redirect issue, alureon.h / TDSS

7 replies to this topic

#1 Modesto_73

Posted 04 February 2011 - 07:56 AM

Good morning,

I posted something in the "Am I infected?" section, and was asked by Bleepin' Janitor to run DDS and post the log here. I have run TDSSKiller after finding out what the nature of the infection was; unfortunately, it says it will clean the system on reboot and that does not work. When I reboot the computer it just restarts after the Windows splash comes up. The system will work fine if I choose the "Use Last Known Good Configuration" option, but this restores the infected file(s) and the issue is still present. I've tried to select "Safe Mode", but even that option will not allow me to boot the system. I might add that this is a work computer, and there are various people who access it at times, so I can't establish the source of the infection, and there is no IT team here as such. We contract a computer store to also provide some service, but I am certain their solution would be to reformat the system, and then I'd have a lot of setup work on my hands. As far as minor "in-house" solutions for PC issues go, it is me that usually gets called.

Any help you can provide would be greatly appreciated. I am posting the log below, and have the "attach.txt" file DDS generates as well, but the instructions say not to attach it unless specifically requested. Thank you in advance for your time :)


DDS (Ver_10-12-12.02) - NTFSx86
Run by aromijn at 7:39:55.28 on 04/02/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.1189 [GMT -5:00]

AV: Trend Micro Client/Server Security Agent Antivirus *Enabled/Updated* {612601B3-802B-40B7-B9FE-D4A22E509065}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Common Files\Nokia\NoA\nokiaaserver.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\TSI\Label Traxx Client\Label Traxx Client.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\aromijn\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\client server security agent\bho\1006\TmIEPlg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
uRun: [NokiaOviSuite2] c:\program files\nokia\nokia ovi suite\NokiaOviSuite.exe -tray
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [OE] "c:\program files\trend micro\client server security agent\tmas_oe\TMAS_OEMon.exe"
mRun: [Kaseya Agent Service Helper] "c:\program files\kaseya\agent\KaUsrTsk.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NokiaMServer] c:\program files\common files\nokia\mplatform\NokiaMServer /watchfiles startup
mRun: [RTHDCPL] RTHDCPL.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\client server security agent\bho\1006\TmIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-10-19 64288]
R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2010-1-27 51840]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2010-1-27 143256]
R2 KaseyaAgent;Kaseya Agent;c:\program files\kaseya\agent\AgentMon.exe [2010-9-8 610304]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\tmxpflt.sys [2010-5-21 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2010-5-21 36368]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\trend micro\client server security agent\tmproxy.exe [2010-5-21 689416]
S0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [2010-1-27 24971]
S0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2010-1-27 85888]
S0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [2010-1-27 61184]
S0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\Si3112r.sys [2010-1-27 89610]
S0 SiSRaid1;SiSRaid1;c:\windows\system32\drivers\sisraid1.sys [2010-1-27 45568]
S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2010-1-27 77056]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-8-13 1691480]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1375992]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-9-9 137344]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2011-02-03 18:45:48 138496 ----a-w- c:\windows\system32\drivers\tsk15.tmp
2011-02-03 18:30:16 138496 ----a-w- c:\windows\system32\drivers\tskB.tmp
2011-02-03 18:26:23 77912 ----a-w- c:\windows\system32\drivers\klmdb.sys
2011-02-03 18:26:23 138496 ----a-w- c:\windows\system32\drivers\tsk125.tmp
2011-02-02 13:31:11 47306 ----a-w- c:\windows\system32\drivers\ser2pl.sys
2011-01-28 16:41:05 -------- d-----w- c:\docume~1\aromijn\locals~1\applic~1\Ahead
2011-01-25 15:16:08 -------- d-----w- c:\program files\DVD Decrypter
2011-01-21 20:52:52 -------- d-----w- c:\program files\LG Electronics

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

============= FINISH: 7:41:00.56 ===============


#2 Farbar

Posted 05 February 2011 - 11:27 AM

Hi Modesto_73,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more. Thank you.

  • Download Farbar Recovery Scan Tool from: http://download.bleepingcomputer.com/farbar/FRST.exe and save it to your desktop.

    Type the following in the edit box after "Search:"

    afd.sys

    Click the Search button and post the log it makes in your reply.
  • Download MiniRegTool and save it to your desktop.

    Run the tool. Copy and paste the following in the edit box:

    hklm\system\currentcontrolset\services\afd

    Check Export key(s) radio button and click Go.
    Please post the log (Export.txt) it makes to your reply.


#3 Modesto_73

Posted 07 February 2011 - 07:48 AM

Hi Farbar,

Thanks so much for your reply, and sorry it took some time to get back to you; I had to wait until I was back at work. The logs you asked for are posted below:

Search.txt:

Farbars Recovery Scan Tool 2.0.3
Ran by aromijn at 2011-02-07 07:43:30
Running from C:\Documents and Settings\aromijn\Desktop

================== Search: afd.sys ===================

C:\WINDOWS\system32\drivers\afd.sys
[2010-01-27 10:19] - [2008-08-14 05:04] - 0138496 ____A (Microsoft Corporation) 7e775010ef291da96ad17ca4b17137d7

C:\WINDOWS\system32\dllcache\afd.sys
[2010-01-27 10:19] - [2008-08-14 05:04] - 0138496 ____C (Microsoft Corporation) 7e775010ef291da96ad17ca4b17137d7

C:\WINDOWS\$NtUninstallKB956803$\afd.sys
[2010-01-27 13:15] - [2008-06-20 06:40] - 0138496 ___AC (Microsoft Corporation) e3049b90fe06f3f740b7cfda44995e2c

C:\WINDOWS\$NtUninstallKB951748$\afd.sys
[2010-01-27 13:13] - [2008-04-14 07:00] - 0138112 ___AC (Microsoft Corporation) 322d0e36693d6e24a2398bee62a268cd

C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys
[2010-01-27 12:14] - [2008-08-14 05:34] - 0138496 ____A (Microsoft Corporation) 4d43e74f2a1239d53929b82600f1971c

C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
[2010-01-27 12:12] - [2008-06-20 06:48] - 0138496 ____A (Microsoft Corporation) d6ee6014241d034e63c49a50cb2b442a

C:\pebuilder313\BartPE\i386\system32\drivers\afd.sys
[2010-09-17 11:52] - [2002-12-31 07:00] - 0138496 ____A (Microsoft Corporation) 5ac495f4cb807b2b98ad2ad591e6d92e

================== End Of Search =================


export.txt:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd]
"DisplayName"="AFD"
"Description"="AFD Networking Support Environment"
"Group"="TDI"
"ImagePath"="\\SystemRoot\\System32\\drivers\\afd.sys"
"Start"=dword:00000001
"Type"=dword:00000001
"ErrorControl"=dword:00000001

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd\Parameters]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd\Security]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd\Enum]
"0"="Root\\LEGACY_AFD\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
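As an added example (not part of this thread, FRST or TDSSKiller): the check Farbar makes by eye on the Search.txt above, done in Python. It parses every copy of afd.sys that FRST reported, groups the copies by MD5, and tests whether the in-use driver and its dllcache copy agree; md5_of_file hashes a file on disk so that a replacement copy can be confirmed the same way. The embedded log text is the Search.txt posted above; the function and record names are this example's own.

```python
"""Parse FRST 'Search:' output and check the in-use afd.sys against its dllcache copy.

Added example for this thread, not code from FRST or TDSSKiller. FRST_SEARCH_LOG is the
Search.txt posted above; the function and record names are this example's own.
"""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass

FRST_SEARCH_LOG = r"""
================== Search: afd.sys ===================

C:\WINDOWS\system32\drivers\afd.sys
[2010-01-27 10:19] - [2008-08-14 05:04] - 0138496 ____A (Microsoft Corporation) 7e775010ef291da96ad17ca4b17137d7

C:\WINDOWS\system32\dllcache\afd.sys
[2010-01-27 10:19] - [2008-08-14 05:04] - 0138496 ____C (Microsoft Corporation) 7e775010ef291da96ad17ca4b17137d7

C:\WINDOWS\$NtUninstallKB956803$\afd.sys
[2010-01-27 13:15] - [2008-06-20 06:40] - 0138496 ___AC (Microsoft Corporation) e3049b90fe06f3f740b7cfda44995e2c

C:\WINDOWS\$NtUninstallKB951748$\afd.sys
[2010-01-27 13:13] - [2008-04-14 07:00] - 0138112 ___AC (Microsoft Corporation) 322d0e36693d6e24a2398bee62a268cd

C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys
[2010-01-27 12:14] - [2008-08-14 05:34] - 0138496 ____A (Microsoft Corporation) 4d43e74f2a1239d53929b82600f1971c

C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
[2010-01-27 12:12] - [2008-06-20 06:48] - 0138496 ____A (Microsoft Corporation) d6ee6014241d034e63c49a50cb2b442a

C:\pebuilder313\BartPE\i386\system32\drivers\afd.sys
[2010-09-17 11:52] - [2002-12-31 07:00] - 0138496 ____A (Microsoft Corporation) 5ac495f4cb807b2b98ad2ad591e6d92e

================== End Of Search =================
"""

# Details line FRST prints under each found path: [created] - [modified] - size attrs (signer) md5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<signer>[^)]*)\) (?P<md5>[0-9a-fA-F]{32})$"
)


@dataclass(frozen=True)
class FoundFile:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    signer: str
    md5: str


def parse_frst_search(log_text):
    """One FoundFile per (path line, details line) pair in the search output."""
    found, pending_path = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            pending_path = None  # blank lines and section headers reset the pair
            continue
        m = DETAIL_RE.match(line)
        if m and pending_path:
            found.append(FoundFile(pending_path, m["created"], m["modified"],
                                   int(m["size"]), m["attrs"], m["signer"],
                                   m["md5"].lower()))
            pending_path = None
        else:
            pending_path = line  # a path line precedes its details line
    return found


def group_by_md5(files):
    """Map each MD5 to the paths reporting it; the KB*/SP3QFE copies are older builds."""
    groups = defaultdict(list)
    for f in files:
        groups[f.md5].append(f.path)
    return dict(groups)


def active_matches_cache(files, active_path, cache_path):
    """True when the in-use driver and its dllcache copy report the same size and MD5.

    Caveat behind the fix in this thread: a hash read while a rootkit is active is only
    as trustworthy as the kernel answering the read, hence the replacement from Safe Mode.
    """
    by_path = {f.path.lower(): f for f in files}
    active, cache = by_path[active_path.lower()], by_path[cache_path.lower()]
    return active.md5 == cache.md5 and active.size == cache.size


def md5_of_file(path, chunk_size=65536):
    """MD5 of a file on disk, in the hex form FRST prints; use it to confirm a copy landed."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()
```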

#4 Farbar

Posted 07 February 2011 - 11:21 AM

No worries about the delay; I thought you would need to get to the office to be able to reply.

  • Please go to start => Run, copy and paste the following in the run box and click OK:

    cmd /c copy /y C:\WINDOWS\system32\dllcache\afd.sys c:\

    A window flashes; that is normal.
    Check to make sure afd.sys file is in the root of C drive (c:\afd.sys).
  • Open Notepad (start => Run, copy and paste notepad in the run box and click OK), then copy and paste the following into the open Notepad:

    Replace: c:\afd.sys C:\WINDOWS\system32\drivers\afd.sys
    cmd: sc query afd
    File: C:\WINDOWS\system32\drivers\afd.sys

    Save the notepad as fixlist.txt and save it on the desktop.
  • Start in Safe Mode Using the F8 key:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode menu item.
      Important note: Please don't select Safe Mode with networking.
    • Press the Enter key.
    • Log in to your usual account.
  • Now run FRST, click Fix button. It will make a log (Fixlog.txt) on the desktop.
  • Then restart and boot to normal mode. Run TDSSKiller and post the log along with Fixlog.txt.


#5 Modesto_73

Posted 07 February 2011 - 12:53 PM

OK, I followed the steps you outlined, and TDSSKiller no longer detects any issues. The logs are posted below:

TDSSKiller:

2011/02/07 12:49:18.0771 3624 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03
2011/02/07 12:49:19.0051 3624 ================================================================================
2011/02/07 12:49:19.0051 3624 SystemInfo:
2011/02/07 12:49:19.0051 3624
2011/02/07 12:49:19.0051 3624 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/07 12:49:19.0051 3624 Product type: Workstation
2011/02/07 12:49:19.0051 3624 ComputerName: SHIPPING-02
2011/02/07 12:49:19.0067 3624 UserName: aromijn
2011/02/07 12:49:19.0067 3624 Windows directory: C:\WINDOWS
2011/02/07 12:49:19.0067 3624 System windows directory: C:\WINDOWS
2011/02/07 12:49:19.0067 3624 Processor architecture: Intel x86
2011/02/07 12:49:19.0067 3624 Number of processors: 2
2011/02/07 12:49:19.0067 3624 Page size: 0x1000
2011/02/07 12:49:19.0067 3624 Boot type: Normal boot
2011/02/07 12:49:19.0067 3624 ================================================================================
2011/02/07 12:49:19.0161 3624 Initialize success
2011/02/07 12:49:24.0405 3916 ================================================================================
2011/02/07 12:49:24.0405 3916 Scan started
2011/02/07 12:49:24.0405 3916 Mode: Manual;
2011/02/07 12:49:24.0405 3916 ================================================================================
2011/02/07 12:49:25.0154 3916 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/07 12:49:25.0201 3916 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/02/07 12:49:25.0248 3916 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/02/07 12:49:25.0263 3916 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/02/07 12:49:25.0357 3916 Ambfilt (267fc636801edc5ab28e14036349e3be) C:\WINDOWS\system32\drivers\Ambfilt.sys
2011/02/07 12:49:25.0388 3916 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
2011/02/07 12:49:25.0482 3916 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/07 12:49:25.0498 3916 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/07 12:49:25.0544 3916 ati2mtaa (2d030c2f6b036ca0bc243e1b16d924d1) C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys
2011/02/07 12:49:25.0560 3916 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/07 12:49:25.0576 3916 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/07 12:49:25.0622 3916 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/07 12:49:25.0669 3916 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/07 12:49:25.0700 3916 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/07 12:49:25.0716 3916 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/07 12:49:25.0732 3916 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/07 12:49:25.0794 3916 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/07 12:49:25.0841 3916 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/02/07 12:49:25.0857 3916 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/02/07 12:49:25.0872 3916 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/02/07 12:49:25.0903 3916 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/02/07 12:49:25.0919 3916 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/07 12:49:25.0966 3916 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/07 12:49:25.0981 3916 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/02/07 12:49:26.0013 3916 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/02/07 12:49:26.0044 3916 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/02/07 12:49:26.0075 3916 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/02/07 12:49:26.0091 3916 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/07 12:49:26.0122 3916 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/07 12:49:26.0153 3916 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/07 12:49:26.0169 3916 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/02/07 12:49:26.0216 3916 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/02/07 12:49:26.0262 3916 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/07 12:49:26.0325 3916 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/02/07 12:49:26.0387 3916 ialm (748d242a1c1a92d14dfe225892a8749b) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/02/07 12:49:26.0450 3916 iaStor (d5edb998656e6ecf1a17c78dab019a3c) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2011/02/07 12:49:26.0496 3916 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/07 12:49:26.0637 3916 IntcAzAudAddService (988a112c4061f309ce9c1abfc971d001) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/02/07 12:49:26.0684 3916 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/02/07 12:49:26.0715 3916 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/02/07 12:49:26.0731 3916 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/02/07 12:49:26.0731 3916 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/07 12:49:26.0746 3916 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/07 12:49:26.0762 3916 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/07 12:49:26.0793 3916 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/02/07 12:49:26.0840 3916 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/02/07 12:49:26.0871 3916 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/02/07 12:49:26.0918 3916 iteatapi (da1e87f07a64e144ca12843d9438e5f6) C:\WINDOWS\system32\DRIVERS\iteatapi.sys
2011/02/07 12:49:26.0918 3916 iteraid (c53360c1932904fe89c6be55378628cb) C:\WINDOWS\system32\DRIVERS\iteraid.sys
2011/02/07 12:49:26.0949 3916 KAPFA (d4c8c5525e478335cca41b30045dec01) C:\WINDOWS\system32\drivers\KAPFA.SYS
2011/02/07 12:49:26.0965 3916 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/02/07 12:49:26.0996 3916 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/02/07 12:49:27.0027 3916 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/02/07 12:49:27.0058 3916 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/02/07 12:49:27.0090 3916 L1e (964dadea4cce08f1de491e25ce50ba72) C:\WINDOWS\system32\DRIVERS\l1e51x86.sys
2011/02/07 12:49:27.0121 3916 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2011/02/07 12:49:27.0168 3916 m5287 (fc969e4e53c602884958a5fdffc53526) C:\WINDOWS\system32\DRIVERS\m5287.sys
2011/02/07 12:49:27.0183 3916 m5289 (2424b13987360840b4bf4e5fb5a66d3f) C:\WINDOWS\system32\DRIVERS\m5289.sys
2011/02/07 12:49:27.0214 3916 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/02/07 12:49:27.0230 3916 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/02/07 12:49:27.0292 3916 Monfilt (c7d9f9717916b34c1b00dd4834af485c) C:\WINDOWS\system32\drivers\Monfilt.sys
2011/02/07 12:49:27.0324 3916 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/02/07 12:49:27.0355 3916 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/02/07 12:49:27.0355 3916 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/02/07 12:49:27.0402 3916 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/02/07 12:49:27.0449 3916 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/02/07 12:49:27.0480 3916 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/02/07 12:49:27.0511 3916 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/02/07 12:49:27.0527 3916 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/02/07 12:49:27.0542 3916 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/02/07 12:49:27.0573 3916 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/02/07 12:49:27.0620 3916 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2011/02/07 12:49:27.0651 3916 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/02/07 12:49:27.0683 3916 mv614x (9cc2eba4ccb35225b5597a78ca80084f) C:\WINDOWS\system32\DRIVERS\mv614x.sys
2011/02/07 12:49:27.0698 3916 mv61xx (86944f540289e16298af4f5b1c45fa4e) C:\WINDOWS\system32\DRIVERS\mv61xx.sys
2011/02/07 12:49:27.0729 3916 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/02/07 12:49:27.0761 3916 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/02/07 12:49:27.0776 3916 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/02/07 12:49:27.0792 3916 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/02/07 12:49:27.0823 3916 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/02/07 12:49:27.0854 3916 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/02/07 12:49:27.0901 3916 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/02/07 12:49:27.0948 3916 nmwcd (c3963d85b721a7f80d8a55f4e2867a3a) C:\WINDOWS\system32\drivers\ccdcmb.sys
2011/02/07 12:49:27.0979 3916 nmwcdc (3859c69a77793180548802dac9f34a38) C:\WINDOWS\system32\drivers\ccdcmbo.sys
2011/02/07 12:49:28.0010 3916 nmwcdnsu (338f83ee9cb9e15eeacf0cbb90218cbf) C:\WINDOWS\system32\drivers\nmwcdnsu.sys
2011/02/07 12:49:28.0042 3916 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/02/07 12:49:28.0073 3916 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/02/07 12:49:28.0120 3916 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/02/07 12:49:28.0135 3916 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/02/07 12:49:28.0151 3916 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/02/07 12:49:28.0182 3916 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/02/07 12:49:28.0198 3916 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/02/07 12:49:28.0229 3916 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/02/07 12:49:28.0260 3916 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
2011/02/07 12:49:28.0276 3916 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/02/07 12:49:28.0291 3916 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/02/07 12:49:28.0307 3916 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/02/07 12:49:28.0401 3916 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/02/07 12:49:28.0401 3916 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/02/07 12:49:28.0416 3916 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/02/07 12:49:28.0479 3916 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/02/07 12:49:28.0479 3916 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/02/07 12:49:28.0525 3916 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/02/07 12:49:28.0541 3916 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/02/07 12:49:28.0572 3916 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/02/07 12:49:28.0588 3916 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/02/07 12:49:28.0604 3916 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/02/07 12:49:28.0635 3916 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/02/07 12:49:28.0650 3916 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/02/07 12:49:28.0682 3916 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/02/07 12:49:30.0398 3916 ================================================================================
2011/02/07 12:49:30.0398 3916 Scan finished
2011/02/07 12:49:30.0398 3916 ================================================================================
2011/02/07 12:50:13.0820 3628 Deinitialize success


Fixlog.txt:

Fix result of Farbars's Recovery Tool (FRST written by farbar Version 2.0.4)
Ran by aromijn at 2011-02-07 12:45:33 R:1
Running from C:\Documents and Settings\aromijn.SHIPPING-02\Desktop

==============================================

C:\WINDOWS\system32\drivers\afd.sys moved successfully.
C:\WINDOWS\system32\drivers\afd.sys repleced successfully with c:\afd.sys

========= sc query afd =========


SERVICE_NAME: afd
TYPE : 1 KERNEL_DRIVER
STATE : 1 STOPPED
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 31 (0x1f)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

========= End of CMD: =========


========================= File: C:\WINDOWS\system32\drivers\afd.sys ========================

MD5: 7e775010ef291da96ad17ca4b17137d7
Creation and modification date: 2010-01-27 10:19 - 2008-08-14 05:04
Size: 0138496
Attributes: ----A
Company Name: Microsoft Corporation
Internal Name: afd.sys
Original Name: afd.sys
Product Name: Microsoft® Windows® Operating System
Description: Ancillary Function Driver for WinSock
File Version: 5.1.2600.5657 (xpsp_sp3_gdr.080814-1236)
Product Version: 5.1.2600.5657
Copyright: © Microsoft Corporation. All rights reserved.

====== End Of File: ======

#6 Farbar

Farbar

    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 February 2011 - 12:57 PM

Great. The rootkit is taken care of. :thumbup2:

Do you need my assistance to check other things?

Edited by farbar, 07 February 2011 - 12:57 PM.


#7 Modesto_73

Modesto_73
  • Topic Starter

  • Members
  • 8 posts

Posted 07 February 2011 - 03:20 PM

Farbar,

Thanks so much for the great help! Did I see you are from the Netherlands? Me too!
No other problems to look at, you are the best!

#8 Farbar

Farbar

    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 February 2011 - 04:09 PM

Hi Modesto_73,

Please delete the FRST tool. Also go to C:\FRST and delete the entire FRST folder, as the infected driver file we replaced is in the quarantine folder the tool has made.

I'm glad it is resolved. :)

And you are most welcome. :)

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



