Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with more than just "AntiVirus 2010"


  • This topic is locked This topic is locked
22 replies to this topic

#1 smeadows00

smeadows00

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 24 December 2010 - 02:50 PM

First of all, "Merry Christmas" and thank you for taking the time to help me...I have a DELL Dimension 8400 Series desktop PC with the following: WIN XP Home w/SP-3, P4 @ 3 GHz, 1-GB RAM, 160-GB HDD. This PC has gotten more than just a single-type of an infection I believe. Initially it starts off with one-type that specifically gives a "black" POP-UP Box that says the system is copying files, etc...and then the "ANTIVIRUS 2010" panel pops up and the program starts to scan showing all the files, etc...that are infected. Naturally it also says I should "buy" the program to clean the files, etc... I believe it is infected with "more" than just one-type of malware/spyware/virus/Trojan/worm/etc...because each time I have attempted to use any form of Anti-Malware, Anti-Spyware, or Anti-Virus software the application will seem to load okay...and even "update" itself okay but, when it starts to scan, etc...the application "Disappears" and I don't get to see what it found, quarantined, etc...this is very frustrating! The various programs I have tried thus far, -{ ...and since gone into Control Panel-Add/Remove Programs, to remove are: Malwarebytes' AntiMalware, Super AntiSpyware, and even Norton AntiVirus...all to which have loaded and then "disappeared!" So I removed them...}. At this point, I tried to get to "BleepingComputer" for some assistance and then I seemed to have lost my Internet access as well! So I am having to use a different computer to write & send this, not to mention post the "logs" with, etc...Here's where I am at currently:

~~~ I have followed the "BleepingComputer" --- "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" from the beginning of STEP #1 through to STEP #5 - "Enabling my Firewall" ...then on STEP #6, I wasn't sure if I had any "CD Emulation" software so I went ahead and performed STEP #6 anyway... Since I couldn't access the Internet, I had to utilize a different PC, -{ the same one I am writing this on...}- ...to download the "DDS Tool" and the "GMER Download." Once I had the necessary & required "Tools" downloaded and transferred over to the infected PC's desktop, I continued on with the "Guide's" STEPS as outlined. I was able to successfully run the "DDS Tool" just fine and produce the necessary LOGS. I then ran the "GMER Tool." I was able to successfully "unzip/extract" the "Tool" just fine and also to initially run the "Tool." After the initial run of the "GMER Tool," I was able to "un-check" the BOXES that "BleepingComputer" required to be "unchecked." Then, when I clicked the "SCAN" Button as outlined in the "Guide,", the program literally "disappeared!" Just as the "other" three-(3) above mentioned applications did when I tried to run them too...

~~~ All of the things I performed above, has brought me to this point, STEP #9 in your "guide," --- "Create a new malware removal topic and post the DDS logs and the GMER log" Everything I have mentioned above is the "best" Detailed Description I could give you outside of actually talking with someone on the phone as I was performing the action! Now, on to the "DDS Log(s):"


DDS (Ver_10-12-12.02) - NTFSx86
Run by Melissa at 13:28:41.23 on Fri 12/24/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.699 [GMT -5:00]

AV: Norton 360 Premier Edition *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *Enabled*

============== Running Processes ===============

"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Melissa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No File
uRun: [cdloader] "c:\documents and settings\melissa\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\bd7ee596-40c5-4bbb-916c-16f20481b55e.com
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [lxddmon.exe] "c:\program files\lexmark 2500 series\lxddmon.exe"
mRun: [lxddamon] "c:\program files\lexmark 2500 series\lxddamon.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
mRun: [LogitechCameraAssistant] c:\program files\logitech\video\CameraAssistant.exe
mRun: [LogitechVideo[inspector]] c:\program files\logitech\video\InstallHelper.exe /inspect
mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation
mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?s=100000338&p=ZJxdm596YYUS&si=&a=E1inqW9GPiDK0N63lSfr3g&n=2010042909
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2008-9-15 99248]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-5-7 92008]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.181\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [?]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\ptdubus.sys --> c:\windows\system32\drivers\PTDUBus.sys [?]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\ptdumdm.sys --> c:\windows\system32\drivers\PTDUMdm.sys [?]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\ptduvsp.sys --> c:\windows\system32\drivers\PTDUVsp.sys [?]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\ptduwwan.sys --> c:\windows\system32\drivers\PTDUWWAN.sys [?]

=============== Created Last 30 ================

2010-12-24 00:23:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-24 00:23:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-24 00:06:55 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-12-23 05:15:24 -------- d-----w- c:\docume~1\melissa\applic~1\SUPERAntiSpyware.com
2010-12-23 03:27:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-12-23 03:27:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-23 03:06:31 -------- d-----w- C:\Anti-MalSpy
2010-12-20 23:58:37 -------- d-----w- c:\docume~1\melissa\applic~1\Tific
2010-12-20 23:58:35 -------- d-----w- c:\docume~1\melissa\locals~1\applic~1\Symantec

==================== Find3M ====================


============= FINISH: 13:29:24.00 ===============


~~~ Thank you all so very much for your assistance. You are truly in a "thankless" job that, -{ ...unless you are specifically within the IT Field AND enjoy this type of work!}- ...I am ever so grateful for! I hope you and everyone there has a wonderfully "Blessed" and joyous Christmas Season! Thanks again...

<>< Scott

Attached File  Attach.txt   11.04KB   4 downloads

PS: Remember, the "GMER Tool" disappeared and I could not retrieve a LOG to give for this Tool...thanks again so much!

BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:54 PM

Posted 27 December 2010 - 07:13 AM

Hi Scott,

Welcome to Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more. Thank you.

If the issue is not resolved please update me on the current condition of your computer. No need for any log at this time.

#3 smeadows00

smeadows00
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 29 December 2010 - 10:06 PM

Hey Brother, I apologize so much for not getting back to you sooner! I kept waiting for a "reply" in my e-mail! Ne ver got one!!! SO I did the "manual" search through the FORUM to see if someone replied to my post...which YOU did! Thank You so much...
The current "status" of the PC is the same as when I posted the initial POST that you replied to. I didn't want to do anything until I heard back from someone there @ Bleepin'Computer...

Therefore...I anxiously await your reply!

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:54 PM

Posted 30 December 2010 - 02:51 PM

I thought there might be something wrong.

Please make sure you don't run any scan as this infection will lock the files. this one needs special treatment.

  • Please download TDSSKiller.zip and and extract it.
    • Run TDSSKiller.exe.
    • Click Start scan.
    • When it is finished the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Let the options as it is and click Continue
    • Let reboot if needed and tell me if the tool needed a reboot.
    • Click on Report and post the contents of the text file that will open.

      Note: By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder. The Log have a name like: TDSSKiller.Version_Date_Time_log.txt.
  • Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    @ECHO OFF
    Dir /a/b "C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll" >"%userprofile%\desktop\log.txt" 2>&1
    Dir /a/b "C:\Documents and Settings\All Users\Application Data" >>"%userprofile%\desktop\log.txt" 2>&1
    Dir /a/s/b C:\WINDOWS\WinSxS\shsvcs.dll >>"%userprofile%\desktop\log.txt" 2>&1
    
    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this: Posted Image
    • Double-click to run it.
    • A log.txt file will be made on the desktop, copy and paste the content (of log.txt) to your reply.


#5 smeadows00

smeadows00
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 01 January 2011 - 11:02 PM

Thank you for the latest reply...I will do as you wish tomorrow afternoon after church!

Thanks again!

<>< Scott

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:54 PM

Posted 02 January 2011 - 01:43 PM

Okay Scot. :thumbup2:

#7 smeadows00

smeadows00
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 02 January 2011 - 02:07 PM

Okay Brother...I followed your instructions to the "letter." What surprised me was the fact that I was truly expecting a "boat-load" of infections, etc...to show up after I ran the "tdsskiller" you told me to run. But, as you will see from the scan log, I don't think that many, -( ...if any! )- showed up at all...also, there was "NO" Re-Boot required from the "tdsskiller" scan. At any rate, here is the "LOG" file for the "tdsskiller" scan you requested:


2011/01/02 13:38:32.0709 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/02 13:38:32.0709 ================================================================================
2011/01/02 13:38:32.0709 SystemInfo:
2011/01/02 13:38:32.0709
2011/01/02 13:38:32.0709 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/02 13:38:32.0709 Product type: Workstation
2011/01/02 13:38:32.0709 ComputerName: DELL-11203D064A
2011/01/02 13:38:32.0709 UserName: Melissa
2011/01/02 13:38:32.0709 Windows directory: C:\WINDOWS
2011/01/02 13:38:32.0709 System windows directory: C:\WINDOWS
2011/01/02 13:38:32.0709 Processor architecture: Intel x86
2011/01/02 13:38:32.0709 Number of processors: 1
2011/01/02 13:38:32.0709 Page size: 0x1000
2011/01/02 13:38:32.0709 Boot type: Normal boot
2011/01/02 13:38:32.0709 ================================================================================
2011/01/02 13:38:32.0990 Initialize success
2011/01/02 13:38:48.0162 ================================================================================
2011/01/02 13:38:48.0162 Scan started
2011/01/02 13:38:48.0162 Mode: Manual;
2011/01/02 13:38:48.0162 ================================================================================
2011/01/02 13:38:48.0443 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/02 13:38:48.0521 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/02 13:38:48.0615 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/02 13:38:48.0693 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/02 13:38:48.0771 AFGSp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\AFGSp50.sys
2011/01/02 13:38:48.0990 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/02 13:38:49.0005 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/02 13:38:49.0099 ati2mtag (f0d0b0cdec0be32d775f404cac2604bf) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/01/02 13:38:49.0177 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/02 13:38:49.0240 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/02 13:38:49.0287 b57w2k (4826fcf97c47b361a2e2f68cd487a19e) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/01/02 13:38:49.0318 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/02 13:38:49.0380 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/02 13:38:49.0427 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/01/02 13:38:49.0474 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/02 13:38:49.0521 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/02 13:38:49.0552 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/02 13:38:49.0599 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2011/01/02 13:38:49.0755 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/02 13:38:49.0818 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/02 13:38:49.0927 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/02 13:38:50.0005 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/02 13:38:50.0037 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/02 13:38:50.0099 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/02 13:38:50.0146 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/02 13:38:50.0177 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/01/02 13:38:50.0209 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/02 13:38:50.0224 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/01/02 13:38:50.0255 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/02 13:38:50.0287 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/02 13:38:50.0302 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/02 13:38:50.0334 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/01/02 13:38:50.0380 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/02 13:38:50.0412 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/02 13:38:50.0490 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/02 13:38:50.0568 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/02 13:38:50.0630 iastor (294110966cedd127629c5be48367c8cf) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2011/01/02 13:38:50.0646 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/02 13:38:50.0755 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2011/01/02 13:38:50.0896 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2011/01/02 13:38:50.0943 IntelC53 (cf0b937710cec6ef39416edecd803cbb) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2011/01/02 13:38:50.0959 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/01/02 13:38:50.0990 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/01/02 13:38:51.0021 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/02 13:38:51.0084 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/02 13:38:51.0115 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/02 13:38:51.0146 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/02 13:38:51.0193 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/02 13:38:51.0224 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/02 13:38:51.0255 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/02 13:38:51.0287 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/02 13:38:51.0318 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/02 13:38:51.0365 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/02 13:38:51.0521 Lvckap (bd0d8c9e3aef163dafa0a3c27106d049) C:\WINDOWS\system32\drivers\Lvckap.sys
2011/01/02 13:38:51.0740 lvmvdrv (c2ad4603075b1c58d92b6bb00e08e958) C:\WINDOWS\system32\drivers\lvmvdrv.sys
2011/01/02 13:38:51.0896 LVPrcMon (4fd5a6335fb4fc1f758088b2f90613fe) C:\WINDOWS\system32\drivers\LVPrcMon.sys
2011/01/02 13:38:51.0943 LVUSBSta (c0883f7914afa7feaa41ada0d513ac16) C:\WINDOWS\system32\drivers\lvusbsta.sys
2011/01/02 13:38:52.0005 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/02 13:38:52.0052 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/02 13:38:52.0084 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/01/02 13:38:52.0099 mohfilt (59b8b11ff70728eec60e72131c58b716) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
2011/01/02 13:38:52.0146 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/02 13:38:52.0162 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/02 13:38:52.0255 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
2011/01/02 13:38:52.0287 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
2011/01/02 13:38:52.0318 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/02 13:38:52.0412 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/02 13:38:52.0459 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/02 13:38:52.0490 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/02 13:38:52.0537 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/02 13:38:52.0568 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/02 13:38:52.0599 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/02 13:38:52.0662 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/01/02 13:38:52.0693 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/02 13:38:52.0724 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/01/02 13:38:52.0755 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/02 13:38:52.0787 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/01/02 13:38:52.0818 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/02 13:38:52.0849 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/02 13:38:52.0896 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/02 13:38:52.0927 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/02 13:38:52.0943 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/02 13:38:52.0990 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/02 13:38:53.0052 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/02 13:38:53.0099 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/02 13:38:53.0162 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/02 13:38:53.0193 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/02 13:38:53.0209 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/02 13:38:53.0271 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
2011/01/02 13:38:53.0302 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/02 13:38:53.0334 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/02 13:38:53.0365 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/02 13:38:53.0380 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/02 13:38:53.0427 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/02 13:38:53.0474 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/02 13:38:53.0552 PD0620VID (ea296b87ba381c640b441d95f90785f8) C:\WINDOWS\system32\DRIVERS\P0620Vid.sys
2011/01/02 13:38:53.0709 pepifilter (e111fab6c740a1a44e750c2061a23239) C:\WINDOWS\system32\DRIVERS\lv302af.sys
2011/01/02 13:38:53.0849 PID_08A0 (36eddcefdd036fffa95aa84d1645dd67) C:\WINDOWS\system32\DRIVERS\LV302AV.SYS
2011/01/02 13:38:53.0959 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/02 13:38:53.0974 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/02 13:38:54.0084 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/02 13:38:54.0209 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/02 13:38:54.0240 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/02 13:38:54.0255 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/02 13:38:54.0287 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/02 13:38:54.0318 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/02 13:38:54.0349 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/02 13:38:54.0396 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/02 13:38:54.0427 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/02 13:38:54.0505 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/01/02 13:38:54.0537 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/01/02 13:38:54.0584 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/02 13:38:54.0662 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
2011/01/02 13:38:54.0709 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/02 13:38:54.0724 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/02 13:38:54.0755 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/02 13:38:54.0834 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/01/02 13:38:54.0896 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
2011/01/02 13:38:54.0943 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/02 13:38:55.0005 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/02 13:38:55.0084 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/02 13:38:55.0115 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/01/02 13:38:55.0146 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/02 13:38:55.0177 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/02 13:38:55.0302 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/02 13:38:55.0349 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/02 13:38:55.0396 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/02 13:38:55.0427 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/02 13:38:55.0459 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/02 13:38:55.0537 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/02 13:38:55.0584 UMAXPCLS (931e8cafcaa536e8252cd7a375ff9794) C:\WINDOWS\system32\DRIVERS\umaxpcls.sys
2011/01/02 13:38:55.0630 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/02 13:38:55.0724 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/01/02 13:38:55.0755 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/02 13:38:55.0818 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/02 13:38:55.0834 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/02 13:38:55.0865 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/02 13:38:55.0880 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/02 13:38:55.0912 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/02 13:38:55.0943 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/02 13:38:55.0959 Suspicious service (NoAccess): vbma9228
2011/01/02 13:38:55.0990 vbma9228 (a0ab2ee9d9b898c6ed47edf24820fec5) C:\WINDOWS\system32\drivers\vbma9228.sys
2011/01/02 13:38:55.0990 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbma9228.sys. md5: a0ab2ee9d9b898c6ed47edf24820fec5
2011/01/02 13:38:56.0005 vbma9228 - detected Locked service (1)
2011/01/02 13:38:56.0021 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/02 13:38:56.0068 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/02 13:38:56.0115 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/02 13:38:56.0162 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/02 13:38:56.0255 WpdUsb (c60dc16d4e406810fad54b98dc92d5ec) C:\WINDOWS\system32\Drivers\wpdusb.sys
2011/01/02 13:38:56.0318 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/01/02 13:38:56.0365 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/02 13:38:56.0396 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/02 13:38:56.0630 ================================================================================
2011/01/02 13:38:56.0630 Scan finished
2011/01/02 13:38:56.0630 ================================================================================
2011/01/02 13:38:56.0646 Detected object count: 1
2011/01/02 13:39:43.0318 Locked service(vbma9228) - User select action: Skip


After I ran the "tdsskiller" as you requested, I then made & ran the "Batch" file you wanted me to run...here is the "LOG" file results from what the "Batch" file did:

shsvcs.dll
.wtav
Adobe
Affinegy
Belkin
desktop.ini
FaxCtr
Google
ISx29.tmp
ISx39B.tmp
ISx71.tmp
ISx72.tmp
ISx7B.tmp
ISxD.tmp
magicJack
Malwarebytes
McAfee
Microsoft
Microsoft Help
Motive
Norton
NortonInstaller
Office Genuine Advantage
PCSettings
PlayFirst
Sun
SUPERAntiSpyware.com
Symantec
TomTom
Verizon Wireless
Windows Genuine Advantage
Yahoo!
{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll


I have done nothing to the PC since we have been corresponding. However, I will mention that the PC has been powered on, it has been connected to the Internet, and that is it. No update(s), etc...have been performed that I am aware of, etc...unless of course it occurred "behind-the-scenes" without my knowledge.
So Brother...there you have it! I pray for some decent news or something so I can get this thing back up & running like it should be! Thanks so very much for your gracious assistance...AND time! You are awesome!

Thanks again...let me know where to go from here! ...be "Blessed!"

<>< Scott

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:54 PM

Posted 02 January 2011 - 03:17 PM

Don't worry and relax, we will take care of it.:)

The TDSSKiller did the job we wanted to do. It identified the bad rootkit. However it didn't attempt to remove it because you chose to skip instead of cure. But that doesn't matter because even if it has removed it, it would come back the next reboot. So I didn't expected TDSSKiller to remove it. This round we wanted to identify all the elements of the infection. We have other means for this particular nasty infection as it requires special treatment.

Please do all the steps fully and in the order they are written.

  • Download The Avenger by Swandog46 from here.
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
      Comment: Process starts.
      Drivers to delete:
      userinit
      vbma9228
      Files to delete:
      c:\windows\system32\drivers\vbma9228.sys
      C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll
      C:\Documents and Settings\All Users\Application Data\.wtav
      
    • In the avenger window, click the Paste Script from Clipboard, Posted Image button.
    • Click the Execute button.
    • You will be asked Are you sure you want to execute the current script?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log in your next reply.
  • We need to scan the system with this special tool.
    • Please download Junction.zip and save it.
    • First unzip. If it is extracted/unzipped to a folder open the folder and put junction.exe inside it on the desktop. Make sure the file itself is on the desktop. It should look like this: Posted Image
    • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

      cmd /c "%userprofile%\desktop\junction.exe" -s c:\ >log.txt & notepad log.txt


      A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.
  • Please run TDSSKiler once more and post the log it makes.


#9 smeadows00

smeadows00
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 03 January 2011 - 05:26 PM

Hey Brother...I hit a "snag!" Upon following your directions completely, the "snag" occurred "AFTER" the code was copied into the "Script-Box" in Avenger. Actually, the "code" copied over just fine...but, when I went to CLICK the "EXECUTE" Button, an error box popped up that stated:

ERROR: Invalid Script. A valid script must begin with a command directive. Aborting execution! [OK]

I looked over what you posted just to be sure that I copied everything, etc...to which I did. Guess we need a different "First" -{ 1st }- ...line of code?

Let me know! Thanks again for your time! I can't begin to show my gratitude!

Be "Blessed!"

<>< Scott

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:54 PM

Posted 03 January 2011 - 05:35 PM

You are right. Please try this one:

Comment:
Process starts.
Drivers to delete:
userinit
vbma9228
Files to delete:
c:\windows\system32\drivers\vbma9228.sys
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll
C:\Documents and Settings\All Users\Application Data\.wtav


#11 smeadows00

smeadows00
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 03 January 2011 - 05:43 PM

...it's working! Will "POST" in a bit!

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:54 PM

Posted 03 January 2011 - 05:52 PM

:thumbup2:

#13 smeadows00

smeadows00
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 03 January 2011 - 06:56 PM

Okay Brother...I sure am glad YOU can read these things and "know" that there is still something there...If there "IS" something there, it is doing an awfully good job of hiding from me! That's why I had to call in the "Big Dogs!" Which is YOU! I followed your directions explicitly, as you requested...POSTED are the three-(3) logs:

~~~~~ The "AVENGER" log:


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Mon Jan 03 17:13:52 2011

17:13:52: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Mon Jan 03 17:14:53 2011

17:14:53: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Mon Jan 03 17:40:21 2011

17:40:21: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\userinit" not found!
Deletion of driver "userinit" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "vbma9228" deleted successfully.
File "c:\windows\system32\drivers\vbma9228.sys" deleted successfully.
File "C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll" deleted successfully.
File "C:\Documents and Settings\All Users\Application Data\.wtav" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



~~~~~ The "JUNCTION" log:


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


Failed to open \\?\c:\\System Volume Information: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Administrator\Desktop\Norton_Power_Eraser\NPE.exe: Access is denied.


Failed to open \\?\c:\\Documents and Settings\Melissa\Desktop\gmer\gmer.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.


Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\bd7ee596-40c5-4bbb-916c-16f20481b55e.com: Access is denied.



Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe: Access is denied.


.\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
.
..


~~~~~ ...and finally, The "TDSSKiller" log:

2011/01/03 18:42:39.0296 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/03 18:42:39.0296 ================================================================================
2011/01/03 18:42:39.0296 SystemInfo:
2011/01/03 18:42:39.0296
2011/01/03 18:42:39.0296 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/03 18:42:39.0296 Product type: Workstation
2011/01/03 18:42:39.0296 ComputerName: DELL-11203D064A
2011/01/03 18:42:39.0296 UserName: Melissa
2011/01/03 18:42:39.0296 Windows directory: C:\WINDOWS
2011/01/03 18:42:39.0296 System windows directory: C:\WINDOWS
2011/01/03 18:42:39.0296 Processor architecture: Intel x86
2011/01/03 18:42:39.0296 Number of processors: 1
2011/01/03 18:42:39.0296 Page size: 0x1000
2011/01/03 18:42:39.0296 Boot type: Normal boot
2011/01/03 18:42:39.0296 ================================================================================
2011/01/03 18:42:39.0531 Initialize success
2011/01/03 18:42:53.0421 ================================================================================
2011/01/03 18:42:53.0421 Scan started
2011/01/03 18:42:53.0421 Mode: Manual;
2011/01/03 18:42:53.0421 ================================================================================
2011/01/03 18:42:53.0703 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/03 18:42:53.0781 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/03 18:42:53.0859 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/03 18:42:53.0906 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/03 18:42:53.0968 AFGSp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\AFGSp50.sys
2011/01/03 18:42:54.0171 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/03 18:42:54.0187 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/03 18:42:54.0296 ati2mtag (f0d0b0cdec0be32d775f404cac2604bf) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/01/03 18:42:54.0343 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/03 18:42:54.0390 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/03 18:42:54.0453 b57w2k (4826fcf97c47b361a2e2f68cd487a19e) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/01/03 18:42:54.0500 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/03 18:42:54.0546 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/03 18:42:54.0593 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/01/03 18:42:54.0640 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/03 18:42:54.0687 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/03 18:42:54.0703 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/03 18:42:54.0750 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2011/01/03 18:42:54.0906 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/03 18:42:54.0968 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/03 18:42:55.0078 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/03 18:42:55.0156 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/03 18:42:55.0187 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/03 18:42:55.0234 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/03 18:42:55.0281 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/03 18:42:55.0312 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/01/03 18:42:55.0343 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/03 18:42:55.0375 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/01/03 18:42:55.0421 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/03 18:42:55.0437 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/03 18:42:55.0468 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/03 18:42:55.0500 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/01/03 18:42:55.0515 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/03 18:42:55.0546 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/03 18:42:55.0625 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/03 18:42:55.0703 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/03 18:42:55.0750 iastor (294110966cedd127629c5be48367c8cf) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2011/01/03 18:42:55.0765 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/03 18:42:55.0890 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2011/01/03 18:42:55.0968 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2011/01/03 18:42:56.0000 IntelC53 (cf0b937710cec6ef39416edecd803cbb) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2011/01/03 18:42:56.0015 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/01/03 18:42:56.0031 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/01/03 18:42:56.0078 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/03 18:42:56.0140 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/03 18:42:56.0156 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/03 18:42:56.0203 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/03 18:42:56.0250 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/03 18:42:56.0281 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/03 18:42:56.0312 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/03 18:42:56.0359 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/03 18:42:56.0390 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/03 18:42:56.0437 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/03 18:42:56.0578 Lvckap (bd0d8c9e3aef163dafa0a3c27106d049) C:\WINDOWS\system32\drivers\Lvckap.sys
2011/01/03 18:42:56.0796 lvmvdrv (c2ad4603075b1c58d92b6bb00e08e958) C:\WINDOWS\system32\drivers\lvmvdrv.sys
2011/01/03 18:42:56.0937 LVPrcMon (4fd5a6335fb4fc1f758088b2f90613fe) C:\WINDOWS\system32\drivers\LVPrcMon.sys
2011/01/03 18:42:56.0984 LVUSBSta (c0883f7914afa7feaa41ada0d513ac16) C:\WINDOWS\system32\drivers\lvusbsta.sys
2011/01/03 18:42:57.0046 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/03 18:42:57.0093 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/03 18:42:57.0125 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/01/03 18:42:57.0140 mohfilt (59b8b11ff70728eec60e72131c58b716) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
2011/01/03 18:42:57.0171 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/03 18:42:57.0203 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/03 18:42:57.0281 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
2011/01/03 18:42:57.0328 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
2011/01/03 18:42:57.0359 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/03 18:42:57.0421 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/03 18:42:57.0468 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/03 18:42:57.0515 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/03 18:42:57.0546 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/03 18:42:57.0578 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/03 18:42:57.0625 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/03 18:42:57.0671 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/01/03 18:42:57.0703 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/03 18:42:57.0734 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/01/03 18:42:57.0750 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/03 18:42:57.0796 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/01/03 18:42:57.0828 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/03 18:42:57.0859 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/03 18:42:57.0890 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/03 18:42:57.0906 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/03 18:42:57.0921 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/03 18:42:57.0968 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/03 18:42:58.0015 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/03 18:42:58.0046 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/03 18:42:58.0093 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/03 18:42:58.0140 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/03 18:42:58.0171 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/03 18:42:58.0203 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
2011/01/03 18:42:58.0234 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/03 18:42:58.0250 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/03 18:42:58.0281 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/03 18:42:58.0312 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/03 18:42:58.0359 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/03 18:42:58.0406 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/03 18:42:58.0484 PD0620VID (ea296b87ba381c640b441d95f90785f8) C:\WINDOWS\system32\DRIVERS\P0620Vid.sys
2011/01/03 18:42:58.0640 pepifilter (e111fab6c740a1a44e750c2061a23239) C:\WINDOWS\system32\DRIVERS\lv302af.sys
2011/01/03 18:42:58.0796 PID_08A0 (36eddcefdd036fffa95aa84d1645dd67) C:\WINDOWS\system32\DRIVERS\LV302AV.SYS
2011/01/03 18:42:58.0906 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/03 18:42:58.0937 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/03 18:42:59.0031 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/03 18:42:59.0140 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/03 18:42:59.0171 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/03 18:42:59.0187 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/03 18:42:59.0218 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/03 18:42:59.0250 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/03 18:42:59.0265 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/03 18:42:59.0312 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/03 18:42:59.0343 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/03 18:42:59.0437 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/01/03 18:42:59.0468 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/01/03 18:42:59.0531 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/03 18:42:59.0593 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
2011/01/03 18:42:59.0640 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/03 18:42:59.0687 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/03 18:42:59.0703 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/03 18:42:59.0781 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/01/03 18:42:59.0843 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
2011/01/03 18:42:59.0906 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/03 18:42:59.0968 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/03 18:43:00.0031 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/03 18:43:00.0062 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/01/03 18:43:00.0109 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/03 18:43:00.0125 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/03 18:43:00.0234 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/03 18:43:00.0281 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/03 18:43:00.0343 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/03 18:43:00.0359 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/03 18:43:00.0421 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/03 18:43:00.0500 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/03 18:43:00.0562 UMAXPCLS (931e8cafcaa536e8252cd7a375ff9794) C:\WINDOWS\system32\DRIVERS\umaxpcls.sys
2011/01/03 18:43:00.0609 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/03 18:43:00.0687 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/01/03 18:43:00.0718 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/03 18:43:00.0750 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/03 18:43:00.0765 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/03 18:43:00.0796 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/03 18:43:00.0812 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/03 18:43:00.0843 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/03 18:43:00.0875 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/03 18:43:00.0906 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/03 18:43:00.0953 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/03 18:43:00.0984 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/03 18:43:01.0046 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/03 18:43:01.0140 WpdUsb (c60dc16d4e406810fad54b98dc92d5ec) C:\WINDOWS\system32\Drivers\wpdusb.sys
2011/01/03 18:43:01.0203 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/01/03 18:43:01.0250 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/03 18:43:01.0281 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/03 18:43:01.0531 ================================================================================
2011/01/03 18:43:01.0531 Scan finished
2011/01/03 18:43:01.0531 ================================================================================



Hope all this helps! Let me know what & where to go from here...or...if I just need to go ahead and place a "small" thermo-nuclear device next to the processor! Thanks again for "ALL" your fine assistance Brother!

...as always...

<>< Scott

Edited by farbar, 03 January 2011 - 08:03 PM.
Edited to remove empty spaces


#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:54 PM

Posted 03 January 2011 - 07:09 PM

Well done. :thumbup2:

It is good news and we need to follow up. From now on you should be able to run the tools. If you previously uninstalled Malwarebytes you need to reinstall it again. I see its file was locked and after running the perms tool it will be unlocked. A Quick Scan after updating will do.

  • Download http://download.bleepingcomputer.com/farbar/Perm.exe and run it.

    Copy and paste the following in the edit box and press Restore Permissions button:

    c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    c:\Program Files\SUPERAntiSpyware\bd7ee596-40c5-4bbb-916c-16f20481b55e.com
    c:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    c:\Documents and Settings\Administrator\Desktop\Norton_Power_Eraser\NPE.exe
    c:\Documents and Settings\Melissa\Desktop\gmer\gmer.exe
    When finished click OK to exit.
  • Open your Malwarebytes' Anti-Malware.
  • First update it, to do that under the Update tab press "Check for Updates".
  • Under Scanner tab select "Perform Quick Scan", then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


#15 smeadows00

smeadows00
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 03 January 2011 - 07:44 PM

Okay my Brother...following is/are the results from the "Quick" Malwarebyte's AntiMalware scan:

~~~~~ The "MBAM" log:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5450

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/3/2011 7:35:44 PM
mbam-log-2011-01-03 (19-35-44).txt

Scan type: Quick scan
Objects scanned: 152250
Time elapsed: 3 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4D7B-9389-0F166788785A} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9FF05104-B030-46FC-94B8-81276E4E27DF} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Value: {07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Value: {00A6FAF6-072E-44CF-8957-5838F569A31D} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Value: {07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44cf-8957-5838F569A31D} (Adware.MyWebSearch) -> Value: {00A6FAF6-072E-44cf-8957-5838F569A31D} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Value: (default) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyWebSearch Email Plugin (Adware.MyWebSearch) -> Value: MyWebSearch Email Plugin -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\fffb22f1.tmp (Rogue.Antivirus2010) -> Quarantined and deleted successfully.



So...where to from here? I did copy & paste this log "before" the MBAM re-boot.

Anxiously awaiting your reply...


<>< Scott




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users