search engine links redirecting


This topic is locked
4 replies to this topic

#1 petyc220

petyc220

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:18 AM

Posted 18 July 2010 - 08:52 PM

Links on google.com and bing.com are redirecting to obvious spam and malware sites. Any ideas on how to fix this? Thanks in advance for your help.


DDS (Ver_10-03-17.01) - NTFSx86
Run by max at 18:16:41.31 on Sun 07/18/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2038.1323 [GMT -7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\rpcnet.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\max\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_06\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {9FAFB576-6933-4CCC-AB3D-B988EC43D04E} - hxxp://rsdownload.rising.com.cn/rs2010/online/ravolctl.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL

============= SERVICES / DRIVERS ===============

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 RsOlHost;Rising Online Scan Service;c:\program files\rising\ravol\rsolhost.exe [2010-3-17 146072]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-27 1343400]

=============== Created Last 30 ================

2010-07-10 04:31:43 0 d-----w- c:\program files\Garmin
2010-07-09 05:36:44 0 d-----w- c:\program files\Microsoft Synchronization Services
2010-07-09 05:35:57 0 d-----w- c:\windows\PCHEALTH
2010-07-09 05:35:57 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-07-09 05:34:09 0 d-----w- c:\program files\Microsoft Visual Studio 8
2010-07-09 05:33:12 0 d-----w- c:\program files\Microsoft Analysis Services
2010-07-09 05:32:13 0 d-----w- c:\programdata\Microsoft Help
2010-07-09 03:38:52 0 d-----w- c:\program files\AVG

==================== Find3M ====================

2010-07-19 00:55:47 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-07-19 00:55:44 57752 ----a-w- c:\windows\system32\rpcnet.dll
2010-05-31 00:53:59 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-05-12 18:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-23 07:13:36 2048 ----a-w- c:\windows\system32\tzres.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-27 05:16:40 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-12-18 06:43:27 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-12-18 06:43:27 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-12-18 06:43:27 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 18:17:27.34 ===============


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:18 AM

Posted 18 July 2010 - 09:53 PM

Hi, petyc220

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK. (If Vista, click on the Vista Orb, copy and paste the following into the Search field (make sure you include the quotation marks), then press Ctrl+Shift+Enter.)


    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.

Please download Malwarebytes' Anti-Malware from Here. Never download Malwarebytes' Anti-Malware from other sources.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  4. Double click on combofix.exe & follow the prompts.
  5. Install the Recovery Console if prompted.
  6. When finished, it will produce a report for you.
  7. Please post the "C:\ComboFix.txt".
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
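An analyst-side triage helper for the TDSSKiller log the reply above asks for, added here as an example; it is not part of the thread and not part of Kaspersky's tool. It parses the 2.3.x log layout posted later in this thread (timestamp, PID, message), including the case where two records end up on one physical line, and its sample input is constructed from that posted log.

```python
"""Triage a TDSSKiller log: surface the verdict lines an analyst acts on.

Added example (not the thread's material, not Kaspersky's code). Parses the
"HH:MM:SS:mmm PID message" layout of TDSSKiller 2.3.x logs.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the log posted in this thread. The line
# starting 'File "..." infected' is kept as posted, with two records fused
# onto one physical line.
SAMPLE_LOG = r"""20:38:19:545 3728 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
20:38:19:857 3728 Initialize success
20:38:19:857 3728 Scanning Services ...
20:38:21:448 3728 Raw services enum returned 446 services
20:38:21:448 3728 Scanning Drivers ...
20:38:28:015 3728 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
20:38:28:031 3728 mssmbios (442ed07a1e6e7745eb80b2681f608c12) C:\Windows\system32\DRIVERS\mssmbios.sys
20:38:28:031 3728 Suspicious file (Forged): C:\Windows\system32\DRIVERS\mssmbios.sys. Real md5: 442ed07a1e6e7745eb80b2681f608c12, Fake md5: fc6b9ff600cc585ea38b12589bd4e246
20:38:28:031 3728 File "C:\Windows\system32\DRIVERS\mssmbios.sys" infected by TDSS rootkit ... 20:38:28:265 3728 Backup copy found, using it..
20:38:28:312 3728 will be cured on next reboot
20:38:28:327 3728 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
"""

STAMP = r"\d{2}:\d{2}:\d{2}:\d{3} \d+ "
RECORD_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3}) (\d+) (.*)$")
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})$"
)
INFECTED_RE = re.compile(r'^File "(.+?)" infected by (.+?) \.\.\.')
VERSION_RE = re.compile(r"^TDSS rootkit removing tool (\S+)")


@dataclass
class Finding:
    path: str
    kind: str              # "forged" (digest mismatch) or "infected" (tool verdict)
    real_md5: str = ""     # digest the tool labels as the file's real content
    fake_md5: str = ""     # digest the tool labels as forged (what normal reads see)
    family: str = ""       # what the tool says infected the file


@dataclass
class Triage:
    tool_version: str = ""
    drivers_seen: int = 0
    findings: list = field(default_factory=list)
    pending_cure: bool = False   # a fix is scheduled for the next reboot


def split_records(text):
    """Return (timestamp, pid, message) tuples; repairs records fused on one line."""
    records = []
    for physical in text.splitlines():
        # A timestamp appearing mid-line marks the start of a second record.
        for piece in re.split(r" (?=" + STAMP + ")", physical.strip()):
            m = RECORD_RE.match(piece)
            if m:
                records.append(m.groups())
    return records


def triage_tdsskiller(text):
    """Reduce a TDSSKiller log to counts and the findings worth acting on."""
    t = Triage()
    for _stamp, _pid, msg in split_records(text):
        if m := VERSION_RE.match(msg):
            t.tool_version = m.group(1)
        elif m := FORGED_RE.match(msg):
            t.findings.append(Finding(m.group(1), "forged", real_md5=m.group(2), fake_md5=m.group(3)))
        elif m := INFECTED_RE.match(msg):
            t.findings.append(Finding(m.group(1), "infected", family=m.group(2)))
        elif msg.startswith("will be cured on next reboot"):
            t.pending_cure = True
        elif DRIVER_RE.match(msg):
            t.drivers_seen += 1
    return t


def forged_paths(t):
    """Paths whose two digests disagree: normal reads are being served different bytes."""
    return sorted({f.path for f in t.findings if f.kind == "forged" and f.real_md5 != f.fake_md5})


if __name__ == "__main__":
    result = triage_tdsskiller(SAMPLE_LOG)
    print(f"TDSSKiller {result.tool_version}: {result.drivers_seen} drivers enumerated")
    for f in result.findings:
        print(f"  [{f.kind}] {f.path} {f.family or f.fake_md5}")
    if result.pending_cure:
        print("  a cure is scheduled: reboot, then rescan to confirm the file is clean")
```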


#3 petyc220

petyc220
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:18 AM

Posted 18 July 2010 - 11:34 PM

Thanks! Here's the info. It looked like TDSS and MBAM fixed some stuff, so I'm going to try things out after I post this.


20:38:19:545 3728 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
20:38:19:545 3728 ================================================================================
20:38:19:545 3728 SystemInfo:

20:38:19:545 3728 OS Version: 6.1.7600 ServicePack: 0.0
20:38:19:545 3728 Product type: Workstation
20:38:19:545 3728 ComputerName: JEN-PC
20:38:19:545 3728 UserName: jen
20:38:19:545 3728 Windows directory: C:\Windows
20:38:19:545 3728 System windows directory: C:\Windows
20:38:19:545 3728 Processor architecture: Intel x86
20:38:19:545 3728 Number of processors: 2
20:38:19:545 3728 Page size: 0x1000
20:38:19:545 3728 Boot type: Normal boot
20:38:19:545 3728 ================================================================================
20:38:19:857 3728 Initialize success
20:38:19:857 3728
20:38:19:857 3728 Scanning Services ...
20:38:21:448 3728 Raw services enum returned 446 services
20:38:21:448 3728
20:38:21:448 3728 Scanning Drivers ...
20:38:23:663 3728 1394ohci (6d2aca41739bfe8cb86ee8e85f29697d) C:\Windows\system32\DRIVERS\1394ohci.sys
20:38:23:741 3728 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\Windows\system32\DRIVERS\ACPI.sys
20:38:23:772 3728 AcpiPmi (98d81ca942d19f7d9153b095162ac013) C:\Windows\system32\DRIVERS\acpipmi.sys
20:38:23:803 3728 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
20:38:23:866 3728 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
20:38:23:944 3728 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
20:38:24:006 3728 AFD (ddc040fdb01ef1712a6b13e52afb104c) C:\Windows\system32\drivers\afd.sys
20:38:24:022 3728 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\DRIVERS\agp440.sys
20:38:24:053 3728 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
20:38:24:100 3728 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\DRIVERS\aliide.sys
20:38:24:115 3728 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\DRIVERS\amdagp.sys
20:38:24:147 3728 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\DRIVERS\amdide.sys
20:38:24:193 3728 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
20:38:24:209 3728 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
20:38:24:240 3728 amdsata (2101a86c25c154f8314b24ef49d7fbc2) C:\Windows\system32\DRIVERS\amdsata.sys
20:38:24:303 3728 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
20:38:24:318 3728 amdxata (b81c2b5616f6420a9941ea093a92b150) C:\Windows\system32\DRIVERS\amdxata.sys
20:38:24:334 3728 AppID (feb834c02ce1e84b6a38f953ca067706) C:\Windows\system32\drivers\appid.sys
20:38:24:349 3728 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
20:38:24:381 3728 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
20:38:24:412 3728 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
20:38:24:427 3728 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\DRIVERS\atapi.sys
20:38:24:459 3728 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
20:38:24:505 3728 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
20:38:24:568 3728 BCM43XX (eb7c2dadf52f50f69f198c14c3556dc1) C:\Windows\system32\DRIVERS\bcmwl6.sys
20:38:24:599 3728 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
20:38:24:630 3728 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
20:38:24:646 3728 bowser (fcafaef6798d7b51ff029f99a9898961) C:\Windows\system32\DRIVERS\bowser.sys
20:38:24:677 3728 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
20:38:24:693 3728 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
20:38:24:739 3728 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
20:38:24:771 3728 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
20:38:24:786 3728 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
20:38:24:802 3728 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
20:38:24:817 3728 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
20:38:24:864 3728 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
20:38:24:895 3728 cdrom (ba6e70aa0e6091bc39de29477d866a77) C:\Windows\system32\DRIVERS\cdrom.sys
20:38:24:911 3728 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
20:38:24:958 3728 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
20:38:24:989 3728 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
20:38:25:005 3728 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\DRIVERS\cmdide.sys
20:38:25:036 3728 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
20:38:25:067 3728 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
20:38:25:083 3728 CompositeBus (f1724ba27e97d627f808fb0ba77a28a6) C:\Windows\system32\DRIVERS\CompositeBus.sys
20:38:25:098 3728 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
20:38:25:161 3728 CSC (27c9490bdd0ae48911ab8cf1932591ed) C:\Windows\system32\drivers\csc.sys
20:38:25:192 3728 DfsC (8e09e52ee2e3ceb199ef3dd99cf9e3fb) C:\Windows\system32\Drivers\dfsc.sys
20:38:25:207 3728 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
20:38:25:239 3728 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
20:38:25:270 3728 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
20:38:25:317 3728 DXGKrnl (8b6c3464d7fac176500061dbfff42ad4) C:\Windows\System32\drivers\dxgkrnl.sys
20:38:25:441 3728 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
20:38:25:566 3728 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
20:38:25:597 3728 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\DRIVERS\errdev.sys
20:38:25:629 3728 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
20:38:25:644 3728 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
20:38:25:675 3728 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
20:38:25:707 3728 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
20:38:25:738 3728 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
20:38:25:753 3728 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
20:38:25:785 3728 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
20:38:25:816 3728 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
20:38:25:831 3728 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
20:38:25:878 3728 fvevol (dafbd9fe39197495aed6d51f3b85b5d2) C:\Windows\system32\DRIVERS\fvevol.sys
20:38:25:909 3728 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
20:38:25:941 3728 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
20:38:25:972 3728 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
20:38:26:019 3728 HdAudAddService (3530cad25deba7dc7de8bb51632cbc5f) C:\Windows\system32\drivers\HdAudio.sys
20:38:26:237 3728 HDAudBus (717a2207fd6f13ad3e664c7d5a43c7bf) C:\Windows\system32\DRIVERS\HDAudBus.sys
20:38:26:518 3728 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
20:38:26:533 3728 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
20:38:26:549 3728 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
20:38:26:580 3728 HidUsb (25072fb35ac90b25f9e4e3bacf774102) C:\Windows\system32\DRIVERS\hidusb.sys
20:38:26:596 3728 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\DRIVERS\HpSAMD.sys
20:38:26:643 3728 HTTP (c531c7fd9e8b62021112787c4e2c5a5a) C:\Windows\system32\drivers\HTTP.sys
20:38:26:658 3728 hwpolicy (8305f33cde89ad6c7a0763ed0b5a8d42) C:\Windows\system32\drivers\hwpolicy.sys
20:38:26:689 3728 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\DRIVERS\i8042prt.sys
20:38:26:721 3728 iaStorV (934af4d7c5f457b9f0743f4299b77b67) C:\Windows\system32\DRIVERS\iaStorV.sys
20:38:26:908 3728 igfx (ad626f6964f4d364d226c39e06872dd3) C:\Windows\system32\DRIVERS\igdkmd32.sys
20:38:26:955 3728 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
20:38:26:970 3728 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\DRIVERS\intelide.sys
20:38:27:001 3728 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
20:38:27:017 3728 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
20:38:27:048 3728 IPMIDRV (e4454b6c37d7ffd5649611f6496308a7) C:\Windows\system32\DRIVERS\IPMIDrv.sys
20:38:27:064 3728 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
20:38:27:079 3728 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
20:38:27:111 3728 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\DRIVERS\isapnp.sys
20:38:27:142 3728 iScsiPrt (ed46c223ae46c6866ab77cdc41c404b7) C:\Windows\system32\DRIVERS\msiscsi.sys
20:38:27:173 3728 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
20:38:27:189 3728 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\Windows\system32\DRIVERS\kbdhid.sys
20:38:27:251 3728 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\Windows\system32\drivers\klmd.sys
20:38:27:282 3728 KSecDD (e36a061ec11b373826905b21be10948f) C:\Windows\system32\Drivers\ksecdd.sys
20:38:27:329 3728 KSecPkg (365c6154bbbc5377173f1ca7bfb6cc59) C:\Windows\system32\Drivers\ksecpkg.sys
20:38:27:345 3728 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
20:38:27:376 3728 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
20:38:27:391 3728 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
20:38:27:423 3728 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
20:38:27:438 3728 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
20:38:27:454 3728 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
20:38:27:485 3728 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
20:38:27:516 3728 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
20:38:27:532 3728 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
20:38:27:563 3728 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
20:38:27:579 3728 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
20:38:27:594 3728 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
20:38:27:625 3728 mountmgr (921c18727c5920d6c0300736646931c2) C:\Windows\system32\drivers\mountmgr.sys
20:38:27:641 3728 mpio (2af5997438c55fb79d33d015c30e1974) C:\Windows\system32\DRIVERS\mpio.sys
20:38:27:672 3728 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
20:38:27:688 3728 MRxDAV (b1be47008d20e43da3adc37c24cdb89d) C:\Windows\system32\drivers\mrxdav.sys
20:38:27:735 3728 mrxsmb (f1b6aa08497ea86ca6ef6f7a08b0bfb8) C:\Windows\system32\DRIVERS\mrxsmb.sys
20:38:27:766 3728 mrxsmb10 (5613358b4050f46f5a9832da8050d6e4) C:\Windows\system32\DRIVERS\mrxsmb10.sys
20:38:27:797 3728 mrxsmb20 (25c9792778d80feb4c8201e62281bfdf) C:\Windows\system32\DRIVERS\mrxsmb20.sys
20:38:27:828 3728 msahci (4326d168944123f38dd3b2d9c37a0b12) C:\Windows\system32\DRIVERS\msahci.sys
20:38:27:844 3728 msdsm (455029c7174a2dbb03dba8a0d8bddd9a) C:\Windows\system32\DRIVERS\msdsm.sys
20:38:27:875 3728 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
20:38:27:891 3728 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
20:38:27:922 3728 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\DRIVERS\msisadrv.sys
20:38:27:953 3728 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
20:38:27:969 3728 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
20:38:27:984 3728 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
20:38:28:015 3728 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
20:38:28:031 3728 mssmbios (442ed07a1e6e7745eb80b2681f608c12) C:\Windows\system32\DRIVERS\mssmbios.sys
20:38:28:031 3728 Suspicious file (Forged): C:\Windows\system32\DRIVERS\mssmbios.sys. Real md5: 442ed07a1e6e7745eb80b2681f608c12, Fake md5: fc6b9ff600cc585ea38b12589bd4e246
20:38:28:031 3728 File "C:\Windows\system32\DRIVERS\mssmbios.sys" infected by TDSS rootkit ... 20:38:28:265 3728 Backup copy found, using it..
20:38:28:312 3728 will be cured on next reboot
20:38:28:327 3728 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
20:38:28:343 3728 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
20:38:28:390 3728 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
20:38:28:421 3728 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
20:38:28:515 3728 NDIS (23759d175a0a9baaf04d05047bc135a8) C:\Windows\system32\drivers\ndis.sys
20:38:28:546 3728 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
20:38:28:561 3728 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
20:38:28:593 3728 Ndisuio (b30ae7f2b6d7e343b0df32e6c08fce75) C:\Windows\system32\DRIVERS\ndisuio.sys
20:38:28:608 3728 NdisWan (267c415eadcbe53c9ca873dee39cf3a4) C:\Windows\system32\DRIVERS\ndiswan.sys
20:38:28:624 3728 NDProxy (af7e7c63dcef3f8772726f86039d6eb4) C:\Windows\system32\drivers\NDProxy.sys
20:38:28:639 3728 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
20:38:28:671 3728 NetBT (dd52a733bf4ca5af84562a5e2f963b91) C:\Windows\system32\DRIVERS\netbt.sys
20:38:28:702 3728 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
20:38:28:717 3728 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
20:38:28:733 3728 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
20:38:28:795 3728 Ntfs (3795dcd21f740ee799fb7223234215af) C:\Windows\system32\drivers\Ntfs.sys
20:38:28:827 3728 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
20:38:28:858 3728 nvraid (3f3d04b1d08d43c16ea7963954ec768d) C:\Windows\system32\DRIVERS\nvraid.sys
20:38:28:873 3728 nvstor (c99f251a5de63c6f129cf71933aced0f) C:\Windows\system32\DRIVERS\nvstor.sys
20:38:32:399 3728 Reboot required for cure complete..
20:38:32:727 3728 Cure on reboot scheduled successfully
20:38:32:727 3728
20:38:32:727 3728 Completed
20:38:32:727 3728
20:38:32:727 3728 Results:
20:38:32:727 3728 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:38:32:727 3728 File objects infected / cured / cured on reboot: 1 / 0 / 1
20:38:32:727 3728
20:38:32:727 3728 KLMD(ARK) unloaded successfully



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4325

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/18/2010 9:04:49 PM
mbam-log-2010-07-18 (21-04-49).txt

Scan type: Quick scan
Objects scanned: 126886
Time elapsed: 5 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 116

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:



ComboFix 10-07-16.02 - max 07/18/2010 21:19:54.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2038.1502 [GMT -7:00]
Running from: c:\users\max\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-19 04:26 . 2010-07-19 04:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-19 03:55 . 2010-07-19 03:55 -------- d-----w- c:\users\max\AppData\Roaming\Malwarebytes
2010-07-19 03:55 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-19 03:55 . 2010-07-19 03:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-19 03:55 . 2010-07-19 03:55 -------- d-----w- c:\programdata\Malwarebytes
2010-07-19 03:55 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-11 03:19 . 2010-07-11 03:19 -------- d-----w- c:\windows\Sun
2010-07-10 04:31 . 2010-07-10 04:31 -------- d-----w- c:\program files\DIFX
2010-07-10 04:31 . 2010-07-10 04:31 -------- d-----w- c:\program files\Garmin
2010-07-09 05:36 . 2010-07-09 05:36 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-07-09 05:35 . 2010-07-09 05:35 -------- d-----w- c:\windows\PCHEALTH
2010-07-09 05:35 . 2010-07-09 05:35 -------- d-----w- c:\program files\Microsoft.NET
2010-07-09 05:35 . 2010-07-09 05:35 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-07-09 05:35 . 2010-07-09 05:35 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-07-09 05:34 . 2010-07-09 05:34 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-07-09 05:33 . 2010-07-09 05:33 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-07-09 05:32 . 2010-07-09 05:32 -------- d-----w- c:\users\max\AppData\Local\Microsoft Help
2010-07-09 05:32 . 2010-07-09 05:41 -------- d-----w- c:\programdata\Microsoft Help
2010-07-09 03:38 . 2010-07-09 03:38 -------- d-----w- c:\program files\AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-19 04:07 . 2009-12-18 05:52 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-07-19 04:07 . 2009-12-18 06:44 57752 ----a-w- c:\windows\system32\rpcnet.dll
2010-07-19 03:39 . 2009-07-13 23:19 28240 ----a-w- c:\windows\system32\drivers\mssmbios.sys
2010-07-13 05:04 . 2010-01-05 05:49 108824 ----a-w- c:\users\max\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-11 03:06 . 2009-12-30 03:37 -------- d-----w- c:\users\max\AppData\Roaming\BSW
2010-07-09 05:37 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2010-06-14 04:33 . 2010-06-14 02:08 -------- d-----w- c:\users\max\AppData\Roaming\Apple Computer
2010-06-14 02:08 . 2010-05-31 02:02 -------- d-----w- c:\program files\iTunes
2010-06-01 02:14 . 2010-06-01 02:09 -------- d-----w- c:\users\max\AppData\Roaming\GARMIN
2010-05-31 02:02 . 2010-05-31 02:02 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-31 02:02 . 2010-05-31 02:02 -------- d-----w- c:\program files\iPod
2010-05-31 02:02 . 2010-05-31 01:25 -------- d-----w- c:\programdata\Apple Computer
2010-05-31 02:02 . 2010-05-31 01:24 -------- d-----w- c:\program files\Common Files\Apple
2010-05-31 01:53 . 2010-05-31 01:53 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-31 01:25 . 2010-05-31 01:25 -------- d-----w- c:\program files\QuickTime
2010-05-31 01:24 . 2010-05-31 01:24 -------- d-----w- c:\program files\Apple Software Update
2010-05-31 01:24 . 2010-05-31 01:24 -------- d-----w- c:\programdata\Apple
2010-05-31 01:24 . 2010-05-31 01:24 -------- d-----w- c:\program files\Bonjour
2010-05-31 00:53 . 2010-05-31 00:53 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-05-12 18:21 . 2009-12-18 06:48 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-23 07:13 . 2010-05-26 05:42 2048 ----a-w- c:\windows\system32\tzres.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2010-02-28 09:20 561552 ----a-w- c:\progra~1\MICROS~2\Office14\URLREDIR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 RsOlHost;Rising Online Scan Service;c:\program files\Rising\RavOL\RsOLHost.exe [2010-03-18 146072]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-27 1343400]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {9FAFB576-6933-4CCC-AB3D-B988EC43D04E} - hxxp://rsdownload.rising.com.cn/rs2010/online/ravolctl.cab
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-07-18 21:29:51
ComboFix-quarantined-files.txt 2010-07-19 04:29

Pre-Run: 70,126,477,312 bytes free
Post-Run: 70,781,345,792 bytes free

- - End Of File - - C820F1F65738ECDF5398655D1B32B5D8


#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:18 AM

Posted 18 July 2010 - 11:53 PM

Let's empty the temp folders:

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

I would like to take a look at the drivers.

First, you must verify that you can access the Windows 7 Recovery Environment.
To do so, restart your computer and begin tapping the F8 key to enable the Advanced Start menu.
If the option 'Repair your computer' is available, select it.

If not available, you will need to insert your Windows 7 installation DVD and restart, then press any key when prompted to boot from the CD.
At the Install Windows screen, select Repair your computer. (image below, similar to VISTA)



Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Environment.
Once you get to the System Recovery Options screen, first take note of the drive letter assigned to the operating system, then select Command Prompt.



Type the following bolded command at the x:\sources> prompt (or x:\windows\system32>) then hit Enter.

x: <--- the red x represents your operating system drive letter, as shown in the image below
cd windows



At the x:\Windows> prompt type the following command then hit Enter

look.bat

You will see many files copied, then return to the x:\windows> prompt.
Type Exit, then restart your computer and log on in normal mode.
Once in Windows, obtain an Internet Connection. This program must download a tool to check files' signatures.
Then click on the Vista Orb, copy and paste the following command in the run Search box and press Ctrl+Shift+Enter.
"%Userprofile%\Desktop\maxlook.exe" -sig

It will produce looklog.txt in the C:\ folder.
Please post the results here.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
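As an added example for this thread (not part of the post above and not maxlook's code), the driver check the helper is working toward can be done natively from an elevated PowerShell on the affected machine: list every .sys in the driver directory with its Authenticode status, signer, SHA-256 and whether the kernel currently has it loaded, save the lot as a CSV to post, and print the entries that deserve a second look. It is written for Windows PowerShell 2.0, which is what Windows 7 shipped with in 2010, so it avoids cmdlets that only appeared later. The paths in the param block and the script name are assumptions; save it as Check-DriverSignatures.ps1 and run it with `powershell -ExecutionPolicy Bypass -File .\Check-DriverSignatures.ps1`.

```powershell
# Added example for this thread; not part of the original post and not maxlook's code.
# Lists the drivers in the system driver directory with their Authenticode status,
# signer, SHA-256 and whether the kernel currently has them loaded, writes a CSV and
# prints the entries worth a second look. Written for Windows PowerShell 2.0 (what
# Windows 7 shipped with), so no Get-CimInstance, Get-FileHash or [pscustomobject].
# Assumptions: run from an elevated prompt; $DriverDir and $Report are example paths.
param(
    [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers'),
    [string]$Report    = 'C:\driver-signatures.csv'
)

$sha256 = [System.Security.Cryptography.SHA256]::Create()

function Get-Sha256Hex([string]$Path) {
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

# File names of the drivers the kernel has loaded right now (WMI, so it works on PS 2.0).
$running = @{}
Get-WmiObject Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object { $running[(Split-Path $_.PathName -Leaf).ToLower()] = $true }

$rows = Get-ChildItem -Path $DriverDir -Filter *.sys |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{
            Name    = $_.Name
            Running = $running.ContainsKey($_.Name.ToLower())
            Status  = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer  = $signer
            Written = $_.LastWriteTime
            Size    = $_.Length
            SHA256  = Get-Sha256Hex $_.FullName
        }
    }

$rows | Sort-Object Status, Name | Export-Csv -Path $Report -NoTypeInformation

# HashMismatch means the file carries an embedded signature that no longer matches its
# bytes, i.e. a signed driver that has been patched on disk: treat it as hostile until
# proven otherwise. NotSigned on a running driver is only a lead: Microsoft's inbox
# drivers are normally signed through a catalog, which Get-AuthenticodeSignature does
# not consult on Windows 7, so compare the hash and timestamp against a clean install
# (or run sigverif.exe) before drawing a conclusion.
$rows |
    Where-Object { $_.Status -eq 'HashMismatch' -or ($_.Running -and $_.Status -ne 'Valid') } |
    Sort-Object Status, Name |
    Format-Table Name, Running, Status, Written, Signer -AutoSize
```

The reason the helper wants the files copied out from the Recovery Environment rather than inspected from inside the running system is that a kernel-mode rootkit can lie to anything that reads the disk through the infected kernel; this script is run from the live system, so a clean result from it is weaker evidence than a HashMismatch or an unexpected signer is. Use it to spot the obvious case quickly and to produce a list to post, not as a substitute for the offline look.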


#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:18 AM

Posted 25 July 2010 - 11:52 PM

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
