINDOWS\system32\DRIVERS\InCDPass.sys

2011/02/23 18:05:27.0893 4112 InCDrec (ddf078917a42f105385d7eb6debb3433) C:\WINDOWS\system32\drivers\InCDrec.sys

2011/02/23 18:05:28.0194 4112 incdrm (7f352360e947ad2cd4ba60de27b1a299) C:\WINDOWS\system32\drivers\incdrm.sys

2011/02/23 18:05:28.0344 4112 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

2011/02/23 18:05:28.0444 4112 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/02/23 18:05:28.0634 4112 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/02/23 18:05:28.0895 4112 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/02/23 18:05:29.0075 4112 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/02/23 18:05:29.0185 4112 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/02/23 18:05:29.0375 4112 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/02/23 18:05:29.0486 4112 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/02/23 18:05:29.0616 4112 irda (86c204836feec22510d434982d4221b8) C:\WINDOWS\system32\DRIVERS\irda.sys

2011/02/23 18:05:29.0726 4112 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/02/23 18:05:29.0936 4112 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/02/23 18:05:30.0106 4112 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/02/23 18:05:30.0327 4112 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/02/23 18:05:30.0517 4112 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys

2011/02/23 18:05:30.0717 4112 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/02/23 18:05:31.0278 4112 LVcKap (9a3d4fc6b86e7e36473079ab76ac703d) C:\WINDOWS\system32\DRIVERS\LVcKap.sys

2011/02/23 18:05:31.0739 4112 LVMVDrv (0acbc11f19320af6c19f2e20013d9095) C:\WINDOWS\system32\DRIVERS\LVMVDrv.sys

2011/02/23 18:05:32.0230 4112 lvpopflt (e8acf6dd83956fb63ceb058d5f51b18a) C:\WINDOWS\system32\DRIVERS\lvpopflt.sys

2011/02/23 18:05:32.0490 4112 LVPr2Mon (12866641284ebb41e627bb53c04da959) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys

2011/02/23 18:05:32.0740 4112 LVUSBSta (64bc29c3a0388bfc580bb8b1346f7659) C:\WINDOWS\system32\drivers\LVUSBSta.sys

2011/02/23 18:05:33.0171 4112 LVUVC (922be6770499220dc27b529ca236815a) C:\WINDOWS\system32\DRIVERS\lvuvc.sys

2011/02/23 18:05:33.0391 4112 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/02/23 18:05:33.0511 4112 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

2011/02/23 18:05:33.0632 4112 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/02/23 18:05:33.0802 4112 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/02/23 18:05:33.0872 4112 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/02/23 18:05:34.0082 4112 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

2011/02/23 18:05:34.0262 4112 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/02/23 18:05:34.0563 4112 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/02/23 18:05:34.0743 4112 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

2011/02/23 18:05:35.0074 4112 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/02/23 18:05:35.0254 4112 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/02/23 18:05:35.0514 4112 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/02/23 18:05:35.0664 4112 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/02/23 18:05:35.0885 4112 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys

2011/02/23 18:05:36.0165 4112 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

2011/02/23 18:05:36.0385 4112 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2011/02/23 18:05:36.0556 4112 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

2011/02/23 18:05:36.0746 4112 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2011/02/23 18:05:36.0866 4112 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/02/23 18:05:37.0026 4112 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/02/23 18:05:37.0127 4112 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/02/23 18:05:37.0197 4112 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/02/23 18:05:37.0277 4112 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/02/23 18:05:37.0407 4112 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/02/23 18:05:37.0517 4112 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

2011/02/23 18:05:37.0657 4112 NSCIRDA (6216798d29c3ba9d0d6f40bbbab694a5) C:\WINDOWS\system32\DRIVERS\nscirda.sys

2011/02/23 18:05:37.0878 4112 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/02/23 18:05:38.0048 4112 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/02/23 18:05:38.0118 4112 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/02/23 18:05:38.0188 4112 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/02/23 18:05:38.0298 4112 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/02/23 18:05:38.0358 4112 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/02/23 18:05:38.0468 4112 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/02/23 18:05:38.0609 4112 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/02/23 18:05:38.0919 4112 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/02/23 18:05:39.0109 4112 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2011/02/23 18:05:39.0330 4112 PCTCore (167b2fea66dde6925766d1a81a1affc0) C:\WINDOWS\system32\drivers\PCTCore.sys

2011/02/23 18:05:40.0241 4112 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

2011/02/23 18:05:40.0421 4112 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

2011/02/23 18:05:40.0511 4112 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/02/23 18:05:40.0612 4112 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys

2011/02/23 18:05:40.0662 4112 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/02/23 18:05:40.0872 4112 PxHelp20 (1962166e0ceb740704f30fa55ad3d509) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys

2011/02/23 18:05:41.0022 4112 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

2011/02/23 18:05:41.0202 4112 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

2011/02/23 18:05:41.0293 4112 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

2011/02/23 18:05:41.0473 4112 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

2011/02/23 18:05:41.0633 4112 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

2011/02/23 18:05:41.0703 4112 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/02/23 18:05:41.0803 4112 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys

2011/02/23 18:05:41.0893 4112 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/02/23 18:05:41.0974 4112 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/02/23 18:05:42.0074 4112 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/02/23 18:05:42.0224 4112 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/02/23 18:05:42.0314 4112 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/02/23 18:05:42.0524 4112 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/02/23 18:05:42.0755 4112 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/02/23 18:05:42.0985 4112 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/02/23 18:05:43.0205 4112 s24trans (d40f1e33d9153df7f5e2881b1f9c56e9) C:\WINDOWS\system32\DRIVERS\s24trans.sys

2011/02/23 18:05:43.0416 4112 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/02/23 18:05:43.0656 4112 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/02/23 18:05:43.0856 4112 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/02/23 18:05:44.0127 4112 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

2011/02/23 18:05:44.0417 4112 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys

2011/02/23 18:05:44.0627 4112 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2011/02/23 18:05:44.0758 4112 Smapint (26341d0dd225d19fd50e0ee3c3c77502) C:\WINDOWS\system32\drivers\Smapint.sys

2011/02/23 18:05:45.0088 4112 smwdm (fa3368a7039f5abaa4b933703ac34763) C:\WINDOWS\system32\drivers\smwdm.sys

2011/02/23 18:05:45.0328 4112 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

2011/02/23 18:05:45.0509 4112 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys

2011/02/23 18:05:45.0739 4112 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/02/23 18:05:45.0899 4112 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/02/23 18:05:46.0160 4112 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2011/02/23 18:05:46.0370 4112 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/02/23 18:05:46.0460 4112 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

2011/02/23 18:05:46.0640 4112 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

2011/02/23 18:05:46.0800 4112 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

2011/02/23 18:05:46.0971 4112 SymEvent (083fe6483dc16a02af2434d04b7d7aea) C:\Program Files\Symantec\SYMEVENT.SYS

2011/02/23 18:05:47.0161 4112 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2011/02/23 18:05:47.0261 4112 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2011/02/23 18:05:47.0481 4112 SynTP (1cde0a5c0416187b9b89e03980c6e8de) C:\WINDOWS\system32\DRIVERS\SynTP.sys

2011/02/23 18:05:47.0762 4112 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/02/23 18:05:48.0042 4112 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/02/23 18:05:48.0283 4112 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/02/23 18:05:48.0393 4112 TDSMAPI (e64da7318acaddf0a4400baa921e8ac1) C:\WINDOWS\system32\drivers\TDSMAPI.SYS

2011/02/23 18:05:48.0593 4112 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/02/23 18:05:48.0783 4112 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/02/23 18:05:48.0974 4112 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2011/02/23 18:05:49.0064 4112 TPPWR (970ab1aef38db6f5e1aae277a6843d54) C:\WINDOWS\system32\drivers\Tppwr.sys

2011/02/23 18:05:49.0334 4112 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

2011/02/23 18:05:49.0484 4112 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2011/02/23 18:05:49.0695 4112 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys

2011/02/23 18:05:49.0915 4112 USBAAPL (e8c1b9ebac65288e1b51e8a987d98af6) C:\WINDOWS\system32\Drivers\usbaapl.sys

2011/02/23 18:05:50.0145 4112 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys

2011/02/23 18:05:50.0386 4112 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/02/23 18:05:50.0536 4112 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/02/23 18:05:50.0997 4112 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/02/23 18:05:51.0287 4112 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2011/02/23 18:05:51.0467 4112 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/02/23 18:05:52.0048 4112 usbstor (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/02/23 18:05:52.0288 4112 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/02/23 18:05:52.0479 4112 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

2011/02/23 18:05:52.0629 4112 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys

2011/02/23 18:05:52.0809 4112 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys

2011/02/23 18:05:53.0059 4112 VNASC (405df0b2f8d0616353ecc829622d77ac) C:\WINDOWS\system32\DRIVERS\vnasc.sys

2011/02/23 18:05:53.0190 4112 vna_ap (48007916b1d0dab3e6c0d701de7c4afb) C:\WINDOWS\system32\DRIVERS\vnaap.sys

2011/02/23 18:05:53.0440 4112 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/02/23 18:05:53.0650 4112 VPN-1 (002014fc59eee5e11bf7d6a555b11227) C:\WINDOWS\System32\drivers\vpn.sys

2011/02/23 18:05:54.0932 4112 vsdatant (09ad6bcf7d55ef8e8d81f2ba56dcddc1) C:\WINDOWS\system32\vsdatant.sys

2011/02/23 18:05:55.0353 4112 w70n51 (8e5cf571c00c806ed7c08dbb74356646) C:\WINDOWS\system32\DRIVERS\w70n51.sys

2011/02/23 18:05:55.0583 4112 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/02/23 18:05:55.0974 4112 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/02/23 18:05:56.0364 4112 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2011/02/23 18:05:56.0645 4112 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/02/23 18:05:56.0855 4112 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/02/23 18:05:56.0985 4112 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2011/02/23 18:05:56.0995 4112 ================================================================================

2011/02/23 18:05:56.0995 4112 Scan finished

2011/02/23 18:05:56.0995 4112 ================================================================================

2011/02/23 18:05:57.0015 4108 Detected object count: 1

2011/02/23 18:19:02.0995 4108 \HardDisk0 - will be cured after reboot

2011/02/23 18:19:02.0995 4108 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2011/02/23 18:19:15.0493 2860 Deinitialize success

DDS LOG

DDS (Ver_10-12-12.01) - FAT32x86

Run by Sander at 19:04:02.04 on Wed 02/23/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.337 [GMT -5:00]

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

SVCHOST.EXE

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe

SVCHOST.EXE

SVCHOST.EXE

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe

SVCHOST.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\system32\RegSrvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\CheckPoint\Endpoint Connect\TracSrvWrapper.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\System32\TpScrLk.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\Program Files\Prism Deploy\Client\PTClient.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\SKDAEMON.EXE

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Logitech\QuickCam10\QuickCam10.exe

C:\Program Files\Alwil Software\Avast5\avastUI.exe

C:\Program Files\CheckPoint\Endpoint Connect\TrGUI.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Sander\Desktop\dds.pif

============== Pseudo HJT Report ===============

uWindow Title = Windows Internet Explorer provided by MSN & Bing

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.google.com

uURLSearchHooks: H - No File

BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\drop down deals\YontooIEClient.dll

TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [TrackPointSrv] tp4serv.exe

mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe

mRun: [TPKBDLED] c:\windows\system32\TpScrLk.exe

mRun: [bMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [TP4EX] tp4ex.exe

mRun: [ATIModeChange] Ati2mdxx.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper

mRun: [tgcmd]

mRun: [storageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r

mRun: [Prism Deploy Client] "c:\program files\prism deploy\client\PTClient.exe" /Subscriber

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [Hot Key Kbd Daemon] SKDAEMON.EXE

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [inCD] c:\program files\ahead\incd\InCD.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide

mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

mRun: [Check Point Endpoint Security] "c:\program files\checkpoint\endpoint connect\TrGUI.exe"

mRun: [QCWLIcon] c:\program files\thinkpad\connectutilities\QCWLICON.EXE

mExplorerRun: [wininet.dll] dfrgsrv.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

Trusted Zone: ameritrade.com

Trusted Zone: ameritrade.com\wwws

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1279371672830

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1289654353177

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37944.3708333333

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: ckpNotify - ckpNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-10-17 207280]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-3 294608]

R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]

R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]

R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2003-11-19 15360]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-1-1 535328]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-3 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-3 40384]

R2 Channel Deployer;Channel Deployer;c:\program files\common files\new boundary\prismxl\channeldeploy.sys [2004-2-3 65536]

R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2009-12-15 47504]

R2 TracSrvWrapper;Check Point Endpoint Security;c:\program files\checkpoint\endpoint connect\TracSrvWrapper.exe [2010-9-26 4142608]

R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2009-12-15 126680]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2009-12-15 684280]

R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2009-12-15 2245624]

R3 vna_ap;Check Point Virtual Network Adapter - Apollo;c:\windows\system32\drivers\vnaap.sys [2010-9-26 129304]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-10-17 358600]

S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-10-17 1141200]

=============== Created Last 30 ================

2011-02-23 23:07:10 -------- d-----w- c:\program files\Drop Down Deals

2011-02-23 23:07:09 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer

2011-02-23 02:01:08 -------- d-----w- c:\documents and settings\sander\.jpi_cache

2011-02-23 02:01:05 -------- d-----w- c:\documents and settings\sander\.java

2011-02-22 04:36:44 -------- d-sh--w- c:\documents and settings\sander\PrivacIE

2011-02-22 04:33:46 -------- d-sh--w- c:\documents and settings\sander\IETldCache

2011-02-22 04:23:40 -------- d--h--w- c:\windows\msdownld.tmp

2011-02-22 04:19:25 -------- d--h--w- c:\windows\ie8

2011-02-20 15:30:57 -------- d-----w- c:\program files\Yontoo Layers Client

==================== Find3M ====================

2011-01-15 03:16:16 90112 ----a-w- c:\windows\DUMP4543.tmp

2011-01-13 08:47:36 38848 ----a-w- c:\windows\avastSS.scr

2010-12-18 01:51:52 90112 ----a-w- c:\windows\DUMP73a2.tmp

2010-12-09 03:35:34 90112 ----a-w- c:\windows\DUMP9c8d.tmp

2010-12-09 03:01:24 90112 ----a-w- c:\windows\DUMP9d23.tmp

2004-10-01 20:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe

============= FINISH: 19:05:12.22 ===============

MBAM log

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5858

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

2/23/2011 6:55:06 PM

mbam-log-2011-02-23 (18-55-06).txt

Scan type: Quick scan

Objects scanned: 193876

Time elapsed: 16 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\Temp\5901360 (PUP.BHO) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Attach.2txt.zip

Link to post
Share on other sites

Here you go, Combo fix and DDS logs below. I did not attach a zip of the DDS attach file, please let me know if that is needed

Thanks !!!!

COMBOFIX LOG

ComboFix 11-02-23.05 - Sander 02/24/2011 0:20.1.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.371 [GMT -5:00]

Running from: c:\documents and settings\Sander\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

* Created a new restore point

.

/wow section - STAGE 25

The system cannot find the path specified.

@DO was unexpected at this time.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\michele\Local Settings\Application Data\{E22BB3E3-F1FD-412D-BA7E-5B006EC6DB6A}

c:\documents and settings\michele\Local Settings\Application Data\{E22BB3E3-F1FD-412D-BA7E-5B006EC6DB6A}\chrome.manifest

c:\documents and settings\michele\Local Settings\Application Data\{E22BB3E3-F1FD-412D-BA7E-5B006EC6DB6A}\chrome\content\_cfg.js

c:\documents and settings\michele\Local Settings\Application Data\{E22BB3E3-F1FD-412D-BA7E-5B006EC6DB6A}\chrome\content\overlay.xul

c:\documents and settings\michele\Local Settings\Application Data\{E22BB3E3-F1FD-412D-BA7E-5B006EC6DB6A}\install.rdf

c:\documents and settings\Sander\Local Settings\Application Data\{06FC0A05-2836-41A3-9377-3D71D075F49B}

c:\documents and settings\Sander\Local Settings\Application Data\{06FC0A05-2836-41A3-9377-3D71D075F49B}\chrome.manifest

c:\documents and settings\Sander\Local Settings\Application Data\{06FC0A05-2836-41A3-9377-3D71D075F49B}\chrome\content\_cfg.js

c:\documents and settings\Sander\Local Settings\Application Data\{06FC0A05-2836-41A3-9377-3D71D075F49B}\chrome\content\overlay.xul

c:\documents and settings\Sander\Local Settings\Application Data\{06FC0A05-2836-41A3-9377-3D71D075F49B}\install.rdf

c:\program files\security toolbar

c:\program files\security toolbar\Uninstall.bat

c:\program files\Shared

c:\windows\system\VI30AUT.DLL

c:\windows\system32\Cache

c:\windows\system32\midas.dll

.

((((((((((((((((((((((((( Files Created from 2011-01-24 to 2011-02-24 )))))))))))))))))))))))))))))))

.

2011-02-23 23:07 . 2011-02-23 23:07 -------- d-----w- c:\program files\Drop Down Deals

2011-02-23 23:07 . 2011-02-23 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer

2011-02-23 02:01 . 2011-02-23 02:01 -------- d-----w- c:\documents and settings\Sander\.jpi_cache

2011-02-23 02:01 . 2011-02-23 02:01 -------- d-----w- c:\documents and settings\Sander\.java

2011-02-23 00:31 . 2011-02-23 00:31 -------- d-sh--w- c:\documents and settings\michele\PrivacIE

2011-02-22 13:47 . 2011-02-22 13:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-02-22 13:46 . 2011-02-22 13:46 -------- d-sh--w- c:\documents and settings\michele\IETldCache

2011-02-22 04:36 . 2011-02-22 04:36 -------- d-sh--w- c:\documents and settings\Sander\PrivacIE

2011-02-22 04:33 . 2011-02-22 04:33 -------- d-sh--w- c:\documents and settings\Sander\IETldCache

2011-02-22 04:23 . 2011-02-22 04:23 -------- d--h--w- c:\windows\msdownld.tmp

2011-02-22 04:19 . 2011-02-22 04:19 -------- d--h--w- c:\windows\ie8

2011-02-20 15:30 . 2011-02-20 15:30 -------- d-----w- c:\program files\Yontoo Layers Client

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-19 04:26 . 2011-01-19 04:26 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys

2011-01-15 03:16 . 2004-02-04 06:02 90112 ----a-w- c:\windows\DUMP4543.tmp

2011-01-13 08:47 . 2010-11-04 00:48 38848 ----a-w- c:\windows\avastSS.scr

2011-01-13 08:47 . 2010-11-04 00:48 188216 ----a-w- c:\windows\system32\aswBoot.exe

2011-01-13 08:41 . 2010-11-04 00:49 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-01-13 08:40 . 2010-11-04 00:49 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-01-13 08:40 . 2010-11-04 00:49 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-01-13 08:39 . 2010-11-04 00:49 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-01-13 08:37 . 2010-11-04 00:49 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-01-13 08:37 . 2010-11-04 00:49 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-01-13 08:37 . 2010-11-04 00:49 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-12-20 23:09 . 2009-10-18 03:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-20 23:08 . 2009-10-18 03:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-18 01:51 . 2004-02-04 06:02 90112 ----a-w- c:\windows\DUMP73a2.tmp

2010-12-09 03:35 . 2004-02-04 06:02 90112 ----a-w- c:\windows\DUMP9c8d.tmp

2010-12-09 03:01 . 2004-02-04 06:02 90112 ----a-w- c:\windows\DUMP9d23.tmp

2004-10-01 20:00 . 2008-11-21 00:15 40960 ----a-w- c:\program files\Uninstall_CDS.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]

2011-02-17 20:49 191488 ------w- c:\program files\Drop Down Deals\YontooIEClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TrackPointSrv"="tp4serv.exe" [2002-12-03 87552]

"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-09-30 204800]

"TPKBDLED"="c:\windows\System32\TpScrLk.exe" [2002-10-09 40960]

"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2003-07-11 20480]

"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]

"TP4EX"="tp4ex.exe" [2002-09-04 53248]

"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-02 335872]

"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2003-09-02 897024]

"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]

"Prism Deploy Client"="c:\program files\Prism Deploy\Client\PTClient.exe" [2006-12-05 2117632]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 126976]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 561152]

"Hot Key Kbd Daemon"="SKDAEMON.EXE" [2004-03-05 40960]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]

"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-08 1397760]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]

"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

"Check Point Endpoint Security"="c:\program files\CheckPoint\Endpoint Connect\TrGUI.exe" [2010-09-26 738824]

"QCWLIcon"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-11-04 53248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

2009-12-15 18:40 30104 ----a-w- c:\windows\system32\ckpNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"=

"c:\\Program Files\\CheckPoint\\Endpoint Connect\\TracSrvWrapper.exe"=

"c:\\Program Files\\CheckPoint\\Endpoint Connect\\TrGUI.exe"=

R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-09-23 358600]

S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]

S1 aswSP;aswSP; [x]

S1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys [x]

S1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys [x]

S1 TPPWR;TPPWR;c:\windows\system32\drivers\Tppwr.sys [2003-07-11 15360]

S2 aswFsBlk;aswFsBlk; [x]

S2 Channel Deployer;Channel Deployer;c:\program files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys [2006-06-02 65536]

S2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2009-12-15 47504]

S2 TracSrvWrapper;Check Point Endpoint Security;c:\program files\CheckPoint\Endpoint Connect\TracSrvWrapper.exe [2010-09-26 4142608]

S2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\DRIVERS\vnasc.sys [2009-12-15 126680]

S2 VPN-1;VPN-1 Module;c:\windows\System32\drivers\vpn.sys [2009-12-15 684280]

S3 FW1;SecuRemote Miniport;c:\windows\system32\DRIVERS\fw.sys [2009-12-15 2245624]

S3 vna_ap;Check Point Virtual Network Adapter - Apollo;c:\windows\system32\DRIVERS\vnaap.sys [2010-09-26 129304]

.

Contents of the 'Scheduled Tasks' folder

2003-11-19 c:\windows\Tasks\BMMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2003-11-19 06:34]

2010-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2011-01-14 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2011-02-09 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

Trusted Zone: ameritrade.com

Trusted Zone: ameritrade.com\wwws

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

HKLM-Run-tgcmd - (no file)

SafeBoot-mcmscsvc

SafeBoot-MCODS

AddRemove-Security Toolbar - c:\program files\Security Toolbar\Uninstall.bat

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-24 00:27

Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2911765694-2805738209-4071888707-1010\

Link to post
Share on other sites

  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites

Thanks ... thinks are vastly improved overall ... search results are no longer hijacked and Microsoft updates ran and installed (don't know if they were blocked previously, but good toknow updates are running)

here is the ESET scan log .. i'll be running the Security check next, but waned to post this as ESET did find and quarantine some files

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6425

# api_version=3.0.2

# EOSSerial=02f62f01a11c8b4c84fbe75d6d0e80af

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-02-26 01:22:35

# local_time=2011-02-25 08:22:35 (-0500, Eastern Standard Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=768 16777215 100 0 8925469 8925469 0 0

# compatibility_mode=1024 16777215 100 0 18335681 18335681 0 0

# compatibility_mode=2560 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=83070

# found=7

# cleaned=7

# scan_time=4602

C:\WINDOWS\Downloaded Program Files\WebEx\324\webexmgr.dll probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\Downloaded Program Files\WebEx\424\atpdmod.dll probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Program Files\Registry Patrol\RegistryPatrol.exe a variant of Win32/Adware.RegistryPatrol application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{989C1DF8-9154-46E2-A20E-217350DF1BAB}\RP383\A0116450.exe a variant of Win32/Adware.RegistryPatrol application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\install\Netopia\NetOctopus\Test Bed\nant.exe probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\michele\Local Settings\Application Data\{E22BB3E3-F1FD-412D-BA7E-5B006EC6DB6A}\chrome\content\overlay.xul.vir probably a variant of Win32/Agent.NVQFFQI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Sander\Local Settings\Application Data\{06FC0A05-2836-41A3-9377-3D71D075F49B}\chrome\content\overlay.xul.vir probably a variant of Win32/Agent.NVQFFQI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Link to post
Share on other sites

here are the results of the security check, as i said in previous post ... thinks seem to be fine

Results of screen317's Security Check version 0.99.7

Windows XP Service Pack 2

Out of date service pack!!

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Enabled!

avast! Free Antivirus

ESET Online Scanner v3

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

CCleaner (remove only)

Java Web Start

Java 2 Runtime Environment, SE v1.4.1_01

Java 2 Runtime Environment, SE v1.4.1_07

Adobe Flash Player

````````````````````````````````

Process Check:

objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe

Alwil Software Avast5 avastUI.exe

``````````End of Log````````````

Link to post
Share on other sites

  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java Web Start

Java 2 Runtime Environment, SE v1.4.1_01

Java 2 Runtime Environment, SE v1.4.1_07

Adobe Flash Player

Restart your computer.

Get the latest version of Java and Adobe Flash Player.

Next, it is absolutely essential that you upgrade to Windows XP Service Pack 3. Service Pack 2, which is what you currently have, has vulnerabilities that leave you wide open for re-infection. To upgrade, please visit Windows Update and download all critical updates.

Let me know if the update was successful.

-screen317

Link to post
Share on other sites

Thanks

Things are running fine now

I removed the apps listed above, upgraded to SP3 and am now installing the 15-20 post XP3 updates.

YOU ALL ROCK !!!!!

What is the best way to financialy express my gratitude?

Purchase the MBAM upgrade (i have the feee version)

Contribute via payPal to the author of Combo fix (I think that was the one with the paypal link)

Just contirubte to MBAM?

other?

Thanks Again !!!!!

Link to post
Share on other sites

  • 4 weeks later...
Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.