
Malware Infection with Fake Antivirus please help


This topic is locked
54 replies to this topic

#1 Chris Atamian

Chris Atamian

  • Members
  • 30 posts
  • OFFLINE
  • Local time:05:33 PM

Posted 29 January 2011 - 12:13 PM

I am working on a friend's computer, Dell Inspiron Mini running WIN XP Home SP3. No Anti Virus software installed but it does appear to have most of the required updates.

I got the unit with a complaint there was pop up fake antivirus program that locked up the PC. It was registered in the Control Panel and was removed through the Add/Remove programs. They don't remember exactly what it was.

Here is what I see. Everything seemed normal at first. I loaded all the windows updates needed, no problem. I loaded the Windows security tools, it started to run once and will not start. I get several re-directs when surfing for Anti Malware software. Cannot run any of my standard tools.

Spybot installs, runs but terminates
Malwarebytes installs, runs but terminates at about 9 seconds, unable to run again without reinstallation.
Hijack runs and terminates.

I have tried each of these with alternate names and extensions (.scr or .com) Nothing seems to run.

I have been through the running processes and don't see anything obvious. I've looked up everything running and again nothing obvious (I'm guessing it's named to look like a valid process.)

I picked up a copy of Rkill. It ran but nothing changed in the symptoms. I do have one clue. I used a removable drive to install the tools on the Dell Mini. After working last night I plugged the same drive into my laptop and my Antivirus Software picked up on an infection on the Drive (Bloodhound.Exploit.343)

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Bloodhound.Exploit.343
File: E:\1F6D0078.lnk
Location: E:
Computer:
User:
Action taken: Pending Side Effects Analysis : Access denied
Date found: Saturday, January 22, 2011 8:03:25 AM

Defogger has been run to disable any CD Emulation Software

DDS TEXT:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Bridget at 11:59:34.00 on Sat 01/22/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.498 [GMT -7:00]


============== Running Processes ===============

"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Dell\Digital TV\Kernel\TV\TVECapSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell\Digital TV\Kernel\TV\TVESched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\WSED\WSED.exe
C:\Program Files\Dell\Digital TV\TVEService.exe
"C:\Documents and Settings\Bridget\Application Data\Microsoft\svchost.exe"
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Dell\PlayMovie\PMVService.exe
C:\WINDOWS\system32\PersistenceThread.exe
C:\Program Files\Dell\Media Experience\PCMAgent.exe
C:\WINDOWS\OA012Mon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\Dell\Media Experience\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Bridget\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.live.com
uInternet Settings,ProxyServer = http=127.0.0.1:50370
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun: [WSED] c:\program files\wsed\WSED.exe
mRun: [TVEService] "c:\program files\dell\digital tv\TVEService.exe"
mRun: [svchost] c:\documents and settings\bridget\application data\microsoft\svchost.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [PlayMovie] "c:\program files\dell\playmovie\PMVService.exe"
mRun: [PersistenceThread] c:\windows\system32\PersistenceThread.exe
mRun: [PCMAgent] "c:\program files\dell\media experience\PCMAgent.exe"
mRun: [OA012Mon] c:\windows\OA012Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [CLMLServer] "c:\program files\dell\media experience\kernel\clml\CLMLSvc.exe"
mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\bridget\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igdlogin - igdlogin.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-8-19 14248]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-12-18 155648]
R2 TVECapSvc;TVEnhance Background Capture Service (TBCS);c:\program files\dell\digital tv\kernel\tv\TVECapSvc.exe [2009-8-19 382304]
R2 TVESched;TVEnhance Task Scheduler (TTS));c:\program files\dell\digital tv\kernel\tv\TVESched.exe [2009-8-19 189792]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-8-19 143840]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [2009-8-19 93952]
R3 hcw95bda;Hauppauge MOD7700 Tuner Driver;c:\windows\system32\drivers\hcw95bda.sys [2009-8-19 572416]
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [2009-8-19 5088896]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-8-19 110080]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [2009-8-19 135168]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [2009-8-19 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [2009-8-19 272032]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-8-19 157696]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-19 1684736]

=============== Created Last 30 ================

2011-01-22 02:56:06 -------- d-----w- c:\program files\getum
2011-01-22 02:56:06 -------- d-----w- c:\docume~1\bridget\applic~1\Malwarebytes
2011-01-22 02:56:03 -------- d--h--w- c:\windows\PIF
2011-01-22 02:20:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-22 02:20:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-22 02:20:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-22 01:29:14 -------- d-----w- C:\new
2011-01-20 03:05:12 -------- d-----w- C:\job
2011-01-20 02:25:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-20 02:25:51 -------- d-----w- C:\Malwarebytes' Anti-Malware
2011-01-19 02:50:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-19 02:42:46 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-01-19 02:35:29 -------- d-----w- c:\docume~1\bridget\locals~1\applic~1\Stardock_Corporation
2011-01-19 02:18:36 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-01-19 02:17:47 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-01-19 02:17:42 -------- d-sh--w- c:\documents and settings\bridget\IECompatCache
2011-01-19 02:15:14 -------- d-sh--w- c:\documents and settings\bridget\PrivacIE
2011-01-19 02:07:11 100864 ----a-w- c:\docume~1\bridget\applic~1\microsoft\svchost.exe
2011-01-19 02:07:10 -------- d-----w- c:\docume~1\bridget\locals~1\applic~1\SupportSoft
2011-01-18 20:40:04 -------- d-----w- c:\windows\pss

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:27:10 1862272 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_HM160HI rev.HH100-14 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8652EAB8]
3 CLASSPNP[0xF75FDFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8638C030]
\Driver\Disk[0x8652AA48] -> IRP_MJ_CREATE -> 0xF780211B
error: Read The system cannot find the file specified.
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_HM160HI_________________________HH100-14#5&21222167&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK

============= FINISH: 12:00:15.59 ===============

I have included the two files requested but I have not been able to get GMER to run using any of the links. The program terminates just like Malwarebytes and spybot.


Any help would be great.

Attached Files




#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:33 AM

Posted 04 February 2011 - 05:39 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.


Regards,
Georgi :hello:



#3 Chris Atamian

Chris Atamian
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:05:33 PM

Posted 04 February 2011 - 11:47 AM

Dell Inspiron Mini running WIN XP Home 32bit SP3 (No original OS Discs, this system comes pre loaded NO CD/DVD Drive).

I have not done anything since the original post. These logs are new today.

I originally got the unit with a complaint from the owners that there was a pop up fake antivirus program that locked up the PC. It was registered in the Control Panel and was removed through the Add/Remove programs. They don't remember exactly what it was.

Here is what I see. Everything seemed normal at first. I loaded all the windows updates needed, no problem. I loaded the Windows security tools, it started to run once and will not start. I get several re-directs when surfing for Anti Malware software and cannot run any of my AV/Malware standard tools. This system occasionally has difficulty restarting. I often need to use the power button to shut it down.

* Spybot installs, runs but terminates
* Malwarebytes installs, runs but terminates at about 9 seconds, unable to run again without reinstallation.
* Hijack runs and terminates.
* GMER runs initial scan, once I change the selections as directed and hit scan, the program terminates. I did attach a saved log from the initial run in case that may help.

I have tried each of these with alternate names and extensions (.scr or .com) with no luck.

Thank you for any assistance you can provide.

Chris


DDS (Ver_10-12-12.02) - NTFSx86
Run by Bridget at 9:18:38.59 on Fri 02/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.425 [GMT -7:00]


============== Running Processes ===============

"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Dell\Digital TV\Kernel\TV\TVECapSvc.exe
C:\Program Files\Dell\Digital TV\Kernel\TV\TVESched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\WSED\WSED.exe
C:\Program Files\Dell\Digital TV\TVEService.exe
C:\Program Files\Dell\DellDock\DellDock.exe
"C:\Documents and Settings\Bridget\Application Data\Microsoft\svchost.exe"
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Dell\PlayMovie\PMVService.exe
C:\WINDOWS\system32\PersistenceThread.exe
C:\Program Files\Dell\Media Experience\PCMAgent.exe
C:\WINDOWS\OA012Mon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\Dell\Media Experience\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscript.exe
C:\Documents and Settings\Bridget\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.live.com
uInternet Settings,ProxyServer = http=127.0.0.1:50370
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun: [WSED] c:\program files\wsed\WSED.exe
mRun: [TVEService] "c:\program files\dell\digital tv\TVEService.exe"
mRun: [svchost] c:\documents and settings\bridget\application data\microsoft\svchost.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [PlayMovie] "c:\program files\dell\playmovie\PMVService.exe"
mRun: [PersistenceThread] c:\windows\system32\PersistenceThread.exe
mRun: [PCMAgent] "c:\program files\dell\media experience\PCMAgent.exe"
mRun: [OA012Mon] c:\windows\OA012Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [CLMLServer] "c:\program files\dell\media experience\kernel\clml\CLMLSvc.exe"
mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\bridget\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
LSP: mswsock.dll
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igdlogin - igdlogin.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-8-19 14248]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-12-18 155648]
R2 TVECapSvc;TVEnhance Background Capture Service (TBCS);c:\program files\dell\digital tv\kernel\tv\TVECapSvc.exe [2009-8-19 382304]
R2 TVESched;TVEnhance Task Scheduler (TTS));c:\program files\dell\digital tv\kernel\tv\TVESched.exe [2009-8-19 189792]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-8-19 143840]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [2009-8-19 93952]
R3 hcw95bda;Hauppauge MOD7700 Tuner Driver;c:\windows\system32\drivers\hcw95bda.sys [2009-8-19 572416]
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [2009-8-19 5088896]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-8-19 110080]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [2009-8-19 135168]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [2009-8-19 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [2009-8-19 272032]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-8-19 157696]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-19 1684736]

=============== Created Last 30 ================

2011-01-22 02:56:06 -------- d-----w- c:\program files\getum
2011-01-22 02:56:06 -------- d-----w- c:\docume~1\bridget\applic~1\Malwarebytes
2011-01-22 02:56:03 -------- d--h--w- c:\windows\PIF
2011-01-22 02:20:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-22 02:20:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-22 02:20:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-22 01:29:14 -------- d-----w- C:\new
2011-01-20 03:05:12 -------- d-----w- C:\job
2011-01-20 02:25:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-20 02:25:51 -------- d-----w- C:\Malwarebytes' Anti-Malware
2011-01-19 02:50:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-19 02:42:46 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-01-19 02:35:29 -------- d-----w- c:\docume~1\bridget\locals~1\applic~1\Stardock_Corporation
2011-01-19 02:18:36 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-01-19 02:17:47 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-01-19 02:17:42 -------- d-sh--w- c:\documents and settings\bridget\IECompatCache
2011-01-19 02:15:14 -------- d-sh--w- c:\documents and settings\bridget\PrivacIE
2011-01-19 02:07:11 100864 ----a-w- c:\docume~1\bridget\applic~1\microsoft\svchost.exe
2011-01-19 02:07:10 -------- d-----w- c:\docume~1\bridget\locals~1\applic~1\SupportSoft
2011-01-18 20:40:04 -------- d-----w- c:\windows\pss

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_HM160HI rev.HH100-14 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xF77F211B]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; PUSH EBX; PUSH ESI; PUSH EDI; CMP EAX, [0xf77f5888]; JNZ 0x1f; MOV EBX, [EBP+0xc]; CALL 0xfffffffffffffd3b; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8653AAB8]
3 CLASSPNP[0xF75FDFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x863D9F08]
\Driver\Disk[0x86485880] -> IRP_MJ_CREATE -> 0xF77F211B
error: Read The system cannot find the file specified.
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_HM160HI_________________________HH100-14#5&21222167&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 9:19:03.28 ===============



Attached Files
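Added example, not part of the thread and not code from any of its participants or from the DDS/GMER tools: a small Python triage script that runs over the indicators visible in the logs posted in #1 and #3 above. SAMPLE_LOG is an excerpt constructed from those posted lines, not a full log; the section regex, the SYSTEM32_ONLY name list, PROFILE_DIRS and the classification rules are my own assumptions about what a log reviewer looks for, not anything DDS or GMER define. It flags what a helper would zero in on here: a process launched from a \\.\globalroot device path, svchost.exe running and autostarting from the user's Application Data folder, the ProxyServer entry forcing the browser through a loopback port (consistent with the search redirects), and the GMER disk trace whose IRP_MJ_CREATE dispatch points at an address belonging to no known module.

```python
"""Triage the Running Processes, Pseudo HJT and ROOTKIT sections of a DDS log.

Constructed example: SAMPLE_LOG is an excerpt of lines from the logs posted in
this thread. The classification rules below are the author's own heuristics.
"""
import re

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # "=== Section Name ==="
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")  # GMER marker
# Assumption: these system binaries only ever run from system32 on a clean XP box.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\documents and settings\\")

SAMPLE_LOG = r'''
============== Running Processes ===============

"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
"C:\Documents and Settings\Bridget\Application Data\Microsoft\svchost.exe"
C:\WINDOWS\system32\wscript.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=127.0.0.1:50370
mRun: [TVEService] "c:\program files\dell\digital tv\TVEService.exe"
mRun: [svchost] c:\documents and settings\bridget\application data\microsoft\svchost.exe
mRun: [RTHDCPL] RTHDCPL.EXE

=================== ROOTKIT ====================

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xF77F211B]<<
\Driver\Disk[0x86485880] -> IRP_MJ_CREATE -> 0xF77F211B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
'''


def split_sections(text):
    """Map each '=== Name ===' header (lower-cased) to the non-empty lines under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def exe_path(entry):
    """Executable path from a process or Run entry, without quotes or arguments."""
    m = re.match(r'"?(.+?\.(?:exe|scr|com|dll))"?(?:\s|$)', entry, re.I)
    if m:
        return m.group(1)
    return entry.split(" -")[0].strip('"')  # e.g. "...\svchost -k DcomLaunch"


def classify_path(path):
    """Why a path deserves a second look, or None. Bare names carry no directory to judge."""
    low = path.lower()
    if "\\" not in low:
        return None
    name = low.rsplit("\\", 1)[-1]
    if low.startswith("\\\\.\\globalroot\\") or "\\device\\" in low:
        return "launched via a device/globalroot path instead of a file path"
    if name in SYSTEM32_ONLY and not low.startswith(SYSTEM32):
        return f"{name} outside {SYSTEM32} (masquerading as a system binary)"
    if any(d in low for d in PROFILE_DIRS):
        return "executable running from a user-profile directory"
    return None


def check_processes(lines):
    findings = []
    for line in lines:
        path = exe_path(line)
        reason = classify_path(path)
        if reason:
            findings.append(("process", reason, path))
    return findings


def check_hjt(lines):
    findings = []
    for line in lines:
        low = line.lower()
        if "proxyserver" in low and ("127.0.0.1" in low or "localhost" in low):
            findings.append(("hjt", "browser proxy forced through a local loopback port", line))
        elif low.startswith("mrun:") or low.startswith("urun:"):
            target = line.split("] ", 1)[1] if "] " in line else ""
            reason = classify_path(exe_path(target))
            if reason:
                findings.append(("hjt", "autorun entry: " + reason, line))
    return findings


def check_rootkit(lines):
    findings = []
    # First pass: addresses GMER could not attribute to any loaded module.
    unknown = {a.lower() for line in lines for a in UNKNOWN_RE.findall(line)}
    for line in lines:
        if UNKNOWN_RE.search(line):
            findings.append(("rootkit", "disk I/O path contains code from no known module", line))
        elif "IRP_MJ_" in line and line.rsplit("-> ", 1)[-1].lower() in unknown:
            findings.append(("rootkit", "disk driver dispatch routine redirected into unknown code", line))
        elif line.lower().startswith("warning:"):
            findings.append(("rootkit", "scanner warning", line))
    return findings


def triage(text):
    """Return (section, reason, evidence) triples for everything worth a second look."""
    sections = split_sections(text)
    findings = []
    findings += check_processes(sections.get("running processes", []))
    findings += check_hjt(sections.get("pseudo hjt report", []))
    findings += check_rootkit(sections.get("rootkit", []))
    return findings


if __name__ == "__main__":
    for section, reason, evidence in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {evidence}")
```

Run it as a script to print the findings, or pass a whole DDS log to triage(). Processes the log lists by bare name only (the several plain `svchost.exe` lines above) are deliberately not judged, since there is no directory to check; and a quiet result is no proof of a clean machine, because the script only sees what the log shows and a rootkit that hides its files hides them from DDS as well.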



#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:33 AM

Posted 05 February 2011 - 06:59 AM

Hello Chris Atamian ! Welcome to BleepingComputer Forums! :welcome:

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.



IMPORTANT NOTE: One or more of the identified infections is related to the rootkit Agent component. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again.
It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:



STEP 1



Please open the Device Manager.

Click Start => Run type in the following text and click OK:

devmgmt.msc

The Device Manager window should now be open. In the menu at the top, click the View tab and click 'Show hidden devices'

Scroll down to System Devices. Click the + sign to expand, and look for a device with [cmz vmkd] in the name. If it is there, right click the device and select 'disable'

See the picture below:

Posted Image



STEP 2



We need to reset the permissions altered by the malware on some files.
  • Download this tool and save it: http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe
  • Copy and paste Inherit.exe to the same directory where the following file is located, then drag the mbam.exe to the tool and drop it:
    C:\Program Files\Malwarebytes' Anti-Malware
    Posted Image
  • When finished click OK. You may remove the Inherit.exe from the directory.



STEP 3



  • I see you have Malwarebytes' Anti-Malware installed on your computer.
  • Please start the application by double-clicking on its icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and post the results in your next reply.



Regards,
Georgi



#5 Chris Atamian
  • Topic Starter
  • Members
  • 30 posts

Posted 05 February 2011 - 11:49 AM

Thanks Georgi ~

There was in fact a device labeled [cmz vmkd] Virtual Bus. I disabled it as requested.

Downloaded and saved the Inherit.exe

Ran Malwarebytes after update. See log below:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5684

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/5/2011 9:39:31 AM
mbam-log-2011-02-05 (09-39-31).txt

Scan type: Quick scan
Objects scanned: 190757
Time elapsed: 9 minute(s), 3 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
c:\documents and settings\Bridget\application data\microsoft\svchost.exe (Trojan.Agent) -> 2692 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wdf01000 (Rootkit.ZAccess) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) -> Value: svchost -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Bridget\application data\microsoft\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\wdf01000.sys (Rootkit.ZAccess) -> Quarantined and deleted successfully.
c:\documents and settings\erickriebel\application data\microsoft\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\TEMP\application data\microsoft\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\TEMP\application data\microsoft\Windows\shell.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\us?rinit.exe (Rogue.Antivirus2010) -> Delete on reboot.
c:\WINDOWS\system32\drivers\vbmabb88.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\TEMP\local settings\Temp\7B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\TEMP\local settings\Temp\dwm.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Bridget\application data\microsoft\stor.cfg (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\erickriebel\application data\microsoft\stor.cfg (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\TEMP\application data\microsoft\stor.cfg (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\TEMP\start menu\Programs\Startup\chkntfs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.




#6 B-boy/StyLe/
    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender: Male
  • Location: Bulgaria

Posted 05 February 2011 - 12:52 PM

Hi Chris Atamian, :)



Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

    Posted Image
  • If an infected file is detected, the default action will be Cure, click on Continue.

    Posted Image
  • If a service named vbma*.sys (where the * stands for a number or letters) is detected, the default action will be Skip, change it to Delete at the top then click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • Select Skip for sptd.sys as well.

    Posted Image
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

    Posted Image
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



Regards,
Georgi


Edit: repaired missing image link.

Edited by B-boy/StyLe/, 05 February 2011 - 12:53 PM.



#7 Chris Atamian
  • Topic Starter
  • Members
  • 30 posts

Posted 05 February 2011 - 01:36 PM

Georgi ~

All went as requested. Reboot required. See log file below:

One thought. I reviewed your initial reply recommending format and re-install of OS. I did some reading on this PC. It contains a hidden restore partition. There is nothing on this PC the owners want to keep, if you think we should try that, let me know. I don't know what Dell's restore process does as far as formatting the drive or how it handles the hidden partition.

2011/02/05 11:20:30.0000 2860 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03
2011/02/05 11:20:30.0390 2860 ================================================================================
2011/02/05 11:20:30.0390 2860 SystemInfo:
2011/02/05 11:20:30.0390 2860
2011/02/05 11:20:30.0390 2860 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/05 11:20:30.0390 2860 Product type: Workstation
2011/02/05 11:20:30.0390 2860 ComputerName: BDOG
2011/02/05 11:20:30.0390 2860 UserName: Bridget
2011/02/05 11:20:30.0390 2860 Windows directory: C:\WINDOWS
2011/02/05 11:20:30.0390 2860 System windows directory: C:\WINDOWS
2011/02/05 11:20:30.0390 2860 Processor architecture: Intel x86
2011/02/05 11:20:30.0390 2860 Number of processors: 2
2011/02/05 11:20:30.0390 2860 Page size: 0x1000
2011/02/05 11:20:30.0390 2860 Boot type: Normal boot
2011/02/05 11:20:30.0390 2860 ================================================================================
2011/02/05 11:20:30.0781 2860 Initialize success
2011/02/05 11:20:43.0531 3540 ================================================================================
2011/02/05 11:20:43.0531 3540 Scan started
2011/02/05 11:20:43.0531 3540 Mode: Manual;
2011/02/05 11:20:43.0531 3540 ================================================================================
2011/02/05 11:20:44.0250 3540 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/02/05 11:20:44.0343 3540 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/05 11:20:44.0375 3540 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/02/05 11:20:44.0437 3540 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/02/05 11:20:44.0515 3540 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/02/05 11:20:44.0593 3540 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/02/05 11:20:44.0625 3540 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/02/05 11:20:44.0656 3540 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/02/05 11:20:44.0718 3540 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/02/05 11:20:44.0750 3540 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/02/05 11:20:44.0781 3540 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/02/05 11:20:44.0859 3540 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/02/05 11:20:44.0906 3540 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/02/05 11:20:45.0015 3540 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
2011/02/05 11:20:45.0109 3540 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/02/05 11:20:45.0156 3540 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/02/05 11:20:45.0203 3540 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/02/05 11:20:45.0234 3540 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/02/05 11:20:45.0281 3540 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/02/05 11:20:45.0343 3540 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/05 11:20:45.0406 3540 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/05 11:20:45.0484 3540 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/05 11:20:45.0562 3540 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/05 11:20:45.0703 3540 BCM43XX (2354560c307ee79546ee938db0aa3f87) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2011/02/05 11:20:45.0812 3540 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/05 11:20:45.0875 3540 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/02/05 11:20:45.0906 3540 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/05 11:20:45.0968 3540 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/02/05 11:20:46.0015 3540 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/02/05 11:20:46.0062 3540 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/05 11:20:46.0093 3540 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/05 11:20:46.0140 3540 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/05 11:20:46.0250 3540 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/02/05 11:20:46.0312 3540 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/02/05 11:20:46.0359 3540 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/02/05 11:20:46.0421 3540 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/02/05 11:20:46.0500 3540 CtClsFlt (b27d15c551a6678137c6b751b160756d) C:\WINDOWS\system32\DRIVERS\CtClsFlt.sys
2011/02/05 11:20:46.0578 3540 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/02/05 11:20:46.0609 3540 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/02/05 11:20:46.0671 3540 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/05 11:20:46.0765 3540 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/02/05 11:20:46.0828 3540 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/02/05 11:20:46.0859 3540 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/02/05 11:20:46.0937 3540 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/02/05 11:20:47.0000 3540 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/02/05 11:20:47.0046 3540 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/05 11:20:47.0140 3540 EMSC (a6da3468ffafbdce403ef2973ff03865) C:\WINDOWS\system32\DRIVERS\EMSC.SYS
2011/02/05 11:20:47.0187 3540 ETD (8d4e95d0f5c6ab46baa4deded7aef1e6) C:\WINDOWS\system32\DRIVERS\ETD.sys
2011/02/05 11:20:47.0250 3540 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/05 11:20:47.0312 3540 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/02/05 11:20:47.0359 3540 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/02/05 11:20:47.0390 3540 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/02/05 11:20:47.0453 3540 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/02/05 11:20:47.0500 3540 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/05 11:20:47.0562 3540 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/05 11:20:47.0609 3540 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/05 11:20:47.0703 3540 hcw95bda (b72b0158ca8f21b5b888169072c2b3cc) C:\WINDOWS\system32\Drivers\hcw95bda.sys
2011/02/05 11:20:47.0750 3540 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/02/05 11:20:47.0812 3540 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/02/05 11:20:47.0890 3540 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/02/05 11:20:47.0968 3540 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/05 11:20:48.0062 3540 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/02/05 11:20:48.0109 3540 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/02/05 11:20:48.0171 3540 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/02/05 11:20:48.0390 3540 igd (df07f31bde73577c670360ff897f27f1) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/02/05 11:20:48.0718 3540 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/05 11:20:48.0796 3540 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/02/05 11:20:49.0031 3540 IntcAzAudAddService (cb1113029fae50c685198eabd9885161) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/02/05 11:20:49.0218 3540 IntcHdmiAddService (64c301d73db18ebdc8680ca82d82af2d) C:\WINDOWS\system32\drivers\IntcHdmi.sys
2011/02/05 11:20:49.0296 3540 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/02/05 11:20:49.0375 3540 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/02/05 11:20:49.0437 3540 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/02/05 11:20:49.0468 3540 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/05 11:20:49.0531 3540 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/05 11:20:49.0609 3540 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/05 11:20:49.0671 3540 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/02/05 11:20:49.0734 3540 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/02/05 11:20:49.0812 3540 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/02/05 11:20:49.0875 3540 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/02/05 11:20:49.0937 3540 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/02/05 11:20:50.0015 3540 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/02/05 11:20:50.0078 3540 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/02/05 11:20:50.0203 3540 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/02/05 11:20:50.0265 3540 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/02/05 11:20:50.0359 3540 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
2011/02/05 11:20:50.0453 3540 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/02/05 11:20:50.0515 3540 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/02/05 11:20:50.0546 3540 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/02/05 11:20:50.0625 3540 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys
2011/02/05 11:20:50.0703 3540 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/02/05 11:20:50.0750 3540 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/02/05 11:20:50.0828 3540 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/02/05 11:20:50.0890 3540 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/02/05 11:20:50.0984 3540 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/02/05 11:20:51.0015 3540 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/02/05 11:20:51.0078 3540 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/02/05 11:20:51.0125 3540 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/02/05 11:20:51.0187 3540 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/02/05 11:20:51.0218 3540 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/02/05 11:20:51.0265 3540 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/02/05 11:20:51.0328 3540 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/02/05 11:20:51.0359 3540 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/02/05 11:20:51.0406 3540 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/02/05 11:20:51.0453 3540 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/02/05 11:20:51.0484 3540 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/02/05 11:20:51.0546 3540 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/02/05 11:20:51.0593 3540 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/02/05 11:20:51.0656 3540 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/02/05 11:20:51.0750 3540 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/02/05 11:20:51.0843 3540 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/02/05 11:20:51.0953 3540 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/02/05 11:20:52.0000 3540 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/02/05 11:20:52.0062 3540 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/02/05 11:20:52.0125 3540 OA012Afx (aff089842ba83be89e51d7ea0aa09e53) C:\WINDOWS\system32\Drivers\OA012Afx.sys
2011/02/05 11:20:52.0218 3540 OA012Ufd (2cf21d5f8f1b74bb1922135ac2b12ddb) C:\WINDOWS\system32\DRIVERS\OA012Ufd.sys
2011/02/05 11:20:52.0281 3540 OA012Vid (a5342c5a78e01581226658b1e2a4ff51) C:\WINDOWS\system32\DRIVERS\OA012Vid.sys
2011/02/05 11:20:52.0296 3540 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\OA012Vid.sys. Real md5: a5342c5a78e01581226658b1e2a4ff51, Fake md5: 71346423b584daa06ea26e0bd2cb67c2
2011/02/05 11:20:52.0312 3540 OA012Vid - detected Forged file (1)
2011/02/05 11:20:52.0359 3540 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/02/05 11:20:52.0406 3540 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/02/05 11:20:52.0437 3540 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/02/05 11:20:52.0500 3540 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/02/05 11:20:52.0593 3540 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/02/05 11:20:52.0625 3540 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/02/05 11:20:52.0843 3540 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/02/05 11:20:52.0875 3540 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/02/05 11:20:53.0000 3540 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/02/05 11:20:53.0062 3540 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/02/05 11:20:53.0109 3540 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/02/05 11:20:53.0156 3540 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/02/05 11:20:53.0203 3540 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/02/05 11:20:53.0234 3540 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/02/05 11:20:53.0281 3540 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/02/05 11:20:53.0312 3540 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/02/05 11:20:53.0375 3540 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/02/05 11:20:53.0421 3540 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/02/05 11:20:53.0468 3540 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/02/05 11:20:53.0515 3540 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/02/05 11:20:53.0578 3540 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/02/05 11:20:53.0625 3540 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/02/05 11:20:53.0703 3540 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/02/05 11:20:53.0765 3540 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/02/05 11:20:53.0843 3540 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/02/05 11:20:53.0953 3540 RSUSBSTOR (2cb299f6cc04bac8889a52b0ff48a9d7) C:\WINDOWS\system32\Drivers\RTS5121.sys
2011/02/05 11:20:54.0031 3540 RTLE8023xp (6e7470477d08f6e47e91016d6a1c5a5f) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/02/05 11:20:54.0125 3540 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/02/05 11:20:54.0203 3540 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/02/05 11:20:54.0281 3540 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/02/05 11:20:54.0375 3540 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/02/05 11:20:54.0437 3540 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/02/05 11:20:54.0515 3540 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/02/05 11:20:54.0578 3540 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/02/05 11:20:54.0640 3540 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/02/05 11:20:54.0718 3540 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/02/05 11:20:54.0796 3540 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/02/05 11:20:54.0843 3540 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/02/05 11:20:54.0890 3540 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/02/05 11:20:54.0953 3540 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/02/05 11:20:54.0984 3540 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/02/05 11:20:55.0031 3540 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/02/05 11:20:55.0062 3540 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/02/05 11:20:55.0140 3540 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/02/05 11:20:55.0218 3540 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/02/05 11:20:55.0281 3540 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/02/05 11:20:55.0312 3540 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/02/05 11:20:55.0359 3540 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/02/05 11:20:55.0437 3540 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/02/05 11:20:55.0500 3540 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/02/05 11:20:55.0562 3540 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/02/05 11:20:55.0625 3540 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/02/05 11:20:55.0703 3540 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/02/05 11:20:55.0750 3540 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/02/05 11:20:55.0796 3540 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/02/05 11:20:55.0890 3540 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/02/05 11:20:55.0937 3540 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/02/05 11:20:55.0984 3540 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/02/05 11:20:56.0031 3540 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/02/05 11:20:56.0046 3540 Suspicious service (NoAccess): vbmabb88
2011/02/05 11:20:56.0109 3540 vbmabb88 (e56168ccaa41c00296577184e946fc86) C:\WINDOWS\system32\drivers\vbmabb88.sys
2011/02/05 11:20:56.0109 3540 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbmabb88.sys. md5: e56168ccaa41c00296577184e946fc86
2011/02/05 11:20:56.0109 3540 vbmabb88 - detected Locked service (1)
2011/02/05 11:20:56.0140 3540 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/02/05 11:20:56.0218 3540 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/02/05 11:20:56.0265 3540 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/02/05 11:20:56.0312 3540 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/05 11:20:56.0390 3540 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/02/05 11:20:56.0500 3540 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/02/05 11:20:56.0703 3540 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/02/05 11:20:56.0765 3540 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/02/05 11:20:56.0828 3540 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/02/05 11:20:58.0343 3540 ================================================================================
2011/02/05 11:20:58.0343 3540 Scan finished
2011/02/05 11:20:58.0343 3540 ================================================================================
2011/02/05 11:20:58.0390 3536 Detected object count: 2
2011/02/05 11:23:56.0796 3536 Forged file(OA012Vid) - User select action: Skip
2011/02/05 11:23:56.0796 3536 HKLM\SYSTEM\ControlSet001\services\vbmabb88 - will be deleted after reboot
2011/02/05 11:23:57.0437 3536 HKLM\SYSTEM\ControlSet003\services\vbmabb88 - will be deleted after reboot
2011/02/05 11:23:57.0453 3536 C:\WINDOWS\system32\drivers\vbmabb88.sys - will be deleted after reboot
2011/02/05 11:23:57.0453 3536 Locked service(vbmabb88) - User select action: Delete
2011/02/05 11:24:13.0125 2888 Deinitialize success
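
The TDSSKiller log above shows the two detection types this cleanup hinges on: a forged file (OA012Vid.sys, for which the tool prints a "Real" and a "Fake" MD5, meaning what the file system hands back for that file does not match what it finds on disk) and a locked service it cannot open (vbmabb88, "NoAccess"). The script below is an added example, not part of this thread and not a component of TDSSKiller: it parses log lines in that format, pairs each alert with the driver path from the enumeration lines, records the action the operator chose, and lists what was skipped and therefore still needs a decision. The sample lines are excerpted from the log above; the regular expressions are my own assumptions about the log layout, derived from those lines.

```python
"""Triage helper for TDSSKiller 2.4.x text logs (added example, not a TDSSKiller component)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample lines excerpted from the TDSSKiller log posted in the thread; the rest of
# the driver enumeration is omitted to keep the sample short.
SAMPLE_LOG = r"""
2011/02/05 11:20:44.0343 3540 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/05 11:20:52.0281 3540 OA012Vid (a5342c5a78e01581226658b1e2a4ff51) C:\WINDOWS\system32\DRIVERS\OA012Vid.sys
2011/02/05 11:20:52.0296 3540 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\OA012Vid.sys. Real md5: a5342c5a78e01581226658b1e2a4ff51, Fake md5: 71346423b584daa06ea26e0bd2cb67c2
2011/02/05 11:20:52.0312 3540 OA012Vid - detected Forged file (1)
2011/02/05 11:20:56.0046 3540 Suspicious service (NoAccess): vbmabb88
2011/02/05 11:20:56.0109 3540 vbmabb88 (e56168ccaa41c00296577184e946fc86) C:\WINDOWS\system32\drivers\vbmabb88.sys
2011/02/05 11:20:56.0109 3540 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbmabb88.sys. md5: e56168ccaa41c00296577184e946fc86
2011/02/05 11:20:56.0109 3540 vbmabb88 - detected Locked service (1)
2011/02/05 11:23:56.0796 3536 Forged file(OA012Vid) - User select action: Skip
2011/02/05 11:23:57.0453 3536 Locked service(vbmabb88) - User select action: Delete
"""

# Every log line is "<date> <time> <pid> <message>"; only the message matters here.
LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s*(?P<msg>.*)$")
# Driver enumeration line: "<service> (<md5>) <path>"
DRIVER_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# Forged file: the tool reports two different MD5 values for one file.
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), "
    r"Fake md5: (?P<fake>[0-9a-f]{32})$")
# Locked service: the service key or driver file could not be opened.
LOCKED_RE = re.compile(r"^Suspicious service \(NoAccess\): (?P<name>\S+)$")
# The operator's decision for each detected object.
ACTION_RE = re.compile(
    r"^(?P<kind>Forged file|Locked service)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$")


@dataclass
class Finding:
    kind: str                     # "Forged file" or "Locked service"
    name: str                     # service name as TDSSKiller labels the object
    path: Optional[str]           # driver path, when the log provides one
    detail: str                   # why the tool flagged it
    action: Optional[str] = None  # operator's choice: Cure / Delete / Skip / None if not logged


def parse_tdsskiller_log(text: str) -> List[Finding]:
    """Extract the objects TDSSKiller flagged and the action chosen for each."""
    drivers: Dict[str, str] = {}  # service name -> driver path
    actions: Dict[str, str] = {}  # service name -> chosen action
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (d := DRIVER_RE.match(msg)):
            drivers[d.group("name")] = d.group("path")
        elif (f := FORGED_RE.match(msg)):
            findings.append(Finding("Forged file", "", f.group("path"),
                                    f"real md5 {f.group('real')} != fake md5 {f.group('fake')}"))
        elif (k := LOCKED_RE.match(msg)):
            findings.append(Finding("Locked service", k.group("name"), None,
                                    "service key/driver file not accessible (NoAccess)"))
        elif (a := ACTION_RE.match(msg)):
            actions[a.group("name")] = a.group("action")
    # Alert lines may precede or follow the matching enumeration line, so resolve at the end.
    by_path = {p.lower(): n for n, p in drivers.items()}
    for fnd in findings:
        if not fnd.name and fnd.path:
            stem = fnd.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            fnd.name = by_path.get(fnd.path.lower(), stem)
        if fnd.path is None:
            fnd.path = drivers.get(fnd.name)
        fnd.action = actions.get(fnd.name)
    return findings


HANDLED = {"Cure", "Delete"}


def needs_attention(findings: List[Finding]) -> List[Finding]:
    """Findings that were skipped or never acted on, so still need a decision."""
    return [f for f in findings if f.action not in HANDLED]


if __name__ == "__main__":
    found = parse_tdsskiller_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:15} {f.name:10} {f.action or '-':7} {f.path}  [{f.detail}]")
    print("still needs attention:", [f.name for f in needs_attention(found)])
```

Run against the sample, the script reports vbmabb88 as handled (Delete) and OA012Vid as still open (Skip), which is exactly why the next reply asks for a second TDSSKiller pass with that driver set to Delete. The same parser works on a full log saved as TDSSKiller.[Version]_[Date]_[Time]_log.txt; the regular expressions ignore everything they do not recognise, so the header and the long driver list pass through harmlessly.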

#8 B-boy/StyLe/
    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender: Male
  • Location: Bulgaria

Posted 05 February 2011 - 03:27 PM

Hi Chris Atamian, :)



Unfortunately, you have a very nasty infection, with "backdoor" capabilities.
This allows intruders to remotely control the computer, log keystrokes, steal critical system information etc.

If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. This would include contacts like your Internet Provider, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups to which you belong.

Do NOT change passwords or do any transactions while using the infected computer because the intruder may get the new passwords and transaction information.

Yes indeed, reinstalling from scratch is the fastest and safest solution. A compromised system can't be trusted anymore.


However, this is a well-known infection and we can clean it, so please let me know how you want to proceed.


Regards,
Georgi



#9 Chris Atamian
  • Topic Starter
  • Members
  • 30 posts

Posted 05 February 2011 - 04:25 PM

I spoke to the owners. They have not used it for anything other than as a notepad for taking school notes and general surfing. I expressed your concerns and they are comfortable with continuing to clean it.

What would you like me to do next?

Chris

#10 B-boy/StyLe/
    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender: Male
  • Location: Bulgaria

Posted 05 February 2011 - 05:03 PM

Hi Chris Atamian, :)



We need to re-run TDSSKiller to nuke an infected driver.
The web cam driver is infected and we need to remove it temporarily... we will re-install it at the end of the cleaning process, so please don't worry.



Please read carefully and follow these steps.

  • Please double-click on TDSSKiller.exe to run the application, then on Start Scan.

    Posted Image
  • If an infected file is detected, the default action will be Cure, click on Continue.

    Posted Image
  • If a service named vbma*.sys (where the * stands for a number or letters) is detected, the default action will be Skip, change it to Delete at the top then click on Continue.
  • If a service named OA012Vid.sys is detected, the default action will be Skip, change it to Delete at the top then click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • Select Skip to the sptd.sys.

    Posted Image
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

    Posted Image
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



Regards,
Georgi



#11 Chris Atamian

Chris Atamian
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:05:33 PM

Posted 05 February 2011 - 06:08 PM

TDSSKiller Log

2011/02/05 16:02:02.0687 0944 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03
2011/02/05 16:02:02.0890 0944 ================================================================================
2011/02/05 16:02:02.0890 0944 SystemInfo:
2011/02/05 16:02:02.0890 0944
2011/02/05 16:02:02.0890 0944 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/05 16:02:02.0890 0944 Product type: Workstation
2011/02/05 16:02:02.0890 0944 ComputerName: BDOG
2011/02/05 16:02:02.0890 0944 UserName: Bridget
2011/02/05 16:02:02.0890 0944 Windows directory: C:\WINDOWS
2011/02/05 16:02:02.0890 0944 System windows directory: C:\WINDOWS
2011/02/05 16:02:02.0890 0944 Processor architecture: Intel x86
2011/02/05 16:02:02.0890 0944 Number of processors: 2
2011/02/05 16:02:02.0890 0944 Page size: 0x1000
2011/02/05 16:02:02.0890 0944 Boot type: Normal boot
2011/02/05 16:02:02.0890 0944 ================================================================================
2011/02/05 16:02:03.0125 0944 Initialize success
2011/02/05 16:02:10.0296 2900 ================================================================================
2011/02/05 16:02:10.0296 2900 Scan started
2011/02/05 16:02:10.0296 2900 Mode: Manual;
2011/02/05 16:02:10.0296 2900 ================================================================================
2011/02/05 16:02:18.0890 2900 OA012Afx (aff089842ba83be89e51d7ea0aa09e53) C:\WINDOWS\system32\Drivers\OA012Afx.sys
2011/02/05 16:02:18.0968 2900 OA012Ufd (2cf21d5f8f1b74bb1922135ac2b12ddb) C:\WINDOWS\system32\DRIVERS\OA012Ufd.sys
2011/02/05 16:02:19.0062 2900 OA012Vid (a5342c5a78e01581226658b1e2a4ff51) C:\WINDOWS\system32\DRIVERS\OA012Vid.sys
2011/02/05 16:02:19.0062 2900 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\OA012Vid.sys. Real md5: a5342c5a78e01581226658b1e2a4ff51, Fake md5: 71346423b584daa06ea26e0bd2cb67c2
2011/02/05 16:02:19.0078 2900 OA012Vid - detected Forged file (1)
2011/02/05 16:02:22.0390 2900 Suspicious service (NoAccess): vbmabb88
2011/02/05 16:02:22.0453 2900 vbmabb88 (e56168ccaa41c00296577184e946fc86) C:\WINDOWS\system32\drivers\vbmabb88.sys
2011/02/05 16:02:22.0453 2900 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbmabb88.sys. md5: e56168ccaa41c00296577184e946fc86
2011/02/05 16:02:22.0453 2900 vbmabb88 - detected Locked service (1)
2011/02/05 16:02:23.0281 2900 ================================================================================
2011/02/05 16:02:23.0281 2900 Scan finished
2011/02/05 16:02:23.0281 2900 ================================================================================
2011/02/05 16:02:23.0312 0356 Detected object count: 2
2011/02/05 16:03:32.0812 0356 HKLM\SYSTEM\ControlSet001\services\OA012Vid - will be deleted after reboot
2011/02/05 16:03:33.0453 0356 HKLM\SYSTEM\ControlSet003\services\OA012Vid - will be deleted after reboot
2011/02/05 16:03:33.0468 0356 C:\WINDOWS\system32\DRIVERS\OA012Vid.sys - will be deleted after reboot
2011/02/05 16:03:33.0468 0356 Forged file(OA012Vid) - User select action: Delete
2011/02/05 16:03:33.0468 0356 HKLM\SYSTEM\ControlSet001\services\vbmabb88 - will be deleted after reboot
2011/02/05 16:03:33.0468 0356 HKLM\SYSTEM\ControlSet003\services\vbmabb88 - will be deleted after reboot
2011/02/05 16:03:33.0484 0356 C:\WINDOWS\system32\drivers\vbmabb88.sys - will be deleted after reboot
2011/02/05 16:03:33.0484 0356 Locked service(vbmabb88) - User select action: Delete
2011/02/05 16:03:46.0343 3832 Deinitialize success
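As an added illustration (not part of this thread and not Kaspersky's code), the Python script below parses a TDSSKiller log in the format posted above and pairs each flagged object with its driver entry, the real/fake MD5 pair for a forged file, the action chosen at the prompt and the objects queued for deletion, so the two findings can be read off without scanning every driver line. The embedded sample is a constructed excerpt of the log above, and the regular expressions are my own reading of that format rather than a published specification.

```python
"""Triage a TDSSKiller text log: pair each flagged object with its driver
entry, its hashes, the action chosen at the prompt and the deletions queued
for reboot. Added example, not Kaspersky's code; format read off the log."""
import re
from dataclasses import dataclass, field

# Every record starts with a timestamp and a thread id, which we strip.
PREFIX = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+")
# "<service> (<md5>) <image path>" for each enumerated driver.
DRIVER = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# A forged file carries two hashes: the content read from disk and the content
# presented through the normal file system path. They agree on a clean system.
FORGED = re.compile(r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
                    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
DETECTED = re.compile(r"^(?P<name>\S+) - detected (?P<kind>Forged file|Locked service) \(\d+\)$")
ACTION = re.compile(r"^(?:Forged file|Locked service)\((?P<name>[^)]+)\)"
                    r" - User select action: (?P<action>\w+)$")
PENDING = re.compile(r"^(?P<target>.+) - will be deleted after reboot$")


@dataclass
class Finding:
    name: str                 # service name as TDSSKiller reports it
    kind: str                 # "Forged file" or "Locked service"
    path: str = ""            # driver image, if the enumeration listed it
    md5: str = ""             # hash from the enumeration line
    real_md5: str = ""        # forged files only: hash of the on-disk content
    fake_md5: str = ""        # forged files only: hash presented to normal reads
    action: str = "Skip"      # what the user chose at the prompt
    pending: list = field(default_factory=list)  # objects queued for deletion


def parse_tdsskiller_log(text: str) -> dict:
    """Return {service name: Finding} for every object TDSSKiller flagged."""
    drivers, forged, detections, actions, pending = {}, {}, {}, {}, []
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue  # blank line or something that is not a log record
        line = raw[m.end():].strip()
        if d := DRIVER.match(line):
            drivers[d["name"]] = (d["md5"], d["path"])
        elif f := FORGED.match(line):
            forged[f["path"].lower()] = (f["real"], f["fake"])
        elif d := DETECTED.match(line):
            detections[d["name"]] = d["kind"]
        elif a := ACTION.match(line):
            actions[a["name"]] = a["action"]
        elif p := PENDING.match(line):
            pending.append(p["target"])
    findings = {}
    for name, kind in detections.items():
        md5, path = drivers.get(name, ("", ""))
        f = Finding(name=name, kind=kind, path=path, md5=md5, action=actions.get(name, "Skip"))
        if path.lower() in forged:
            f.real_md5, f.fake_md5 = forged[path.lower()]
        # Queued deletions name either the service registry key (last path
        # component is the service name) or the driver image on disk.
        wanted = {name.lower(), path.rsplit("\\", 1)[-1].lower()} - {""}
        f.pending = [t for t in pending if t.rsplit("\\", 1)[-1].lower() in wanted]
        findings[name] = f
    return findings


def summarize(findings: dict) -> list:
    """One line per finding, the way you would paste it into a triage note."""
    out = []
    for f in findings.values():
        status = ("removal queued for reboot" if f.action == "Delete" and f.pending
                  else f"action={f.action}")
        hashes = f" disk={f.real_md5[:8]} presented={f.fake_md5[:8]}" if f.real_md5 else ""
        out.append(f"{f.kind}: {f.name} [{f.path or 'no image listed'}]{hashes}; {status}")
    return out


# Constructed excerpt of the log posted above (clean drivers omitted).
SAMPLE_LOG = r"""2011/02/05 16:02:02.0687 0944 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03
2011/02/05 16:02:19.0062 2900 OA012Vid (a5342c5a78e01581226658b1e2a4ff51) C:\WINDOWS\system32\DRIVERS\OA012Vid.sys
2011/02/05 16:02:19.0062 2900 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\OA012Vid.sys. Real md5: a5342c5a78e01581226658b1e2a4ff51, Fake md5: 71346423b584daa06ea26e0bd2cb67c2
2011/02/05 16:02:19.0078 2900 OA012Vid - detected Forged file (1)
2011/02/05 16:02:22.0390 2900 Suspicious service (NoAccess): vbmabb88
2011/02/05 16:02:22.0453 2900 vbmabb88 (e56168ccaa41c00296577184e946fc86) C:\WINDOWS\system32\drivers\vbmabb88.sys
2011/02/05 16:02:22.0453 2900 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbmabb88.sys. md5: e56168ccaa41c00296577184e946fc86
2011/02/05 16:02:22.0453 2900 vbmabb88 - detected Locked service (1)
2011/02/05 16:03:32.0812 0356 HKLM\SYSTEM\ControlSet001\services\OA012Vid - will be deleted after reboot
2011/02/05 16:03:33.0453 0356 HKLM\SYSTEM\ControlSet003\services\OA012Vid - will be deleted after reboot
2011/02/05 16:03:33.0468 0356 C:\WINDOWS\system32\DRIVERS\OA012Vid.sys - will be deleted after reboot
2011/02/05 16:03:33.0468 0356 Forged file(OA012Vid) - User select action: Delete
2011/02/05 16:03:33.0468 0356 HKLM\SYSTEM\ControlSet001\services\vbmabb88 - will be deleted after reboot
2011/02/05 16:03:33.0468 0356 HKLM\SYSTEM\ControlSet003\services\vbmabb88 - will be deleted after reboot
2011/02/05 16:03:33.0484 0356 C:\WINDOWS\system32\drivers\vbmabb88.sys - will be deleted after reboot
2011/02/05 16:03:33.0484 0356 Locked service(vbmabb88) - User select action: Delete
"""

if __name__ == "__main__":
    for line in summarize(parse_tdsskiller_log(SAMPLE_LOG)):
        print(line)
```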

#12 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:33 AM

Posted 06 February 2011 - 09:27 AM

Hi Chris Atamian, :)



Please download ComboFix from the link below:

Combofix

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.



Regards,
Georgi


Edit: typo.

Edited by B-boy/StyLe/, 06 February 2011 - 09:27 AM.



#13 Chris Atamian

Chris Atamian
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:05:33 PM

Posted 06 February 2011 - 11:28 AM

Georgi ~

Combo Fix does not seem to run correctly.

Double click and I get a small dialog box with a progress bar. When it reaches the end, the box disappears with no further activity.

No log generated on the C drive.

Chris

#14 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:33 AM

Posted 06 February 2011 - 12:43 PM

Hi Chris Atamian, :)



The malware has messed up the permissions on your machine and in that way it is preventing ComboFix from running.


We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.


Regards,
Georgi



#15 Chris Atamian

Chris Atamian
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:05:33 PM

Posted 06 February 2011 - 01:07 PM

Junction Log as requested:


I made a note in the log for a couple of files you may not recognize. While trying to load GMER and MalwareBytes before we started, I changed the names to various combinations of executables. They are noted in bold and italics.

Chris


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\System Volume Information: Access is denied.

Failed to open \\?\c:\\32788R22FWJFW\License\firefox.exe: Access is denied.

Failed to open \\?\c:\\39d70e3681a8a8532e7e\amd64: Access is denied.

Failed to open \\?\c:\\39d70e3681a8a8532e7e\i386: Access is denied.
..
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp: Access is denied.
.

...


Failed to open \\?\c:\\Documents and Settings\Bridget\Desktop\123drtghj.com: Access is denied. (This is a file I created - renamed GMER)

Failed to open \\?\c:\\Documents and Settings\Bridget\Desktop\gmer.scr: Access is denied.
..
Failed to open \\?\c:\\Documents and Settings\Bridget\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Bridget\Local Settings\Temp\Temporary Directory 2 for gmer.zip\gmer.exe: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Bridget\Local Settings\Temp\Temporary Directory 3 for gmer.zip\gmer.exe: Access is denied.
.

...

...

...

...

...

...
Failed to open \\?\c:\\Documents and Settings\erickriebel\My Documents\Downloads\HijackThis.exe: Access is denied.


...

...

...

...

...

...

..
Failed to open \\?\c:\\job\mbam.exe: Access is denied. (This is a file I created - renamed GMER)

Failed to open \\?\c:\\new\job.exe: Access is denied. (This is a file I created - renamed GMER)

Failed to open \\?\c:\\new\test.exe: Access is denied. (This is a file I created - renamed GMER)
.
Failed to open \\?\c:\\Program Files\Citrix\GoToAssist\514\g2aservice.exe: Access is denied.


...

...

...

...

...

...

..
Failed to open \\?\c:\\Program Files\getum\SpybotSD.exe: Access is denied.

Failed to open \\?\c:\\Program Files\getum\TeaTimer.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Internet Explorer\iexplore.exe: Access is denied.
.
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.


...
Failed to open \\?\c:\\RECYCLER\S-1-5-21-3993161772-1969806575-2782931185-1008\Dc4\gmer.exe: Access is denied.


...

...
\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790


Failed to open \\?\c:\\WINDOWS\assembly\GAC_MSIL\Desktop.ini: Access is denied.
\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e



...

...

...

...

..
Failed to open \\?\c:\\WINDOWS\system32\MRT.exe: Access is denied.
.

...

..
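As an added example (not part of the thread and not a Sysinternals tool), the script below turns Junction output like the log above into a short triage list. The access-denied executables are the signal: Windows does not normally deny an administrator read access to mbam.exe or MRT.exe, so each such entry marks a file whose permissions the malware rewrote, while sharing violations on hiberfil.sys and pagefile.sys are expected noise. The embedded sample is a constructed excerpt of the output above, and the tool names it matches (KNOWN_TOOL_STEMS) are taken from this thread as an assumption, not something Junction itself knows about.

```python
r"""Turn Sysinternals Junction output (junction -s c:\) into a triage list.

Added example for this thread, not a Sysinternals tool. Access-denied
executables are the interesting entries: an administrator is not normally
denied read access to security tools such as mbam.exe or MRT.exe, so each one
marks a file whose ACL the malware rewrote. Sharing violations on the
hibernation and page files are expected and are reported separately."""
import re

FAILED = re.compile(r"^Failed to open (?P<path>.+?): (?P<reason>.+?\.)(?: \((?P<note>[^)]*)\))?$")
JUNCTION = re.compile(r"^(?P<path>.+): JUNCTION$")
TARGET = re.compile(r"^(?P<field>Print Name|Substitute Name)\s*: (?P<value>.+)$")

EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif")
# Tool names taken from this thread (an assumption used only for labelling);
# matched on the stem so renamed copies such as gmer.scr are still recognised.
KNOWN_TOOL_STEMS = {"mbam", "gmer", "hijackthis", "spybotsd", "teatimer",
                    "mrt", "combofix", "tdsskiller"}


def normalize(path: str) -> str:
    """Strip the extended-length prefix and the doubled separator Junction prints."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return path.replace("\\\\", "\\")


def triage_junction_log(text: str) -> dict:
    """Classify every 'Failed to open' line and collect reparse points."""
    result = {"denied_executables": [], "denied_other": [],
              "sharing_violations": [], "junctions": []}
    current = None  # junction entry whose Print/Substitute Name lines follow
    for raw in text.splitlines():
        line = raw.strip()
        if m := FAILED.match(line):
            path = normalize(m["path"])
            name = path.rsplit("\\", 1)[-1]
            if "being used by another process" in m["reason"]:
                result["sharing_violations"].append(path)  # open handle, not an ACL
            elif name.lower().endswith(EXECUTABLE_SUFFIXES):
                stem = name.rsplit(".", 1)[0].lower()
                result["denied_executables"].append({
                    "path": path, "name": name,
                    "known_tool": stem in KNOWN_TOOL_STEMS,
                    "note": m["note"] or ""})  # poster's own annotation, if any
            else:
                result["denied_other"].append(path)
        elif m := JUNCTION.match(line):
            current = {"path": normalize(m["path"]), "print_name": "", "substitute_name": ""}
            result["junctions"].append(current)
        elif current and (m := TARGET.match(line)):
            current[m["field"].lower().replace(" ", "_")] = m["value"]
    return result


# Constructed excerpt of the Junction output posted above.
SAMPLE_JUNCTION_LOG = r"""Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\System Volume Information: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Bridget\Desktop\123drtghj.com: Access is denied. (This is a file I created - renamed GMER)
Failed to open \\?\c:\\Documents and Settings\Bridget\Desktop\gmer.scr: Access is denied.
Failed to open \\?\c:\\Documents and Settings\erickriebel\My Documents\Downloads\HijackThis.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Internet Explorer\iexplore.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\MRT.exe: Access is denied.
\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
"""

if __name__ == "__main__":
    report = triage_junction_log(SAMPLE_JUNCTION_LOG)
    for entry in report["denied_executables"]:
        tag = "KNOWN TOOL" if entry["known_tool"] else "executable"
        print(f"denied {tag}: {entry['path']} {entry['note']}".rstrip())
    print("expected sharing violations:", report["sharing_violations"])
    print("junctions:", [(j["path"], j["substitute_name"]) for j in report["junctions"]])
```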





