Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help: to remove trojan.dropper/SVChost-fake


  • Please log in to reply
13 replies to this topic

#1 lstp0136

lstp0136

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 29 November 2010 - 12:04 AM

Hi, i was using the internet today and got infected with some virus. my wallpaper has been changed to a black box saying "YOUR SYSTEM HAS BEEN INFECTED! system has been stopped due to a serious malfunction. Spyware activity has been detected". There is also a pop up box saying "Security Warning! Worm.Win32.NetSky detected on your machine...", it appears everytime i turn on my computer.
I tried using superantispyware, it detects the torjan: "trojan.dropper/SVChost-fake" but can't remove it. I also tried AVG 2011, ESET, and Malwarebytes. None of them can finish scanning, the programs would just disappear after about 2 minutes of scanning. There is also a regular pop up from antivirus 2010 saying "Attention! Network attack detected!". I tried removing the antivirus 2010 in safe mode, but was unable to do so.
Help, i am no computer expert and i don't know what to do now. Any help would be appreciated, thank you thank you.

BC AdBot (Login to Remove)

 


#2 cookmiester

cookmiester

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Stoke-on-Trent
  • Local time:10:03 AM

Posted 29 November 2010 - 11:06 AM

Hello. Antivirus 2010 blocks pretty much every exe file you attempt to run. Therefore stopping your virus scans.
We need to stop the antivirus 2010 service, which will allow us to do a scan.
Please download Rkill from one of these links here.

http://download.bleepingcomputer.com/grinler/rkill.com
http://download.bleepingcomputer.com/grinler/rkill.exe
http://download.bleepingcomputer.com/grinler/rkill.scr
http://download.bleepingcomputer.com/grinler/eXplorer.exe - This renamed copy may trigger an alert from MBAM. It can be ignored and is safe.ou
http://download.bleepingcomputer.com/grinler/iExplore.exe

A console box will appear when you run one of these, follow instructions it gives. When it's finished, the box will go, and a log will appear. This has now disabled antivirus 2010.

Now, open up malwarebytes. Then, update it, and run a full scan. Post log here.

Cookmiester

#3 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:08:03 PM

Posted 29 November 2010 - 07:16 PM

To add to the previous post by cookmiester:

You may have more than one rogue security program at work here.
You mention "There is also a pop up box saying "Security Warning! Worm.Win32.NetSky detected on your machine...", it appears every time i turn on my computer."

Internet Security 2010 is typically bundled with numerous Trojans that display fake security alerts on your computer. For example, one Trojan will display a message when you login into Windows before you see your desktop. This message will state:
Security Warning!
Worm.Win32.NetSky detected on your machine
.

Please follow the removal guide at the following link:
Remove Internet Security 2010 (Uninstall Guide)


You also stated "There is also a regular pop up from antivirus 2010"

Please follow the removal guide at the following link:
How to remove Antivirus 2010 (Uninstall Instructions)

The MBAM logs are automatically saved and can be viewed by clicking the Logs tab in MBAM. Copy and paste the contents of those reports in your next reply. Be sure to post the complete logs to include the top portion which shows MBAM's database version and your operating system.

Please post the logs and let us know how the system is running now.
AustrAlien
Google is my friend. Make Google your friend too.

Posted Image

#4 lstp0136

lstp0136
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 29 November 2010 - 11:33 PM

Hi there, thank you so much for replying;
firstly: this is the print screen of what i see when i turn the computer on, (i don't know how useful this is, but here it is)
http://tinypic.com/r/2959yro/7

@ Cookmiester:
i downloaded the rkill file and ran it. Then i updated the malwarebytes and tried scanning, but it would still close after 10 seconds. When i try and open malwarebytes again, a box saying "Windows cannot access the specified device, path, or file. you may not have the appropriate permissions to access the item." would appear.
BTW, after running the rkill, the wallpaper from the virus disappears, so it would be a blank wallpaper.

@AustrAlien:
I don't see any internet security 2010 pop up, but i downloaded the "Malwarebytes' EXE Download" file anyway from Remove Internet Security 2010 (Uninstall Guide). I ran it and updated the malwarebytes. I tried scanning the computer, but it would close after 10 seconds also.

So overall, i still cannot do any scanning. I am terribly sorry for all the problems, but i am trying really really hard to follow all the instructions you guys are giving me, please don't give up on me! I appreciate all the help you guys are providing for me.

#5 lstp0136

lstp0136
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 29 November 2010 - 11:40 PM

Hi, its me again.
Just to clarify,

the "Security Warning! Worm.Win32.NetSky detected on your machine." is part of a pop up box that appears everytime i turn on my computer, you can see it from the attached print screen. Thank you again for doing this, i really appreciate it.

#6 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:08:03 PM

Posted 30 November 2010 - 01:20 AM

Did you follow the instructions in this link:
How to remove Antivirus 2010 (Uninstall Instructions)
to start Windows in "Safe Mode with networking", and then continue to follow the instructions?
AustrAlien
Google is my friend. Make Google your friend too.

Posted Image

#7 lstp0136

lstp0136
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 30 November 2010 - 09:06 AM

yes i did. i tried starting in safe mode, run the rkill file, then update and run malwarebytes, but the same thing happened (ie. cannnot finish scanning).
What do i do next? i'm pulling my hair out as we speak!!..

#8 cookmiester

cookmiester

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Stoke-on-Trent
  • Local time:10:03 AM

Posted 30 November 2010 - 10:46 AM

We could try SUPER Anti-Spyware. But, if it's doing it to MBAM, it may do it to this. But, let's try.
Again, run Rkill, to disable the fake AV.
Download Super Anti-Spyware here:

http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

Update, and scan. If it's successful, then post your log here.

You may also try this on Safe Mode with Networking.

Wait, what if safe mode with networking is making the Fake Av's contact their server's online?
Try no networking, but get the definitions updated first before you go without networking.

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:03 AM

Posted 30 November 2010 - 12:05 PM

Reboot into Safe Mode with Networking
How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.


>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run Superantisypware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 lstp0136

lstp0136
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 30 November 2010 - 12:56 PM

Hi, no luck.
I tried running the computer in safe mode (not the safe mode with networking); i ran rkill and used both superantispyware and malwarebytes (both updated beforehand), but both were closed during scanning. I tried safe mode with networking again as suggestd by AustrAlien, but it didn't work either.
I then ran superantispyware for a second time, paused it before it closes, and obtained the log( well i guess the partial log):

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/30/2010 at 12:45 PM

Application Version : 4.46.1000

Core Rules Database Version : 5930
Trace Rules Database Version: 3742

Scan type : Complete Scan
Total Scan Time : 00:01:51

Memory items scanned : 233
Memory threats detected : 1
Registry items scanned : 6077
Registry threats detected : 0
File items scanned : 0
File threats detected : 1

Trojan.Dropper/SVCHost-Fake
\.\GLOBALROOT\DEVICE\SVCHOST.EXE\SVCHOST.EXE
\.\GLOBALROOT\DEVICE\SVCHOST.EXE\SVCHOST.EXE

(LOG END HERE).
Thank you again for helping me..

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:03 AM

Posted 30 November 2010 - 01:04 PM

Hi, Ok let's do one more here ,,,,
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#12 lstp0136

lstp0136
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 30 November 2010 - 01:45 PM

ok so i did the TDSSSkiller scan and i found one suspicious object, i don't have a "cure option", instead i can either choose (a.) skip (b.) Copy to quarantine (c.) delete.
The found object has the follow data:
Service
Service Name: vbmacec2
Service Type: Kernel driver (0x1)
Service start: Demand (0x3)
File: C:\WINDOWS\system32\drivers\vbmacec2.sys
MD5: 24c0e32fae44865b14741b4805e7b9cf

I tried choosing skip and continue, but apparently that doesn't do anything. So i'm wondering what i should do next, please give further direction thank you so much.
BTW, i'm using my laptop, its my desktop thats going crazy.

#13 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:08:03 PM

Posted 30 November 2010 - 03:33 PM

@ lstp0136

Please post the complete log from TDSSKiller.

Thank you.
AustrAlien
Google is my friend. Make Google your friend too.

Posted Image

#14 lstp0136

lstp0136
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 30 November 2010 - 10:30 PM

Hi all,

the title of the file: TDSSKiller.2.4.10.0_30.11.2010_22.22.18_log

2010/11/30 22:22:18.0546 TDSS rootkit removing tool 2.4.10.0 Nov 28 2010 18:35:56
2010/11/30 22:22:18.0546 ================================================================================
2010/11/30 22:22:18.0546 SystemInfo:
2010/11/30 22:22:18.0546
2010/11/30 22:22:18.0546 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/30 22:22:18.0546 Product type: Workstation
2010/11/30 22:22:18.0546 ComputerName: JUDY
2010/11/30 22:22:18.0546 UserName: Ricky Cheung
2010/11/30 22:22:18.0546 Windows directory: C:\WINDOWS
2010/11/30 22:22:18.0546 System windows directory: C:\WINDOWS
2010/11/30 22:22:18.0546 Processor architecture: Intel x86
2010/11/30 22:22:18.0546 Number of processors: 2
2010/11/30 22:22:18.0546 Page size: 0x1000
2010/11/30 22:22:18.0546 Boot type: Normal boot
2010/11/30 22:22:18.0546 ================================================================================
2010/11/30 22:22:19.0265 Initialize success
2010/11/30 22:22:20.0468 ================================================================================
2010/11/30 22:22:20.0468 Scan started
2010/11/30 22:22:20.0468 Mode: Manual;
2010/11/30 22:22:20.0468 ================================================================================
2010/11/30 22:22:23.0625 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/30 22:22:23.0687 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/11/30 22:22:23.0796 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/30 22:22:23.0890 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/11/30 22:22:24.0000 AgereSoftModem (ceffa3db1657293322e0bdea7d99e754) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2010/11/30 22:22:24.0843 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/11/30 22:22:25.0421 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/30 22:22:25.0546 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/30 22:22:25.0937 ati2mtag (2fbdfec8cd60cec3d55e615865333033) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/11/30 22:22:26.0203 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/30 22:22:26.0359 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/30 22:22:26.0593 AVGIDSDriver (0c61f066f4d94bd67063dc6691935143) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
2010/11/30 22:22:26.0734 AVGIDSEH (84853f800cd69252c3c764fe50d0346f) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
2010/11/30 22:22:26.0859 AVGIDSFilter (28d6adcd03e10f3838488b9b5d407dd4) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
2010/11/30 22:22:27.0140 AVGIDSShim (0eb16f4dbbb946360af30d2b13a52d1d) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
2010/11/30 22:22:27.0312 Avgldx86 (1119e5bec6e749e0d292f0f84d48edba) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
2010/11/30 22:22:27.0468 Avgmfx86 (54f1a9b4c9b540c2d8ac4baa171696b1) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
2010/11/30 22:22:27.0625 Avgrkx86 (8da3b77993c5f354cc2977b7ea06d03a) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
2010/11/30 22:22:27.0796 Avgtdix (354e0fec3bfdfa9c369e0f67ac362f9f) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
2010/11/30 22:22:28.0015 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/30 22:22:28.0328 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/30 22:22:28.0500 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/11/30 22:22:28.0718 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/30 22:22:28.0859 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/30 22:22:29.0015 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/30 22:22:30.0359 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/30 22:22:30.0500 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/30 22:22:30.0609 DMICall (526192bf7696f72e29777bf4a180513a) C:\WINDOWS\system32\DRIVERS\DMICall.sys
2010/11/30 22:22:30.0703 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/30 22:22:30.0890 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/30 22:22:30.0984 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/30 22:22:31.0265 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/30 22:22:31.0484 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/11/30 22:22:31.0625 eamon (1ceb779239965000b8f6adee17d4515b) C:\WINDOWS\system32\DRIVERS\eamon.sys
2010/11/30 22:22:31.0859 ehdrv (7d300a43a7bd8769e0f901bf9e1ae367) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
2010/11/30 22:22:32.0062 epfw (15bfe00f030ea20955117bb0677e9668) C:\WINDOWS\system32\DRIVERS\epfw.sys
2010/11/30 22:22:32.0234 Epfwndis (52310e0e603d7da79ecca7d764937a91) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys
2010/11/30 22:22:32.0390 epfwtdi (bdde7dd8fcdb1de7e879bb320b0605c0) C:\WINDOWS\system32\DRIVERS\epfwtdi.sys
2010/11/30 22:22:32.0562 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/30 22:22:32.0625 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/11/30 22:22:32.0734 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/30 22:22:32.0781 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/11/30 22:22:32.0875 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/11/30 22:22:32.0968 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2010/11/30 22:22:33.0062 FsVga (455f778ee14368468560bd7cb8c854d0) C:\WINDOWS\system32\DRIVERS\fsvga.sys
2010/11/30 22:22:33.0187 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/30 22:22:33.0296 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/30 22:22:33.0484 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/11/30 22:22:33.0671 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/30 22:22:33.0984 HdAudAddService (9131ede087af04a7d80f7ebadc164254) C:\WINDOWS\system32\drivers\HdAudio.sys
2010/11/30 22:22:34.0187 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/11/30 22:22:34.0359 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/11/30 22:22:34.0625 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/11/30 22:22:34.0796 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/11/30 22:22:34.0953 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/11/30 22:22:35.0296 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/30 22:22:35.0812 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/11/30 22:22:37.0875 ialm (2aae7be67911f4aec9ad28e9cfb9096f) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2010/11/30 22:22:40.0718 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/30 22:22:41.0578 IntcAzAudAddService (b2b7af5dc5e1b6b171dfda681d105c7c) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/11/30 22:22:42.0015 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/11/30 22:22:42.0156 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/11/30 22:22:42.0359 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/11/30 22:22:42.0546 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/30 22:22:42.0656 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/30 22:22:42.0734 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/30 22:22:42.0859 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/30 22:22:42.0921 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/30 22:22:42.0984 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/30 22:22:43.0171 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/30 22:22:43.0343 kl1 (ce3958f58547454884e97bda78cd7040) C:\WINDOWS\system32\drivers\kl1.sys
2010/11/30 22:22:43.0468 klbg (53eedab3f0511321ac3ae8bc968b158c) C:\WINDOWS\system32\drivers\klbg.sys
2010/11/30 22:22:43.0640 KLIF (439c778700fce23f2852535d6fa5996d) C:\WINDOWS\system32\DRIVERS\klif.sys
2010/11/30 22:22:43.0781 klim5 (fbdc2034b58d2135d25fe99eb8b747c3) C:\WINDOWS\system32\DRIVERS\klim5.sys
2010/11/30 22:22:43.0906 klmouflt (1f351c4ba53bfe58a1ca5fcdd11e1f81) C:\WINDOWS\system32\DRIVERS\klmouflt.sys
2010/11/30 22:22:44.0046 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/11/30 22:22:44.0203 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/11/30 22:22:44.0437 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/11/30 22:22:44.0812 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/11/30 22:22:44.0890 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/11/30 22:22:45.0093 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/30 22:22:45.0218 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/11/30 22:22:45.0328 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/11/30 22:22:45.0500 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/11/30 22:22:45.0593 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/11/30 22:22:45.0859 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/11/30 22:22:45.0921 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/11/30 22:22:46.0000 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/11/30 22:22:46.0062 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/11/30 22:22:46.0140 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/11/30 22:22:46.0234 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/11/30 22:22:46.0281 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/11/30 22:22:46.0437 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/11/30 22:22:46.0531 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/11/30 22:22:46.0609 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/11/30 22:22:46.0671 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/11/30 22:22:46.0750 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/11/30 22:22:46.0781 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/11/30 22:22:46.0921 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/11/30 22:22:46.0953 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/30 22:22:47.0046 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/30 22:22:47.0156 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/11/30 22:22:47.0234 nmwcd (4a8a2aa0706b659175169decf198e9d7) C:\WINDOWS\system32\drivers\ccdcmb.sys
2010/11/30 22:22:47.0281 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/30 22:22:47.0375 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/11/30 22:22:47.0484 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/11/30 22:22:47.0546 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/11/30 22:22:47.0593 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/11/30 22:22:47.0671 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/11/30 22:22:47.0765 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/11/30 22:22:47.0812 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/11/30 22:22:47.0875 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/11/30 22:22:47.0921 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
2010/11/30 22:22:47.0953 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/30 22:22:48.0062 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/11/30 22:22:48.0125 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/11/30 22:22:48.0515 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/11/30 22:22:48.0562 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/11/30 22:22:48.0640 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/11/30 22:22:48.0734 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/11/30 22:22:48.0968 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/11/30 22:22:49.0031 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/11/30 22:22:49.0062 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/11/30 22:22:49.0140 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/11/30 22:22:49.0218 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/11/30 22:22:49.0296 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/11/30 22:22:49.0390 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/11/30 22:22:49.0453 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/11/30 22:22:49.0562 s916bus (fec4f19c80f623c3bfb386fc815bcd30) C:\WINDOWS\system32\DRIVERS\s916bus.sys
2010/11/30 22:22:49.0765 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/11/30 22:22:49.0796 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/11/30 22:22:49.0890 SE27bus (59a9eb4073a39895af314780d0a032fa) C:\WINDOWS\system32\DRIVERS\SE27bus.sys
2010/11/30 22:22:49.0953 SE27mdfl (d53e7e53107d1796825540129f8fe89f) C:\WINDOWS\system32\DRIVERS\SE27mdfl.sys
2010/11/30 22:22:50.0000 SE27mdm (2afa2f65a6e91da5b5070e734769827e) C:\WINDOWS\system32\DRIVERS\SE27mdm.sys
2010/11/30 22:22:50.0046 SE27mgmt (5a33a8d7b44c7bd8abe248b4dcd1ff3c) C:\WINDOWS\system32\DRIVERS\SE27mgmt.sys
2010/11/30 22:22:50.0093 se27nd5 (bb30139683bbf3ee89ec931393d9335c) C:\WINDOWS\system32\DRIVERS\se27nd5.sys
2010/11/30 22:22:50.0171 SE27obex (5da6ff71e94b9134ddd094ebb09f05e6) C:\WINDOWS\system32\DRIVERS\SE27obex.sys
2010/11/30 22:22:50.0250 se27unic (4d54a9d7c22157ab3d2442e8bcf5ecd2) C:\WINDOWS\system32\DRIVERS\se27unic.sys
2010/11/30 22:22:50.0375 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/11/30 22:22:50.0468 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2010/11/30 22:22:50.0593 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2010/11/30 22:22:50.0734 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/11/30 22:22:51.0578 SNP2STD (d5c9643589313db08fd27a30d93e4146) C:\WINDOWS\system32\DRIVERS\snp2sxp.sys
2010/11/30 22:22:52.0406 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/30 22:22:52.0515 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/30 22:22:52.0609 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/11/30 22:22:52.0750 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/11/30 22:22:52.0812 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/11/30 22:22:52.0843 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/11/30 22:22:53.0062 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/11/30 22:22:53.0187 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/30 22:22:53.0250 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/11/30 22:22:53.0296 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/11/30 22:22:53.0359 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/30 22:22:53.0484 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/11/30 22:22:53.0609 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/30 22:22:53.0734 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/11/30 22:22:53.0781 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/11/30 22:22:53.0859 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/11/30 22:22:53.0937 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/11/30 22:22:54.0046 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/11/30 22:22:54.0093 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/11/30 22:22:54.0156 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/11/30 22:22:54.0203 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/11/30 22:22:54.0296 V0080Dev (eebf6b85abe3aa35e2c16d572e587fd9) C:\WINDOWS\system32\DRIVERS\V0080Dev.sys
2010/11/30 22:22:54.0406 Suspicious service (NoAccess): vbmacec2
2010/11/30 22:22:54.0453 vbmacec2 (24c0e32fae44865b14741b4805e7b9cf) C:\WINDOWS\system32\drivers\vbmacec2.sys
2010/11/30 22:22:54.0453 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbmacec2.sys. md5: 24c0e32fae44865b14741b4805e7b9cf
2010/11/30 22:22:54.0468 vbmacec2 - detected Locked service (1)
2010/11/30 22:22:54.0500 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/11/30 22:22:54.0609 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/11/30 22:22:54.0734 w810bus (5e8b60606fc4173b69cdecd964f22d28) C:\WINDOWS\system32\DRIVERS\w810bus.sys
2010/11/30 22:22:54.0796 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/11/30 22:22:54.0875 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
2010/11/30 22:22:55.0000 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/11/30 22:22:55.0218 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2010/11/30 22:22:55.0265 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/11/30 22:22:55.0328 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/11/30 22:22:55.0406 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/11/30 22:22:55.0468 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/11/30 22:22:55.0562 ZD1211U(ZyDAS) (adf52208702b6cb497dcce95a16f1e32) C:\WINDOWS\system32\DRIVERS\zd1211u.sys
2010/11/30 22:22:56.0015 ================================================================================
2010/11/30 22:22:56.0015 Scan finished
2010/11/30 22:22:56.0015 ================================================================================
2010/11/30 22:22:56.0031 Detected object count: 1
2010/11/30 22:22:58.0531 Locked service(vbmacec2) - User select action: Skip






this is it, thank you so much for your time.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users