Blocked connections from opera/svchost


Hello,

After an incident with a file, and a cleanup using mbam, there are reports of attempts to connect to shady IPs originating from Opera and svchost.

For instance:

02:05:17 Mortbise IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 49169, Process: svchost.exe)

02:05:17 Mortbise IP-BLOCK 83.233.165.42 (Type: outgoing, Port: 49196, Process: opera.exe)

02:05:25 Mortbise IP-BLOCK 95.64.9.213 (Type: outgoing, Port: 49250, Process: opera.exe)

02:11:09 Mortbise IP-BLOCK 95.143.193.138 (Type: outgoing, Port: 49328, Process: opera.exe)

02:11:09 Mortbise IP-BLOCK 188.95.52.161 (Type: outgoing, Port: 49329, Process: opera.exe)

02:11:09 Mortbise IP-BLOCK 91.213.29.63 (Type: outgoing, Port: 49330, Process: opera.exe)

02:11:09 Mortbise IP-BLOCK 95.143.193.138 (Type: outgoing, Port: 49331, Process: opera.exe)

02:35:39 Mortbise IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55493, Process: svchost.exe)

02:45:41 Mortbise IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55494, Process: svchost.exe)

03:00:32 Mortbise IP-BLOCK 95.64.9.213 (Type: outgoing, Port: 55557, Process: opera.exe)

03:01:20 Mortbise IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 55582, Process: opera.exe)

03:01:20 Mortbise IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 55583, Process: opera.exe)

03:05:21 Mortbise IP-BLOCK 83.233.165.42 (Type: outgoing, Port: 55594, Process: opera.exe)

Here are the relevant logs; Ark.txt not included, since it's absolutely empty.

- - - - -

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6792

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

07/06/2011 03:08:27

mbam-log-2011-06-07 (03-08-27).txt

Scan type: Quick scan

Objects scanned: 159569

Time elapsed: 1 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

- - - - -

.

DDS (Ver_2011-06-03.01) - NTFSAMD64

Internet Explorer: 8.0.7600.16385

Run by Mortbise at 3:11:14 on 2011-06-07

Microsoft Windows

Attach.txt

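A short parser, added here as an example and not part of the original post or of Malwarebytes' own code, that turns IP-BLOCK lines like the ones above into a ranked triage list: a system process such as svchost.exe repeatedly reaching the same address is listed before one-off browser blocks. The line format is inferred from the quoted entries, so it is an assumption.

```python
"""Triage of Malwarebytes IP-BLOCK log lines.

Added example; not part of the original post and not Malwarebytes' own code.
It parses the IP-BLOCK lines that MBAM's protection module logs, groups
outbound blocks by (process, destination) and ranks them so that a system
process (svchost.exe) repeatedly reaching the same address comes before
one-off browser blocks. The line format is inferred from the entries
quoted in the thread and is an assumption.
"""
import re
from collections import Counter

# Constructed sample: a subset of the lines quoted in the first post.
SAMPLE_LOG = """\
02:05:17 Mortbise IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 49169, Process: svchost.exe)
02:05:17 Mortbise IP-BLOCK 83.233.165.42 (Type: outgoing, Port: 49196, Process: opera.exe)
02:11:09 Mortbise IP-BLOCK 95.143.193.138 (Type: outgoing, Port: 49328, Process: opera.exe)
02:11:09 Mortbise IP-BLOCK 95.143.193.138 (Type: outgoing, Port: 49331, Process: opera.exe)
02:35:39 Mortbise IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55493, Process: svchost.exe)
02:45:41 Mortbise IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55494, Process: svchost.exe)
03:01:20 Mortbise IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 55582, Process: opera.exe)
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<user>\S+)\s+IP-BLOCK\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(Type:\s*(?P<direction>\w+),\s*"
    r"Port:\s*(?P<port>\d+),\s*Process:\s*(?P<process>[^)]+)\)\s*$"
)

# Windows processes that should not be initiating connections to arbitrary hosts
# on their own; a block attributed to one of them is worth a look even once.
SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe"}


def parse_ip_block_lines(text):
    """Return one dict per well-formed IP-BLOCK line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["port"] = int(ev["port"])
        ev["process"] = ev["process"].strip().lower()
        events.append(ev)
    return events


def count_pairs(events):
    """Count outgoing blocks per (process, destination IP)."""
    return Counter((e["process"], e["ip"]) for e in events
                   if e["direction"].lower() == "outgoing")


def rank_findings(events, repeat_threshold=2):
    """Keep pairs that involve a system process or repeat at least
    `repeat_threshold` times; system-process pairs first, then by count."""
    findings = []
    for (proc, ip), n in count_pairs(events).items():
        is_system = proc in SYSTEM_PROCESSES
        if is_system or n >= repeat_threshold:
            findings.append({"process": proc, "ip": ip, "count": n,
                             "system_process": is_system})
    findings.sort(key=lambda f: (not f["system_process"], -f["count"], f["ip"]))
    return findings


if __name__ == "__main__":
    for f in rank_findings(parse_ip_block_lines(SAMPLE_LOG)):
        tag = "SYSTEM PROCESS" if f["system_process"] else "repeated"
        print("%-14s %-16s x%d  %s" % (f["process"], f["ip"], f["count"], tag))
```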
  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Hello, and thanks for answering.

I should start with a couple of things. First, I noticed redirection attempts when I search something on Google, that is, do a search, click a result, the page briefly tries to open then goes to lakyclktolakylock.com (with a hash-like string following). I had not noticed it 3 days ago but it was blocked anyway. Second, while ComboFix ran, it did a reboot after the phases, and both AntiVir and Mbam won't display their interface when double-clicked. Mbam, nothing happens; AV says "onDblclick() failed". They won't do anything when left-clicked and issued a command either.

Logs following:

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6822

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

09/06/2011 23:50:12

mbam-log-2011-06-09 (23-50-12).txt

Scan type: Quick scan

Objects scanned: 160362

Time elapsed: 2 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\3XQZ6EO4AP (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

- - - - - - - - -

ComboFix 11-06-09.04 - Mortbise 10/06/2011 0:07.1.2 - x64

Microsoft Windows

Adding some more info.

The protection from Mbam expired, so I'm left with the Windows FW to block those connections, which doesn't exactly make me feel safe (Windows Defender failed pretty hard at finding anything suspicious when I updated/ran it before Mbam). Wondering if I could proceed to install a real firewall (the Windows FW itself says if you fiddle with system processes it may not do it after all, so...). I used to have Jetico on my previous system, but was thinking about Comodo.

If that could be any help, I have of course the log of the first disinfection that Mbam performed (and that removed quite a number of unwanted files/reg keys). Gonna attach it just in case.

mbam-log-2011-06-07 (00-01-28).txt

  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

NetSvc::
lxlkcvnb
Driver::
lxlkcvnb

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317

  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

There was an odd detection from ESET about Unlocker, but that was about the installation file, not the utility itself. I had it scanned at jotti.org and there was just a warning from F-Prot about it being riskware. Else, nothing apparently.

Yet, it seems the hijacking of Google search links to that lakyclktolakylock.com domain is gone. I opened a few random searches, and it's not happening anymore, so something must have been cleaned.

But I'm sometimes getting a tab that opens itself and tries to go to some addresses. It has happened a few times since the first scans, as far as I remember, but with pretty long periods between attempts, and apparently only when I'm actively surfing. I didn't notice that immediately, since there can be a really long time between two of those, and at first I thought I had clicked on a link by mistake while browsing something. After these two scans I had one pop out, trying to open

http://dropinmall.net/?xurl=http://refresh-ccash.com/Izo4eJlx6Z7Mbco33799f1cb298a3a98484668775c17276127g&xref=http://dropinmall.net/default.pk?tsearch=jotti&search_button.x=0&search_button.y=0

after I thought about submitting Unlocker to a scan. I add them to my URL filter as they pop up but haven't gotten the same one twice so far.

I'd like to repeat my question about putting a real firewall to work, since the only unwanted activity I noticed at first was connections being blocked by Mbam, and I can't monitor that at all now.

Logs coming right up:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)

# OnlineScanner.ocx=1.0.0.6526

# api_version=3.0.2

# EOSSerial=

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-06-14 09:31:43

# local_time=2011-06-14 11:31:43 )

# country="France"

# lang=9

# osver=6.1.7600 NT

# compatibility_mode=1797 16775165 100 94 0 42248245 499332 0

# compatibility_mode=5893 16776574 100 94 750447 59715048 0 0

# compatibility_mode=8192 67108863 100 0 279 279 0 0

# scanned=141421

# found=2

# cleaned=2

# scan_time=1906

D:\Applis\Softs\Unlocker1.9.0-x64.exe Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C

D:\Raptor\D\Drivers\unlocker1.8.7.exe Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C

- - - - - - - - -

Results of screen317's Security Check version 0.99.13

Windows 7 (UAC is disabled!)

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Avira AntiVir Personal - Free Antivirus

ESET Online Scanner v3

WMI entry may not exist for antivirus; attempting automatic update.

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 23

Out of date Java installed!

Flash Player Out of Date!

Adobe Flash Player 10.1.102.64

Mozilla Firefox (3.6.13) Firefox Out of Date!

Mozilla Thunderbird (3.1.10) Thunderbird Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

``````````End of Log````````````

Urgh... This morning the hijacking of searches is back again. Nothing changed from yesterday evening though, didn't reboot, didn't even relaunch Opera and despite not happening at all yesterday... there it goes again. Had 2 pages open themselves (and getting promptly added to filter) also.

Scanning's done, just have to add some info I gathered since my last answer. The search hijack through ladysomething popped once, and never came back again. But I saw another search hijack through another domain (blocked as well so it opens nothing now). Still getting occasional tabs opening themselves here and there, but not sure what triggers them. I'm darn sure one popped as I was waiting for a video to buffer, so not touching anything. Those self-opening tabs sometimes include what I last submitted to a search but not necessarily.

Got more while manipulating logs... trying to open files, I'm getting a message about an unauthorized operation attempt on a registry key marked for deletion. Got the feeling the reboot from ComboFix allowed something nasty to finish installing itself.

Fresh CF + DDS:

ComboFix 11-06-16.02 - Mortbise 17/06/2011 16:11:33.3.2 - x64

Microsoft Windows

'Lo.

Should've been more specific: it's just the side effect of ComboFix that went away after a quick reboot. Just checked, there's still hijacking going on (well, at least, being blocked, it can't do anything except piss me off when I do searches). Self-opening tabs should still be floating around but I haven't pinpointed how those trigger so...

On another note, when I reboot sometimes Mbam agrees to re-enter protection mode, and still shows attempts to connect to potentially harmful IPs, from svchost and Opera.

Here goes.

Oh great, just why did steam.exe get this treatment?

- - - - - - - - -

ComboFix 11-06-22.03 - Mortbise 23/06/2011 12:16:49.4.2 - x64

Microsoft Windows 7 Édition Intégrale 6.1.7600.0.1252.33.1036.18.2047.1305 [GMT 2:00]

Lancé depuis: c:\users\Mortbise\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Un nouveau point de restauration a été créé

.

.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

d:\steam\Steam.exe

.

.

((((((((((((((((((((((((((((( Fichiers créés du 2011-05-23 au 2011-06-23 ))))))))))))))))))))))))))))))))))))

.

.

2011-06-23 10:20 . 2011-06-23 10:20 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-06-21 21:47 . 2011-06-22 15:14 -------- d-----w- c:\program files (x86)\Common Files\Steam

2011-06-21 19:56 . 2011-06-21 21:46 -------- d-----w- c:\users\Mortbise\AppData\Roaming\ImgBurn

2011-06-21 19:41 . 2011-06-21 19:41 -------- d-----w- c:\program files (x86)\ImgBurn

2011-06-17 14:17 . 2011-06-17 14:17 -------- d-----w- c:\users\Mortbise\AppData\Roaming\Locktime

2011-06-15 15:26 . 2011-06-15 15:26 -------- d-----w- c:\programdata\Locktime

2011-06-15 15:26 . 2011-06-15 15:26 -------- d-----w- c:\program files\NetLimiter 2 Monitor

2011-06-14 20:55 . 2011-06-14 20:55 -------- d-----w- c:\program files (x86)\ESET

2011-06-07 00:19 . 2011-06-07 00:19 -------- d-----w- c:\users\Mortbise\AppData\Roaming\Avira

2011-06-07 00:16 . 2011-06-07 00:16 -------- d-----w- c:\programdata\Avira

2011-06-07 00:16 . 2011-06-07 00:16 -------- d-----w- c:\program files (x86)\Avira

2011-06-07 00:16 . 2011-02-04 10:09 83120 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-07 00:16 . 2011-02-04 10:09 116568 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-06-06 21:56 . 2011-06-06 21:56 -------- d-----w- c:\users\Mortbise\AppData\Roaming\Malwarebytes

2011-06-06 21:39 . 2011-06-06 21:39 -------- d-----w- c:\programdata\Malwarebytes

2011-06-06 21:39 . 2011-05-29 07:11 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys

2011-06-06 21:39 . 2011-06-06 21:39 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2011-06-06 21:39 . 2011-05-29 07:11 25912 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-06 04:32 . 2011-05-24 17:12 8718160 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C0B8511F-8641-464D-9F37-4734AAF79515}\mpengine.dll

2011-06-03 13:37 . 2011-06-03 13:37 -------- d-----w- c:\users\Mortbise\AppData\Roaming\Braid

2011-06-01 22:13 . 2011-06-01 22:13 -------- d-----w- c:\users\Mortbise\AppData\Roaming\RenPy

2011-05-29 22:40 . 2011-05-29 22:40 -------- d-----w- c:\program files (x86)\Real Alternative

2011-05-29 22:40 . 2004-01-11 22:00 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll

2011-05-29 22:40 . 2003-03-19 03:14 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll

2011-05-26 15:46 . 2011-05-26 15:46 -------- d-----w- c:\program files (x86)\AC3Filter

2011-05-26 15:46 . 2009-08-11 19:22 580096 ----a-w- c:\windows\system32\ac3filter64.acm

2011-05-26 15:46 . 2009-08-11 19:18 497664 ----a-w- c:\windows\SysWow64\ac3filter.acm

2011-05-25 20:09 . 2011-05-25 20:09 -------- d-----w- c:\users\Mortbise\AppData\Local\Broad Intelligence

2011-05-24 21:34 . 2011-06-06 22:12 -------- d-----w- c:\users\Mortbise\AppData\Roaming\Downloaded Installations

.

.

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-24 17:14 . 2011-01-24 00:31 270720 ------w- c:\windows\system32\MpSigStub.exe

2011-04-02 01:20 . 2011-04-02 01:20 254528 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

.

.

((((((((((((((((((((((((((((( SnapShot@2011-06-09_22.12.18 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-14 04:54 . 2011-06-22 15:03 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2009-07-14 04:54 . 2011-06-09 00:17 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2009-07-14 04:54 . 2011-06-09 00:17 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2009-07-14 04:54 . 2011-06-22 15:03 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2011-01-24 10:34 . 2011-06-17 15:04 22294 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin

+ 2009-07-14 05:10 . 2011-06-17 15:04 36276 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2010-03-25 08:49 . 2010-03-25 08:49 89224 c:\windows\system32\drivers\nltdi.sys

- 2011-01-23 23:35 . 2011-06-07 00:15 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2011-01-23 23:35 . 2011-06-23 10:22 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2011-01-23 23:35 . 2011-06-07 00:15 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2011-01-23 23:35 . 2011-06-23 10:22 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2011-06-23 10:22 . 2011-06-23 10:22 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011062320110624\index.dat

+ 2011-06-18 08:59 . 2011-06-17 15:03 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011061820110619\index.dat

+ 2011-06-17 14:17 . 2011-06-17 15:03 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011061720110618\index.dat

+ 2009-07-14 04:54 . 2011-06-23 10:22 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2011-06-17 14:22 . 2011-06-17 14:22 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

+ 2009-07-14 04:46 . 2011-06-12 14:59 76432 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat

+ 2011-06-15 15:23 . 2011-06-15 15:23 88064 c:\windows\assembly\tmp\RQT89W9N\NLStatsIo.dll

+ 2011-01-24 09:07 . 2011-06-17 15:04 6410 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2488476480-2681069432-202012409-1000_UserData.bin

- 2011-06-09 22:11 . 2011-06-09 22:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2011-06-23 10:22 . 2011-06-23 10:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2009-07-14 04:54 . 2011-06-22 15:03 376832 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2009-07-14 04:54 . 2011-06-09 00:17 376832 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2009-07-14 15:24 . 2011-06-18 17:51 744568 c:\windows\system32\perfh00C.dat

- 2009-07-14 15:24 . 2011-06-07 00:06 744568 c:\windows\system32\perfh00C.dat

+ 2009-07-14 02:36 . 2011-06-18 17:51 651450 c:\windows\system32\perfh009.dat

- 2009-07-14 02:36 . 2011-06-07 00:06 651450 c:\windows\system32\perfh009.dat

- 2009-07-14 15:24 . 2011-06-07 00:06 148086 c:\windows\system32\perfc00C.dat

+ 2009-07-14 15:24 . 2011-06-18 17:51 148086 c:\windows\system32\perfc00C.dat

+ 2009-07-14 02:36 . 2011-06-18 17:51 120382 c:\windows\system32\perfc009.dat

- 2009-07-14 02:36 . 2011-06-07 00:06 120382 c:\windows\system32\perfc009.dat

- 2009-07-14 05:01 . 2011-05-26 17:11 280508 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2009-07-14 05:01 . 2011-06-23 10:20 280508 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2011-02-02 18:08 . 2011-06-23 10:20 1068144 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2488476480-2681069432-202012409-1000-12288.dat

+ 2011-04-15 12:19 . 2011-04-15 12:19 1606656 c:\windows\Installer\160c3a39.msi

.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"CTxfiHlp"="CTXFIHLP.EXE" [2010-05-05 25600]

"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-02-04 281768]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2011-5-18 1207312]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

R2 AMService;AMService;c:\windows\TEMP\dujn.tmp\setup.exe run [x]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]

R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-01-24 79360]

R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [x]

R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [x]

R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [x]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

R4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-07 378984]

S1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [x]

S2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-06-08 136360]

S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x64.sys [x]

S3 CorsairCAHS1;CA-HS1 Interface;c:\windows\system32\drivers\CAHS164.sys [x]

S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [x]

S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [x]

S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [x]

S3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]

.

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Bluetooth Connection Assistant"="LBTWIZ.EXE -silent" [X]

"CAHS1Sound"="c:\windows\Syswow64\CAHS1.dll" [2010-08-18 8724480]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576]

.

------- Examen supplémentaire -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://home.sweetim.com

mLocal Page = c:\windows\SysWOW64\blank.htm

TCP: Interfaces\{148A4B94-F0C7-43AC-8593-63BB2B89E5D1}: NameServer = 208.67.222.222 208.67.220.220

TCP: Interfaces\{791BD3EA-E531-40C9-80F3-7B8002471D1F}: NameServer = 212.27.40.240,212.27.40.241

FF - ProfilePath - c:\users\Mortbise\AppData\Roaming\Mozilla\Firefox\Profiles\goonw3lv.default\

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

- - - - ORPHELINS SUPPRIMES - - - -

.

Wow6432Node-HKCU-Run-Steam - d:\steam\steam.exe

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

AddRemove-Steam App 440 - d:\steam\steam.exe

.

.

.

--------------------- CLES DE REGISTRE BLOQUEES ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Autres processus actifs ------------------------

.

c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe

c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe

c:\windows\SysWOW64\rundll32.exe

c:\program files\Logitech\SetPoint\x86\SetPoint32.exe

.

**************************************************************************

.

Heure de fin: 2011-06-23 12:24:55 - La machine a redémarré

ComboFix-quarantined-files.txt 2011-06-23 10:24

ComboFix2.txt 2011-06-17 14:20

.

Avant-CF: 20 083 367 936 octets libres

Après-CF: 19 735 920 640 octets libres

.

- - End Of File - - 353DE0FDA80E4EEA32BC3D7CC12F0D48

- - - - - - - - -

.

DDS (Ver_2011-06-03.01) - NTFSAMD64

Internet Explorer: 8.0.7600.16385

Run by Mortbise at 12:26:57 on 2011-06-23

Microsoft Windows 7 Édition Intégrale 6.1.7600.0.1252.33.1036.18.2047.1164 [GMT 2:00]

.

AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe

C:\Windows\system32\nvvsvc.exe

C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\NetLimiter 2 Monitor\NLClient.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files\Logitech\SetPoint\LBTWiz.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

D:\IRC\NisScript\mirc.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\explorer.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://home.sweetim.com

mURLSearchHooks: H - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Program Files\Logitech\SetPoint\SetPoint.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

TCP: Interfaces\{148A4B94-F0C7-43AC-8593-63BB2B89E5D1} : NameServer = 208.67.222.222 208.67.220.220

TCP: Interfaces\{791BD3EA-E531-40C9-80F3-7B8002471D1F} : NameServer = 212.27.40.240,212.27.40.241

{DBC80044-A445-435b-BC74-9C25C1C588A9}

TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

mRun-x64: [CTxfiHlp] CTXFIHLP.EXE

mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Mortbise\AppData\Roaming\Mozilla\Firefox\Profiles\goonw3lv.default\

FF - plugin: C:\Program Files (x86)\Foxit Reader\plugins\npFoxitReaderPlugin.dll

FF - plugin: C:\Program Files (x86)\Foxit Reader\plugins\nppl3260.dll

FF - plugin: C:\Program Files (x86)\Foxit Reader\plugins\nprpjplug.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

============= SERVICES / DRIVERS ===============

.

R1 nltdi;nltdi;\??\C:\Windows\system32\drivers\nltdi.sys --> C:\Windows\system32\drivers\nltdi.sys [?]

R2 AntiVirSchedulerService;Avira AntiVir Planificateur;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-6-7 136360]

R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-6-7 269480]

R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\Windows\system32\DRIVERS\l160x64.sys --> C:\Windows\system32\DRIVERS\l160x64.sys [?]

R3 CorsairCAHS1;CA-HS1 Interface;C:\Windows\system32\drivers\CAHS164.sys --> C:\Windows\system32\drivers\CAHS164.sys [?]

R3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]

R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]

R3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]

R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R4 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-6-6 366640]

S2 AMService;AMService;C:\Windows\TEMP\dujn.tmp\setup.exe run --> C:\Windows\TEMP\dujn.tmp\setup.exe run [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-1-24 79360]

S3 CT20XUT;CT20XUT;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]

S3 CTEXFIFX;CTEXFIFX;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]

S3 CTHWIUT;CTHWIUT;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]

S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-1-7 378984]

.

=============== Created Last 30 ================

.

2011-06-23 10:15:22 98816 ----a-w- C:\Windows\sed.exe

2011-06-23 10:15:22 518144 ----a-w- C:\Windows\SWREG.exe

2011-06-23 10:15:22 256512 ----a-w- C:\Windows\PEV.exe

2011-06-23 10:15:22 208896 ----a-w- C:\Windows\MBR.exe

2011-06-21 21:47:44 -------- d-----w- C:\Program Files (x86)\Common Files\Steam

2011-06-17 14:17:45 -------- d-----w- C:\Users\Mortbise\AppData\Roaming\Locktime

2011-06-15 15:26:26 -------- d-----w- C:\ProgramData\Locktime

2011-06-15 15:26:23 -------- d-----w- C:\Program Files\NetLimiter 2 Monitor

2011-06-14 20:55:19 -------- d-----w- C:\Program Files (x86)\ESET

2011-06-07 00:19:51 -------- d-----w- C:\Users\Mortbise\AppData\Roaming\Avira

2011-06-07 00:16:09 83120 ----a-w- C:\Windows\System32\drivers\avgntflt.sys

2011-06-07 00:16:09 -------- d-----w- C:\ProgramData\Avira

2011-06-07 00:16:09 -------- d-----w- C:\Program Files (x86)\Avira

2011-06-06 21:56:03 -------- d-----w- C:\Users\Mortbise\AppData\Roaming\Malwarebytes

2011-06-06 21:39:56 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

2011-06-06 21:39:56 -------- d-----w- C:\ProgramData\Malwarebytes

2011-06-06 21:39:52 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-06-06 21:39:52 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-06-06 04:32:31 8718160 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C0B8511F-8641-464D-9F37-4734AAF79515}\mpengine.dll

2011-06-03 13:37:13 -------- d-----w- C:\Users\Mortbise\AppData\Roaming\Braid

2011-06-01 22:13:45 -------- d-----w- C:\Users\Mortbise\AppData\Roaming\RenPy

2011-05-29 22:40:48 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll

2011-05-29 22:40:48 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll

2011-05-29 22:40:48 -------- d-----w- C:\Program Files (x86)\Real Alternative

2011-05-26 15:46:17 580096 ----a-w- C:\Windows\System32\ac3filter64.acm

2011-05-26 15:46:17 497664 ----a-w- C:\Windows\SysWow64\ac3filter.acm

2011-05-26 15:46:17 -------- d-----w- C:\Program Files (x86)\AC3Filter

2011-05-25 20:09:01 -------- d-----w- C:\Users\Mortbise\AppData\Local\Broad Intelligence

2011-05-24 21:34:06 -------- d-----w- C:\Users\Mortbise\AppData\Roaming\Downloaded Installations

.

==================== Find3M ====================

.

2011-05-24 17:14:10 270720 ------w- C:\Windows\System32\MpSigStub.exe

2011-04-02 01:20:47 254528 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys

.

============= FINISH: 12:27:13,75 ===============

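A triage pass over the SERVICES / DRIVERS section of the DDS log above, as an added example (this is not code from the thread, from DDS or from Malwarebytes). The log lists a stopped auto-start service, AMService, whose image is C:\Windows\TEMP\dujn.tmp\setup.exe and for which DDS printed "[?]" instead of a date and size; whether it is connected to the infection the thread never says, but an auto-start service living in a temp directory is the entry a responder checks first. The script parses DDS's "state/start-type name;display;path [date size]" lines (the sample lines are copied from the log) and ranks entries by the number of flags they collect; the flag rules are my own assumptions, not DDS's.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log.

Added example for this thread, not part of DDS or the original posts. The
sample lines are copied from the DDS log above; the flag rules are my own
assumptions about what a responder looks at first.

DDS prefixes each entry with a state letter (R = running, S = stopped) and
the start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), then
"name;display name;image path [date size]".  When DDS cannot read the
image's details it prints "path --> path [?]" instead of the date and size.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the DDS log in the thread above.
SAMPLE_LOG = r"""
R1 nltdi;nltdi;\??\C:\Windows\system32\drivers\nltdi.sys --> C:\Windows\system32\drivers\nltdi.sys [?]
R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-6-7 269480]
R4 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-6-6 366640]
S2 AMService;AMService;C:\Windows\TEMP\dujn.tmp\setup.exe run --> C:\Windows\TEMP\dujn.tmp\setup.exe run [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
"""

ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# A path component named temp/tmp anywhere in the image path (assumed heuristic).
TEMP_DIR_RE = re.compile(r"\\(temp|tmp|local settings\\temp)\\", re.IGNORECASE)
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}


@dataclass
class ServiceEntry:
    state: str                 # "R" running, "S" stopped
    start_type: str            # decoded start type
    name: str
    display: str
    image: str                 # image path plus any arguments, as DDS printed it
    file_info_missing: bool    # True when DDS printed "[?]"
    reasons: list = field(default_factory=list)


def parse_entry(line: str):
    """Parse one DDS service/driver line; returns None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    missing = rest.endswith("[?]")
    if " --> " in rest:                      # DDS repeats the resolved path after the arrow
        rest = rest.split(" --> ", 1)[1]
    image = re.sub(r"\s*\[[^\]]*\]$", "", rest)   # drop trailing "[date size]" or "[?]"
    return ServiceEntry(m["state"], START_TYPES.get(m["start"], m["start"]),
                        m["name"], m["display"], image, missing)


def triage(log_text: str):
    """Return the entries that earned at least one flag, most-flagged first."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        if TEMP_DIR_RE.search(e.image):
            e.reasons.append("image path under a temp directory")
        if e.file_info_missing:
            e.reasons.append("DDS could not read file date/size")
        # A stopped auto-start entry is normal on its own (NGEN, for instance),
        # so it only adds weight when something else already looks off.
        if e.start_type == "auto" and e.state == "S" and e.reasons:
            e.reasons.append("auto-start entry that is not currently running")
        if e.reasons:
            findings.append(e)
    findings.sort(key=lambda e: len(e.reasons), reverse=True)
    return findings


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.name:20} {e.state}/{e.start_type:<8} {e.image}")
        for r in e.reasons:
            print(f"{'':20} - {r}")
```

Run it as-is to print the ranked findings, or feed triage() a whole DDS log. The "[?]" flag on its own is weak (nltdi.sys, which the log's "Created Last 30" section suggests belongs to the NetLimiter install, gets it too), which is why the stopped-auto-start flag only piles on once another flag is already present.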

  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

Dequarantine::
d:\steam\Steam.exe

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

What issues are you currently experiencing?

-screen317


Hello,

I've already dequarantined Steam.exe; it didn't take me long to locate it. ComboFix doesn't particularly hide its folder at the root of C:. I restored it to its place after a quick scan with MBAM and AntiVir, then a scan at http://virusscan.jotti.org/

Symptoms: still the same, just a lot less often. Still, I've seen one direct search hijack to ladysomething.com in the last... week, at least, if I remember correctly. I've never again seen a hijack with that other domain I had at some point.

Here and there, I get those self-opening tabs trying to open weird URLs.

http://campus.org/?xurl=http://refresh-ccash.com/qks2mkKp5O3mlhc1691304f8f698aa2e3579689a9174830105g&xref=http://campus.org/result.php?Keywords=image+mallet&r=1fb30fb6aff980a45f81e70f192882b17f55f3fae631304fbff124bf4b2e1e19f0e0f785fd990a0bbae36704da1c6f36&Submit=Go

This one tried its luck today, after a friend told me he was looking for a tool to flash the BIOS of an old laptop and I suggested a big mallet to him. I'm mentioning this because it's linked to a search I did previously: the keywords appear in the URL. But for some reason, it takes some time before the tab opens, and I'm talking minutes, not just a few seconds. Since refresh-cash.com is blocked it cannot do anything, and I add the domains invoked every time (so I blocked campus.org today, which might be why I see them less and less as time passes).


  • Staff

Hi,

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) (511 KB) to your desktop. Double-click aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time)
  • Please post the contents of that log in your next reply.

There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

-screen317


'Lo.

Apparently, you've hit the mark. aswMBR reported right away that it had found TDL4 in the MBR. Problem is, the scan then moved on to files and triggered a BSOD after fifteen-ish minutes, about aswMBR.sys trying to write to read-only memory. I re-scanned, the same warnings popped up, and I grabbed a partial log just in case. Which was a good idea: the scan triggered the same BSOD 30 s after I saved it (a lot faster than on the first attempt).

Here it is:

aswMBR version 0.9.7.675 Copyright© 2011 AVAST Software

Run date: 2011-07-01 14:32:21

-----------------------------

14:32:21.288 OS Version: Windows x64 6.1.7600

14:32:21.288 Number of processors: 2 586 0xF0B

14:32:21.288 ComputerName: MALIKA UserName:

14:32:21.824 Initialize success

14:32:25.691 AVAST engine defs: 11070101

14:32:53.561 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2

14:32:53.563 Disk 0 Vendor: WDC_WD1500HLFS-01G6U4 04.04V06 Size: 143089MB BusType: 3

14:32:53.564 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-3

14:32:53.567 Disk 1 Vendor: WDC_WD10EACS-00D6B0 01.01A01 Size: 953869MB BusType: 3

14:32:53.569 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP4T0L0-4

14:32:53.572 Disk 2 Vendor: WDC_WD5000AAKS-00TMA0 12.01C01 Size: 476940MB BusType: 3

14:32:53.574 Device \Driver\atapi -> MajorFunction fffffa80027dd6c0

14:32:55.578 Disk 0 MBR read successfully

14:32:55.582 Disk 0 MBR scan

14:32:55.584 Disk 0 TDL4@MBR code has been found

14:32:55.588 Disk 0 Windows 7 default MBR code found via API

14:32:55.591 Disk 0 MBR hidden

14:32:55.594 Disk 0 MBR [TDL4] **ROOTKIT**

14:32:55.599 Disk 0 trace - called modules:

14:32:55.606 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80027dd6c0]<<

14:32:55.611 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80027ca410]

14:32:55.614 3 CLASSPNP.SYS[fffff880018f143f] -> nt!IofCallDriver -> [0xfffffa800269f520]

14:32:55.618 5 ACPI.sys[fffff88000efd781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa800269b680]

14:32:55.622 \Driver\atapi[0xfffffa80027d2af0] -> IRP_MJ_CREATE -> 0xfffffa80027dd6c0

14:32:55.998 AVAST engine scan C:\Windows

14:34:34.652 Disk 0 MBR has been saved successfully to "C:\MBR.dat"

14:34:34.652 The log file has been saved successfully to "C:\aswMBR.txt"

- - - - - - - - -

I'll try running it again a third time, see if it manages to finish.

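What the aswMBR lines "TDL4@MBR code has been found", "Windows 7 default MBR code found via API" and "MBR hidden" amount to, as an added example that is not aswMBR's code: the scanner obtained sector 0 two ways, through the normal disk API and through its own driver, and the two copies disagreed in the boot-code region while the partition table stayed intact. The API copy looks like stock Windows 7 because something in the disk stack is filtering reads of that sector; the trace section of the same log points at an unknown module sitting in \Driver\atapi's dispatch table, which is where such filtering happens. The script below performs the same comparison on two constructed 512-byte images. The boot-code bytes are placeholders, not real Windows or TDL4 code, and the verdict names are my own.

```python
"""Cross-check a raw-disk MBR against the API view of the same sector.

Added example for this thread; it is not aswMBR's code.  A bootkit that
filters reads of sector 0 hands normal readers the original boot code while
different code sits on the platter.  Comparing the two views, region by
region, separates "code replaced, partitions untouched" (the classic hidden
MBR) from "partition table altered" and from a healthy disk.

The two images below are constructed stand-ins: the boot-code bytes are
placeholders and the partition layout is invented.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 0x1BE          # bytes 0x000..0x1BD hold the boot code
PARTITION_TABLE_LEN = 64       # four 16-byte entries at 0x1BE..0x1FD
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 0x1FE..0x1FF
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code: bytes, partition_table: bytes) -> bytes:
    """Assemble a sector from boot code, a 64-byte partition table and the signature."""
    if len(boot_code) > BOOT_CODE_LEN or len(partition_table) != PARTITION_TABLE_LEN:
        raise ValueError("bad MBR component sizes")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + partition_table + BOOT_SIGNATURE


def partition_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """One 16-byte entry; CHS fields carry the 0xFE/0xFF 'use LBA' filler."""
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\xFE\xFF\xFF",
                       ptype, b"\xFE\xFF\xFF", lba_start, sectors)


def parse_partitions(mbr: bytes):
    """Decode the four entries; empty slots (type 0) are skipped."""
    table = mbr[BOOT_CODE_LEN:BOOT_CODE_LEN + PARTITION_TABLE_LEN]
    out = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, table, i * 16)
        if ptype:
            out.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return out


def compare_views(raw_view: bytes, api_view: bytes) -> dict:
    """Classify a (raw read, API read) pair the way a rootkit scanner would."""
    if len(raw_view) != SECTOR or len(api_view) != SECTOR:
        raise ValueError("MBR images must be exactly one 512-byte sector")
    result = {
        "raw_signature_ok": raw_view[-2:] == BOOT_SIGNATURE,
        "api_signature_ok": api_view[-2:] == BOOT_SIGNATURE,
        "raw_boot_code_sha256": hashlib.sha256(raw_view[:BOOT_CODE_LEN]).hexdigest(),
        "api_boot_code_sha256": hashlib.sha256(api_view[:BOOT_CODE_LEN]).hexdigest(),
        "partition_tables_match": parse_partitions(raw_view) == parse_partitions(api_view),
    }
    code_match = result["raw_boot_code_sha256"] == result["api_boot_code_sha256"]
    if code_match and result["partition_tables_match"]:
        result["verdict"] = "consistent"
    elif not result["partition_tables_match"]:
        result["verdict"] = "partition-table-mismatch"
    else:
        # Same partitions, different code: the API view is being filtered.
        result["verdict"] = "hidden-mbr"
    return result


# --- Constructed sample data --------------------------------------------
TABLE = partition_entry(True, 0x07, 2048, 204800) + b"\x00" * 48
# Placeholder for stock boot code (real Windows code is not reproduced here).
CLEAN_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 32
# Placeholder for bootkit code: a different byte pattern in the same region.
INFECTED_CODE = b"\xEB\x3C\x90" + b"\xCC" * 64
API_VIEW = build_mbr(CLEAN_CODE, TABLE)       # what a normal API read returns
RAW_VIEW = build_mbr(INFECTED_CODE, TABLE)    # what is actually on the platter

if __name__ == "__main__":
    for label, raw in (("healthy", API_VIEW), ("infected", RAW_VIEW)):
        r = compare_views(raw, API_VIEW)
        print(f"{label:9} verdict={r['verdict']} partitions={parse_partitions(raw)}")
```

On a live system the two inputs would come from a user-mode read of \\.\PhysicalDrive0 and from a driver that bypasses the filtered path; offline, the same function works on an MBR.dat saved by a scanner and a known-good copy of the sector. Keeping the boot-code hash of a clean machine on record turns the "consistent" verdict into "consistent and matches baseline", which is the check worth scripting into a rebuild procedure.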

  • Staff

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility writes its runtime log to the root of the system disk (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt,

for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.


I am tempted to say "success".

TDSSKiller ran smoothly, said TDSS/TDL4 would be nuked upon reboot, and a re-scan didn't find anything.

I ran aswMBR as well, which didn't find anything either.

Apparently no attempt to hijack searches, and no self-opening tab (well, time will tell for those; one popped up this morning about a search from yesterday, but that was before cleaning).

Many thanks, it's been a long way.

TDSSKiller log incoming:

2011/07/05 11:30:35.0700 3776 TDSS rootkit removing tool 2.5.9.0 Jul 1 2011 18:45:21

2011/07/05 11:30:36.0198 3776 ================================================================================

2011/07/05 11:30:36.0198 3776 SystemInfo:

2011/07/05 11:30:36.0198 3776

2011/07/05 11:30:36.0198 3776 OS Version: 6.1.7600 ServicePack: 0.0

2011/07/05 11:30:36.0198 3776 Product type: Workstation

2011/07/05 11:30:36.0198 3776 ComputerName: MALIKA

2011/07/05 11:30:36.0198 3776 UserName: Mortbise

2011/07/05 11:30:36.0198 3776 Windows directory: C:\Windows

2011/07/05 11:30:36.0198 3776 System windows directory: C:\Windows

2011/07/05 11:30:36.0198 3776 Running under WOW64

2011/07/05 11:30:36.0198 3776 Processor architecture: Intel x64

2011/07/05 11:30:36.0198 3776 Number of processors: 2

2011/07/05 11:30:36.0198 3776 Page size: 0x1000

2011/07/05 11:30:36.0198 3776 Boot type: Normal boot

2011/07/05 11:30:36.0198 3776 ================================================================================

2011/07/05 11:30:38.0004 3776 Initialize success

2011/07/05 11:30:50.0163 3668 ================================================================================

2011/07/05 11:30:50.0163 3668 Scan started

2011/07/05 11:30:50.0163 3668 Mode: Manual;

2011/07/05 11:30:50.0163 3668 ================================================================================

2011/07/05 11:30:53.0148 3668 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys

2011/07/05 11:30:53.0182 3668 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys

2011/07/05 11:30:53.0200 3668 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys

2011/07/05 11:30:53.0229 3668 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys

2011/07/05 11:30:53.0262 3668 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys

2011/07/05 11:30:53.0295 3668 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys

2011/07/05 11:30:53.0349 3668 AFD (b9384e03479d2506bc924c16a3db87bc) C:\Windows\system32\drivers\afd.sys

2011/07/05 11:30:53.0369 3668 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\DRIVERS\agp440.sys

2011/07/05 11:30:53.0388 3668 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\DRIVERS\aliide.sys

2011/07/05 11:30:53.0398 3668 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\DRIVERS\amdide.sys

2011/07/05 11:30:53.0412 3668 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys

2011/07/05 11:30:53.0423 3668 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys

2011/07/05 11:30:53.0449 3668 amdsata (7a4b413614c055935567cf88a9734d38) C:\Windows\system32\DRIVERS\amdsata.sys

2011/07/05 11:30:53.0472 3668 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys

2011/07/05 11:30:53.0492 3668 amdxata (b4ad0cacbab298671dd6f6ef7e20679d) C:\Windows\system32\DRIVERS\amdxata.sys

2011/07/05 11:30:53.0539 3668 AppID (42fd751b27fa0e9c69bb39f39e409594) C:\Windows\system32\drivers\appid.sys

2011/07/05 11:30:53.0569 3668 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys

2011/07/05 11:30:53.0585 3668 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys

2011/07/05 11:30:53.0647 3668 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys

2011/07/05 11:30:53.0678 3668 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\DRIVERS\atapi.sys

2011/07/05 11:30:53.0704 3668 AtcL001 (940e5b876251e04fffe058ad71fe0f1c) C:\Windows\system32\DRIVERS\l160x64.sys

2011/07/05 11:30:53.0750 3668 avgntflt (39c2e2870fc0c2ae0595b883cbe716b4) C:\Windows\system32\DRIVERS\avgntflt.sys

2011/07/05 11:30:53.0764 3668 avipbb (c98fa6e5ad0e857d22716bd2b8b1f399) C:\Windows\system32\DRIVERS\avipbb.sys

2011/07/05 11:30:53.0797 3668 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys

2011/07/05 11:30:53.0833 3668 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys

2011/07/05 11:30:53.0859 3668 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys

2011/07/05 11:30:53.0895 3668 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys

2011/07/05 11:30:53.0910 3668 bowser (91ce0d3dc57dd377e690a2d324022b08) C:\Windows\system32\DRIVERS\bowser.sys

2011/07/05 11:30:53.0927 3668 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys

2011/07/05 11:30:53.0939 3668 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys

2011/07/05 11:30:53.0960 3668 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys

2011/07/05 11:30:53.0973 3668 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys

2011/07/05 11:30:53.0985 3668 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys

2011/07/05 11:30:53.0998 3668 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys

2011/07/05 11:30:54.0068 3668 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys

2011/07/05 11:30:54.0125 3668 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys

2011/07/05 11:30:54.0158 3668 cdrom (83d2d75e1efb81b3450c18131443f7db) C:\Windows\system32\DRIVERS\cdrom.sys

2011/07/05 11:30:54.0183 3668 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys

2011/07/05 11:30:54.0213 3668 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys

2011/07/05 11:30:54.0249 3668 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys

2011/07/05 11:30:54.0270 3668 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\DRIVERS\cmdide.sys

2011/07/05 11:30:54.0293 3668 CNG (f95fd4cb7da00ba2a63ce9f6b5c053e1) C:\Windows\system32\Drivers\cng.sys

2011/07/05 11:30:54.0314 3668 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys

2011/07/05 11:30:54.0377 3668 CompositeBus (f26b3a86f6fa87ca360b879581ab4123) C:\Windows\system32\DRIVERS\CompositeBus.sys

2011/07/05 11:30:54.0420 3668 CorsairCAHS1 (8d114f5d11eec8b75b7206235f045eee) C:\Windows\system32\drivers\CAHS164.sys

2011/07/05 11:30:54.0469 3668 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys

2011/07/05 11:30:54.0538 3668 CrystalSysInfo (5228b7a738dc90a06ae4f4a7412cb1e9) C:\Program Files\MediaCoder\SysInfoX64.sys

2011/07/05 11:30:54.0569 3668 CSC (4a6173c2279b498cd8f57cae504564cb) C:\Windows\system32\drivers\csc.sys

2011/07/05 11:30:54.0613 3668 CT20XUT (229e3b8f266abdafd54e4a372b9d5ddc) C:\Windows\system32\drivers\CT20XUT.SYS

2011/07/05 11:30:54.0632 3668 CT20XUT.SYS (229e3b8f266abdafd54e4a372b9d5ddc) C:\Windows\System32\drivers\CT20XUT.SYS

2011/07/05 11:30:54.0663 3668 ctac32k (eb3843a91a10150c9e05607cbcb44090) C:\Windows\system32\drivers\ctac32k.sys

2011/07/05 11:30:54.0688 3668 ctaud2k (bc06efb59a2316537765462dfe40f764) C:\Windows\system32\drivers\ctaud2k.sys

2011/07/05 11:30:54.0729 3668 CTEXFIFX (63b2b6ce9d3ef182981fb64bd5433da4) C:\Windows\system32\drivers\CTEXFIFX.SYS

2011/07/05 11:30:54.0827 3668 CTEXFIFX.SYS (63b2b6ce9d3ef182981fb64bd5433da4) C:\Windows\System32\drivers\CTEXFIFX.SYS

2011/07/05 11:30:54.0854 3668 CTHWIUT (6d115cc80873b85fd80dda1c41f75a2c) C:\Windows\system32\drivers\CTHWIUT.SYS

2011/07/05 11:30:54.0865 3668 CTHWIUT.SYS (6d115cc80873b85fd80dda1c41f75a2c) C:\Windows\System32\drivers\CTHWIUT.SYS

2011/07/05 11:30:54.0883 3668 ctprxy2k (ebc9548ef5838cb5aa8f18b3ac28af12) C:\Windows\system32\drivers\ctprxy2k.sys

2011/07/05 11:30:54.0902 3668 ctsfm2k (459bee1682121842285c162e2d98d81a) C:\Windows\system32\drivers\ctsfm2k.sys

2011/07/05 11:30:54.0935 3668 DfsC (3f1dc527070acb87e40afe46ef6da749) C:\Windows\system32\Drivers\dfsc.sys

2011/07/05 11:30:54.0955 3668 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys

2011/07/05 11:30:54.0982 3668 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys

2011/07/05 11:30:55.0029 3668 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys

2011/07/05 11:30:55.0065 3668 dtsoftbus01 (fb9bef3401ee5ecc2603311b9c64f44a) C:\Windows\system32\DRIVERS\dtsoftbus01.sys

2011/07/05 11:30:55.0103 3668 DXGKrnl (ebce0b0924835f635f620d19f0529dce) C:\Windows\System32\drivers\dxgkrnl.sys

2011/07/05 11:30:55.0230 3668 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys

2011/07/05 11:30:55.0319 3668 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys

2011/07/05 11:30:55.0348 3668 emupia (c26133b6165928fbd156c6fe570f9ed2) C:\Windows\system32\drivers\emupia2k.sys

2011/07/05 11:30:55.0364 3668 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\DRIVERS\errdev.sys

2011/07/05 11:30:55.0395 3668 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys

2011/07/05 11:30:55.0415 3668 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys

2011/07/05 11:30:55.0442 3668 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys

2011/07/05 11:30:55.0462 3668 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys

2011/07/05 11:30:55.0484 3668 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys

2011/07/05 11:30:55.0498 3668 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys

2011/07/05 11:30:55.0522 3668 FltMgr (f7866af72abbaf84b1fa5aa195378c59) C:\Windows\system32\drivers\fltmgr.sys

2011/07/05 11:30:55.0544 3668 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys

2011/07/05 11:30:55.0558 3668 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys

2011/07/05 11:30:55.0605 3668 fvevol (ae87ba80d0ec3b57126ed2cdc15b24ed) C:\Windows\system32\DRIVERS\fvevol.sys

2011/07/05 11:30:55.0660 3668 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys

2011/07/05 11:30:55.0720 3668 ha20x2k (a3f010d5dbfb589a3b3288c05c2ea3f9) C:\Windows\system32\drivers\ha20x2k.sys

2011/07/05 11:30:55.0772 3668 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys

2011/07/05 11:30:55.0807 3668 HdAudAddService (6410f6f415b2a5a9037224c41da8bf12) C:\Windows\system32\drivers\HdAudio.sys

2011/07/05 11:30:55.0824 3668 HDAudBus (0a49913402747a0b67de940fb42cbdbb) C:\Windows\system32\DRIVERS\HDAudBus.sys

2011/07/05 11:30:55.0835 3668 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys

2011/07/05 11:30:55.0848 3668 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys

2011/07/05 11:30:55.0867 3668 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys

2011/07/05 11:30:55.0898 3668 HidUsb (b3bf6b5b50006def50b66306d99fcf6f) C:\Windows\system32\DRIVERS\hidusb.sys

2011/07/05 11:30:55.0940 3668 HpSAMD (0886d440058f203eba0e1825e4355914) C:\Windows\system32\DRIVERS\HpSAMD.sys

2011/07/05 11:30:55.0974 3668 HTTP (cee049cac4efa7f4e1e4ad014414a5d4) C:\Windows\system32\drivers\HTTP.sys

2011/07/05 11:30:56.0002 3668 hwpolicy (f17766a19145f111856378df337a5d79) C:\Windows\system32\drivers\hwpolicy.sys

2011/07/05 11:30:56.0063 3668 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\DRIVERS\i8042prt.sys

2011/07/05 11:30:56.0088 3668 iaStorV (d83efb6fd45df9d55e9a1afc63640d50) C:\Windows\system32\DRIVERS\iaStorV.sys

2011/07/05 11:30:56.0108 3668 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys

2011/07/05 11:30:56.0128 3668 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\DRIVERS\intelide.sys

2011/07/05 11:30:56.0142 3668 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys

2011/07/05 11:30:56.0168 3668 IpFilterDriver (722dd294df62483cecaae6e094b4d695) C:\Windows\system32\DRIVERS\ipfltdrv.sys

2011/07/05 11:30:56.0184 3668 IPMIDRV (e2b4a4494db7cb9b89b55ca268c337c5) C:\Windows\system32\DRIVERS\IPMIDrv.sys

2011/07/05 11:30:56.0197 3668 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys

2011/07/05 11:30:56.0222 3668 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys

2011/07/05 11:30:56.0238 3668 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\DRIVERS\isapnp.sys

2011/07/05 11:30:56.0257 3668 iScsiPrt (fa4d2557de56d45b0a346f93564be6e1) C:\Windows\system32\DRIVERS\msiscsi.sys

2011/07/05 11:30:56.0278 3668 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys

2011/07/05 11:30:56.0300 3668 kbdhid (6def98f8541e1b5dceb2c822a11f7323) C:\Windows\system32\DRIVERS\kbdhid.sys

2011/07/05 11:30:56.0320 3668 KSecDD (e8b6fcc9c83535c67f835d407620bd27) C:\Windows\system32\Drivers\ksecdd.sys

2011/07/05 11:30:56.0347 3668 KSecPkg (a8c63880ef6f4d3fec7b616b9c060215) C:\Windows\system32\Drivers\ksecpkg.sys

2011/07/05 11:30:56.0372 3668 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys

2011/07/05 11:30:56.0454 3668 L8042Kbd (f33c5d79d3273530e1892a0922283a7b) C:\Windows\system32\DRIVERS\L8042Kbd.sys

2011/07/05 11:30:56.0507 3668 LHidFilt (b6552d382ff070b4ed34cbd6737277c0) C:\Windows\system32\DRIVERS\LHidFilt.Sys

2011/07/05 11:30:56.0547 3668 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys

2011/07/05 11:30:56.0567 3668 LMouFilt (73c1f563ab73d459dffe682d66476558) C:\Windows\system32\DRIVERS\LMouFilt.Sys

2011/07/05 11:30:56.0597 3668 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys

2011/07/05 11:30:56.0618 3668 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys

2011/07/05 11:30:56.0629 3668 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys

2011/07/05 11:30:56.0643 3668 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys

2011/07/05 11:30:56.0679 3668 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys

2011/07/05 11:30:56.0697 3668 LUsbFilt (9d9714e78eac9e5368208649489c920e) C:\Windows\system32\Drivers\LUsbFilt.Sys

2011/07/05 11:30:56.0733 3668 MBAMProtector (ed49fd1373de93617a1f6d128d98fe4d) C:\Windows\system32\drivers\mbam.sys

2011/07/05 11:30:56.0767 3668 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys

2011/07/05 11:30:56.0811 3668 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys

2011/07/05 11:30:56.0842 3668 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys

2011/07/05 11:30:56.0872 3668 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys

2011/07/05 11:30:56.0889 3668 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys

2011/07/05 11:30:56.0914 3668 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys

2011/07/05 11:30:56.0933 3668 mountmgr (791af66c4d0e7c90a3646066386fb571) C:\Windows\system32\drivers\mountmgr.sys

2011/07/05 11:30:56.0952 3668 mpio (609d1d87649ecc19796f4d76d4c15cea) C:\Windows\system32\DRIVERS\mpio.sys

2011/07/05 11:30:56.0983 3668 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys

2011/07/05 11:30:57.0006 3668 MRxDAV (30524261bb51d96d6fcbac20c810183c) C:\Windows\system32\drivers\mrxdav.sys

2011/07/05 11:30:57.0033 3668 mrxsmb (767a4c3bcf9410c286ced15a2db17108) C:\Windows\system32\DRIVERS\mrxsmb.sys

2011/07/05 11:30:57.0051 3668 mrxsmb10 (920ee0ff995fcfdeb08c41605a959e1c) C:\Windows\system32\DRIVERS\mrxsmb10.sys

2011/07/05 11:30:57.0077 3668 mrxsmb20 (740d7ea9d72c981510a5292cf6adc941) C:\Windows\system32\DRIVERS\mrxsmb20.sys

2011/07/05 11:30:57.0093 3668 msahci (5c37497276e3b3a5488b23a326a754b7) C:\Windows\system32\DRIVERS\msahci.sys

2011/07/05 11:30:57.0109 3668 msdsm (8d27b597229aed79430fb9db3bcbfbd0) C:\Windows\system32\DRIVERS\msdsm.sys

2011/07/05 11:30:57.0143 3668 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys

2011/07/05 11:30:57.0212 3668 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys

2011/07/05 11:30:57.0229 3668 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\DRIVERS\msisadrv.sys

2011/07/05 11:30:57.0264 3668 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys

2011/07/05 11:30:57.0274 3668 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys

2011/07/05 11:30:57.0287 3668 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys

2011/07/05 11:30:57.0309 3668 MsRPC (89cb141aa8616d8c6a4610fa26c60964) C:\Windows\system32\drivers\MsRPC.sys

2011/07/05 11:30:57.0326 3668 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys

2011/07/05 11:30:57.0344 3668 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys

2011/07/05 11:30:57.0367 3668 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys

2011/07/05 11:30:57.0406 3668 MTsensor (03b7145c889603537e9ffeabb1ad1089) C:\Windows\system32\DRIVERS\ASACPI.sys

2011/07/05 11:30:57.0428 3668 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys

2011/07/05 11:30:57.0461 3668 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys

2011/07/05 11:30:57.0506 3668 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\Windows\system32\drivers\ndis.sys

2011/07/05 11:30:57.0532 3668 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys

2011/07/05 11:30:57.0581 3668 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys

2011/07/05 11:30:57.0601 3668 Ndisuio (f105ba1e22bf1f2ee8f005d4305e4bec) C:\Windows\system32\DRIVERS\ndisuio.sys

2011/07/05 11:30:57.0623 3668 NdisWan (557dfab9ca1fcb036ac77564c010dad3) C:\Windows\system32\DRIVERS\ndiswan.sys

2011/07/05 11:30:57.0639 3668 NDProxy (659b74fb74b86228d6338d643cd3e3cf) C:\Windows\system32\drivers\NDProxy.sys

2011/07/05 11:30:57.0668 3668 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys

2011/07/05 11:30:57.0684 3668 NetBT (9162b273a44ab9dce5b44362731d062a) C:\Windows\system32\DRIVERS\netbt.sys

2011/07/05 11:30:57.0749 3668 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys

2011/07/05 11:30:57.0792 3668 nltdi (d4e38bf6563c88445fbdfdffe0308baf) C:\Windows\system32\drivers\nltdi.sys

2011/07/05 11:30:57.0807 3668 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys

2011/07/05 11:30:57.0824 3668 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys

2011/07/05 11:30:57.0864 3668 Ntfs (356698a13c4630d5b31c37378d469196) C:\Windows\system32\drivers\Ntfs.sys

2011/07/05 11:30:57.0954 3668 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys

2011/07/05 11:30:58.0166 3668 nvlddmkm (f12c5f17d48d9f5c70e4408b3ccb5443) C:\Windows\system32\DRIVERS\nvlddmkm.sys

2011/07/05 11:30:58.0377 3668 nvraid (3e38712941e9bb4ddbee00affe3fed3d) C:\Windows\system32\DRIVERS\nvraid.sys

2011/07/05 11:30:58.0398 3668 nvstor (477dc4d6deb99be37084c9ac6d013da1) C:\Windows\system32\DRIVERS\nvstor.sys

2011/07/05 11:30:58.0429 3668 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\DRIVERS\nv_agp.sys

2011/07/05 11:30:58.0446 3668 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\DRIVERS\ohci1394.sys

2011/07/05 11:30:58.0474 3668 ossrv (0e2de427ebe106e7e5b52869d5c99f68) C:\Windows\system32\drivers\ctoss2k.sys

2011/07/05 11:31:01.0239 3668 MBR (0x1B8) (de1996b5390bac8242e23168f828c750) \Device\Harddisk0\DR0

2011/07/05 11:31:01.0246 3668 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2011/07/05 11:31:01.0266 3668 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1

2011/07/05 11:31:01.0288 3668 MBR (0x1B8) (c99c3199cfaa4cbdcd91493f6d113a50) \Device\Harddisk2\DR2

2011/07/05 11:31:01.0302 3668 Boot (0x1200) (26dde283986bb7d28d6016f9b260786a) \Device\Harddisk0\DR0\Partition0

2011/07/05 11:31:01.0311 3668 Boot (0x1200) (ddc2d694f3dee5e91566a39918a4c5d0) \Device\Harddisk0\DR0\Partition1

2011/07/05 11:31:01.0326 3668 Boot (0x1200) (f6f1bd1f3c41048af8c399c39fb2c99e) \Device\Harddisk0\DR0\Partition2

2011/07/05 11:31:01.0339 3668 Boot (0x1200) (ad865e1f722e2f51d4819d8280150c6f) \Device\Harddisk1\DR1\Partition0

2011/07/05 11:31:01.0363 3668 Boot (0x1200) (c0d0ae3671c344841ae02bfdc9859f77) \Device\Harddisk1\DR1\Partition1

2011/07/05 11:31:01.0382 3668 Boot (0x1200) (b97e3e43f2cac22116fa984419330430) \Device\Harddisk1\DR1\Partition2

2011/07/05 11:31:01.0392 3668 Boot (0x1200) (953b5402aba24ac4e292be3f2b0c7297) \Device\Harddisk2\DR2\Partition0

2011/07/05 11:31:01.0409 3668 Boot (0x1200) (cbd325493ee6887ddcd96347f5c079c4) \Device\Harddisk2\DR2\Partition1

2011/07/05 11:31:01.0429 3668 Boot (0x1200) (07079a21eabfdd77272a0787c4f1b72c) \Device\Harddisk2\DR2\Partition2

2011/07/05 11:31:01.0433 3668 ================================================================================

2011/07/05 11:31:01.0433 3668 Scan finished

2011/07/05 11:31:01.0433 3668 ================================================================================

2011/07/05 11:31:01.0444 2256 Detected object count: 1

2011/07/05 11:31:01.0444 2256 Actual detected object count: 1

2011/07/05 11:31:20.0086 2256 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot

2011/07/05 11:31:20.0087 2256 \Device\Harddisk0\DR0 - ok

2011/07/05 11:31:20.0130 2256 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure

2011/07/05 11:31:29.0657 0576 Deinitialize success

  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are both checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

This topic is now closed to further replies.