Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Constant MS RPCSS Attack (2) & (3)


  • This topic is locked This topic is locked
29 replies to this topic

#1 Makino

Makino

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 01 August 2010 - 12:33 AM

Hello,
I recently installed Norton Antivirus 2010 and I've been getting these intrusion attempt messages.

Network traffic from 74.13.97.23 matches the signature of a known attack. The attaack was resulted from \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE.

Before it was only periodically, so I didn't thought much of it but the past few days it has become more frequent, almsot every 10 minutes. I am running on Windows 7 Ultimate. I did a full system scan and such before but to no avail, any help would be much appreciated/. Thanks in advance. Here is my log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Wendell at 1:15:55.73 on Sun 08/01/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3326.2258 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Wendell\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.6.22.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.7.0.12\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
StartupFolder: c:\users\wendell\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.4.6.22.dll/206
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://service.futuremark.com/openapi/receivers/FMSI.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {5C5A58AC-CFC1-4EDA-9165-870DBAE6F34E} = 207.164.234.193 207.164.234.129

================= FIREFOX ===================

FF - ProfilePath - c:\users\wendell\appdata\roaming\mozilla\firefox\profiles\yupog7gk.default\
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: XULRunner: {8DADF901-1F40-4644-BBDF-7FFBF70E3A36} - c:\windows\system32\config\systemprofile\appdata\local\{8dadf901-1f40-4644-bbdf-7ffbf70e3a36}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1107000.00c\symds.sys [2010-7-19 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1107000.00c\symefa.sys [2010-7-19 173104]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20100709.001\BHDrvx86.sys [2010-7-9 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1107000.00c\cchpx86.sys [2010-7-19 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20100730.001\IDSvix86.sys [2010-7-30 344112]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1107000.00c\ironx86.sys [2010-7-19 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nav\1107000.00c\symtdiv.sys [2010-7-19 339504]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-7-6 176128]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.7.0.12\ccsvchst.exe [2010-7-19 126392]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2010-6-6 33056]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-7-6 5882368]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-7-6 210944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-19 102448]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-6-6 277536]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.2);c:\windows\system32\drivers\RtTeam60.sys [2010-6-6 40736]
S3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);c:\windows\system32\drivers\RtVlan60.sys [2010-6-6 25376]
S3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.2);c:\windows\system32\drivers\RtTeam60.sys [2010-6-6 40736]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-6 1343400]

=============== Created Last 30 ================

2010-07-30 14:41:28 0 d-----w- c:\programdata\Electronic Arts
2010-07-30 14:26:09 0 d-----w- c:\program files\Microsoft WSE
2010-07-30 14:06:44 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2010-07-30 14:06:43 0 d-----w- c:\program files\MagicDisc
2010-07-30 12:32:49 0 d-----w- c:\program files\Microsoft
2010-07-30 05:50:13 0 d-----w- c:\program files\LG Electronics
2010-07-30 00:35:12 0 d-----w- c:\programdata\Blizzard Entertainment
2010-07-30 00:35:12 0 d-----w- c:\program files\StarCraft II
2010-07-30 00:35:12 0 d-----w- c:\program files\common files\Blizzard Entertainment
2010-07-28 13:25:45 0 d-----w- c:\programdata\ATI
2010-07-28 13:24:14 0 d-----w- c:\program files\common files\ATI Technologies
2010-07-28 13:23:07 0 d-----w- c:\program files\ATI
2010-07-28 13:22:34 0 d-----w- c:\program files\ATI Technologies
2010-07-28 04:54:21 0 d-----w- c:\program files\SystemRequirementsLab
2010-07-26 15:39:41 0 d-----w- c:\programdata\Sun
2010-07-26 15:39:20 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-25 23:07:40 0 d-----w- c:\users\wendell\appdata\roaming\VitySoft
2010-07-22 03:57:32 0 d-----w- c:\program files\Gathering of Developers
2010-07-19 22:11:11 0 d---a-w- c:\programdata\TEMP
2010-07-19 22:00:40 0 d-sh--w- C:\$RECYCLE.BIN
2010-07-19 20:55:39 0 d-----w- c:\users\wendell\appdata\roaming\Malwarebytes
2010-07-19 20:55:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-19 20:55:34 0 d-----w- c:\programdata\Malwarebytes
2010-07-19 20:55:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-19 20:55:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-19 15:32:49 0 d-----w- c:\program files\MagicISO
2010-07-19 13:51:04 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-07-19 13:51:04 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-07-19 13:51:04 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-07-19 13:51:00 0 d-----w- c:\program files\Symantec
2010-07-19 13:51:00 0 d-----w- c:\program files\common files\Symantec Shared
2010-07-19 13:50:17 0 d-----w- c:\windows\system32\drivers\NAV
2010-07-19 13:50:15 0 d-----w- c:\programdata\Norton
2010-07-19 13:50:15 0 d-----w- c:\program files\Norton AntiVirus
2010-07-19 13:50:07 0 d-----w- c:\programdata\NortonInstaller
2010-07-19 13:50:07 0 d-----w- c:\program files\NortonInstaller
2010-07-19 06:08:32 65536 --sha-w- c:\users\wendell\ntuser.dat{03fa861e-92fc-11df-9319-b11fb27a7592}.TM.blf
2010-07-19 06:08:32 524288 --sha-w- c:\users\wendell\ntuser.dat{03fa861e-92fc-11df-9319-b11fb27a7592}.TMContainer00000000000000000002.regtrans-ms
2010-07-19 06:08:32 524288 --sha-w- c:\users\wendell\ntuser.dat{03fa861e-92fc-11df-9319-b11fb27a7592}.TMContainer00000000000000000001.regtrans-ms
2010-07-19 03:18:00 0 d-----w- c:\programdata\Lavasoft
2010-07-18 12:46:54 0 d-----w- c:\program files\EASEUS
2010-07-17 23:02:26 0 d-----w- c:\program files\Windows Resource Kits
2010-07-16 20:11:22 0 d-----w- c:\program files\WBFS
2010-07-14 13:04:05 292864 ----a-w- c:\windows\system32\apphelp.dll
2010-07-11 21:02:17 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-07-11 21:02:17 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-07-11 21:02:17 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-07-11 21:02:17 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-07-11 21:02:17 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-07-07 02:29:16 5882368 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2010-07-07 01:55:08 15461888 ----a-w- c:\windows\system32\atioglxx.dll
2010-07-07 01:54:32 63416 ----a-w- c:\windows\system32\atiapfxx.blb
2010-07-07 01:54:16 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-07-07 01:51:30 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-07-07 01:51:10 380928 ----a-w- c:\windows\system32\atieclxx.exe
2010-07-07 01:50:42 176128 ----a-w- c:\windows\system32\atiesrxx.exe
2010-07-07 01:49:42 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2010-07-07 01:49:28 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2010-07-07 01:49:18 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2010-07-07 01:49:12 11776 ----a-w- c:\windows\system32\atimuixx.dll
2010-07-07 01:49:06 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-07-07 01:29:24 46080 ----a-w- c:\windows\system32\aticalrt.dll
2010-07-07 01:29:14 44032 ----a-w- c:\windows\system32\aticalcl.dll
2010-07-07 01:28:20 3975680 ----a-w- c:\windows\system32\atiumdag.dll
2010-07-07 01:27:58 4323840 ----a-w- c:\windows\system32\aticaldd.dll
2010-07-07 01:23:14 3058688 ----a-w- c:\windows\system32\atiumdva.dll
2010-07-07 01:22:52 543664 ----a-w- c:\windows\system32\atiumdva.cap
2010-07-07 01:16:00 237568 ----a-w- c:\windows\system32\atiadlxx.dll
2010-07-07 01:15:50 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2010-07-07 01:15:46 16896 ----a-w- c:\windows\system32\atigktxx.dll
2010-07-07 01:15:24 210944 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2010-07-07 01:14:16 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-07-07 01:11:06 52736 ----a-w- c:\windows\system32\atimpc32.dll
2010-07-07 01:11:06 52736 ----a-w- c:\windows\system32\amdpcom32.dll
2010-07-05 21:46:01 0 d-----w- c:\program files\VideoLAN

==================== Find3M ====================

2010-07-19 10:02:42 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-07-07 01:54:08 513024 ----a-w- c:\windows\system32\aticfx32.dll
2010-07-07 01:46:26 3826688 ----a-w- c:\windows\system32\atidxx32.dll
2010-07-07 01:24:32 50176 ----a-w- c:\windows\system32\coinst.dll
2010-07-07 01:14:58 30208 ----a-w- c:\windows\system32\atiuxpag.dll
2010-07-07 01:14:44 22528 ----a-w- c:\windows\system32\atiu9pag.dll
2010-06-15 22:28:58 2857 ----a-w- c:\windows\system32\atipblag.dat
2010-06-08 04:12:04 165697 ----a-w- c:\windows\hpoins28.dat
2010-06-06 20:42:56 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-06-02 08:55:30 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-06-02 08:55:30 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-06-02 08:55:30 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-06-02 08:00:00 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2010-05-27 07:24:13 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 03:49:37 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-26 15:41:02 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-05-26 15:41:02 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-05-26 15:41:02 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-05-26 15:41:02 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-05-26 15:41:02 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 05:18:06 977920 ----a-w- c:\windows\system32\wininet.dll
2010-05-11 20:42:08 205156 ----a-w- c:\windows\system32\atiicdxx.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 1:16:30.00 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:09 PM

Posted 09 August 2010 - 12:10 PM

Hello ,
And welcome.gif to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 Makino

Makino
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 09 August 2010 - 12:48 PM

Hi, Elise. Thank you for helping me, much appreciated. Here are the results of the GMER scan.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-09 13:42:11
Windows 6.1.7600
Running: e468rdcu.exe; Driver: C:\Users\Wendell\AppData\Local\Temp\uwldyfob.sys


---- System - GMER 1.0.15 ----

SSDT 870A0D90 ZwAlertResumeThread
SSDT 870E8210 ZwAlertThread
SSDT 87221A00 ZwAllocateVirtualMemory
SSDT 868351C8 ZwAlpcConnectPort
SSDT 87169048 ZwAssignProcessToJobObject
SSDT 87228B00 ZwCreateMutant
SSDT 8722C558 ZwCreateSymbolicLinkObject
SSDT 871F5428 ZwCreateThread
SSDT 8722C9A8 ZwCreateThreadEx
SSDT 8714E048 ZwDebugActiveProcess
SSDT 87221C18 ZwDuplicateObject
SSDT 87221420 ZwFreeVirtualMemory
SSDT 870A8B90 ZwImpersonateAnonymousToken
SSDT 87111130 ZwImpersonateThread
SSDT 8688FCF8 ZwLoadDriver
SSDT 87221308 ZwMapViewOfSection
SSDT 870A81D8 ZwOpenEvent
SSDT 87221EB8 ZwOpenProcess
SSDT 87047BB8 ZwOpenProcessToken
SSDT 870ED048 ZwOpenSection
SSDT 87221D68 ZwOpenThread
SSDT 8722B0F0 ZwProtectVirtualMemory
SSDT 870A2048 ZwResumeThread
SSDT 870C8670 ZwSetContextThread
SSDT 872210B0 ZwSetInformationProcess
SSDT 87140BA0 ZwSetSystemInformation
SSDT 87119590 ZwSuspendProcess
SSDT 870B1550 ZwSuspendThread
SSDT 8695B718 ZwTerminateProcess
SSDT 87037590 ZwTerminateThread
SSDT 87099048 ZwUnmapViewOfSection
SSDT 872216F0 ZwWriteVirtualMemory

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302DAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302D104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302D3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830162D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83015898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302D1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302D958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302D6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302DF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302E1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C46599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C6AF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 224 82C72734 8 Bytes [90, 0D, 0A, 87, 10, 82, 0E, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 82C7274C 4 Bytes [00, 1A, 22, 87]
.text ntkrnlpa.exe!RtlSidHashLookup + 248 82C72758 4 Bytes [C8, 51, 83, 86] {ENTER 0x8351, 0x86}
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 82C727AC 4 Bytes [48, 90, 16, 87]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 82C72828 4 Bytes [00, 8B, 22, 87]
.text ...
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x98001000, 0x31BA76, 0xE8000020]
.text peauth.sys A7217C9D 28 Bytes [15, B0, B9, 7B, FD, EF, 7B, ...]
.text peauth.sys A7217CC1 28 Bytes [15, B0, B9, 7B, FD, EF, 7B, ...]
PAGE peauth.sys A721DB9B 72 Bytes [8E, 6A, 3E, 26, 10, 14, 70, ...]
PAGE peauth.sys A721DBEC 111 Bytes [E7, BB, D1, 52, A5, 6D, DF, ...]
PAGE peauth.sys A721DE20 101 Bytes [CB, 00, CA, 62, 64, 2F, DA, ...]
PAGE ...
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 A72F1000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 A72F1123 32 Bytes [C5, 2E, A7, FE, 05, 34, C5, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50D4 A72F1144 596 Bytes [2E, A7, A0, 34, C5, 2E, A7, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 A72F1399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F A72F13FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [745F2494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [745D5624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [745D56E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [745F250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [745E8573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [745E4D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [745E50CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [745E51A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [745E66D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [745E82CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [745E8819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [745E907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [745EE21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [745E4C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2996] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75985E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2996] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75985E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2996] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75985E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2996] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75985E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2996] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [75985E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2996] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [75985E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2996] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [75985E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000072 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Linkage@Export ????F7??? ??????????????????? ???????C?????18E??????????????????nettun.inf:Microsoft.NTx86:6to4mp.ndi:6.1.7600.16385:*6to4mp?m????(??????M???e??PCI\VEN_1002&DEV_9715&REV_00?PCI\VEN_1002&DEV_9715?PCI\VEN_1002&CC_030000?PCI\VEN_1002&CC_0300?PCI\VEN_1002?PCI\CC_030000?PCI\CC_0300??851????N??????v???????v??@nettun.inf,%6to4mp.displayname%;Microsoft 6to4 Adapter??????????????????????B????.??????????????????????????????????????????????????????l?????s02??????????????????????????????????????{4d36e972-e325-11ce-bfc1-08002be10318}\0021?????? ???p???v???????v??Microsoft 6to4 Adapter???????t?{???|??????????????????????????????????6???????????????????????????????????????????????????????6?????? ??????da??PCI\VEN_1043&DEV_9602&REV_00?PCI\VEN_1043&DEV_9602?PCI\VEN_1043&CC_060400?PCI\VEN_1043&CC_0604?PCI\VEN_1043?PCI\CC_060400?PCI\CC_0604??API??? p?????????????????Microsoft 6to4 Adapter??????Microsoft 6to4 Adapter #18?FFF??????????????????storage\volume???????????????}??"N??@nettun.inf,%6to4mp.displayname%;Microsoft 6to4 Ada
Reg HKLM\SYSTEM\ControlSet002\services\LanmanWorkstation\Linkage@Export ?????s???s???????????.???????????????s???????????????o???????????????????????????????;??????bl??v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Domain|Profile=Public|LPort=3702|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=fdrespub|Name=@FirewallAPI.dll,-32809|Desc=@FirewallAPI.dll,-32810|EmbedCtxt=@FirewallAPI.dll,-32752|???????????????????????????????????????????????????????????????????????????P???????????????????????P????????? ?????????????????????????????????????????e??????????j???????????e???????????????????????|?|?????????????3???9?????????????????????????????????????????????????????e??????F?????????RO??????????of???????z????????????????e???????????????????????P??????i?j?n?n?j?o?k?z?z????????????????????????6??z????????h??????????y??????????RpcSs?????????????????????N??????}??????????tunnel???????????????a??im??????????????????v2.10|Action=Allow|Active=FALSE|Dir=Out|Protocol=17|Profile=Domain|Profile=Public|RPort=3702|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoo
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Superfetch@VirtualStoreSize 904

---- EOF - GMER 1.0.15 ----

Attached Files



#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:09 PM

Posted 09 August 2010 - 01:01 PM

Hello,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Makino

Makino
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 09 August 2010 - 02:24 PM

Hello,
I ran the scan and I've attached the log with this post.

Attached Files



#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:09 PM

Posted 09 August 2010 - 02:41 PM

Please let me know how things are running after the following fix:

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
Firefox::
FF - ProfilePath - c:\users\Wendell\AppData\Roaming\Mozilla\Firefox\Profiles\yupog7gk.default\
FF - HiddenExtension: XULRunner: {8DADF901-1F40-4644-BBDF-7FFBF70E3A36} - c:\windows\system32\config\systemprofile\AppData\Local\{8DADF901-1F40-4644-BBDF-7FFBF70E3A36}\

Save this as CFScript.txt, in the same location as ComboFix.exe



Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 Makino

Makino
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 09 August 2010 - 03:15 PM

Hello,
It would be hard for me to tell if that fix did the trick or not yet since those attacks happen periodically. Sometimes it happens at 10 minute intervals while sometimes it won't happen for hours. I'll post again if either an attack happens again or if nothing happens in the next 24 hours. Attached is my log, thanks.

Attached Files



#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:09 PM

Posted 09 August 2010 - 03:24 PM

Okay, please keep me posted. smile.gif

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 Makino

Makino
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 09 August 2010 - 05:57 PM

Ok yeah, I don't think that did it. Got another intrusion message.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:09 PM

Posted 10 August 2010 - 02:16 AM

Please run the following steps:

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 Makino

Makino
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 10 August 2010 - 09:22 AM

Hi Elise,
TDSSKiller didn't find any malicious objects. Here's the log:

2010/08/10 10:20:07.0453 TDSS rootkit removing tool 2.4.1.1 Aug 10 2010 14:48:09
2010/08/10 10:20:07.0453 ================================================================================
2010/08/10 10:20:07.0453 SystemInfo:
2010/08/10 10:20:07.0453
2010/08/10 10:20:07.0453 OS Version: 6.1.7600 ServicePack: 0.0
2010/08/10 10:20:07.0453 Product type: Workstation
2010/08/10 10:20:07.0453 ComputerName: WENDELL-PC
2010/08/10 10:20:07.0453 UserName: Wendell
2010/08/10 10:20:07.0453 Windows directory: C:\Windows
2010/08/10 10:20:07.0453 System windows directory: C:\Windows
2010/08/10 10:20:07.0453 Processor architecture: Intel x86
2010/08/10 10:20:07.0453 Number of processors: 6
2010/08/10 10:20:07.0453 Page size: 0x1000
2010/08/10 10:20:07.0453 Boot type: Normal boot
2010/08/10 10:20:07.0453 ================================================================================
2010/08/10 10:20:11.0743 Initialize success
2010/08/10 10:20:20.0666 ================================================================================
2010/08/10 10:20:20.0666 Scan started
2010/08/10 10:20:20.0666 Mode: Manual;
2010/08/10 10:20:20.0666 ================================================================================
2010/08/10 10:20:22.0179 1394ohci (6d2aca41739bfe8cb86ee8e85f29697d) C:\Windows\system32\DRIVERS\1394ohci.sys
2010/08/10 10:20:22.0241 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\Windows\system32\DRIVERS\ACPI.sys
2010/08/10 10:20:22.0273 AcpiPmi (98d81ca942d19f7d9153b095162ac013) C:\Windows\system32\DRIVERS\acpipmi.sys
2010/08/10 10:20:22.0304 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
2010/08/10 10:20:22.0335 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
2010/08/10 10:20:22.0366 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
2010/08/10 10:20:22.0413 AFD (ddc040fdb01ef1712a6b13e52afb104c) C:\Windows\system32\drivers\afd.sys
2010/08/10 10:20:22.0429 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\DRIVERS\agp440.sys
2010/08/10 10:20:22.0444 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
2010/08/10 10:20:22.0507 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\DRIVERS\aliide.sys
2010/08/10 10:20:22.0553 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\DRIVERS\amdagp.sys
2010/08/10 10:20:22.0585 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\DRIVERS\amdide.sys
2010/08/10 10:20:22.0585 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
2010/08/10 10:20:22.0741 amdkmdag (71edf946145d2bead3c16f4fd2fa3773) C:\Windows\system32\DRIVERS\atikmdag.sys
2010/08/10 10:20:22.0881 amdkmdap (41876830a043176f7902e781238f95ef) C:\Windows\system32\DRIVERS\atikmpag.sys
2010/08/10 10:20:22.0897 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
2010/08/10 10:20:22.0928 amdsata (2101a86c25c154f8314b24ef49d7fbc2) C:\Windows\system32\DRIVERS\amdsata.sys
2010/08/10 10:20:22.0943 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
2010/08/10 10:20:22.0975 amdxata (b81c2b5616f6420a9941ea093a92b150) C:\Windows\system32\DRIVERS\amdxata.sys
2010/08/10 10:20:22.0975 AppID (feb834c02ce1e84b6a38f953ca067706) C:\Windows\system32\drivers\appid.sys
2010/08/10 10:20:23.0021 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
2010/08/10 10:20:23.0053 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
2010/08/10 10:20:23.0084 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/08/10 10:20:23.0099 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\DRIVERS\atapi.sys
2010/08/10 10:20:23.0271 AtiHdmiService (8df873d0587596c1d35a9cececc61da1) C:\Windows\system32\drivers\AtiHdmi.sys
2010/08/10 10:20:23.0365 atikmdag (71edf946145d2bead3c16f4fd2fa3773) C:\Windows\system32\DRIVERS\atikmdag.sys
2010/08/10 10:20:23.0411 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
2010/08/10 10:20:23.0458 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
2010/08/10 10:20:23.0489 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
2010/08/10 10:20:23.0645 BHDrvx86 (3da27ed4d83f7b47e057c36f72644b04) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100719.001\BHDrvx86.sys
2010/08/10 10:20:23.0833 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
2010/08/10 10:20:23.0864 bowser (fcafaef6798d7b51ff029f99a9898961) C:\Windows\system32\DRIVERS\bowser.sys
2010/08/10 10:20:23.0864 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2010/08/10 10:20:23.0879 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2010/08/10 10:20:23.0911 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
2010/08/10 10:20:23.0926 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
2010/08/10 10:20:23.0957 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
2010/08/10 10:20:23.0973 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
2010/08/10 10:20:23.0989 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
2010/08/10 10:20:24.0082 ccHP (e941e709847fa00e0dd6d58d2b8fb5e1) C:\Windows\system32\drivers\NAV\1107000.00C\ccHPx86.sys
2010/08/10 10:20:24.0098 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
2010/08/10 10:20:24.0113 cdrom (ba6e70aa0e6091bc39de29477d866a77) C:\Windows\system32\DRIVERS\cdrom.sys
2010/08/10 10:20:24.0160 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
2010/08/10 10:20:24.0191 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
2010/08/10 10:20:24.0223 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
2010/08/10 10:20:24.0238 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\DRIVERS\cmdide.sys
2010/08/10 10:20:24.0254 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
2010/08/10 10:20:24.0269 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
2010/08/10 10:20:24.0301 CompositeBus (f1724ba27e97d627f808fb0ba77a28a6) C:\Windows\system32\DRIVERS\CompositeBus.sys
2010/08/10 10:20:24.0347 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
2010/08/10 10:20:24.0379 CSC (27c9490bdd0ae48911ab8cf1932591ed) C:\Windows\system32\drivers\csc.sys
2010/08/10 10:20:24.0394 DfsC (8e09e52ee2e3ceb199ef3dd99cf9e3fb) C:\Windows\system32\Drivers\dfsc.sys
2010/08/10 10:20:24.0425 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
2010/08/10 10:20:24.0441 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
2010/08/10 10:20:24.0503 Dot4 (b5e479eb83707dd698f66953e922042c) C:\Windows\system32\DRIVERS\Dot4.sys
2010/08/10 10:20:24.0550 Dot4Print (c25fea07a8e7767e8b89ab96a3b96519) C:\Windows\system32\DRIVERS\Dot4Prt.sys
2010/08/10 10:20:24.0613 dot4usb (cf491ff38d62143203c065260567e2f7) C:\Windows\system32\DRIVERS\dot4usb.sys
2010/08/10 10:20:24.0644 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
2010/08/10 10:20:24.0706 DXGKrnl (8b6c3464d7fac176500061dbfff42ad4) C:\Windows\System32\drivers\dxgkrnl.sys
2010/08/10 10:20:24.0800 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
2010/08/10 10:20:24.0909 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2010/08/10 10:20:24.0940 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
2010/08/10 10:20:25.0003 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2010/08/10 10:20:25.0018 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\DRIVERS\errdev.sys
2010/08/10 10:20:25.0049 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
2010/08/10 10:20:25.0065 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
2010/08/10 10:20:25.0081 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
2010/08/10 10:20:25.0112 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
2010/08/10 10:20:25.0127 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
2010/08/10 10:20:25.0143 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/08/10 10:20:25.0159 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
2010/08/10 10:20:25.0190 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
2010/08/10 10:20:25.0205 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
2010/08/10 10:20:25.0237 fvevol (dafbd9fe39197495aed6d51f3b85b5d2) C:\Windows\system32\DRIVERS\fvevol.sys
2010/08/10 10:20:25.0268 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
2010/08/10 10:20:25.0299 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
2010/08/10 10:20:25.0346 HdAudAddService (3530cad25deba7dc7de8bb51632cbc5f) C:\Windows\system32\drivers\HdAudio.sys
2010/08/10 10:20:25.0362 HDAudBus (717a2207fd6f13ad3e664c7d5a43c7bf) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/08/10 10:20:25.0393 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
2010/08/10 10:20:25.0408 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
2010/08/10 10:20:25.0424 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
2010/08/10 10:20:25.0455 HidUsb (25072fb35ac90b25f9e4e3bacf774102) C:\Windows\system32\DRIVERS\hidusb.sys
2010/08/10 10:20:25.0502 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\DRIVERS\HpSAMD.sys
2010/08/10 10:20:25.0518 HTTP (c531c7fd9e8b62021112787c4e2c5a5a) C:\Windows\system32\drivers\HTTP.sys
2010/08/10 10:20:25.0549 hwpolicy (8305f33cde89ad6c7a0763ed0b5a8d42) C:\Windows\system32\drivers\hwpolicy.sys
2010/08/10 10:20:25.0564 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/08/10 10:20:25.0580 iaStorV (934af4d7c5f457b9f0743f4299b77b67) C:\Windows\system32\DRIVERS\iaStorV.sys
2010/08/10 10:20:25.0720 IDSVix86 (2edd3504457691a10328079da011d0b8) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100805.004\IDSvix86.sys
2010/08/10 10:20:25.0767 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
2010/08/10 10:20:25.0830 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\DRIVERS\intelide.sys
2010/08/10 10:20:25.0876 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
2010/08/10 10:20:25.0908 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/08/10 10:20:25.0923 IPMIDRV (e4454b6c37d7ffd5649611f6496308a7) C:\Windows\system32\DRIVERS\IPMIDrv.sys
2010/08/10 10:20:25.0939 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
2010/08/10 10:20:25.0954 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
2010/08/10 10:20:25.0970 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\DRIVERS\isapnp.sys
2010/08/10 10:20:26.0001 iScsiPrt (ed46c223ae46c6866ab77cdc41c404b7) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/08/10 10:20:26.0032 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/08/10 10:20:26.0048 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\Windows\system32\DRIVERS\kbdhid.sys
2010/08/10 10:20:26.0079 KSecDD (e36a061ec11b373826905b21be10948f) C:\Windows\system32\Drivers\ksecdd.sys
2010/08/10 10:20:26.0110 KSecPkg (365c6154bbbc5377173f1ca7bfb6cc59) C:\Windows\system32\Drivers\ksecpkg.sys
2010/08/10 10:20:26.0157 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
2010/08/10 10:20:26.0173 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
2010/08/10 10:20:26.0204 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
2010/08/10 10:20:26.0220 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2010/08/10 10:20:26.0251 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2010/08/10 10:20:26.0266 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
2010/08/10 10:20:26.0298 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\Windows\system32\DRIVERS\mcdbus.sys
2010/08/10 10:20:26.0313 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
2010/08/10 10:20:26.0329 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
2010/08/10 10:20:26.0360 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
2010/08/10 10:20:26.0391 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
2010/08/10 10:20:26.0454 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
2010/08/10 10:20:26.0469 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
2010/08/10 10:20:26.0485 mountmgr (921c18727c5920d6c0300736646931c2) C:\Windows\system32\drivers\mountmgr.sys
2010/08/10 10:20:26.0516 mpio (2af5997438c55fb79d33d015c30e1974) C:\Windows\system32\DRIVERS\mpio.sys
2010/08/10 10:20:26.0532 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
2010/08/10 10:20:26.0563 MRxDAV (b1be47008d20e43da3adc37c24cdb89d) C:\Windows\system32\drivers\mrxdav.sys
2010/08/10 10:20:26.0594 mrxsmb (f1b6aa08497ea86ca6ef6f7a08b0bfb8) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/08/10 10:20:26.0641 mrxsmb10 (5613358b4050f46f5a9832da8050d6e4) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/08/10 10:20:26.0672 mrxsmb20 (25c9792778d80feb4c8201e62281bfdf) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/08/10 10:20:26.0688 msahci (4326d168944123f38dd3b2d9c37a0b12) C:\Windows\system32\DRIVERS\msahci.sys
2010/08/10 10:20:26.0719 msdsm (455029c7174a2dbb03dba8a0d8bddd9a) C:\Windows\system32\DRIVERS\msdsm.sys
2010/08/10 10:20:26.0734 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
2010/08/10 10:20:26.0766 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
2010/08/10 10:20:26.0781 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\DRIVERS\msisadrv.sys
2010/08/10 10:20:26.0797 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
2010/08/10 10:20:26.0812 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/08/10 10:20:26.0844 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
2010/08/10 10:20:26.0875 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
2010/08/10 10:20:26.0890 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/08/10 10:20:26.0906 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
2010/08/10 10:20:26.0922 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
2010/08/10 10:20:26.0953 MTsensor (cbe71c122434805cb73ffb6619f60598) C:\Windows\system32\DRIVERS\ASACPI.sys
2010/08/10 10:20:26.0968 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
2010/08/10 10:20:27.0000 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
2010/08/10 10:20:27.0156 NAVENG (0953bb24c1e70a99c315f44f15993c17) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100809.040\NAVENG.SYS
2010/08/10 10:20:27.0218 NAVEX15 (3ddb0bef60b65df6b110c23e17cd67dc) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100809.040\NAVEX15.SYS
2010/08/10 10:20:27.0265 NDIS (23759d175a0a9baaf04d05047bc135a8) C:\Windows\system32\drivers\ndis.sys
2010/08/10 10:20:27.0296 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
2010/08/10 10:20:27.0312 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/08/10 10:20:27.0343 Ndisuio (b30ae7f2b6d7e343b0df32e6c08fce75) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/08/10 10:20:27.0358 NdisWan (267c415eadcbe53c9ca873dee39cf3a4) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/08/10 10:20:27.0374 NDProxy (af7e7c63dcef3f8772726f86039d6eb4) C:\Windows\system32\drivers\NDProxy.sys
2010/08/10 10:20:27.0405 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
2010/08/10 10:20:27.0421 NetBT (dd52a733bf4ca5af84562a5e2f963b91) C:\Windows\system32\DRIVERS\netbt.sys
2010/08/10 10:20:27.0452 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
2010/08/10 10:20:27.0483 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
2010/08/10 10:20:27.0499 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
2010/08/10 10:20:27.0514 Ntfs (3795dcd21f740ee799fb7223234215af) C:\Windows\system32\drivers\Ntfs.sys
2010/08/10 10:20:27.0546 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
2010/08/10 10:20:27.0561 nvraid (3f3d04b1d08d43c16ea7963954ec768d) C:\Windows\system32\DRIVERS\nvraid.sys
2010/08/10 10:20:27.0577 nvstor (c99f251a5de63c6f129cf71933aced0f) C:\Windows\system32\DRIVERS\nvstor.sys
2010/08/10 10:20:27.0608 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\DRIVERS\nv_agp.sys
2010/08/10 10:20:27.0624 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\DRIVERS\ohci1394.sys
2010/08/10 10:20:27.0655 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
2010/08/10 10:20:27.0686 partmgr (ff4218952b51de44fe910953a3e686b9) C:\Windows\system32\drivers\partmgr.sys
2010/08/10 10:20:27.0702 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
2010/08/10 10:20:27.0717 pci (c858cb77c577780ecc456a892e7e7d0f) C:\Windows\system32\DRIVERS\pci.sys
2010/08/10 10:20:27.0733 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\DRIVERS\pciide.sys
2010/08/10 10:20:27.0764 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
2010/08/10 10:20:27.0780 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
2010/08/10 10:20:27.0811 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
2010/08/10 10:20:27.0904 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
2010/08/10 10:20:27.0920 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
2010/08/10 10:20:27.0967 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
2010/08/10 10:20:27.0982 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
2010/08/10 10:20:28.0014 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
2010/08/10 10:20:28.0045 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
2010/08/10 10:20:28.0060 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
2010/08/10 10:20:28.0076 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
2010/08/10 10:20:28.0092 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/08/10 10:20:28.0123 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/08/10 10:20:28.0138 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
2010/08/10 10:20:28.0154 rdbss (835d7e81bf517a3b72384bdcc85e1ce6) C:\Windows\system32\DRIVERS\rdbss.sys
2010/08/10 10:20:28.0170 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
2010/08/10 10:20:28.0185 RDPCDD (1e016846895b15a99f9a176a05029075) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/08/10 10:20:28.0201 RDPDR (c5ff95883ffef704d50c40d21cfb3ab5) C:\Windows\system32\drivers\rdpdr.sys
2010/08/10 10:20:28.0232 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
2010/08/10 10:20:28.0248 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
2010/08/10 10:20:28.0263 RDPWD (801371ba9782282892d00aadb08ee367) C:\Windows\system32\drivers\RDPWD.sys
2010/08/10 10:20:28.0294 rdyboost (4ea225bf1cf05e158853f30a99ca29a7) C:\Windows\system32\drivers\rdyboost.sys
2010/08/10 10:20:28.0326 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
2010/08/10 10:20:28.0372 RTL8167 (80b66a4181f782884a815e69d0afa743) C:\Windows\system32\DRIVERS\Rt86win7.sys
2010/08/10 10:20:28.0404 RtNdPt60 (32a7dbfac034dfedbb031e67bb886bf7) C:\Windows\system32\DRIVERS\RtNdPt60.sys
2010/08/10 10:20:28.0419 RTTEAMPT (f816662ab13a57f1ce4542336aa02694) C:\Windows\system32\DRIVERS\RtTeam60.sys
2010/08/10 10:20:28.0466 RTVLANPT (62e01f439c73fcfcca04f0e9d5255664) C:\Windows\system32\DRIVERS\RtVlan60.sys
2010/08/10 10:20:28.0497 s3cap (5423d8437051e89dd34749f242c98648) C:\Windows\system32\DRIVERS\vms3cap.sys
2010/08/10 10:20:28.0528 sbp2port (34ee0c44b724e3e4ce2eff29126de5b5) C:\Windows\system32\DRIVERS\sbp2port.sys
2010/08/10 10:20:28.0560 scfilter (a95c54b2ac3cc9c73fcdf9e51a1d6b51) C:\Windows\system32\DRIVERS\scfilter.sys
2010/08/10 10:20:28.0591 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2010/08/10 10:20:28.0622 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
2010/08/10 10:20:28.0622 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
2010/08/10 10:20:28.0653 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
2010/08/10 10:20:28.0669 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\DRIVERS\sffdisk.sys
2010/08/10 10:20:28.0684 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\DRIVERS\sffp_mmc.sys
2010/08/10 10:20:28.0700 sffp_sd (4f1e5b0fe7c8050668dbfade8999aefb) C:\Windows\system32\DRIVERS\sffp_sd.sys
2010/08/10 10:20:28.0716 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
2010/08/10 10:20:28.0731 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\DRIVERS\sisagp.sys
2010/08/10 10:20:28.0778 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
2010/08/10 10:20:28.0794 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
2010/08/10 10:20:28.0809 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
2010/08/10 10:20:28.0825 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
2010/08/10 10:20:28.0934 SRTSP (ec5c3c6260f4019b03dfaa03ec8cbf6a) C:\Windows\System32\Drivers\NAV\1107000.00C\SRTSP.SYS
2010/08/10 10:20:28.0981 SRTSPX (55d5c37ed41231e3ac2063d16df50840) C:\Windows\system32\drivers\NAV\1107000.00C\SRTSPX.SYS
2010/08/10 10:20:29.0028 srv (50a83ca406c808bd35ac9141a0c7618f) C:\Windows\system32\DRIVERS\srv.sys
2010/08/10 10:20:29.0059 srv2 (dce7e10feaabd4cae95948b3de5340bb) C:\Windows\system32\DRIVERS\srv2.sys
2010/08/10 10:20:29.0106 srvnet (bd1433a32792fd0dc450479094fc435a) C:\Windows\system32\DRIVERS\srvnet.sys
2010/08/10 10:20:29.0137 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
2010/08/10 10:20:29.0168 storflt (957e346ca948668f2496a6ccf6ff82cc) C:\Windows\system32\DRIVERS\vmstorfl.sys
2010/08/10 10:20:29.0184 storvsc (d5751969dc3e4b88bf482ac8ec9fe019) C:\Windows\system32\DRIVERS\storvsc.sys
2010/08/10 10:20:29.0215 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\DRIVERS\swenum.sys
2010/08/10 10:20:29.0246 SymDS (56890bf9d9204b93042089d4b45ae671) C:\Windows\system32\drivers\NAV\1107000.00C\SYMDS.SYS
2010/08/10 10:20:29.0262 SymEFA (1c91df5188150510a6f0cf78f7d94b69) C:\Windows\system32\drivers\NAV\1107000.00C\SYMEFA.SYS
2010/08/10 10:20:29.0293 SymEvent (961b48b86f94d4cc8ceb483f8aa89374) C:\Windows\system32\Drivers\SYMEVENT.SYS
2010/08/10 10:20:29.0324 SymIRON (dc80fbf0a348e54853ef82eed4e11e35) C:\Windows\system32\drivers\NAV\1107000.00C\Ironx86.SYS
2010/08/10 10:20:29.0371 SYMTDIv (bf610335eda8d9026e45b4ac73d0de58) C:\Windows\System32\Drivers\NAV\1107000.00C\SYMTDIV.SYS
2010/08/10 10:20:29.0418 Tcpip (2cc3d75488abd3ec628bbb9a4fc84efc) C:\Windows\system32\drivers\tcpip.sys
2010/08/10 10:20:29.0464 TCPIP6 (2cc3d75488abd3ec628bbb9a4fc84efc) C:\Windows\system32\DRIVERS\tcpip.sys
2010/08/10 10:20:29.0496 tcpipreg (e64444523add154f86567c469bc0b17f) C:\Windows\system32\drivers\tcpipreg.sys
2010/08/10 10:20:29.0511 TDPIPE (1875c1490d99e70e449e3afae9fcbadf) C:\Windows\system32\drivers\tdpipe.sys
2010/08/10 10:20:29.0542 TDTCP (7551e91ea999ee9a8e9c331d5a9c31f3) C:\Windows\system32\drivers\tdtcp.sys
2010/08/10 10:20:29.0558 tdx (cb39e896a2a83702d1737bfd402b3542) C:\Windows\system32\DRIVERS\tdx.sys
2010/08/10 10:20:29.0589 TEAM (f816662ab13a57f1ce4542336aa02694) C:\Windows\system32\DRIVERS\RtTeam60.sys
2010/08/10 10:20:29.0605 TermDD (c36f41ee20e6999dbf4b0425963268a5) C:\Windows\system32\DRIVERS\termdd.sys
2010/08/10 10:20:29.0652 tssecsrv (98ae6fa07d12cb4ec5cf4a9bfa5f4242) C:\Windows\system32\DRIVERS\tssecsrv.sys
2010/08/10 10:20:29.0683 tunnel (3e461d890a97f9d4c168f5fda36e1d00) C:\Windows\system32\DRIVERS\tunnel.sys
2010/08/10 10:20:29.0698 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
2010/08/10 10:20:29.0714 udfs (09cc3e16f8e5ee7168e01cf8fcbe061a) C:\Windows\system32\DRIVERS\udfs.sys
2010/08/10 10:20:29.0745 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\DRIVERS\uliagpkx.sys
2010/08/10 10:20:29.0776 umbus (049b3a50b3d646baeeee9eec9b0668dc) C:\Windows\system32\DRIVERS\umbus.sys
2010/08/10 10:20:29.0792 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
2010/08/10 10:20:29.0823 usbccgp (8455c4ed038efd09e99327f9d2d48ffa) C:\Windows\system32\DRIVERS\usbccgp.sys
2010/08/10 10:20:29.0854 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\DRIVERS\usbcir.sys
2010/08/10 10:20:29.0886 usbehci (1c333bfd60f2fed2c7ad5daf533cb742) C:\Windows\system32\DRIVERS\usbehci.sys
2010/08/10 10:20:29.0917 usbhub (ee6ef93ccfa94fae8c6ab298273d8ae2) C:\Windows\system32\DRIVERS\usbhub.sys
2010/08/10 10:20:29.0948 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\Windows\system32\DRIVERS\usbohci.sys
2010/08/10 10:20:29.0979 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
2010/08/10 10:20:29.0995 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\Windows\system32\DRIVERS\usbscan.sys
2010/08/10 10:20:30.0042 USBSTOR (d8889d56e0d27e57ed4591837fe71d27) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2010/08/10 10:20:30.0057 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\Windows\system32\DRIVERS\usbuhci.sys
2010/08/10 10:20:30.0088 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\DRIVERS\vdrvroot.sys
2010/08/10 10:20:30.0104 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
2010/08/10 10:20:30.0120 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
2010/08/10 10:20:30.0151 vhdmp (3be6e1f3a4f1afec8cee0d7883f93583) C:\Windows\system32\DRIVERS\vhdmp.sys
2010/08/10 10:20:30.0166 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\DRIVERS\viaagp.sys
2010/08/10 10:20:30.0182 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
2010/08/10 10:20:30.0213 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\DRIVERS\viaide.sys
2010/08/10 10:20:30.0229 vmbus (379b349f65f453d2a6e75ea6b7448e49) C:\Windows\system32\DRIVERS\vmbus.sys
2010/08/10 10:20:30.0260 VMBusHID (ec2bbab4b84d0738c6c83d2234dc36fe) C:\Windows\system32\DRIVERS\VMBusHID.sys
2010/08/10 10:20:30.0276 volmgr (384e5a2aa49934295171e499f86ba6f3) C:\Windows\system32\DRIVERS\volmgr.sys
2010/08/10 10:20:30.0307 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
2010/08/10 10:20:30.0322 volsnap (58df9d2481a56edde167e51b334d44fd) C:\Windows\system32\DRIVERS\volsnap.sys
2010/08/10 10:20:30.0354 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
2010/08/10 10:20:30.0385 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\System32\drivers\vwifibus.sys
2010/08/10 10:20:30.0400 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
2010/08/10 10:20:30.0432 WANARP (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
2010/08/10 10:20:30.0432 Wanarpv6 (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
2010/08/10 10:20:30.0494 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
2010/08/10 10:20:30.0525 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
2010/08/10 10:20:30.0556 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
2010/08/10 10:20:30.0588 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
2010/08/10 10:20:30.0634 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2010/08/10 10:20:30.0666 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
2010/08/10 10:20:30.0697 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\Windows\system32\drivers\WudfPf.sys
2010/08/10 10:20:30.0728 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\Windows\system32\DRIVERS\WUDFRd.sys
2010/08/10 10:20:30.0790 ================================================================================
2010/08/10 10:20:30.0790 Scan finished
2010/08/10 10:20:30.0790 ================================================================================
2010/08/10 10:20:47.0467 Deinitialize success


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:09 PM

Posted 10 August 2010 - 09:39 AM

If you are connected to the internet through a router, please reset it. It should have a reset button on the backside.

Let me know if that fixes the problem.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 Makino

Makino
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 10 August 2010 - 11:19 AM

I'm not connected to a router, I'm directly connected to my modem. However I did notice that when I click on my network icon on my taskbar it shows I'm connected to a Public Network and also my ISP, not sure if that is suppose to happen or if it is relevent to the intrusion issue.

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:09 PM

Posted 10 August 2010 - 11:24 AM

In that case, please make sure your Windows 7 firewall is turned on.

Also, click Start > Programs > Accessories, right click on Command Prompt and select "Run as Administrator".

Type ipconfig /flushdns and press enter.

Let me know if these steps take care of the problem.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#15 Makino

Makino
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 10 August 2010 - 07:31 PM

Still no luck.. still got the intrusion messages.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users