PC won't connect to Windows Update


This topic is locked
7 replies to this topic

#1 prdufresne

Posted 22 August 2010 - 11:28 PM

As far as I can tell, I've exhausted all the options I could find on Google. While I've seen many descriptions of this very problem, I couldn't get any of the remedies to work.

I've recently encountered some odd behaviours in my browser (Firefox) and then Antimalware Doctor started running. I managed to get rid of Antimalware Doctor with MBAM along with some other suspicious bugs (see log below), but I still can't connect to Windows Update, and my browser is still getting some odd new tabs (presumably pop-ups) and the occasional Google search result redirected to other search sites.

I've checked my hosts file, and it's clean. I have noticed, however, that when I run IPCONFIG it lists 3 Tunnel adapters (6, 7 and 12) and it shows me a link-local IPv6 address which I'm not sure should be there since I don't use IPv6. There are also some unusual route entries in my routing table, all with the gateway set to On-Link. I tried removing these routing entries from the route table, but no joy.

Thoughts? I obviously still have some malware that's going undetected.

Here's some more data:

From ipconfig:

===========================================================================
Interface List
13 ...00 02 72 a0 8b b8 ...... Bluetooth Device (Personal Area Network)
8 ...00 1e 8c 6e 03 c7 ...... Realtek RTL8168C/8111C Family PCI-E Gigabit Ethernet NIC (NDIS 6.0)
1 ........................... Software Loopback Interface 1
9 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
15 ...00 00 00 00 00 00 00 e0 isatap.phub.net.cable.rogers.com
14 ...00 00 00 00 00 00 00 e0 isatap.{3F9BE5D6-226A-4ACA-9841-092E17423F74}
===========================================================================


From MBAM Log:

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943

20/08/2010 9:01:11 AM
mbam-log-2010-08-20 (09-01-11).txt

Scan type: Quick scan
Objects scanned: 134473
Time elapsed: 7 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\stadadiyurega (Trojan.Agent.U) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fbatiduraya (Trojan.Agent.U) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\...\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updpxe32.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\...\AppData\Local\Temp\C752.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\...\AppData\Local\Temp\C753.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\...\AppData\Local\Temp\C7BE.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\...\AppData\Roaming\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\...\AppData\Roaming\Microsoft\Windows\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Users\...\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
C:\Users\...\AppData\Local\wsIR32.dll (Trojan.Agent.U) -> Delete on reboot.
C:\Users\...\Local\asekamodeta.dll (Trojan.Agent.U) -> Delete on reboot.

Edited by Blade Zephon, 23 August 2010 - 12:11 AM.
Moved from Vista to AII. ~BZ



#2 quietman7 (Global Moderator)

Posted 23 August 2010 - 12:01 PM

Please follow these instructions: How to remove Google Redirects or the TDSS, TDL3, Alureon rootkit using TDSSKiller
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.3.2.2_20.07.2010.08.26.56_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- For any files detected as 'Suspicious', get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

Now rescan with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (the preferred method) before scanning, and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

#3 prdufresne (Topic Starter)

Posted 23 August 2010 - 12:25 PM

Thank you for the prompt response. I ran TDSSKiller, but while it detected the malware, it doesn't appear to have successfully "cured" it. There seems to be a file access rights issue. Here are the contents of the log file:

2010/08/23 13:07:16.0075 TDSS rootkit removing tool 2.4.1.2 Aug 16 2010 09:46:23
2010/08/23 13:07:16.0075 ================================================================================
2010/08/23 13:07:16.0075 SystemInfo:
2010/08/23 13:07:16.0075
2010/08/23 13:07:16.0075 OS Version: 6.0.6002 ServicePack: 2.0
2010/08/23 13:07:16.0075 Product type: Workstation
2010/08/23 13:07:16.0075 ComputerName:
2010/08/23 13:07:16.0075 UserName:
2010/08/23 13:07:16.0075 Windows directory: C:\Windows
2010/08/23 13:07:16.0075 System windows directory: C:\Windows
2010/08/23 13:07:16.0075 Processor architecture: Intel x86
2010/08/23 13:07:16.0075 Number of processors: 4
2010/08/23 13:07:16.0075 Page size: 0x1000
2010/08/23 13:07:16.0075 Boot type: Normal boot
2010/08/23 13:07:16.0075 ================================================================================
2010/08/23 13:07:39.0394 Initialize success
2010/08/23 13:07:45.0964 ================================================================================
2010/08/23 13:07:45.0964 Scan started
2010/08/23 13:07:45.0964 Mode: Manual;
2010/08/23 13:07:45.0964 ================================================================================
2010/08/23 13:08:21.0935 61883 (585e64bb6dfbc0a2f1f0b554ded012df) C:\Windows\system32\DRIVERS\61883.sys
2010/08/23 13:08:21.0999 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2010/08/23 13:08:22.0079 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
2010/08/23 13:08:22.0259 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
2010/08/23 13:08:22.0298 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
2010/08/23 13:08:22.0529 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
2010/08/23 13:08:22.0657 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2010/08/23 13:08:22.0909 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
2010/08/23 13:08:23.0029 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2010/08/23 13:08:23.0090 aliide (9df16e31daa1591c538222eae00e07eb) C:\Windows\system32\drivers\aliide.sys
2010/08/23 13:08:23.0131 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
2010/08/23 13:08:23.0151 amdide (260c91345de01c3dfd364ee970a92b02) C:\Windows\system32\drivers\amdide.sys
2010/08/23 13:08:23.0185 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
2010/08/23 13:08:23.0217 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
2010/08/23 13:08:23.0330 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
2010/08/23 13:08:23.0374 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
2010/08/23 13:08:23.0472 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/08/23 13:08:23.0517 atapi (b3f2c79318b9bbe87b2c51033682d912) C:\Windows\system32\drivers\atapi.sys
2010/08/23 13:08:23.0821 Avc (f4b56425a00beb32f5fa6603ff7b0ea2) C:\Windows\system32\DRIVERS\avc.sys
2010/08/23 13:08:24.0000 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2010/08/23 13:08:25.0124 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2010/08/23 13:08:25.0819 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2010/08/23 13:08:27.0037 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2010/08/23 13:08:27.0888 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2010/08/23 13:08:28.0559 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2010/08/23 13:08:29.0215 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2010/08/23 13:08:29.0630 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2010/08/23 13:08:30.0218 BthEnum (6d39c954799b63ba866910234cf7d726) C:\Windows\system32\DRIVERS\BthEnum.sys
2010/08/23 13:08:30.0916 BTHMODEM (9a966a8e86d1771911ae34a20d11bff3) C:\Windows\system32\DRIVERS\bthmodem.sys
2010/08/23 13:08:31.0934 BthPan (5904efa25f829bf84ea6fb045134a1d8) C:\Windows\system32\DRIVERS\bthpan.sys
2010/08/23 13:08:33.0196 BTHPORT (5a3abaa2f8eece7aefb942773766e3db) C:\Windows\system32\Drivers\BTHport.sys
2010/08/23 13:08:34.0101 BTHUSB (94e2941280e3756a5e0bcb467865c43a) C:\Windows\system32\Drivers\BTHUSB.sys
2010/08/23 13:08:34.0856 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2010/08/23 13:08:35.0940 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2010/08/23 13:08:37.0728 cfwids (44e4a7dded054dd55ae995c3aed719ae) C:\Windows\system32\drivers\cfwids.sys
2010/08/23 13:08:39.0325 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
2010/08/23 13:08:40.0349 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2010/08/23 13:08:41.0717 cmdide (55a247b547fb9da28bc492dee643ecdf) C:\Windows\system32\drivers\cmdide.sys
2010/08/23 13:08:42.0213 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2010/08/23 13:08:42.0839 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
2010/08/23 13:08:43.0235 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
2010/08/23 13:08:44.0628 cvpopflt (906c2fc7bec427d35975d3e70f571cd2) C:\Windows\system32\DRIVERS\cvpopflt.sys
2010/08/23 13:08:46.0352 CVUVC (d0ca5d842b4821b68f578ba2146f7a49) C:\Windows\system32\DRIVERS\cvuvc.sys
2010/08/23 13:08:47.0281 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2010/08/23 13:08:48.0473 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2010/08/23 13:08:49.0134 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2010/08/23 13:08:49.0765 DXGKrnl (5c7e2097b91d689ded7a6ff90f0f3a25) C:\Windows\System32\drivers\dxgkrnl.sys
2010/08/23 13:08:50.0783 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2010/08/23 13:08:51.0773 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2010/08/23 13:08:52.0720 ElbyCDIO (44996a2addd2db7454f2ca40b67d8941) C:\Windows\system32\Drivers\ElbyCDIO.sys
2010/08/23 13:08:53.0241 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2010/08/23 13:08:54.0014 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2010/08/23 13:08:54.0957 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2010/08/23 13:08:55.0277 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
2010/08/23 13:08:56.0087 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2010/08/23 13:08:56.0442 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2010/08/23 13:08:57.0003 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/08/23 13:08:57.0464 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2010/08/23 13:08:58.0338 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2010/08/23 13:08:58.0683 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2010/08/23 13:08:59.0378 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2010/08/23 13:08:59.0893 grmnusb (d956358054e99e6ffac69cd87e893a89) C:\Windows\system32\drivers\grmnusb.sys
2010/08/23 13:09:00.0883 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2010/08/23 13:09:01.0659 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/08/23 13:09:02.0592 HidBatt (1eea61828eb0263b97252842c07e5a1c) C:\Windows\system32\DRIVERS\HidBatt.sys
2010/08/23 13:09:02.0759 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2010/08/23 13:09:03.0509 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2010/08/23 13:09:03.0741 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2010/08/23 13:09:04.0666 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2010/08/23 13:09:05.0583 HSF_DP (729ff797a69cd3e96bbaea1e35e56738) C:\Windows\system32\DRIVERS\HSX_DP.sys
2010/08/23 13:09:06.0603 HSXHWBS2 (e8eb7746002e2038345e6839503e3c4a) C:\Windows\system32\DRIVERS\HSXHWBS2.sys
2010/08/23 13:09:06.0745 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2010/08/23 13:09:06.0808 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2010/08/23 13:09:06.0875 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/08/23 13:09:06.0968 iaStor (2358c53f30cb9dcd1d3843c4e2f299b2) C:\Windows\system32\drivers\iastor.sys
2010/08/23 13:09:07.0039 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2010/08/23 13:09:07.0116 igfx (eab68cd7e6efc727b9a3d7cad7a0577a) C:\Windows\system32\DRIVERS\igdkmd32.sys
2010/08/23 13:09:07.0190 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2010/08/23 13:09:07.0310 IntcAzAudAddService (ae3df3265781543b616e0a8830f6774b) C:\Windows\system32\drivers\RTKVHDA.sys
2010/08/23 13:09:07.0439 intelide (1fdf294ecca2addf84e8271d75abddb4) C:\Windows\system32\drivers\intelide.sys
2010/08/23 13:09:07.0475 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2010/08/23 13:09:07.0556 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/08/23 13:09:07.0607 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2010/08/23 13:09:07.0675 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2010/08/23 13:09:07.0797 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2010/08/23 13:09:07.0848 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
2010/08/23 13:09:07.0909 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/08/23 13:09:07.0951 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2010/08/23 13:09:07.0998 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2010/08/23 13:09:08.0110 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/08/23 13:09:08.0214 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
2010/08/23 13:09:08.0291 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2010/08/23 13:09:08.0369 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2010/08/23 13:09:08.0507 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2010/08/23 13:09:08.0696 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2010/08/23 13:09:08.0829 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2010/08/23 13:09:08.0902 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2010/08/23 13:09:08.0975 MarvinBus (a3e700d78eec390f1208098cdca5c6b6) C:\Windows\system32\DRIVERS\MarvinBus.sys
2010/08/23 13:09:09.0136 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
2010/08/23 13:09:09.0183 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2010/08/23 13:09:09.0228 mfeapfk (b77e959e1c50d3e3a9d9ef423be62e09) C:\Windows\system32\drivers\mfeapfk.sys
2010/08/23 13:09:09.0264 mfeavfk (e84596fcb591117f5597498a5f82ad97) C:\Windows\system32\drivers\mfeavfk.sys
2010/08/23 13:09:09.0402 mfebopk (d40ce01e2d3fe0c079cd2d6b3e4b823b) C:\Windows\system32\drivers\mfebopk.sys
2010/08/23 13:09:09.0439 mfefirek (3962c6a9e35c4319dcdab0497614fd69) C:\Windows\system32\drivers\mfefirek.sys
2010/08/23 13:09:09.0480 mfehidk (e7ecf7872bf8f2897ae5a696d908c2f7) C:\Windows\system32\drivers\mfehidk.sys
2010/08/23 13:09:09.0528 mfenlfk (738ea065c00112c46a64ecf7f6d81902) C:\Windows\system32\DRIVERS\mfenlfk.sys
2010/08/23 13:09:09.0638 mferkdet (e411594ac94baef7f8ea991cc8f47fd1) C:\Windows\system32\drivers\mferkdet.sys
2010/08/23 13:09:09.0731 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\Windows\system32\drivers\mferkdk.sys
2010/08/23 13:09:09.0767 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\Windows\system32\drivers\mfesmfk.sys
2010/08/23 13:09:09.0889 mfewfpk (53ed75f57e87831d3651ff32cb3d5648) C:\Windows\system32\drivers\mfewfpk.sys
2010/08/23 13:09:10.0038 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2010/08/23 13:09:10.0221 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2010/08/23 13:09:11.0118 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2010/08/23 13:09:11.0298 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2010/08/23 13:09:12.0119 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2010/08/23 13:09:12.0538 MPFP (95675c3398dcc084c8d1dc35cc4e9e01) C:\Windows\system32\Drivers\Mpfp.sys
2010/08/23 13:09:13.0204 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2010/08/23 13:09:13.0601 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2010/08/23 13:09:14.0316 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2010/08/23 13:09:14.0720 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2010/08/23 13:09:15.0362 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/08/23 13:09:15.0781 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/08/23 13:09:16.0483 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/08/23 13:09:16.0905 msahci (60ec6885a269e13d5daaa0efe060127a) C:\Windows\system32\drivers\msahci.sys
2010/08/23 13:09:17.0485 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2010/08/23 13:09:17.0956 MSDV (343291a4dfd7c923c3f71f550830ec1c) C:\Windows\system32\DRIVERS\msdv.sys
2010/08/23 13:09:18.0666 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2010/08/23 13:09:19.0136 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2010/08/23 13:09:19.0840 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2010/08/23 13:09:20.0224 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/08/23 13:09:20.0884 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2010/08/23 13:09:21.0768 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2010/08/23 13:09:22.0318 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/08/23 13:09:23.0045 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2010/08/23 13:09:23.0391 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2010/08/23 13:09:24.0245 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2010/08/23 13:09:24.0868 NDIS (dd7acebcd3febe92889b503fbe83aa05) C:\Windows\system32\drivers\ndis.sys
2010/08/23 13:09:24.0873 Suspicious file (Forged): C:\Windows\system32\drivers\ndis.sys. Real md5: dd7acebcd3febe92889b503fbe83aa05, Fake md5: 1357274d1883f68300aeadd15d7bbb42
2010/08/23 13:09:24.0881 NDIS - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/23 13:09:25.0591 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/08/23 13:09:26.0002 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/08/23 13:09:26.0430 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/08/23 13:09:27.0288 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2010/08/23 13:09:27.0999 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2010/08/23 13:09:28.0399 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2010/08/23 13:09:29.0101 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2010/08/23 13:09:29.0508 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2010/08/23 13:09:30.0134 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2010/08/23 13:09:30.0883 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2010/08/23 13:09:31.0823 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2010/08/23 13:09:32.0276 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2010/08/23 13:09:37.0801 nvlddmkm (712d98d35e68d0006b121f4a3b8ee814) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2010/08/23 13:09:47.0672 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
2010/08/23 13:09:48.0023 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
2010/08/23 13:09:48.0661 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
2010/08/23 13:09:49.0915 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
2010/08/23 13:09:50.0513 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2010/08/23 13:09:50.0874 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2010/08/23 13:09:51.0585 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2010/08/23 13:09:51.0876 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2010/08/23 13:09:51.0924 pciide (64b8e559d285c7ef599edf6428e1366f) C:\Windows\system32\drivers\pciide.sys
2010/08/23 13:09:51.0969 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2010/08/23 13:09:52.0058 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2010/08/23 13:09:52.0255 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2010/08/23 13:09:52.0299 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2010/08/23 13:09:52.0414 Ps2 (390c204ced3785609ab24e9c52054a84) C:\Windows\system32\DRIVERS\PS2.sys
2010/08/23 13:09:52.0469 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2010/08/23 13:09:52.0584 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2010/08/23 13:09:52.0737 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2010/08/23 13:09:52.0811 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2010/08/23 13:09:52.0879 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2010/08/23 13:09:52.0944 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/08/23 13:09:53.0009 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/08/23 13:09:53.0146 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2010/08/23 13:09:53.0291 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2010/08/23 13:09:53.0368 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/08/23 13:09:53.0458 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
2010/08/23 13:09:53.0478 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2010/08/23 13:09:53.0533 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2010/08/23 13:09:53.0673 RFCOMM (6482707f9f4da0ecbab43b2e0398a101) C:\Windows\system32\DRIVERS\rfcomm.sys
2010/08/23 13:09:53.0814 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2010/08/23 13:09:53.0903 RTL8169 (3d2b6520699d1dcd5a13f9e7cad62199) C:\Windows\system32\DRIVERS\Rtlh86.sys
2010/08/23 13:09:53.0980 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2010/08/23 13:09:54.0043 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2010/08/23 13:09:54.0169 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2010/08/23 13:09:54.0304 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2010/08/23 13:09:54.0379 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2010/08/23 13:09:54.0456 sffdisk (51cf56aa8bcc241f134b420b8f850406) C:\Windows\system32\drivers\sffdisk.sys
2010/08/23 13:09:54.0512 sffp_mmc (96ded8b20c734ac41641ce275250e55d) C:\Windows\system32\drivers\sffp_mmc.sys
2010/08/23 13:09:54.0537 sffp_sd (8b08cab1267b2c377883fc9e56981f90) C:\Windows\system32\drivers\sffp_sd.sys
2010/08/23 13:09:54.0568 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2010/08/23 13:09:54.0667 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
2010/08/23 13:09:54.0731 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2010/08/23 13:09:54.0760 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2010/08/23 13:09:54.0806 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2010/08/23 13:09:54.0854 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2010/08/23 13:09:54.0911 srv (96a5e2c642af8f591a7366429809506b) C:\Windows\system32\DRIVERS\srv.sys
2010/08/23 13:09:54.0994 srv2 (71da2d64880c97e5ffc3c81761632751) C:\Windows\system32\DRIVERS\srv2.sys
2010/08/23 13:09:55.0029 srvnet (0c5ab1892ae0fa504218db094bf6d041) C:\Windows\system32\DRIVERS\srvnet.sys
2010/08/23 13:09:55.0085 StillCam (ef70b3d22b4bffda6ea851ecb063efaa) C:\Windows\system32\DRIVERS\serscan.sys
2010/08/23 13:09:55.0121 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2010/08/23 13:09:55.0161 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2010/08/23 13:09:55.0232 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2010/08/23 13:09:55.0312 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2010/08/23 13:10:07.0009 Suspicious service (NoAccess): uteajs
2010/08/23 13:10:08.0076 uteajs (fe15d978c96489a567e270c790e1d56f) C:\Windows\system32\drivers\uteajs.sys
2010/08/23 13:10:08.0077 Suspicious file (NoAccess): C:\Windows\system32\drivers\uteajs.sys. md5: fe15d978c96489a567e270c790e1d56f
2010/08/23 13:10:08.0083 uteajs - detected Locked service (1)
2010/08/23 13:10:23.0649 ================================================================================
2010/08/23 13:10:23.0649 Scan finished
2010/08/23 13:10:23.0649 ================================================================================
2010/08/23 13:10:23.0661 Detected object count: 2
2010/08/23 13:11:57.0598 C:\Windows\system32\drivers\ndis.sys - processing error
2010/08/23 13:11:57.0598 Rootkit.Win32.TDSS.tdl3(NDIS) - User select action: Cure
2010/08/23 13:11:57.0602 Locked service(uteajs) - User select action: Skip
2010/08/23 13:13:27.0114 Deinitialize success


I'm rescanning with MBAM now.

Edited by prdufresne, 23 August 2010 - 12:57 PM.


#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,590 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 August 2010 - 12:59 PM

This is the pertinent section of the log which indicates a TDSS/TDL3 rootkit infection was found and you selected to cure.

2010/08/23 13:10:23.0661 Detected object count: 2
2010/08/23 13:11:57.0598 C:\Windows\system32\drivers\ndis.sys - processing error
2010/08/23 13:11:57.0598 Rootkit.Win32.TDSS.tdl3(NDIS) - User select action: Cure

Did you reboot afterwards? If not, please do so.

Edited by quietman7, 23 August 2010 - 01:14 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donation image].
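As an added illustration (not part of the thread), a small Python parser that pulls the pertinent lines out of a TDSSKiller log so that the detected object count, any locked service and each "User select action" are not lost among the driver inventory; the sample log is constructed from the tail of the one posted above, and the triage rules are my own reading of what those lines mean.

```python
import re

# Constructed sample: the tail of the TDSSKiller log posted earlier in this thread.
SAMPLE_LOG = """\
2010/08/23 13:10:07.0009 Suspicious service (NoAccess): uteajs
2010/08/23 13:10:08.0077 Suspicious file (NoAccess): C:\\Windows\\system32\\drivers\\uteajs.sys. md5: fe15d978c96489a567e270c790e1d56f
2010/08/23 13:10:08.0083 uteajs - detected Locked service (1)
2010/08/23 13:10:23.0661 Detected object count: 2
2010/08/23 13:11:57.0598 C:\\Windows\\system32\\drivers\\ndis.sys - processing error
2010/08/23 13:11:57.0598 Rootkit.Win32.TDSS.tdl3(NDIS) - User select action: Cure
2010/08/23 13:11:57.0602 Locked service(uteajs) - User select action: Skip
"""

TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "  # TDSSKiller timestamp prefix
RULES = [  # (kind, regex); ordinary "name (md5) path" inventory lines match none of these
    ("suspicious", re.compile(TS + r"Suspicious (service|file) \((\w+)\): (.+?)(?:\. md5: ([0-9a-f]{32}))?$")),
    ("locked", re.compile(TS + r"(\S+) - detected Locked service")),
    ("count", re.compile(TS + r"Detected object count: (\d+)$")),
    ("error", re.compile(TS + r"(.+) - processing error$")),
    ("action", re.compile(TS + r"(.+?) - User select action: (\w+)$")),
]

def parse_tdsskiller(text):
    """Reduce a TDSSKiller log to its findings, skipping the driver inventory."""
    f = {"suspicious": [], "locked": [], "errors": [], "actions": {}, "declared_count": None}
    for line in text.splitlines():
        for kind, rx in RULES:
            m = rx.match(line)
            if not m:
                continue
            if kind == "suspicious":
                f["suspicious"].append({"type": m[1], "reason": m[2], "name": m[3], "md5": m[4]})
            elif kind == "locked":
                f["locked"].append(m[1])
            elif kind == "count":
                f["declared_count"] = int(m[1])
            elif kind == "error":
                f["errors"].append(m[1])
            else:  # action: TDSSKiller records what the user chose per detected object
                f["actions"][m[1]] = m[2]
            break
    return f

def triage(f):
    """Reasons the machine still needs attention after this run (empty list = none)."""
    reasons = [f"{o}: left in place (user chose Skip)" for o, a in f["actions"].items() if a == "Skip"]
    reasons += [f"{p}: processing error, so a later Cure may not have applied" for p in f["errors"]]
    if f["declared_count"] not in (None, len(f["actions"])):
        reasons.append("detected object count does not match the actions recorded")
    return reasons
```

Run against the sample, `triage` reports both the skipped locked service and the ndis.sys processing error, which is consistent with the same two items reappearing on every rescan.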

#5 prdufresne

  • Topic Starter
  • Members
  • 20 posts

Posted 23 August 2010 - 01:05 PM

I did reboot afterward, but I had other applications to shut down and thought this might have affected it, so I tried again with nothing else running, re-ran TDSSkiller and rebooted. I also tried it once from safe mode. Same result. Each time it detects the same two items.

#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,590 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 August 2010 - 01:15 PM

Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself. Sometimes there is a hidden piece of malware (i.e. a rootkit) which has not been detected by your security tools that protects malicious files and registry keys so they cannot be permanently deleted. Other types of malware can even terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done, we will need you to create and post a DDS log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the Malware Response Team.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another Malware Response Team member is already assisting you and not open the thread to respond.

#7 prdufresne

  • Topic Starter
  • Members
  • 20 posts

Posted 23 August 2010 - 04:55 PM

ThanX. I followed your instructions, and posted the results in the following thread:

http://www.bleepingcomputer.com/forums/topic342267.html

#8 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 23 August 2010 - 04:59 PM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another MR Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
