
New rootkit, not detected, symptom search redirects


Bigger

Hi folks,

I have a tough one for you here.

Symptom is the prevalent (Google) search redirects.

Malwarebytes' Anti-Malware did not find anything. Log is attached.

An ESET Online Scan removed a handful of Java trojans from the Java 6 cache, probably the droppers of the rootkit. ESET log is attached. I have now removed Java from my machine.

I don't see anything suspicious in either of the attached GMER logs, nor in the attached TDSSKiller logs. What do you think?

I also attach a VBA32 AntiRootkit log. There are some issues, but I'm hard pressed to properly interpret all of them. Can you help?

Regards,

--

Marcel

Vba32ArkitLog.html

GMERScan19022011.log

mbr.log

mbam-log-2011-02-21 (23-40-52).txt

ESET Result.txt

TDSSKiller.2.4.18.0_22.02.2011_21.14.12_log.txt


  • Staff

Hi and welcome to Malwarebytes.

In the future, please post all logs directly into your reply instead of attaching them.

With that said, please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post DDS.txt directly into your reply.

Also, are you currently connected through a router?


Thanks for the welcome.

(A) Here is the MBAM Quick Scan log. I've cleaned the 4 alerts. Please be aware that I have Norton Internet Security 2006 running.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5902

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

02.28.2011 12:13:10 PM

mbam-log-2011-02-28 (12-13-01).txt

Scan type: Quick scan

Objects scanned: 198109

Time elapsed: 7 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

***********************************************************************

(B) Here is the DDS.txt log:

DDS (Ver_10-12-12.02) - NTFSx86

Run by Marcel Bigger at 12:20:29.50 on 02.28.2011

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.313 [GMT 1:00]

AV: Norton Internet Security 2006 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Worm Protection *Disabled*

FW: Norton Internet Security 2006 *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Saitek\Software\SaiSmart.exe

C:\Program Files\Saitek\Software\Profiler.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Brownie\BrstsWnd.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\APOD\apod.exe

C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Extensis\Portfolio 8.5\Portfolio Express.exe

C:\Program Files\Opdicom\OpdiTracker\OptT3STA.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Marcel Bigger\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

mStart Page = hxxp://www.euro.dell.com/

uInternet Connection Wizard,ShellNext = hxxp://www.euro.dell.com/

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = proxy.uzh.ch:3128

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll

BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Norton Internet Security 2006: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll

TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [apod] c:\progra~1\apod\apod.exe

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"

mRun: [saiSmart] c:\program files\saitek\software\SaiSmart.exe

mRun: [Profiler] c:\program files\saitek\software\Profiler.exe

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe

mRun: [CTHelper] CTHELPER.EXE

mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

mRun: [Acronis


c:\program files\brownie\BrstsWnd.exe

File name: BrstsWnd.exe

Submission date: 2011-03-02 17:05:50 (UTC)

Current status: finished

Result: 0/ 43 (0.0%)

AhnLab-V3 2011.03.03.00 2011.03.02 -

AntiVir 7.11.4.30 2011.03.02 -

Antiy-AVL 2.0.3.7 2011.03.02 -

Avast 4.8.1351.0 2011.02.23 -

Avast5 5.0.677.0 2011.02.23 -

AVG 10.0.0.1190 2011.03.02 -

BitDefender 7.2 2011.03.02 -

CAT-QuickHeal 11.00 2011.03.01 -

ClamAV 0.96.4.0 2011.03.02 -

Commtouch 5.2.11.5 2011.03.02 -

Comodo 7852 2011.03.02 -

DrWeb 5.0.2.03300 2011.03.02 -

Emsisoft 5.1.0.2 2011.03.02 -

eSafe 7.0.17.0 2011.03.02 -

eTrust-Vet 36.1.8192 2011.03.02 -

F-Prot 4.6.2.117 2011.03.02 -

F-Secure 9.0.16160.0 2011.03.02 -

Fortinet 4.2.254.0 2011.03.02 -

GData 21 2011.03.02 -

Ikarus T3.1.1.97.0 2011.03.02 -

Jiangmin 13.0.900 2011.03.02 -

K7AntiVirus 9.91.4006 2011.03.02 -

Kaspersky 7.0.0.125 2011.03.02 -

McAfee 5.400.0.1158 2011.03.02 -

McAfee-GW-Edition 2010.1C 2011.03.02 -

Microsoft 1.6603 2011.03.02 -

NOD32 5920 2011.03.02 -

Norman 6.07.03 2011.03.01 -

nProtect 2011-02-10.01 2011.02.15 -

Panda 10.0.3.5 2011.03.01 -

PCTools 7.0.3.5 2011.03.02 -

Prevx 3.0 2011.03.02 -

Rising 23.47.02.06 2011.03.02 -

Sophos 4.61.0 2011.03.02 -

SUPERAntiSpyware 4.40.0.1006 2011.03.02 -

Symantec 20101.3.0.103 2011.03.02 -

TheHacker 6.7.0.1.143 2011.03.02 -

TrendMicro 9.200.0.1012 2011.03.02 -

TrendMicro-HouseCall 9.200.0.1012 2011.03.02 -

VBA32 3.12.14.3 2011.03.02 -

VIPRE 8585 2011.03.02 -

ViRobot 2011.3.2.4335 2011.03.02 -

VirusBuster 13.6.231.0 2011.03.02 -

c:\program files\apod\apod.exe

Please note that APOD is Astronomy Picture of the Day, a popular NASA app (http://apod.nasa.gov/).

File name: apod.exe

Submission date: 2011-03-02 17:12:05 (UTC)

Current status: finished

Result: 1/ 43 (2.3%)

AhnLab-V3 2011.03.03.00 2011.03.02 -

AntiVir 7.11.4.30 2011.03.02 -

Antiy-AVL 2.0.3.7 2011.03.02 -

Avast 4.8.1351.0 2011.02.23 -

Avast5 5.0.677.0 2011.02.23 -

AVG 10.0.0.1190 2011.03.02 -

BitDefender 7.2 2011.03.02 -

CAT-QuickHeal 11.00 2011.03.01 -

ClamAV 0.96.4.0 2011.03.02 -

Commtouch 5.2.11.5 2011.03.02 -

Comodo 7852 2011.03.02 -

DrWeb 5.0.2.03300 2011.03.02 -

Emsisoft 5.1.0.2 2011.03.02 -

eSafe 7.0.17.0 2011.03.02 -

eTrust-Vet 36.1.8192 2011.03.02 -

F-Prot 4.6.2.117 2011.03.02 -

F-Secure 9.0.16160.0 2011.03.02 -

Fortinet 4.2.254.0 2011.03.02 -

GData 21 2011.03.02 -

Ikarus T3.1.1.97.0 2011.03.02 -

Jiangmin 13.0.900 2011.03.02 -

K7AntiVirus 9.91.4006 2011.03.02 -

Kaspersky 7.0.0.125 2011.03.02 -

McAfee 5.400.0.1158 2011.03.02 -

McAfee-GW-Edition 2010.1C 2011.03.02 -

Microsoft 1.6603 2011.03.02 -

NOD32 5920 2011.03.02 -

Norman 6.07.03 2011.03.01 -

nProtect 2011-02-10.01 2011.02.15 -

Panda 10.0.3.5 2011.03.02 -

PCTools 7.0.3.5 2011.03.02 -

Prevx 3.0 2011.03.02 -

Rising 23.47.02.06 2011.03.02 -

Sophos 4.61.0 2011.03.02 -

SUPERAntiSpyware 4.40.0.1006 2011.03.02 -

Symantec 20101.3.0.103 2011.03.02 -

TheHacker 6.7.0.1.143 2011.03.02 -

TrendMicro 9.200.0.1012 2011.03.02 -

TrendMicro-HouseCall 9.200.0.1012 2011.03.02 -

VBA32 3.12.14.3 2011.03.02 suspected of Trojan.Downloader.gen.h

VIPRE 8585 2011.03.02 -

ViRobot 2011.3.2.4335 2011.03.02 -

VirusBuster 13.6.231.0 2011.03.02 -

Regards,

--

Marcel


ComboFix 11-03-05.02 - Marcel Bigger 03.06.2011 21:32:43.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.517 [GMT 1:00]

Running from: c:\documents and settings\Marcel Bigger\Desktop\ComboFix.exe

AV: Norton Internet Security 2006 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security 2006 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\install.exe

c:\windows\My.ini

c:\windows\system32\scvideo.dll

c:\windows\system32\twunk_32.exe

d:\\DPE.DUS

.

.

((((((((((((((((((((((((( Files Created from 2011-02-06 to 2011-03-06 )))))))))))))))))))))))))))))))

.

.

2011-02-26 14:15 . 2011-02-26 14:15 35904 ----a-w- c:\windows\system32\drivers\fc0dp3bw.sys

2011-02-25 15:44 . 2011-02-25 15:44 -------- d-----w- c:\program files\ESET

2011-02-21 19:41 . 2011-02-21 19:41 -------- d-----w- c:\documents and settings\Marcel Bigger\Application Data\Malwarebytes

2011-02-21 19:41 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-21 19:41 . 2011-02-21 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-02-21 19:41 . 2011-02-21 19:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-21 19:41 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-05 23:11 . 2011-02-05 23:11 -------- d-----w- c:\program files\iPod

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-11 00:48 . 2009-05-14 18:49 66 ----a-w- c:\documents and settings\Marcel Bigger\Application Data\isfree4_0.tmp

2006-05-03 09:06 163328 --sh--r- c:\windows\SYSTEM32\flvDX.dll

2007-02-21 10:47 31232 --sh--r- c:\windows\SYSTEM32\msfDX.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"apod"="c:\progra~1\APOD\apod.exe" [2008-03-07 500736]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SaiSmart"="c:\program files\Saitek\Software\SaiSmart.exe" [2003-04-10 86016]

"Profiler"="c:\program files\Saitek\Software\Profiler.exe" [2003-04-10 151552]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]

"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]

"CTHelper"="CTHELPER.EXE" [2003-02-20 28672]

"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 53096]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-24 335872]

"AsioReg"="CTASIO.DLL" [2003-02-20 110592]

"Acronis


  • Staff

Hi,

1. Very important: First disconnect your computer from the internet.

2. Router Reset: Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).

3. Reset the IP/DNS settings of your internet connection:

  • Go to Start -> Control Panel -> Double click on Network Connections.
  • Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.
  • Select the General tab.
  • Double click on Internet Protocol (TCP/IP).
    • Under the General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".
  • Click OK twice to save the settings.
  • Reboot if you had to change any setting.

4. Flush the DNS cache:

  • Click the Start logo in the bottom left corner of the screen.
  • Click on Run.
  • In the command window copy/paste the following:
    ipconfig /flushdns
  • Then hit Enter.
  • Exit the command window.

5. Reconnect: Once you have followed all the above steps you can reconnect your computer to the internet.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

Are you still getting redirected?

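The manual reset above fixes the settings; a quick way to confirm afterwards which resolvers each adapter is really using (a hijacked DNS server is the usual cause of search redirects that survive a malware scan) is to save `ipconfig /all` to a file and compare every DNS server against networks you trust. The following Python script is an added example, not part of this thread or of any Malwarebytes tool. The `ipconfig` sample text is constructed in the layout Windows XP prints, and the trusted networks default to the RFC 1918 private ranges; in practice you would extend that tuple with your ISP's or organisation's resolvers.

```python
"""Flag DNS servers that do not belong to a trusted set.

Added example, not part of the forum thread. It parses the text that
`ipconfig /all` prints on Windows XP (captured with
`ipconfig /all > ipconfig.txt`) and reports every configured DNS server
that lies outside networks you trust. The sample output and the default
trusted networks below are constructed for the demo.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the layout `ipconfig /all` uses on Windows XP.
SAMPLE_IPCONFIG = """
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WORKSTATION

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 198.51.100.7
                                            203.0.113.9

Ethernet adapter VPN:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.8.0.5
        DNS Servers . . . . . . . . . . . : 10.8.0.1
"""

# Adapter headers start in column 0 and end with a colon; fields are
# indented and padded with dots; extra DNS servers follow on bare lines.
ADAPTER_RE = re.compile(r"^(\S.*?):\s*$")
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")
IP_ONLY_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

# Default trust set: RFC 1918 ranges only. Extend with known resolvers.
DEFAULT_TRUSTED = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_ipconfig(text):
    """Return {adapter: {"dhcp": bool or None, "dns": [server, ...]}}."""
    adapters, current, last_field = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1).strip()
            adapters[current] = {"dhcp": None, "dns": []}
            last_field = None
            continue
        if current is None:          # global header lines before any adapter
            continue
        m = IP_ONLY_RE.match(line)
        if m:                        # continuation line of a multi-value field
            if last_field == "dns servers":
                adapters[current]["dns"].append(m.group(1))
            continue
        m = FIELD_RE.match(line)
        if not m:
            last_field = None
            continue
        name, value = m.group(1).strip().lower(), m.group(2).strip()
        last_field = name
        if name == "dhcp enabled":
            adapters[current]["dhcp"] = value.lower().startswith("yes")
        elif name == "dns servers" and value:
            adapters[current]["dns"].append(value)
    return adapters


def check_dns_servers(text, trusted=DEFAULT_TRUSTED):
    """Return [(adapter, server)] for every DNS server outside `trusted`."""
    nets = [ip_network(n) for n in trusted]
    findings = []
    for adapter, info in parse_ipconfig(text).items():
        for server in info["dns"]:
            try:
                addr = ip_address(server)
            except ValueError:       # not even an address: report it as-is
                findings.append((adapter, server))
                continue
            if not any(addr in net for net in nets):
                findings.append((adapter, server))
    return findings


if __name__ == "__main__":
    for adapter, server in check_dns_servers(SAMPLE_IPCONFIG):
        print(f"{adapter}: DNS server {server} is outside the trusted networks")
```

Run it against the real capture with `check_dns_servers(open("ipconfig.txt").read(), DEFAULT_TRUSTED + ("<your resolver>/32",))`. Anything it reports on an adapter set to obtain DNS automatically points at the router's DHCP configuration, which is why the steps above reset the router before the adapter.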

# version=7

# iexplore.exe=7.00.6000.17055 (vista_gdr.100414-0533)

# OnlineScanner.ocx=1.0.0.6425

# api_version=3.0.2

# EOSSerial=9f640cc4bf0f274ba365d0ff0af1a009

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-03-10 10:10:22

# local_time=2011-03-10 11:10:22 (+0100, W. Europe Standard Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=3586 16764885 100 88 3920 303121050 0 0

# compatibility_mode=8192 67108863 100 0 1137046 1137046 0 0

# scanned=347193

# found=0

# cleaned=0

# scan_time=9299

Results of screen317's Security Check version 0.99.9

Windows XP Service Pack 2

Out of date service pack!!

Internet Explorer 7 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ESET Online Scanner v3

Adobe After Effects CS3 Presets

Norton AntiVirus 2006

Norton Internet Security 2006 (Symantec Corporation)

Norton Internet Security

Airscanner Mobile Antivirus

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Adobe Flash Player 9 (Out of date Flash Player installed!)

Adobe Flash Player

````````````````````````````````

Process Check:

objlist.exe by Laurent

Norton Internet Security Norton AntiVirus navapsvc.exe

``````````End of Log````````````

I will observe for the next 24 hours whether I still have redirects and report back.


  • Staff

Delete your copy of TDSSKiller.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is like UtilityName.Version_Date_Time_log.txt.

For example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Next, download MBRCheck.exe by a_d_13 and save it to your Desktop.

Run it; when it completes, a log will be available on your Desktop (MBRCheck xxxxxx .txt) where xxxxxx is the time it ran.

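Reading a TDSSKiller listing of several hundred drivers by eye is error-prone. The script below is an added example, not part of this thread and not TDSSKiller's own code: it parses the per-driver lines in the format the log uses (date, time, thread id, service name, MD5 in parentheses, image path), flags images outside the usual driver directories, flags service names that look machine-generated (a triage heuristic, not a verdict: six or more characters mixing letters and digits with no vowels), and compares each MD5 against a baseline you supply, for instance one taken from a known-clean machine of the same build. The baseline dictionary and the last sample line are constructed for the demo; the other sample lines are copied from the log posted below.

```python
"""Triage the driver listing in a TDSSKiller log.

Added example, not part of the thread and not TDSSKiller's own code.
Three checks per driver: image outside the standard driver locations,
a service name that looks machine-generated (heuristic only), and an
MD5 that differs from a baseline the caller supplies. BASELINE and the
last SAMPLE_LOG line are constructed; the rest is copied from the log.
"""
import re
from collections import namedtuple

Driver = namedtuple("Driver", "name md5 path")

# date time thread-id name (md5) path
LINE_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+)$"
)

# Sample lines in TDSSKiller's format; the zz7q9k3x line is constructed.
SAMPLE_LOG = r"""
2011/03/13 10:15:18.0093 6004 61883 (86d7b1e70661d754685b9ac6d749aae5) C:\WINDOWS\system32\DRIVERS\61883.sys
2011/03/13 10:15:19.0296 6004 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/13 10:15:19.0734 6004 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/13 10:15:21.0359 6004 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/03/13 10:15:21.0671 6004 fc0dp3bw (04f76bc3aff4dd42a0ff860c8e70acc8) C:\WINDOWS\system32\Drivers\fc0dp3bw.sys
2011/03/13 10:15:24.0500 6004 zz7q9k3x (0123456789abcdef0123456789abcdef) C:\Documents and Settings\user\Local Settings\Temp\zz7q9k3x.sys
"""

# Constructed baseline (normalised path -> expected MD5). atapi matches
# the sample; the Beep hash is deliberately wrong to show a mismatch.
BASELINE = {
    "c:/windows/system32/drivers/atapi.sys": "cdfe4411a69c224bd1d11b2da92dac51",
    "c:/windows/system32/drivers/beep.sys": "ffffffffffffffffffffffffffffffff",
}

# Where a driver image is normally expected to live on this XP install.
ALLOWED_DIRS = ("c:/windows/system32/", "c:/program files/")
VOWELS = set("aeiouy")


def norm(path):
    """Lower-case and forward-slash a Windows path for comparisons."""
    return path.lower().replace("\\", "/")


def parse_tdsskiller(text):
    """Return a Driver for every per-driver line; other lines are ignored."""
    drivers = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            drivers.append(Driver(m["name"], m["md5"], m["path"]))
    return drivers


def looks_generated(name):
    """Heuristic: 6+ chars, mixes letters and digits, contains no vowel."""
    n = name.lower()
    return (len(n) >= 6
            and any(c.isdigit() for c in n)
            and any(c.isalpha() for c in n)
            and not (set(n) & VOWELS))


def triage(text, baseline, allowed_dirs=ALLOWED_DIRS):
    """Return [(service name, reason)] for drivers worth a closer look."""
    findings = []
    for d in parse_tdsskiller(text):
        p = norm(d.path)
        if not p.startswith(allowed_dirs):
            findings.append((d.name, "image outside standard driver directories"))
        if looks_generated(d.name):
            findings.append((d.name, "service name looks machine-generated"))
        expected = baseline.get(p)
        if expected is not None and expected.lower() != d.md5.lower():
            findings.append((d.name, "MD5 differs from baseline"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LOG, BASELINE):
        print(f"{name}: {reason}")
```

Feed the saved `C:\TDSSKiller.*_log.txt` to `triage()`; anything it lists is a candidate to submit to VirusTotal, as was done with BrstsWnd.exe and apod.exe earlier in the thread, not a confirmed infection. A driver with an odd name and an MD5 that matches a baseline from a clean machine is almost certainly a legitimately randomly named component, which is exactly the case the hash check is there to rule out.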

2011/03/13 10:15:11.0312 5960 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28

2011/03/13 10:15:11.0687 5960 ================================================================================

2011/03/13 10:15:11.0687 5960 SystemInfo:

2011/03/13 10:15:11.0687 5960

2011/03/13 10:15:11.0687 5960 OS Version: 5.1.2600 ServicePack: 2.0

2011/03/13 10:15:11.0687 5960 Product type: Workstation

2011/03/13 10:15:11.0687 5960 ComputerName: MARCEL

2011/03/13 10:15:11.0687 5960 UserName: Marcel Bigger

2011/03/13 10:15:11.0687 5960 Windows directory: C:\WINDOWS

2011/03/13 10:15:11.0687 5960 System windows directory: C:\WINDOWS

2011/03/13 10:15:11.0687 5960 Processor architecture: Intel x86

2011/03/13 10:15:11.0687 5960 Number of processors: 2

2011/03/13 10:15:11.0687 5960 Page size: 0x1000

2011/03/13 10:15:11.0687 5960 Boot type: Normal boot

2011/03/13 10:15:11.0687 5960 ================================================================================

2011/03/13 10:15:11.0968 5960 Initialize success

2011/03/13 10:15:16.0296 6004 ================================================================================

2011/03/13 10:15:16.0296 6004 Scan started

2011/03/13 10:15:16.0296 6004 Mode: Manual;

2011/03/13 10:15:16.0296 6004 ================================================================================

2011/03/13 10:15:18.0093 6004 61883 (86d7b1e70661d754685b9ac6d749aae5) C:\WINDOWS\system32\DRIVERS\61883.sys

2011/03/13 10:15:18.0187 6004 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS

2011/03/13 10:15:18.0234 6004 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/03/13 10:15:18.0281 6004 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/03/13 10:15:18.0343 6004 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys

2011/03/13 10:15:18.0406 6004 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys

2011/03/13 10:15:18.0453 6004 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys

2011/03/13 10:15:18.0515 6004 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys

2011/03/13 10:15:18.0562 6004 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys

2011/03/13 10:15:18.0593 6004 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\System32\DRIVERS\agp440.sys

2011/03/13 10:15:18.0640 6004 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\System32\DRIVERS\agpCPQ.sys

2011/03/13 10:15:18.0671 6004 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\System32\DRIVERS\aha154x.sys

2011/03/13 10:15:18.0718 6004 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys

2011/03/13 10:15:18.0781 6004 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys

2011/03/13 10:15:18.0843 6004 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\System32\DRIVERS\aliide.sys

2011/03/13 10:15:18.0906 6004 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\System32\DRIVERS\alim1541.sys

2011/03/13 10:15:18.0937 6004 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\System32\DRIVERS\amdagp.sys

2011/03/13 10:15:19.0000 6004 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\System32\DRIVERS\amsint.sys

2011/03/13 10:15:19.0062 6004 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2011/03/13 10:15:19.0093 6004 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\System32\DRIVERS\asc.sys

2011/03/13 10:15:19.0140 6004 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\System32\DRIVERS\asc3350p.sys

2011/03/13 10:15:19.0171 6004 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\System32\DRIVERS\asc3550.sys

2011/03/13 10:15:19.0250 6004 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/03/13 10:15:19.0296 6004 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/03/13 10:15:19.0468 6004 ati2mtag (b70ecb6bd20e13f0ce3c0bc95f5c3a9a) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/03/13 10:15:19.0578 6004 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/03/13 10:15:19.0625 6004 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/03/13 10:15:19.0687 6004 Avc (87c223adb8f7596b31caae3c67b16ddd) C:\WINDOWS\system32\DRIVERS\avc.sys

2011/03/13 10:15:19.0734 6004 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/03/13 10:15:19.0875 6004 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\DRIVERS\cbidf2k.sys

2011/03/13 10:15:19.0906 6004 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/03/13 10:15:19.0953 6004 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2011/03/13 10:15:20.0031 6004 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys

2011/03/13 10:15:20.0062 6004 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/03/13 10:15:20.0109 6004 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/03/13 10:15:20.0156 6004 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/03/13 10:15:20.0250 6004 CLBStor (3b15740f137b2b243fdae2e7b9c391f7) C:\WINDOWS\system32\drivers\CLBStor.sys

2011/03/13 10:15:20.0281 6004 CLBUDF (f5c65ca7c0d348820caf9b499d783243) C:\WINDOWS\system32\drivers\CLBUDF.sys

2011/03/13 10:15:20.0328 6004 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys

2011/03/13 10:15:20.0406 6004 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys

2011/03/13 10:15:20.0484 6004 ctac32k (4c638290979600ae2ae329d1608ad2ec) C:\WINDOWS\system32\drivers\ctac32k.sys

2011/03/13 10:15:20.0531 6004 ctaud2k (cf5662375781f741513c169cd4094100) C:\WINDOWS\system32\drivers\ctaud2k.sys

2011/03/13 10:15:20.0593 6004 ctdvda2k (437f2b31ba8b6b264d38b4fe6682faec) C:\WINDOWS\system32\drivers\ctdvda2k.sys

2011/03/13 10:15:20.0640 6004 ctprxy2k (678849d1af0750f68dbdc185252d5926) C:\WINDOWS\system32\drivers\ctprxy2k.sys

2011/03/13 10:15:20.0671 6004 ctsfm2k (3a076ebfbbbd6879a78863944980da32) C:\WINDOWS\system32\drivers\ctsfm2k.sys

2011/03/13 10:15:20.0718 6004 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys

2011/03/13 10:15:20.0781 6004 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys

2011/03/13 10:15:20.0843 6004 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/03/13 10:15:20.0906 6004 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

2011/03/13 10:15:20.0968 6004 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys

2011/03/13 10:15:21.0015 6004 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/03/13 10:15:21.0062 6004 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

2011/03/13 10:15:21.0109 6004 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys

2011/03/13 10:15:21.0140 6004 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/03/13 10:15:21.0187 6004 drvmcdb (7f056a52bcba3102d2d37a4a2646c807) C:\WINDOWS\system32\drivers\drvmcdb.sys

2011/03/13 10:15:21.0234 6004 drvnddm (d3c1e501ed42e77574b3095309dd4075) C:\WINDOWS\system32\drivers\drvnddm.sys

2011/03/13 10:15:21.0281 6004 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys

2011/03/13 10:15:21.0359 6004 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

2011/03/13 10:15:21.0406 6004 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys

2011/03/13 10:15:21.0468 6004 emupia (f7511cf63ef82f7227c03028a3abadb5) C:\WINDOWS\system32\drivers\emupia2k.sys

2011/03/13 10:15:21.0500 6004 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

2011/03/13 10:15:21.0625 6004 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/03/13 10:15:21.0671 6004 fc0dp3bw (04f76bc3aff4dd42a0ff860c8e70acc8) C:\WINDOWS\system32\Drivers\fc0dp3bw.sys

2011/03/13 10:15:21.0734 6004 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys

2011/03/13 10:15:21.0781 6004 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

2011/03/13 10:15:21.0812 6004 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2011/03/13 10:15:21.0859 6004 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/03/13 10:15:21.0906 6004 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/03/13 10:15:21.0953 6004 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/03/13 10:15:22.0000 6004 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

2011/03/13 10:15:22.0031 6004 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/03/13 10:15:22.0109 6004 ha10kx2k (f24dd43adc784177b28984043bc022ab) C:\WINDOWS\system32\drivers\ha10kx2k.sys

2011/03/13 10:15:22.0156 6004 hap16v2k (ff65c807ea641ff7310a61be4dec6479) C:\WINDOWS\system32\drivers\hap16v2k.sys

2011/03/13 10:15:22.0218 6004 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/03/13 10:15:22.0281 6004 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys

2011/03/13 10:15:22.0328 6004 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/03/13 10:15:22.0375 6004 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys

2011/03/13 10:15:22.0421 6004 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\System32\DRIVERS\i2omp.sys

2011/03/13 10:15:32.0343 6004 ================================================================================

2011/03/13 10:15:32.0343 6004 Scan finished

2011/03/13 10:15:32.0343 6004 ================================================================================

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 2 (build 2600)

Logical Drives Mask: 0x0000007d

Kernel Drivers (total 177):

Processes (total 55):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD740GD-75FLA0, Rev: 21.08U21

PhysicalDrive1 Model Number: WDCWD740GD-75FLA0, Rev: 21.08U21

Size Device Name MBR Status

--------------------------------------------

68 GB \\.\PhysicalDrive0 Windows XP MBR code detected

SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

68 GB \\.\PhysicalDrive1 Windows XP MBR code detected

SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!


  • Staff

Hi,

Download RootRepeal from one of the following locations and save it to your desktop:

Link 1 Link 2 Link 3

  • Double click the RootRepeal desktop icon to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
      • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

Note: The scan can take some time. DO NOT run any other programs while the scan is running.

  • When the scan is complete, click the Save Report button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead. To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click the add-attachment icon to insert the attachment into your post

Please download Rootkit Unhooker and save it to your Desktop.

  • Disable your security programs
  • Double click RKUnhookerLE.exe to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File --> Save Report
  • Save the report somewhere you can find it. Click Close.
  • Copy the entire contents of the report and paste it in your next reply.

If you get the following warning, please ignore it:

"Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2011/03/17 21:54

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP2

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xB9F07000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7A69000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB58C7000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

SSDT

-------------------

#: 012 Function Name: NtAlertResumeThread

Status: Hooked by "<unknown>" at address 0x86a78170

#: 013 Function Name: NtAlertThread

Status: Hooked by "<unknown>" at address 0x86a78c78

#: 017 Function Name: NtAllocateVirtualMemory

Status: Hooked by "<unknown>" at address 0x86e98e80

#: 031 Function Name: NtConnectPort

Status: Hooked by "<unknown>" at address 0x86b932e0

#: 041 Function Name: NtCreateKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xba3e4020

#: 043 Function Name: NtCreateMutant

Status: Hooked by "<unknown>" at address 0x86e9b3c0

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0x86b31eb0

#: 063 Function Name: NtDeleteKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xba3e42a0

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xba3e4800

#: 083 Function Name: NtFreeVirtualMemory

Status: Hooked by "<unknown>" at address 0x86e9ab58

#: 089 Function Name: NtImpersonateAnonymousToken

Status: Hooked by "<unknown>" at address 0x86e63c78

#: 091 Function Name: NtImpersonateThread

Status: Hooked by "<unknown>" at address 0x86edac78

#: 108 Function Name: NtMapViewOfSection

Status: Hooked by "<unknown>" at address 0x86e33fb0

#: 114 Function Name: NtOpenEvent

Status: Hooked by "<unknown>" at address 0x86ad5168

#: 123 Function Name: NtOpenProcessToken

Status: Hooked by "<unknown>" at address 0x86b92380

#: 129 Function Name: NtOpenThreadToken

Status: Hooked by "<unknown>" at address 0x86ed71b8

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "<unknown>" at address 0x86ed9ad8

#: 206 Function Name: NtResumeThread

Status: Hooked by "<unknown>" at address 0x86b99e98

#: 213 Function Name: NtSetContextThread

Status: Hooked by "<unknown>" at address 0x86a18170

#: 228 Function Name: NtSetInformationProcess

Status: Hooked by "<unknown>" at address 0x86e9ada0

#: 229 Function Name: NtSetInformationThread

Status: Hooked by "<unknown>" at address 0x86d8ea08

#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xba3e4a50

#: 253 Function Name: NtSuspendProcess

Status: Hooked by "<unknown>" at address 0x86e4b360

#: 254 Function Name: NtSuspendThread

Status: Hooked by "<unknown>" at address 0x86a82ae0

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0x86b92348

#: 258 Function Name: NtTerminateThread

Status: Hooked by "<unknown>" at address 0x869dc170

#: 267 Function Name: NtUnmapViewOfSection

Status: Hooked by "<unknown>" at address 0x86a80c78

"Rootkit Unhooker" will follow tomorrow.

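As an added triage aid (not code from this thread or from RootRepeal), the following Python parses the Drivers and SSDT sections in the report layout posted above and flags hooks whose handler RootRepeal could not attribute and that also fall outside every listed driver image range, i.e. handler code that lives in kernel pool rather than in a driver. The sample is a constructed excerpt, and the SYMEVENT.SYS load range in it is an assumed value, since the posted log lists only hidden drivers; a hook by a named security driver such as SYMEVENT.SYS is expected and is not flagged.

```python
import re

# Constructed excerpt in the layout of the RootRepeal report posted above; the
# SYMEVENT.SYS load range is an assumed value (RootRepeal only listed hidden drivers).
SAMPLE_REPORT = r"""
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB58C7000 Size: 49152 File Visible: No Signed: -
Name: SYMEVENT.SYS
Image Path: C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
Address: 0xBA3E0000 Size: 131072 File Visible: Yes Signed: -
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x86a78170
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xba3e4020
#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x86e33fb0
"""

DRIVER_RE = re.compile(r"Name: (\S+)\s+Image Path: .*?\s+Address: (0x[0-9A-Fa-f]+) Size: (\d+)")
HOOK_RE = re.compile(r'#: (\d+) Function Name: (\w+)\s+Status: Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)')

def parse_drivers(report):
    """Map each listed driver to its [load address, end) range."""
    return {name: (int(addr, 16), int(addr, 16) + int(size))
            for name, addr, size in DRIVER_RE.findall(report)}

def parse_ssdt_hooks(report):
    """One (index, function, hooking module, hook address) tuple per SSDT entry."""
    return [(int(i), fn, mod, int(addr, 16)) for i, fn, mod, addr in HOOK_RE.findall(report)]

def resolve_owner(address, drivers):
    """Name of the listed driver whose image range covers the address, else None."""
    return next((n for n, (lo, hi) in drivers.items() if lo <= address < hi), None)

def triage(report):
    """Flag hooks RootRepeal could not attribute AND that fall outside every
    listed driver image: handler code living in kernel pool, not in a driver."""
    drivers = parse_drivers(report)
    return [(fn, mod, resolve_owner(addr, drivers),
             mod == "<unknown>" and resolve_owner(addr, drivers) is None)
            for _, fn, mod, addr in parse_ssdt_hooks(report)]

if __name__ == "__main__":
    for fn, mod, owner, bad in triage(SAMPLE_REPORT):
        print(f"{'SUSPICIOUS' if bad else 'ok':10} {fn:24} {mod} -> {owner}")
```

To use it on the full log, paste the Drivers and SSDT sections of RootRepeal.txt into SAMPLE_REPORT; blank lines between entries are tolerated by the patterns.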

  • Staff

Hi,

Let's skip that for now.

Update MBAM, run a Quick Scan, and post its log.

Please reboot to Safe Mode with Networking (tap the F8 key just before Windows starts to load and select the Safe Mode with Network option from the menu).

Do the redirects persist there? Are they browser specific?


Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6110

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

03.20.2011 2:01:34 PM

mbam-log-2011-03-20 (14-01-29).txt

Scan type: Quick scan

Objects scanned: 195948

Time elapsed: 6 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Under Safe Mode with Networking, the MSIE 7 Google redirects persist. I do not have and do not want to install another Web browser.


We have to review several topics here.

(1) IE8 is a security risk. XP SP2 is currently still under patch cover.

(2) What's the assessment of the RootRepeal log entries?

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xB9F07000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7A69000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB58C7000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

(3) What's the assessment of the DDS log entries?

==================== Find3M ====================

2011-02-11 00:48:40 66 ----a-w- c:\docume~1\marcel~1\applic~1\isfree4_0.tmp

2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll

(4) What's the post-review of the following Combofix deletions?

C:\install.exe

c:\windows\My.ini

c:\windows\system32\scvideo.dll

c:\windows\system32\twunk_32.exe

d:\\DPE.DUS

(5) How do you assess the following redirects?

Search for large-sized face images of "Michele Bachmann" (a member of the U.S. Congress). In the first search page, you find several images listed with "malkevnia.com" and "friendsforlife.in" domains. Notice that all of these images have legitimate "imgurl" parameters but malicious "imgrefurl" parameters added. I have replicated these phenomena on highly secure government systems.


  • 3 weeks later...
  • Root Admin

(1) IE8 is a security risk. XP SP2 is currently still under patch cover.

Not according to Microsoft it's not, but the reality is that is neither here nor there. I've been doing IT support for over 20 years with 15 years on a network of over 130,000 systems. Continuing to run SP2 is not a prudent decision from a security standpoint. If you have legacy applications that are in conflict with it then you really need to organize and work on a security project to bring the business up to newer standards as they are and will continue to be a weak link. Not that even Windows 7 is immune but it certainly is immune to dozens of attacks that XP SP2 is not.

From Microsoft Support

Important notice for users of Windows XP with Service Pack 2 (SP2):

The support for your product ended July 13, 2010! To ensure that you will receive all important security updates for Windows you need to upgrade to Windows XP with Service Pack 3 (SP3) or later versions such as Windows 7.

Internet Explorer 7 on Windows XP Professional Service Pack 2: Support ended - 13-Jul-2010

Internet Explorer 7 on Windows XP Professional Service Pack 3: Support ends 24 months after the next service pack releases or at the end of the product's support lifecycle, whichever comes first (21-Apr-08)

Both IE6 and IE7 will continue to be supported with Windows XP. They will continue to be supported until the end of support for Windows XP on April 8, 2014.

There is one other thing I should cover


Thanks for joining in.

Please also comment on my 5th point. I reappend it:

(5) How do you assess the following redirects?

Search for large-sized face images of "Michele Bachmann" (a member of the U.S. Congress). In the first search page, you find several images listed with "malkevnia.com" and "friendsforlife.in" domains. Notice that all of these images have legitimate "imgurl" parameters but malicious "imgrefurl" parameters added. I have replicated these phenomena on highly secure government systems.

We and many others in this forum may be on a wild goose chase. Google might have a gigantic problem.
