BleepingComputer.com: svchost.exe memory leak

Good Afternoon,

For the last week or so I have been running into a problem with one of the svchost.exe processes being an extreme resource hog. I ran process explorer to see what services were associated with the particular instance of svchost.exe and there are quite a few and I'm unsure which of them is causing the leak. If I end the process, my computer of course speeds up quickly but then starts to bog down a few minutes later.

I'm unsure exactly how much information you need right off the bat to help potentially diagnose my problem, so I'll just give you a cliff notes version of what I'm running.

Sony Viao
Microsoft Windows XP Home Edition V. 2002 SP3
2.8 Pentium 4
1.5 GB Ram
ESET NOD32 Virus Scanner
Only a handful of items running at Startup.

Let me know if you need more info - I'll be more than happy to elaborate
Thank you
Erin


Edit: Moved topic from XP to the more appropriate forum. Changed font size for easier staff readability ~ Animal

Welcome aboard

Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
Click on View > Select Colunms.
In addition to already pre-selected options, make sure, the Command Line is selected, and press OK.
Go File>Save As, and save the report as Procexp.txt.
Paste it into your next reply.

Process PID CPU Private Bytes Working Set Description Company Name Command Line
System Idle Process 0 1.30 0 K 16 K
System 4 0 K 216 K
Interrupts n/a 3.25 0 K 0 K Hardware Interrupts and DPCs
smss.exe 616 176 K 428 K Windows NT Session Manager Microsoft Corporation \SystemRoot\System32\smss.exe
csrss.exe 668 1.95 1,824 K 4,840 K Client Server Runtime Process Microsoft Corporation C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
winlogon.exe 700 6,012 K 2,020 K Windows NT Logon Application Microsoft Corporation winlogon.exe
services.exe 744 3,132 K 5,556 K Services and Controller app Microsoft Corporation C:\WINDOWS\system32\services.exe
svchost.exe 928 3,000 K 4,920 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost -k DcomLaunch
wmiprvse.exe 180 3,988 K 5,176 K WMI Microsoft Corporation C:\WINDOWS\system32\wbem\wmiprvse.exe
svchost.exe 996 2,984 K 4,792 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost -k rpcss
MsMpEng.exe 1092 170,432 K 85,024 K Antimalware Service Executable Microsoft Corporation "C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe"
svchost.exe 1332 3,000 K 4,424 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k NetworkService
svchost.exe 1436 5,436 K 7,048 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k LocalService
spoolsv.exe 1548 3,388 K 5,420 K Spooler SubSystem App Microsoft Corporation C:\WINDOWS\system32\spoolsv.exe
UMVPFSrv.exe 1592 1,796 K 2,764 K Logitech User mode UMVPF service Logitech Inc. "C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe"
svchost.exe 1668 3,056 K 4,664 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k LocalService
AppleMobileDeviceService.exe 1696 2,200 K 3,904 K Apple Mobile Device Service Apple Inc. "C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe"
mDNSResponder.exe 1708 2,312 K 4,012 K Bonjour Service Apple Inc. "C:\Program Files\Bonjour\mDNSResponder.exe"
ekrn.exe 1740 70,244 K 68,800 K ESET Service ESET
jqs.exe 1904 3,252 K 1,832 K Java™ Quick Starter Service Sun Microsystems, Inc. "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
nvsvc32.exe 1948 2,728 K 4,364 K NVIDIA Driver Helper Service, Version 178.24 NVIDIA Corporation C:\WINDOWS\system32\nvsvc32.exe
svchost.exe 1052 2,432 K 4,376 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k imgsvc
wdfmgr.exe 1068 1,824 K 2,536 K Windows User Mode Driver Manager Microsoft Corporation C:\WINDOWS\system32\wdfmgr.exe
ViewpointService.exe 1200 1,728 K 2,784 K ViewMgr Viewpoint Corporation "C:\Program Files\Viewpoint\Common\ViewpointService.exe"
alg.exe 2020 2,256 K 3,880 K Application Layer Gateway Service Microsoft Corporation C:\WINDOWS\System32\alg.exe
svchost.exe 3676 2,636 K 3,612 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k HTTPFilter
svchost.exe 2152 76.37 389,872 K 409,520 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k netsvcs
msiexec.exe 3388 6,476 K 11,672 K Windows® installer Microsoft Corporation C:\WINDOWS\System32\msiexec.exe /V
msiexec.exe 924 2,152 K 3,652 K Windows® installer Microsoft Corporation C:\WINDOWS\System32\MsiExec.exe -Embedding D9C920241BC7B6ADDB29717D548E9EC0 M Global\MSI0000
lsass.exe 756 4,972 K 1,376 K LSA Shell (Export Version) Microsoft Corporation C:\WINDOWS\system32\lsass.exe
explorer.exe 2248 25,040 K 32,536 K Windows Explorer Microsoft Corporation C:\WINDOWS\Explorer.EXE
emMON.exe 2536 2,136 K 3,756 K BDA Monitor Application eMPIA Technology, Inc. "C:\WINDOWS\emMON.exe"
rundll32.exe 2544 2,516 K 3,912 K Run a DLL as an App Microsoft Corporation "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
egui.exe 2588 1.65 2,968 K 3,892 K ESET GUI ESET
ezSP_Px.exe 2652 1,816 K 3,060 K ezSP_Px MFC Application Easy Systems Japan Ltd. "C:\WINDOWS\system32\ezSP_Px.exe"
QTTask.exe 2660 1,732 K 2,796 K QuickTime Task Apple Inc. "C:\Program Files\QuickTime\qttask.exe" -atboottime
msseces.exe 2668 5,104 K 10,464 K Microsoft Security Client User Interface Microsoft Corporation "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
firefox.exe 3852 3.30 188,308 K 207,188 K Firefox Mozilla Corporation "D:\firefox\firefox.exe"
plugin-container.exe 1020 0.55 52,212 K 58,696 K Plugin Container for Firefox Mozilla Corporation "D:\firefox\plugin-container.exe" --channel=3852.7c65580.164043513 "C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll" - -omnijar D:\firefox\omni.jar 3852 \\.\pipe\gecko-crash-server-pipe.3852 plugin
winamp.exe 3876 9.89 29,280 K 11,744 K Winamp Nullsoft "D:\Winamp\winamp.exe"
LastFM.exe 4088 29,200 K 20,076 K Last.fm Last.fm "C:\Program Files\Last.fm\LastFM.exe" --tray
procexp.exe 3552 0.55 9,528 K 13,692 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com "C:\Documents and Settings\Erin\My Documents\Downloads\ProcessExplorer\procexp.exe"

This seems to be the main issue:

Quote

I suspect, your computer may be infected.

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:

• Report IE Proxy Settings
  
• Report FF Proxy Settings
  
• List content of Hosts
  
• List IP configuration
  
• List last 10 Event Viewer log
  
• List Users, Partitions and Memory size

Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
ESET NOD32 Antivirus
Microsoft Security Essentials
```````````````````````````````
Anti-malware/Other Utilities Check:
Spybot - Search & Destroy
CCleaner
Java™ 6 Update 26
Out of date Java installed!
Adobe Flash Player 9 (Out of date Flash Player installed!)
Adobe Flash Player 10.3.181.26
Adobe Reader 7.0
Out of date Adobe Reader installed!
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````

when i try and post the minitoolbox results, it crashes my browser - how odd.

attached the txt file it created

This post has been edited by pyropixie: 13 July 2011 - 10:31 PM

Upload the file(s) here: http://www.filedropper.com/
Post download link (copy URL: link):

http://www.filedropper.com/minitoolbox

im running malwarebytes right now and will run the other in a few

This post has been edited by pyropixie: 13 July 2011 - 10:33 PM

OK.

MiniToolBox by Farbar
Ran by Erin (administrator) on 13-07-2011 at 20:13:38
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

== End of IE Proxy Settings ==

========================= FF Proxy Settings: ==============================


== End of FF Proxy Settings ==
Hosts file not detected in the default diroctory
================= IP Configuration: =======================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : Pixie

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : hsd1.ca.comcast.net.



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . : hsd1.ca.comcast.net.

Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection

Physical Address. . . . . . . . . : 00-0C-6E-FC-3A-71

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.0.100

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.0.1

DHCP Server . . . . . . . . . . . : 192.168.0.1

DNS Servers . . . . . . . . . . . : 192.168.0.1

Lease Obtained. . . . . . . . . . : Wednesday, July 13, 2011 5:46:54 PM

Lease Expires . . . . . . . . . . : Wednesday, July 20, 2011 5:46:54 PM

Server: UnKnown
Address: 192.168.0.1

Name: google.com
Addresses: 74.125.224.145, 74.125.224.146, 74.125.224.144, 74.125.224.148
74.125.224.147



Pinging google.com [74.125.224.83] with 32 bytes of data:



Reply from 74.125.224.83: bytes=32 time=13ms TTL=55

Reply from 74.125.224.83: bytes=32 time=19ms TTL=55



Ping statistics for 74.125.224.83:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 13ms, Maximum = 19ms, Average = 16ms

Server: UnKnown
Address: 192.168.0.1

Name: yahoo.com
Addresses: 98.137.149.56, 209.191.122.70, 67.195.160.76, 69.147.125.65
72.30.2.43



Pinging yahoo.com [72.30.2.43] with 32 bytes of data:



Reply from 72.30.2.43: bytes=32 time=17ms TTL=52

Reply from 72.30.2.43: bytes=32 time=20ms TTL=52



Ping statistics for 72.30.2.43:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 17ms, Maximum = 20ms, Average = 18ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=64

Reply from 127.0.0.1: bytes=32 time<1ms TTL=64



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 6e fc 3a 71 ...... Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.100 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.0.100 192.168.0.100 20
192.168.0.0 255.255.255.0 192.168.0.100 192.168.0.100 20
192.168.0.100 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.100 192.168.0.100 20
224.0.0.0 240.0.0.0 192.168.0.100 192.168.0.100 20
255.255.255.255 255.255.255.255 192.168.0.100 192.168.0.100 1
Default Gateway: 192.168.0.1
===========================================================================
Persistent Routes:
None

== End of IP Configuration ==

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/13/2011 08:02:12 PM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Error: (07/13/2011 07:37:50 PM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Error: (07/13/2011 07:08:29 PM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Error: (07/13/2011 06:45:15 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (07/13/2011 06:45:14 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The connection with the server was terminated abnormally

Error: (07/13/2011 06:44:41 PM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Error: (07/13/2011 06:42:05 PM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Error: (07/13/2011 06:40:58 PM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Error: (07/13/2011 06:29:01 PM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Error: (07/13/2011 04:13:37 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.


System errors:
=============
Error: (07/13/2011 07:43:00 PM) (Source: Service Control Manager) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:
%%1056

Error: (07/13/2011 05:47:14 PM) (Source: Service Control Manager) (User: )
Description: The MSCamSvc service failed to start due to the following error:
%%3


Microsoft Office Sessions:
=========================
Error: (07/13/2011 08:02:12 PM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (07/13/2011 07:37:50 PM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (07/13/2011 07:08:29 PM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (07/13/2011 06:45:15 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.

Error: (07/13/2011 06:45:14 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe connection with the server was terminated abnormally

Error: (07/13/2011 06:44:41 PM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (07/13/2011 06:42:05 PM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (07/13/2011 06:40:58 PM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (07/13/2011 06:29:01 PM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (07/13/2011 04:13:37 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.


== End of Event log errors ==

========================= Memory info: ====================================

Percentage of memory in use: 58%
Total physical RAM: 1535.36 MB
Available physical RAM: 631.71 MB
Total Pagefile: 3434.92 MB
Available Pagefile: 2624.08 MB
Total Virtual: 2047.88 MB
Available Virtual: 2003.71 MB

======================= Partitions: =======================================

2 Drive c: () (Fixed) (Total:36.49 GB) (Free:10.04 GB) NTFS
3 Drive d: () (Fixed) (Total:58.35 GB) (Free:10.97 GB) NTFS
6 Drive h: (My Book) (Fixed) (Total:931.28 GB) (Free:572.72 GB) FAT32

================= Users: ==================================================

User accounts for \\

-------------------------------------------------------------------------------
Administrator ASPNET Erin
Guest HelpAssistant SUPPORT_388945a0
The command completed with one or more errors.

== End of Users ==

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7122

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/13/2011 8:38:13 PM
mbam-log-2011-07-13 (20-38-13).txt

Scan type: Quick scan
Objects scanned: 170911
Time elapsed: 18 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro2009 (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\antiviruspro2009 (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Erin\local settings\Temp\wrdwn5 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Erin\local settings\Temp\wrdwn8 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Cool.
...and GMER...

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-13 21:00:32
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Maxtor_6Y120P0 rev.YAR41BW0
Running: jcd52gm4.exe; Driver: C:\DOCUME~1\Erin\LOCALS~1\Temp\uxtdapod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xAA13E610]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xAA13EC10]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xAA13E730]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xAA13E4B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xAA13E570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xAA13E6D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xAA13E790]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xAA13E690]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xAA13E650]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xAA13E7D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xAA13E510]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xAA13E590]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xAA13E4D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xAA13E5D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xAA13E750]

---- Kernel code sections - GMER 1.0.15 ----

? nwmgwu.sys The system cannot find the file specified. !
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB8531360, 0x32E00D, 0xE8000020]

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

Download TDSSKiller and save it to your desktop.

• Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

2011/07/13 21:05:23.0781 4040 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/13 21:05:24.0421 4040 ================================================================================
2011/07/13 21:05:24.0421 4040 SystemInfo:
2011/07/13 21:05:24.0421 4040
2011/07/13 21:05:24.0421 4040 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/13 21:05:24.0421 4040 Product type: Workstation
2011/07/13 21:05:24.0421 4040 ComputerName: PIXIE
2011/07/13 21:05:24.0421 4040 UserName: Erin
2011/07/13 21:05:24.0421 4040 Windows directory: C:\WINDOWS
2011/07/13 21:05:24.0421 4040 System windows directory: C:\WINDOWS
2011/07/13 21:05:24.0421 4040 Processor architecture: Intel x86
2011/07/13 21:05:24.0421 4040 Number of processors: 2
2011/07/13 21:05:24.0421 4040 Page size: 0x1000
2011/07/13 21:05:24.0421 4040 Boot type: Normal boot
2011/07/13 21:05:24.0421 4040 ================================================================================
2011/07/13 21:05:26.0921 4040 Initialize success
2011/07/13 21:05:36.0359 1020 ================================================================================
2011/07/13 21:05:36.0359 1020 Scan started
2011/07/13 21:05:36.0359 1020 Mode: Manual;
2011/07/13 21:05:36.0359 1020 ================================================================================
2011/07/13 21:05:37.0625 1020 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/13 21:05:37.0750 1020 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/07/13 21:05:37.0921 1020 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/07/13 21:05:37.0984 1020 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/07/13 21:05:38.0078 1020 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/07/13 21:05:38.0187 1020 AgereSoftModem (f1a97570ea402493bcc22246e8141ae6) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/07/13 21:05:38.0281 1020 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/07/13 21:05:38.0609 1020 ALCXWDM (18d0ae5bc1d09d55bd6837a409bb2ffc) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2011/07/13 21:05:38.0906 1020 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/07/13 21:05:39.0187 1020 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/13 21:05:39.0265 1020 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/13 21:05:39.0437 1020 ati2mtag (5c14ed10c8f55968ad87e2ed0df5a745) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/07/13 21:05:39.0578 1020 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/13 21:05:39.0687 1020 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/13 21:05:39.0781 1020 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/13 21:05:39.0906 1020 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/13 21:05:40.0000 1020 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/07/13 21:05:40.0156 1020 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/13 21:05:40.0250 1020 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/13 21:05:40.0328 1020 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/13 21:05:40.0734 1020 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/13 21:05:40.0890 1020 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/13 21:05:41.0015 1020 DMICall (526192bf7696f72e29777bf4a180513a) C:\WINDOWS\system32\DRIVERS\DMICall.sys
2011/07/13 21:05:41.0109 1020 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/13 21:05:41.0218 1020 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/13 21:05:41.0312 1020 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/07/13 21:05:41.0453 1020 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/07/13 21:05:41.0546 1020 E1000 (2476936f4994e9084ccfe75ed4f6226a) C:\WINDOWS\system32\DRIVERS\e1000325.sys
2011/07/13 21:05:41.0671 1020 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/07/13 21:05:41.0812 1020 eamon (d42dd9021acd47683b33adf21bca49aa) C:\WINDOWS\system32\DRIVERS\eamon.sys
2011/07/13 21:05:41.0921 1020 ehdrv (fe7824239d132ad9ebd8645fe1199b30) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
2011/07/13 21:05:42.0031 1020 EL90X (653394706ff5634f4b5180b8294badb1) C:\WINDOWS\system32\DRIVERS\el90xnd5.sys
2011/07/13 21:05:42.0109 1020 epfwtdir (aa0667eb9a92414abb784c101a6c7fec) C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
2011/07/13 21:05:42.0234 1020 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/13 21:05:42.0312 1020 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/07/13 21:05:42.0390 1020 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/13 21:05:42.0484 1020 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/07/13 21:05:42.0562 1020 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/07/13 21:05:42.0671 1020 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/13 21:05:42.0781 1020 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/07/13 21:05:42.0906 1020 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/07/13 21:05:43.0015 1020 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/13 21:05:43.0140 1020 hamachi (7929a161f9951d173ca9900fe7067391) C:\WINDOWS\system32\DRIVERS\hamachi.sys
2011/07/13 21:05:43.0218 1020 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/07/13 21:05:43.0390 1020 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/13 21:05:43.0562 1020 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/13 21:05:43.0656 1020 ialm (1406d6ef4436aee970efe13193123965) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/07/13 21:05:43.0765 1020 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/07/13 21:05:43.0875 1020 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/07/13 21:05:43.0937 1020 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/07/13 21:05:44.0000 1020 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/07/13 21:05:44.0093 1020 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/07/13 21:05:44.0187 1020 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/07/13 21:05:44.0250 1020 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/13 21:05:44.0328 1020 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/13 21:05:44.0375 1020 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/13 21:05:44.0437 1020 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/13 21:05:44.0515 1020 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/13 21:05:44.0593 1020 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/07/13 21:05:44.0640 1020 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/07/13 21:05:44.0687 1020 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/13 21:05:44.0937 1020 MBAMProtector (3d2c13377763eeac0ca6fb46f57217ed) C:\WINDOWS\system32\drivers\mbam.sys
2011/07/13 21:05:45.0015 1020 MBAMSwissArmy (b309912717c29fc67e1ba4730a82b6dd) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011/07/13 21:05:45.0125 1020 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/13 21:05:45.0187 1020 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/13 21:05:45.0250 1020 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/13 21:05:45.0328 1020 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/07/13 21:05:45.0390 1020 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/13 21:05:45.0468 1020 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys
2011/07/13 21:05:45.0562 1020 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/07/13 21:05:45.0828 1020 MpKsl5215fbf4 (5f53edfead46fa7adb78eee9ecce8fdf) C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2F58C9D9-0996-47AE-AD4C-6C555BD4090B}\MpKsl5215fbf4.sys
2011/07/13 21:05:45.0921 1020 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/13 21:05:46.0078 1020 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/13 21:05:46.0203 1020 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/13 21:05:46.0296 1020 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/13 21:05:46.0390 1020 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/13 21:05:46.0468 1020 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/13 21:05:46.0546 1020 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/13 21:05:46.0656 1020 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/07/13 21:05:46.0750 1020 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/13 21:05:46.0859 1020 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/07/13 21:05:46.0953 1020 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/13 21:05:46.0984 1020 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/07/13 21:05:47.0062 1020 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/13 21:05:47.0140 1020 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/13 21:05:47.0218 1020 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/13 21:05:47.0328 1020 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/13 21:05:47.0437 1020 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/13 21:05:47.0531 1020 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/13 21:05:47.0671 1020 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/07/13 21:05:47.0750 1020 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/13 21:05:47.0843 1020 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/13 21:05:47.0984 1020 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/13 21:05:48.0593 1020 nv (83780f3a86d2804912f22f6e37cd2254) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/07/13 21:05:48.0765 1020 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/13 21:05:48.0921 1020 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/13 21:05:49.0015 1020 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/07/13 21:05:49.0140 1020 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/07/13 21:05:49.0203 1020 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/13 21:05:49.0312 1020 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/13 21:05:49.0406 1020 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/13 21:05:49.0531 1020 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/07/13 21:05:49.0625 1020 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/07/13 21:05:50.0031 1020 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/13 21:05:50.0125 1020 PQNTDrv (4228630829c0e521c43d882a00533374) C:\WINDOWS\system32\drivers\PQNTDrv.sys
2011/07/13 21:05:50.0171 1020 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/07/13 21:05:50.0234 1020 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/13 21:05:50.0375 1020 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/13 21:05:50.0500 1020 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
2011/07/13 21:05:50.0625 1020 QCMerced (d8ec7e2fbf3b8d66ff8f435338be41fe) C:\WINDOWS\system32\DRIVERS\LVCM.sys
2011/07/13 21:05:51.0078 1020 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/13 21:05:51.0140 1020 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/13 21:05:51.0234 1020 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/13 21:05:51.0312 1020 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/13 21:05:51.0421 1020 Razerlow (116c340acf37602d12cac6de6b8107cd) C:\WINDOWS\system32\Drivers\Razerlow.sys
2011/07/13 21:05:51.0468 1020 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/13 21:05:51.0593 1020 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/13 21:05:51.0671 1020 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/13 21:05:51.0796 1020 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/13 21:05:51.0906 1020 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2011/07/13 21:05:51.0937 1020 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/07/13 21:05:52.0078 1020 rtl8139 (d0ac0b0355a3ffb85eb77b083cd0627c) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS
2011/07/13 21:05:52.0187 1020 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/13 21:05:52.0296 1020 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/07/13 21:05:52.0390 1020 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/07/13 21:05:52.0500 1020 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/07/13 21:05:52.0625 1020 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/07/13 21:05:52.0718 1020 smrt (b9b97c295f65a84b62ecf68882823a15) C:\WINDOWS\system32\DRIVERS\smrt.sys
2011/07/13 21:05:52.0843 1020 smwdm (22f5db6724fea2f330e1f5ee44af93ea) C:\WINDOWS\system32\drivers\smwdm.sys
2011/07/13 21:05:52.0937 1020 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/13 21:05:53.0015 1020 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/13 21:05:53.0109 1020 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/13 21:05:53.0187 1020 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/07/13 21:05:53.0234 1020 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/13 21:05:53.0312 1020 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/13 21:05:53.0562 1020 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/13 21:05:53.0640 1020 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/13 21:05:53.0718 1020 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/13 21:05:53.0781 1020 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/13 21:05:53.0859 1020 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/13 21:05:54.0031 1020 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/13 21:05:54.0171 1020 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/13 21:05:54.0328 1020 USB28xxBGA (68a00f7bd18bc3af2d98a75142e1c74e) C:\WINDOWS\system32\DRIVERS\emBDA.sys
2011/07/13 21:05:54.0421 1020 USB28xxOEM (d52f4fc7788d670a78b2c253717b5330) C:\WINDOWS\system32\DRIVERS\emOEM.sys
2011/07/13 21:05:54.0484 1020 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/07/13 21:05:54.0625 1020 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/07/13 21:05:54.0781 1020 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/07/13 21:05:54.0906 1020 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/13 21:05:54.0984 1020 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/13 21:05:55.0062 1020 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/07/13 21:05:55.0187 1020 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/07/13 21:05:55.0281 1020 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/13 21:05:55.0328 1020 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/07/13 21:05:55.0406 1020 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/07/13 21:05:55.0578 1020 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/13 21:05:55.0718 1020 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/13 21:05:56.0312 1020 VX1000 (21a4ce7973727f84338a0137571b9937) C:\WINDOWS\system32\DRIVERS\VX1000.sys
2011/07/13 21:05:56.0640 1020 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/13 21:05:56.0859 1020 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/13 21:05:57.0031 1020 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/07/13 21:05:57.0171 1020 {6080A529-897E-4629-A488-ABA0C29B635E} (fd1f4e9cf06c71c8d73a24acf18d8296) C:\WINDOWS\system32\drivers\ialmsbw.sys
2011/07/13 21:05:57.0296 1020 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (d4d7331d33d1fa73e588e5ce0d90a4c1) C:\WINDOWS\system32\drivers\ialmkchw.sys
2011/07/13 21:05:57.0343 1020 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/07/13 21:05:57.0343 1020 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/07/13 21:05:57.0359 1020 MBR (0x1B8) (8ff255184f078c9c04e6a2ce66117c5c) \Device\Harddisk1\DR4
2011/07/13 21:05:57.0406 1020 Boot (0x1200) (5926137c8adb6c091906c245c4df3d57) \Device\Harddisk0\DR0\Partition0
2011/07/13 21:05:57.0437 1020 Boot (0x1200) (90524acabee663e4ac6d86ace4acf799) \Device\Harddisk0\DR0\Partition1
2011/07/13 21:05:57.0453 1020 Boot (0x1200) (141528bf5d25e2041b74aa4789ed03c2) \Device\Harddisk1\DR4\Partition0
2011/07/13 21:05:57.0468 1020 ================================================================================
2011/07/13 21:05:57.0468 1020 Scan finished
2011/07/13 21:05:57.0468 1020 ================================================================================
2011/07/13 21:05:57.0515 2040 Detected object count: 1
2011/07/13 21:05:57.0515 2040 Actual detected object count: 1
2011/07/13 21:06:08.0203 2040 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/07/13 21:06:08.0203 2040 \Device\Harddisk0\DR0 - ok
2011/07/13 21:06:08.0203 2040 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/07/13 21:06:52.0750 3768 Deinitialize success