Logs for Windows Defender Virus


  • This topic is locked
37 replies to this topic

#1 Dinx
  • Members
  • 42 posts
  • Gender:Female

Posted 28 December 2011 - 03:50 PM

My original post is located at

http://www.bleepingcomputer.com/forums/topic434808.html/page__gopid__2527485#entry2527485.

I started out with using rkill (renamed to iExplore) to remove the virus, then executed mbam to install Malwarebytes. I made the mistake of saying yes to Malwarebytes' reboot request. Now when I try to reinstall and say no, the icon disappears. When I clicked Start/All Programs it said "Empty", so I had to run "unhide" from a SanDisk to get the files back. I have had to do this before. Now, if I try to run Malwarebytes I get "Run-time error '5': Invalid procedure call or argument." It seems I am making "progress", then all of a sudden I am back to square one. The only thing that has NOT re-happened is that Task Manager went away. Another interesting development: every time I attach my SanDisk to the PC (i.e. to run rkill or unhide, etc.), when I reattach it to my laptop, my Norton finds a file called firework.mp3.exe and deletes it. Description is Trojan.Zeroaccess. I am now going to attach DDS.txt and Attach.txt - neither is a large file. I have been running "Gmer" for about 2 hours. If it ever finishes I will send that too, but I'm beginning to wonder if it has been "subverted" as my virus definition updates were. Any help you can provide would be very much appreciated.

Thanks - Dinx


#2 Dinx
  • Topic Starter
  • Members
  • 42 posts
  • Gender:Female

Posted 29 December 2011 - 08:19 AM

Just an update - I have let GMER run all night. Task Manager still shows it as running. Since this is an older machine with only 512K memory, I guess it is possible it is taking this long, so I am continuing to let it "run".

#3 Dinx
  • Topic Starter
  • Members
  • 42 posts
  • Gender:Female

Posted 31 December 2011 - 09:12 AM

I let GMER run for two days. It never finished. I am beginning to think getting rid of this is hopeless . . .

#4 nasdaq
  • Malware Response Team
  • 39,531 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 January 2012 - 10:43 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

I am now going to attach DDS.txt


I do not see the file. Can you please run DDS again and post the DDS.txt only for my review.

Wait for further instructions.

#5 Dinx
  • Topic Starter
  • Members
  • 42 posts
  • Gender:Female

Posted 05 January 2012 - 11:26 AM

Nasdaq - I currently have the computer off, as I got an email from Comcast security that I have a "bot" on my computer (the computer with the virus, or whatever it is, runs our Comcast software for our internet, phone and TV) and, since I was not sure what it was doing, I turned the computer off. However, I saved a copy of the DDS file on a thumb drive and I will paste the contents below. I'm not sure if you meant me to post this only to you, but I only know how to "reply" - hope this is okay.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11
Run by Dorothy at 13:59:42 on 2011-12-28
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.comcast.net?cid=NET_mmhpset
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://home.bellsouth.net
mSearch Page = hxxp://my.att.net/
mStart Page = hxxp://my.att.net/
mSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://home.bellsouth.net/
uSearchAssistant = hxxp://www.google.com/ie
uCustomizeSearch = hxxp://ie.search.msn.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
mCustomizeSearch = hxxp://ie.search.msn.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Picasa: {138b4b0a-923a-4981-ae90-ee90fac91ce0} - c:\documents and settings\dorothy\application data\picasa\ie\Picasa.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Creative Live! Cam Manager] c:\program files\creative\creative live! cam\live! cam manager\CTLCMgr.exe
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [{E029FD62-7B09-DAD8-A187-CCFCA8736F20}] "c:\documents and settings\dorothy\application data\efopv\dyysb.exe"
uRun: [aIdFJYXaJU] c:\documents and settings\all users\application data\aIdFJYXaJU.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [OmniPage] c:\program files\caere\omnipagepro90\opware32.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [SC3300CC] c:\windows\twain_32\sipix\sc-3300\SC3300CC.exe
mRun: [USBPNP] c:\windows\twain_32\sipix\sc-3300\USBPNP.exe
mRun: [nwiz] nwiz.exe /install
mRun: [IPInSightMonitor 01] "c:\program files\bellsouth\connection tool\IPMon32.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [tgcmd] "c:\program files\support.com\bellsouth\hcenter.exe" /starthidden /tgcmdwrapper
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [V0230Mon.exe] c:\windows\V0230Mon.exe
mRun: [AVFX Engine] c:\program files\creative\creative live! cam\videofx\StartFX.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BellSouthWCC_McciTrayApp] c:\program files\bellsouthwcc\McciTrayApp.exe
mRun: [HPPQVideo] "c:\program files\hp\scheduledlaunch\hp color laserjet cm1312 mfp series\bin\hppschlnch.exe" -r software\hewlett-packard\scheduledlaunch\CLJ_CM1312_MFP_Series -f PQOptimizerVideo.xml -o remindLater
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\dorothy\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\documents and settings\dorothy\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 8.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\efaxdl~1.lnk - c:\program files\efax messenger 3.5\J2GDllCmd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\efaxtr~1.lnk - c:\program files\efax messenger 3.5\J2GTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: <NO NAME> =
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
LSP: mswsock.dll
Trusted Zone: bbandt.com\www
Trusted Zone: cofc.edu\gibbes
Trusted Zone: intuit.com\quickbooks
Trusted Zone: musicmatch.com
Trusted Zone: shopetc.com
Trusted Zone: yankeecandle.com
Trusted Zone: musicmatch.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: FirstViewer - hxxp://www.rod.dorchestercounty.net/alchemyweb/Components/FirstVwr.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000032-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall32.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://support.att.net/sdccommon/download/tgctlcm.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxps://webprod.cio.sc.gov/BlueZoneWeb/ez3270/sglw2hcm.ocx
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} - hxxp://testimg.charlestoncounty.org/asp/Applets/OBXViewer.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://access.cofc.edu/workplace/webifiers/wficat.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.com/SnapfishActivia.cab
DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} - hxxp://www.kodakgallery.com/downloads/hmpr/HMPR_WIN_IE_1/wiaaut.cab
DPF: {4592C0F5-3382-44C6-9F79-BEA2CCBDA2EA} - hxxp://imgweb.charlestoncounty.org/appnet/activex/OBXWebSelect.cab
DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - hxxps://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125405841375
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} - hxxp://directv.direcway.com/dwayready/dpcsysinfo.cab
DPF: {8285080A-3FAF-41B1-B7BD-933EE724B650} - hxxp://testimg.charlestoncounty.org/asp/Applets/OBXSelect.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8B2808C6-118A-407B-81DE-1127D33284CE} - hxxp://testimg.charlestoncounty.org/asp/Applets/OBXKeywordPanel.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C}
DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://di.imgag.com/imgag/cp/install/Crusher.cab
DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_04-win.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su2/CTL_V02002/ocx/15031/CTPID.cab
DPF: {FD3FF62E-61A7-48EE-A4A4-97CE7BD1F99D} - hxxps://access.cofc.edu/postauthACC/SodaAgent.CAB
TCP: NameServer = 85.255.116.136 85.255.112.13
TCP: DhcpNameServer = 68.87.68.166 68.87.74.166
TCP: Interfaces\{6ED63B6F-0844-48ED-9BDB-5A458A0B794A} : DhcpNameServer = 68.87.68.166 68.87.74.166
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2011-12-27 18:00:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-12-27 18:00:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-26 16:11:13 -------- d-----w- c:\program files\ESET
2011-12-22 21:49:01 -------- d--h--w- c:\documents and settings\dorothy\application data\Picasa
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1200JB-75CRA0 rev.16.06V16 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x82F8FAB8]
3 CLASSPNP[0xF8536FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x82B76628]
\Driver\Disk[0x82E156C0] -> IRP_MJ_CREATE -> 0xF858B134
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user & kernel MBR OK
.
============= FINISH: 14:02:18.39 ===============
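
The DDS report above already shows the indicators a responder would pull out before running any cleaner: two Run entries launching executables from Application Data (one under a GUID name, one under a random-looking name), a policy that disables Task Manager, an orphaned BHO, and a static NameServer pair (85.255.116.136, 85.255.112.13) that overrides the Comcast DHCP resolvers and sits in the 85.255.112.0/20 block named in the November 2011 DNSChanger takedown. The Python below is an added editor's example, not code from DDS or from anyone in the thread: it applies those checks to a constructed excerpt of the report. The rule names, severities, the user-writable path heuristic and the rogue-resolver watchlist are the editor's assumptions.

```python
"""Pull the indicators out of a DDS 'Pseudo HJT Report' before running any cleaner.

Added example for this thread; it is not code from the DDS tool or the forum.
The rules are the editor's, and SAMPLE_LOG is a constructed excerpt modelled
on the report posted above.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed excerpt in DDS format (a subset of the lines from the report above).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{E029FD62-7B09-DAD8-A187-CCFCA8736F20}] "c:\documents and settings\dorothy\application data\efopv\dyysb.exe"
uRun: [aIdFJYXaJU] c:\documents and settings\all users\application data\aIdFJYXaJU.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mPolicies-system: DisableTaskMgr = 1 (0x1)
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TCP: NameServer = 85.255.116.136 85.255.112.13
TCP: DhcpNameServer = 68.87.68.166 68.87.74.166
"""

# Resolver range listed in the November 2011 DNSChanger (Operation Ghost Click)
# takedown notices; editor's addition, not something DDS itself knows about.
ROGUE_DNS = [ipaddress.ip_network("85.255.112.0/20")]

# DDS prefixes the Run key with its hive: u = HKCU, m = HKLM, d = default user.
RUN_LINE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Autoruns launched from a user-writable profile directory rather than Program Files/System32.
USER_WRITABLE = re.compile(r"\\application data\\|\\local settings\\temp\\", re.I)
GUID_NAME = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


@dataclass(frozen=True)
class Finding:
    severity: str  # high / medium / low
    rule: str
    evidence: str


def triage(text: str) -> list:
    """Return a list of Finding objects for one DDS.txt (or an excerpt of it)."""
    findings = []
    static_dns, dhcp_dns = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := RUN_LINE.match(line):
            if USER_WRITABLE.search(m["cmd"]):
                findings.append(Finding("high", "autorun-in-user-writable-dir", line))
            if GUID_NAME.match(m["name"]):
                findings.append(Finding("medium", "autorun-guid-name", line))
        elif line.startswith("mPolicies-system: DisableTaskMgr = 1"):
            findings.append(Finding("high", "taskmgr-disabled-by-policy", line))
        elif line.startswith("TCP: NameServer ="):
            static_dns = line.split("=", 1)[1].split()
        elif line.startswith("TCP: DhcpNameServer ="):
            dhcp_dns = line.split("=", 1)[1].split()
        elif line.startswith("BHO:") and line.endswith("- No File"):
            findings.append(Finding("low", "orphaned-bho", line))
    # A static NameServer overrides what DHCP handed out; on a home PC that is
    # rarely legitimate, and a hit in a known rogue range is conclusive.
    for ip in static_dns:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in ROGUE_DNS):
            findings.append(Finding("high", "dns-rogue-range", ip))
        elif ip not in dhcp_dns:
            findings.append(Finding("medium", "dns-static-override", ip))
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.rule}: {f.evidence}")
```

Run it as a script to print the findings ordered by severity; triage() accepts the text of a whole DDS.txt, so the same checks can be run over the full report rather than the excerpt.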

#6 nasdaq
  • Malware Response Team
  • 39,531 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 January 2012 - 01:51 PM

Download the Malwarebytes Anti-Malware and ComboFix tools using a good computer from the sites listed below. Save the files to a CD or flash drive.

Copy both files to the Desktop of the infected computer.

You will need to reconnect the problem computer to run these tools.
When the logs are saved you can disconnect.
Copy the logs to a CD or flash drive and post them in your next reply.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware, please read this link.

Post back with the Malwarebytes Anti-Malware log once it's complete.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If ComboFix stalls at any point for more than 30 minutes, disable the process and run the tool again. A log will be generated.

#7 Dinx
  • Topic Starter
  • Members
  • 42 posts
  • Gender:Female

Posted 06 January 2012 - 01:44 PM

Nasdaq - once I get Malwarebytes downloaded and run the install (which seems to finish fine), I get the following popup:
Malwarebytes Anti-Malware: mbam.exe - Application error
"The instruction at "0x10002737" referenced memory at "0x00000000". The memory could not be "read". Click on OK to terminate the program." I have tried X'ing out of that popup, uninstalling Malwarebytes and re-installing it, but I get this same message. Also, every time I reboot this computer, I have to re-run rkill (iexplore from my flash drive) to get rid of the big Windows Security window, then run unhide to get my files back. And every time I access my flash drive from this computer, when I hook it back into my laptop, Norton Security finds and deletes a file called firework.mp3.exe. Says risk is Trojan zeroaccess. I have looked for that file on this computer but could not find one of the same name. What should I try next? - is there any hope?

#8 nasdaq
  • Malware Response Team
  • 39,531 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 January 2012 - 09:58 AM

Let's check further.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) (511KB) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Please post the logs for my review.
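
aswMBR and TDSSKiller both write logs that are easier to read with a small parser than by eye. The Python below is an added editor's example, not code from AVAST, Kaspersky or anyone in the thread, and it shows the three things to check in those logs: files aswMBR marks **INFECTED**; a disk-stack trace in which an IRP_MJ_* handler of \Driver\Disk resolves to an address aswMBR reports as UNKNOWN, meaning it lies in no loaded driver image, which is how a kernel-mode rootkit intercepts reads of its own sectors; and TDSSKiller's per-driver MD5 list compared with the same list from a known-clean machine of the same Windows build, which catches a patched Microsoft driver even when the scanner's own verdict is still "ok". The log excerpts are constructed in the two tools' formats, the verdict layout is the editor's reading of TDSSKiller's output, and every MD5 and detection name in the samples is a placeholder.

```python
"""Triage of aswMBR and TDSSKiller output: infected-file hits, a disk stack
that ends in an unattributed module, and driver hashes that differ from a
known-clean machine.

Added example for this thread; it is not code from AVAST, Kaspersky or the
forum. Log excerpts are constructed in the two tools' formats and every MD5
below is a placeholder, not a real file hash.
"""
import re

# ---- aswMBR -------------------------------------------------------------
ASW_INFECTED = re.compile(r"File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>.+)$")
ASW_UNKNOWN = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9a-fA-F]+)\]<<")
ASW_IRP = re.compile(r"-> (?P<irp>IRP_MJ_\w+) -> (?P<addr>0x[0-9a-fA-F]+)")

# Constructed sample in aswMBR's format.
ASW_SAMPLE = r"""
12:56:55.825 Disk 0 Windows XP default MBR code
12:57:54.950 File: C:\WINDOWS\system32\drivers\usbehci.sys **INFECTED** Win32:Sirefef [Rtk]
12:58:02.981 Disk 0 trace - called modules:
12:58:03.528 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xf79c0134]<<
12:58:03.543 \Driver\Disk[0x829ac268] -> IRP_MJ_CREATE -> 0xf79c0134
13:03:24.825 File: C:\WINDOWS\system32\wuauclt.exe **INFECTED** Win32:Patched-ZF [Trj]
"""


def triage_aswmbr(text):
    """Collect detections and report IRP handlers that point into a module
    aswMBR could not attribute to any loaded driver (a disk-stack hook)."""
    infected, unknown, irps = {}, set(), []
    for line in text.splitlines():
        if m := ASW_INFECTED.search(line):
            infected[m["path"]] = m["name"]
        elif m := ASW_UNKNOWN.search(line):
            unknown.add(m["addr"].lower())
        elif m := ASW_IRP.search(line):
            irps.append((m["irp"], m["addr"].lower()))
    return {
        "infected": infected,
        "unknown_modules": sorted(unknown),
        "irp_into_unknown": [irp for irp, addr in irps if addr in unknown],
    }


# ---- TDSSKiller ---------------------------------------------------------
# "<time> <pid> <service> (<md5>) <path>" followed by
# "<time> <pid> <service> [( <detection> )] - <verdict>"
TDSS_ENTRY = re.compile(r"^\S+ \d+ (?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
TDSS_VERDICT = re.compile(r"^\S+ \d+ (?P<svc>\S+)(?: \( (?P<detect>[^)]+) \))? - (?P<verdict>\w+)$")

# Constructed samples; hashes are placeholders, the detection name is made up.
TDSS_CLEAN = r"""
13:43:33.0246 1960 ACPI (00000000000000000000000000000a01) C:\WINDOWS\system32\DRIVERS\ACPI.sys
13:43:33.0262 1960 ACPI - ok
13:43:40.0100 1960 usbehci (00000000000000000000000000000a03) C:\WINDOWS\system32\DRIVERS\usbehci.sys
13:43:40.0120 1960 usbehci - ok
13:43:41.0100 1960 volsnap (00000000000000000000000000000a04) C:\WINDOWS\system32\drivers\volsnap.sys
13:43:41.0120 1960 volsnap - ok
"""
TDSS_INFECTED = r"""
13:43:33.0246 1960 ACPI (00000000000000000000000000000a01) C:\WINDOWS\system32\DRIVERS\ACPI.sys
13:43:33.0262 1960 ACPI - ok
13:43:40.0100 1960 usbehci (00000000000000000000000000000b03) C:\WINDOWS\system32\DRIVERS\usbehci.sys
13:43:40.0120 1960 usbehci - ok
13:43:40.0500 1960 vbma9c1a (00000000000000000000000000000b05) C:\WINDOWS\system32\drivers\vbma9c1a.sys
13:43:40.0520 1960 vbma9c1a - ok
13:43:41.0100 1960 volsnap (00000000000000000000000000000b04) C:\WINDOWS\system32\drivers\volsnap.sys
13:43:41.0120 1960 volsnap ( Rootkit.Win32.Sample ) - infected
"""


def parse_tdsskiller(text):
    """Map service name -> {md5, path, verdict, detect} from one TDSSKiller log."""
    drivers = {}
    for line in text.splitlines():
        if m := TDSS_ENTRY.match(line):
            drivers[m["svc"]] = {"md5": m["md5"], "path": m["path"], "verdict": None, "detect": None}
        elif m := TDSS_VERDICT.match(line):
            rec = drivers.setdefault(m["svc"], {"md5": None, "path": None, "verdict": None, "detect": None})
            rec["verdict"], rec["detect"] = m["verdict"], m["detect"]
    return drivers


def diff_drivers(infected, clean):
    """Drivers whose hash differs from the clean machine, drivers present only
    on the infected one, and anything the scanner itself did not call ok."""
    mismatch, extra, flagged = [], [], []
    for svc, rec in infected.items():
        if rec["verdict"] not in (None, "ok"):
            flagged.append(svc)
        if svc not in clean:
            extra.append(svc)
        elif rec["md5"] and clean[svc]["md5"] and rec["md5"] != clean[svc]["md5"]:
            mismatch.append(svc)
    return {"hash_mismatch": sorted(mismatch), "only_on_infected": sorted(extra), "non_ok_verdict": sorted(flagged)}


if __name__ == "__main__":
    print(triage_aswmbr(ASW_SAMPLE))
    print(diff_drivers(parse_tdsskiller(TDSS_INFECTED), parse_tdsskiller(TDSS_CLEAN)))
```

The hash comparison is the part worth keeping: usbehci.sys above comes back "ok" from the scanner yet differs from the clean machine, and a driver name that exists only on the infected host (here vbma9c1a) is the loader that the other infected files depend on.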

#9 Dinx
  • Topic Starter
  • Members
  • 42 posts
  • Gender:Female

Posted 07 January 2012 - 03:24 PM

Text from aswMBR.txt follows, and I will attempt to attach the zip file MBR.dat.
aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-07 12:38:33
-----------------------------
12:38:33.715 OS Version: Windows 5.1.2600 Service Pack 3
12:38:33.715 Number of processors: 1 586 0x207
12:38:33.715 ComputerName: PLAYROOM UserName: Dorothy
12:38:34.403 Initialize success
12:43:33.637 AVAST engine defs: 12010701
12:56:54.950 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:56:54.950 Disk 0 Vendor: WDC_WD1200JB-75CRA0 16.06V16 Size: 114440MB BusType: 3
12:56:54.981 Disk 0 MBR read successfully
12:56:54.981 Disk 0 MBR scan
12:56:55.825 Disk 0 Windows XP default MBR code
12:56:55.856 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 39 MB offset 63
12:56:56.387 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 114400 MB offset 80325
12:56:56.543 Disk 0 scanning sectors +234372285
12:56:56.965 Disk 0 scanning C:\WINDOWS\system32\drivers
12:57:54.950 File: C:\WINDOWS\system32\drivers\usbehci.sys **INFECTED** Win32:Sirefef [Rtk]
12:57:56.434 File: C:\WINDOWS\system32\drivers\vbma9c1a.sys **INFECTED** Win32:Rootkit-gen [Rtk]
12:58:00.200 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
12:58:02.981 Disk 0 trace - called modules:
12:58:03.528 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xf79c0134]<<
12:58:03.528 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f89ab8]
12:58:03.543 3 CLASSPNP.SYS[f8536fd7] -> nt!IofCallDriver -> [0x82b6c9a0]
12:58:03.543 \Driver\Disk[0x829ac268] -> IRP_MJ_CREATE -> 0xf79c0134
12:58:04.215 AVAST engine scan C:\WINDOWS
12:58:55.278 File: C:\WINDOWS\wanmpsvc.exe **INFECTED** Win32:Patched-WQ [Trj]
12:58:57.590 AVAST engine scan C:\WINDOWS\system32
12:59:30.762 File: C:\WINDOWS\system32\CTsvcCDA.EXE **INFECTED** Win32:Patched-WQ [Trj]
13:01:23.809 File: C:\WINDOWS\system32\MsPMSPSv.exe **INFECTED** Win32:Patched-WQ [Trj]
13:01:41.762 File: C:\WINDOWS\system32\ngvpnmgr.exe **INFECTED** Win32:Patched-WQ [Trj]
13:01:51.653 File: C:\WINDOWS\system32\nvsvc32.exe **INFECTED** Win32:Patched-WQ [Trj]
13:03:24.825 File: C:\WINDOWS\system32\wuauclt.exe **INFECTED** Win32:Patched-ZF [Trj]
13:03:32.543 AVAST engine scan C:\WINDOWS\system32\drivers
13:03:53.200 File: C:\WINDOWS\system32\drivers\usbehci.sys **INFECTED** Win32:Sirefef [Rtk]
13:03:53.856 File: C:\WINDOWS\system32\drivers\vbma9c1a.sys **INFECTED** Win32:Rootkit-gen [Rtk]
13:03:57.200 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
13:04:00.434 AVAST engine scan C:\Documents and Settings\Dorothy
13:04:08.184 File: C:\Documents and Settings\Dorothy\Application Data\Efopv\dyysb.exe **INFECTED** Win32:Malware-gen
13:05:24.965 File: C:\Documents and Settings\Dorothy\Application Data\Picasa\IE\PicasaUpdater.exe **INFECTED** Win32:Patched-WQ [Trj]
13:09:13.871 File: C:\Documents and Settings\Dorothy\Local Settings\Temp\jar_cache37979.tmp **INFECTED** Win32:FakeAlert-ACC [Trj]
13:09:14.278 File: C:\Documents and Settings\Dorothy\Local Settings\Temp\jar_cache52971.tmp **INFECTED** Win32:MalOb-GE [Cryp]
13:38:12.965 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dorothy\Desktop\MBR.dat"
13:38:13.200 The log file has been saved successfully to "C:\Documents and Settings\Dorothy\Desktop\aswMBR.txt"
__________________________

Text from TDSSKiller . . .
13:43:11.0356 2792 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
13:43:12.0950 2792 ============================================================
13:43:12.0950 2792 Current date / time: 2012/01/07 13:43:12.0950
13:43:12.0950 2792 SystemInfo:
13:43:12.0950 2792
13:43:12.0950 2792 OS Version: 5.1.2600 ServicePack: 3.0
13:43:12.0950 2792 Product type: Workstation
13:43:12.0950 2792 ComputerName: PLAYROOM
13:43:12.0950 2792 UserName: Dorothy
13:43:12.0950 2792 Windows directory: C:\WINDOWS
13:43:12.0950 2792 System windows directory: C:\WINDOWS
13:43:12.0965 2792 Processor architecture: Intel x86
13:43:12.0965 2792 Number of processors: 1
13:43:12.0965 2792 Page size: 0x1000
13:43:12.0965 2792 Boot type: Normal boot
13:43:12.0965 2792 ============================================================
13:43:14.0825 2792 Initialize success
13:43:32.0668 1960 ============================================================
13:43:32.0668 1960 Scan started
13:43:32.0668 1960 Mode: Manual;
13:43:32.0668 1960 ============================================================
13:43:33.0059 1960 Abiosdsk - ok
13:43:33.0137 1960 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS
13:43:33.0153 1960 abp480n5 - ok
13:43:33.0246 1960 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
13:43:33.0262 1960 ACPI - ok
13:43:33.0371 1960 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
13:43:33.0387 1960 ACPIEC - ok
13:43:33.0465 1960 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys
13:43:33.0481 1960 adpu160m - ok
13:43:33.0559 1960 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
13:43:33.0575 1960 aec - ok
13:43:33.0653 1960 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
13:43:33.0684 1960 AFD - ok
13:43:33.0731 1960 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
13:43:33.0746 1960 agp440 - ok
13:43:33.0809 1960 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\System32\DRIVERS\agpCPQ.sys
13:43:33.0825 1960 agpCPQ - ok
13:43:33.0903 1960 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\System32\DRIVERS\aha154x.sys
13:43:33.0903 1960 Aha154x - ok
13:43:33.0981 1960 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys
13:43:33.0996 1960 aic78u2 - ok
13:43:34.0075 1960 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys
13:43:34.0075 1960 aic78xx - ok
13:43:34.0168 1960 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\System32\DRIVERS\aliide.sys
13:43:34.0184 1960 AliIde - ok
13:43:34.0246 1960 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\System32\DRIVERS\alim1541.sys
13:43:34.0262 1960 alim1541 - ok
13:43:34.0340 1960 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\System32\DRIVERS\amdagp.sys
13:43:34.0356 1960 amdagp - ok
13:43:34.0434 1960 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\System32\DRIVERS\amsint.sys
13:43:34.0450 1960 amsint - ok
13:43:34.0528 1960 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\System32\DRIVERS\asc.sys
13:43:34.0528 1960 asc - ok
13:43:34.0606 1960 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\System32\DRIVERS\asc3350p.sys
13:43:34.0637 1960 asc3350p - ok
13:43:34.0731 1960 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\System32\DRIVERS\asc3550.sys
13:43:34.0762 1960 asc3550 - ok
13:43:34.0856 1960 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
13:43:34.0871 1960 AsyncMac - ok
13:43:34.0950 1960 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
13:43:34.0965 1960 atapi - ok
13:43:35.0028 1960 Atdisk - ok
13:43:35.0106 1960 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
13:43:35.0106 1960 Atmarpc - ok
13:43:35.0184 1960 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
13:43:35.0184 1960 audstub - ok
13:43:35.0278 1960 BCMModem (c5e6518985f92355a5190cb143329b08) C:\WINDOWS\system32\DRIVERS\BCMSM.sys
13:43:35.0371 1960 BCMModem - ok
13:43:35.0434 1960 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
13:43:35.0434 1960 Beep - ok
13:43:35.0512 1960 bvrp_pci - ok
13:43:35.0575 1960 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\DRIVERS\cbidf2k.sys
13:43:35.0590 1960 cbidf - ok
13:43:35.0668 1960 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
13:43:35.0668 1960 cbidf2k - ok
13:43:35.0715 1960 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
13:43:35.0731 1960 CCDECODE - ok
13:43:35.0840 1960 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys
13:43:35.0840 1960 cd20xrnt - ok
13:43:35.0918 1960 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
13:43:35.0934 1960 Cdaudio - ok
13:43:35.0996 1960 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
13:43:36.0012 1960 Cdfs - ok
13:43:36.0090 1960 Cdr4_xp (297acc7d7c66ec86ee0b4eb5af9a8fd3) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
13:43:36.0137 1960 Cdr4_xp - ok
13:43:36.0215 1960 Cdralw2k (5e31abf467a6fd857710c0927c88ee4c) C:\WINDOWS\system32\drivers\Cdralw2k.sys
13:43:36.0278 1960 Cdralw2k - ok
13:43:36.0371 1960 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
13:43:36.0387 1960 Cdrom - ok
13:43:36.0434 1960 cdudf_xp (cfd81f2140193fc7f1812e6d6eaf6795) C:\WINDOWS\system32\drivers\cdudf_xp.sys
13:43:36.0465 1960 cdudf_xp - ok
13:43:36.0512 1960 Changer - ok
13:43:36.0621 1960 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys
13:43:36.0621 1960 CmdIde - ok
13:43:36.0731 1960 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys
13:43:36.0746 1960 Cpqarray - ok
13:43:36.0856 1960 CVirtA (cb7d7c0e74adcb7da96d08ec8db86062) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
13:43:36.0871 1960 CVirtA - ok
13:43:36.0981 1960 CVPNDRVA (992b8e263f30109967c15f7b464ccb05) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
13:43:37.0028 1960 CVPNDRVA - ok
13:43:37.0121 1960 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys
13:43:37.0153 1960 dac2w2k - ok
13:43:37.0231 1960 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys
13:43:37.0246 1960 dac960nt - ok
13:43:37.0387 1960 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
13:43:37.0403 1960 Disk - ok
13:43:37.0528 1960 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
13:43:37.0590 1960 dmboot - ok
13:43:37.0668 1960 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
13:43:37.0684 1960 dmio - ok
13:43:37.0762 1960 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
13:43:37.0778 1960 dmload - ok
13:43:37.0856 1960 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
13:43:37.0871 1960 DMusic - ok
13:43:37.0950 1960 DNE (c86fbf607445bf693450d84b775f168c) C:\WINDOWS\system32\DRIVERS\dne2000.sys
13:43:37.0996 1960 DNE - ok
13:43:38.0106 1960 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys
13:43:38.0121 1960 dpti2o - ok
13:43:38.0184 1960 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
13:43:38.0200 1960 drmkaud - ok
13:43:38.0356 1960 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
13:43:38.0371 1960 DSproct - ok
13:43:38.0496 1960 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
13:43:38.0512 1960 dsunidrv - ok
13:43:38.0575 1960 dvd_2K (677829f7010768eeeed8d0083e510dab) C:\WINDOWS\system32\drivers\dvd_2K.sys
13:43:38.0621 1960 dvd_2K - ok
13:43:38.0715 1960 E100B (842c20ba5d00fa40e5a25b20fecd0f57) C:\WINDOWS\system32\DRIVERS\e100b325.sys
13:43:38.0762 1960 E100B - ok
13:43:38.0856 1960 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
13:43:38.0918 1960 eeCtrl - ok
13:43:39.0028 1960 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
13:43:39.0043 1960 EL90XBC - ok
13:43:39.0137 1960 elagopro (7ec42ec12a4bac14bcca99fb06f2d125) C:\WINDOWS\system32\DRIVERS\elagopro.sys
13:43:39.0137 1960 elagopro - ok
13:43:39.0215 1960 elaunidr (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\elaunidr.sys
13:43:39.0231 1960 elaunidr - ok
13:43:39.0262 1960 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
13:43:39.0325 1960 EraserUtilRebootDrv - ok
13:43:39.0450 1960 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
13:43:39.0465 1960 Fastfat - ok
13:43:39.0543 1960 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
13:43:39.0559 1960 Fdc - ok
13:43:39.0621 1960 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
13:43:39.0637 1960 Fips - ok
13:43:39.0700 1960 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
13:43:39.0700 1960 Flpydisk - ok
13:43:39.0762 1960 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
13:43:39.0778 1960 FltMgr - ok
13:43:39.0856 1960 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
13:43:39.0871 1960 Fs_Rec - ok
13:43:39.0950 1960 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
13:43:39.0965 1960 Ftdisk - ok
13:43:40.0043 1960 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
13:43:40.0059 1960 gameenum - ok
13:43:40.0137 1960 GEARAspiWDM (6f55305289a0765bd8ae8e8d32f17117) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
13:43:40.0200 1960 GEARAspiWDM - ok
13:43:40.0340 1960 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
13:43:40.0418 1960 Gpc - ok
13:43:40.0543 1960 grmnusb (cd007d03a9284bfe67d49c01213132bf) C:\WINDOWS\system32\drivers\grmnusb.sys
13:43:40.0559 1960 grmnusb - ok
13:43:40.0668 1960 HPFXBULK (299683d4c8aaa3f6f5d5d226a1782a6e) C:\WINDOWS\system32\drivers\hpfxbulk.sys
13:43:40.0715 1960 HPFXBULK - ok
13:43:40.0825 1960 HPFXFAX (f728db73a87231e27b6ba34d71ce2edb) C:\WINDOWS\system32\drivers\hpfxfax.sys
13:43:40.0934 1960 HPFXFAX - ok
13:43:41.0043 1960 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys
13:43:41.0059 1960 hpn - ok
13:43:41.0184 1960 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
13:43:41.0231 1960 HTTP - ok
13:43:41.0340 1960 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
13:43:41.0340 1960 i2omgmt - ok
13:43:41.0418 1960 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys
13:43:41.0450 1960 i2omp - ok
13:43:41.0528 1960 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
13:43:41.0543 1960 i8042prt - ok
13:43:41.0621 1960 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
13:43:41.0668 1960 i81x - ok
13:43:41.0762 1960 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
13:43:41.0809 1960 iAimFP0 - ok
13:43:41.0903 1960 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
13:43:41.0918 1960 iAimFP1 - ok
13:43:41.0996 1960 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
13:43:42.0043 1960 iAimFP2 - ok
13:43:42.0137 1960 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
13:43:42.0184 1960 iAimFP3 - ok
13:43:42.0262 1960 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
13:43:42.0278 1960 iAimFP4 - ok
13:43:42.0387 1960 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
13:43:42.0418 1960 iAimTV0 - ok
13:43:42.0512 1960 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
13:43:42.0528 1960 iAimTV1 - ok
13:43:42.0590 1960 iAimTV2 - ok
13:43:42.0668 1960 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
13:43:42.0684 1960 iAimTV3 - ok
13:43:42.0731 1960 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
13:43:42.0793 1960 iAimTV4 - ok
13:43:42.0903 1960 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
13:43:42.0918 1960 Imapi - ok
13:43:43.0012 1960 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys
13:43:43.0028 1960 ini910u - ok
13:43:43.0106 1960 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
13:43:43.0106 1960 IntelIde - ok
13:43:43.0168 1960 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
13:43:43.0184 1960 intelppm - ok
13:43:43.0262 1960 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
13:43:43.0262 1960 ip6fw - ok
13:43:43.0356 1960 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
13:43:43.0371 1960 IpFilterDriver - ok
13:43:43.0481 1960 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
13:43:43.0481 1960 IpInIp - ok
13:43:43.0543 1960 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
13:43:43.0590 1960 IpNat - ok
13:43:43.0668 1960 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
13:43:43.0684 1960 IPSec - ok
13:43:43.0762 1960 IPVNMon (0b46016d4df29ff99edb33fadb643cbb) C:\WINDOWS\system32\drivers\IPVNMon.sys
13:43:43.0809 1960 IPVNMon - ok
13:43:43.0887 1960 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
13:43:43.0934 1960 IRENUM - ok
13:43:44.0012 1960 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
13:43:44.0028 1960 isapnp - ok
13:43:44.0106 1960 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
13:43:44.0121 1960 Kbdclass - ok
13:43:44.0184 1960 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
13:43:44.0184 1960 kmixer - ok
13:43:44.0246 1960 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
13:43:44.0262 1960 KSecDD - ok
13:43:44.0325 1960 lbrtfdc - ok
13:43:44.0465 1960 ltmodem5 (9ee18a5a45552673a67532ea37370377) C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
13:43:44.0575 1960 ltmodem5 - ok
13:43:44.0653 1960 MBAMSwissArmy (0db7527db188c7d967a37bb51bbf3963) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
13:43:44.0856 1960 MBAMSwissArmy - ok
13:43:45.0184 1960 mmc_2K (9b90303a9c9405a6ce1466ff4aa20fdd) C:\WINDOWS\system32\drivers\mmc_2K.sys
13:43:45.0340 1960 mmc_2K - ok
13:43:45.0668 1960 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
13:43:45.0684 1960 mnmdd - ok
13:43:45.0762 1960 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
13:43:45.0778 1960 Modem - ok
13:43:45.0825 1960 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
13:43:45.0840 1960 MODEMCSA - ok
13:43:45.0996 1960 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
13:43:46.0028 1960 Mouclass - ok
13:43:46.0121 1960 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
13:43:46.0137 1960 MountMgr - ok
13:43:46.0200 1960 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\System32\DRIVERS\mraid35x.sys
13:43:46.0215 1960 mraid35x - ok
13:43:46.0309 1960 MREMPR5 (2bc9e43f55de8c30fc817ed56d0ee907) C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS
13:43:46.0356 1960 MREMPR5 - ok
13:43:46.0387 1960 MRENDIS5 (594b9d8194e3f4ecbf0325bd10bbeb05) C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
13:43:46.0434 1960 MRENDIS5 - ok
13:43:46.0512 1960 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
13:43:46.0528 1960 MRxDAV - ok
13:43:46.0715 1960 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
13:43:46.0762 1960 MRxSmb - ok
13:43:46.0871 1960 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
13:43:46.0871 1960 Msfs - ok
13:43:46.0950 1960 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
13:43:46.0950 1960 MSKSSRV - ok
13:43:47.0028 1960 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
13:43:47.0043 1960 MSPCLOCK - ok
13:43:47.0106 1960 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
13:43:47.0121 1960 MSPQM - ok
13:43:47.0184 1960 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
13:43:47.0184 1960 mssmbios - ok
13:43:47.0262 1960 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
13:43:47.0262 1960 MSTEE - ok
13:43:47.0340 1960 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
13:43:47.0387 1960 Mup - ok
13:43:47.0465 1960 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
13:43:47.0496 1960 NABTSFEC - ok
13:43:47.0543 1960 NAVAP - ok
13:43:47.0621 1960 NAVENG (c8ef74e4d8105b1d02d58ea4734cf616) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110212.004\naveng.sys
13:43:47.0668 1960 NAVENG - ok
13:43:47.0762 1960 NAVEX15 (94b3164055d821a62944d9fe84036470) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110212.004\navex15.sys
13:43:47.0887 1960 NAVEX15 - ok
13:43:48.0012 1960 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
13:43:48.0059 1960 NDIS - ok
13:43:48.0121 1960 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
13:43:48.0137 1960 NdisIP - ok
13:43:48.0200 1960 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
13:43:48.0200 1960 NdisTapi - ok
13:43:48.0262 1960 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
13:43:48.0262 1960 Ndisuio - ok
13:43:48.0371 1960 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
13:43:48.0387 1960 NdisWan - ok
13:43:48.0496 1960 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
13:43:48.0512 1960 NDProxy - ok
13:43:48.0575 1960 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
13:43:48.0590 1960 NetBIOS - ok
13:43:48.0684 1960 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
13:43:48.0700 1960 NetBT - ok
13:43:48.0793 1960 NgFilter (52b393a30694366dfa093cdc54e8f648) C:\WINDOWS\system32\DRIVERS\ngfilter.sys
13:43:48.0887 1960 NgFilter - ok
13:43:49.0059 1960 NgLog (222434a0738b5ab16d8d2c9df171b3af) C:\WINDOWS\system32\DRIVERS\nglog.sys
13:43:49.0075 1960 NgLog - ok
13:43:49.0137 1960 NgVpn (c7815e48973528e86b9064e814cde535) C:\WINDOWS\system32\DRIVERS\ngvpn.sys
13:43:49.0168 1960 NgVpn - ok
13:43:49.0262 1960 NgWfp (e25ed06d5c190d451019b876e4a8c1ca) C:\WINDOWS\system32\DRIVERS\ngwfp.sys
13:43:49.0309 1960 NgWfp - ok
13:43:49.0403 1960 NMSCFG (1d3bb79a0035077297779c8c52ca3c01) C:\WINDOWS\System32\drivers\NMSCFG.SYS
13:43:49.0434 1960 NMSCFG - ok
13:43:49.0543 1960 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
13:43:49.0543 1960 Npfs - ok
13:43:49.0637 1960 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
13:43:49.0700 1960 Ntfs - ok
13:43:49.0809 1960 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
13:43:49.0809 1960 Null - ok
13:43:50.0012 1960 nv (71dbdc08df86b80511e72953fa1ad6b0) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
13:43:50.0137 1960 nv - ok
13:43:50.0231 1960 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
13:43:50.0231 1960 NwlnkFlt - ok
13:43:50.0309 1960 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
13:43:50.0325 1960 NwlnkFwd - ok
13:43:50.0403 1960 omci (1d98907d80461371437a7c898c58c8ae) C:\WINDOWS\system32\DRIVERS\omci.sys
13:43:50.0450 1960 omci - ok
13:43:50.0575 1960 P16X (e433c553d00d76fbc616294b60a7a530) C:\WINDOWS\system32\drivers\P16X.sys
13:43:50.0668 1960 P16X - ok
13:43:50.0746 1960 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
13:43:50.0762 1960 P3 - ok
13:43:50.0825 1960 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
13:43:50.0825 1960 Parport - ok
13:43:50.0887 1960 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
13:43:50.0918 1960 PartMgr - ok
13:43:50.0965 1960 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
13:43:50.0981 1960 ParVdm - ok
13:43:51.0028 1960 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
13:43:51.0043 1960 PCI - ok
13:43:51.0106 1960 PCIDump - ok
13:43:51.0153 1960 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\System32\DRIVERS\pciide.sys
13:43:51.0168 1960 PCIIde - ok
13:43:51.0246 1960 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
13:43:51.0262 1960 Pcmcia - ok
13:43:51.0356 1960 PCTBD (3a0262b85b5bb4d4cfc096ea00ed610b) C:\WINDOWS\system32\Drivers\PCTBD.sys
13:43:51.0403 1960 PCTBD - ok
13:43:51.0496 1960 PCTCore (0edb74bd0d52d6d94cf862322e48b94e) C:\WINDOWS\system32\drivers\PCTCore.sys
13:43:51.0559 1960 PCTCore - ok
13:43:51.0621 1960 pctDS (af08ec0f2093867ab955e24121ee7002) C:\WINDOWS\system32\drivers\pctDS.sys
13:43:51.0653 1960 pctDS - ok
13:43:51.0731 1960 pctEFA (4b1b0cd45a047c0941f6b6151f6fb3c1) C:\WINDOWS\system32\drivers\pctEFA.sys
13:43:51.0778 1960 pctEFA - ok
13:43:51.0856 1960 PCTSD (86b9af53e46d0618d230608aed82622f) C:\WINDOWS\system32\Drivers\PCTSD.sys
13:43:51.0903 1960 PCTSD - ok
13:43:51.0965 1960 PDCOMP - ok
13:43:52.0028 1960 PDFRAME - ok
13:43:52.0075 1960 PDRELI - ok
13:43:52.0121 1960 PDRFRAME - ok
13:43:52.0200 1960 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\System32\DRIVERS\perc2.sys
13:43:52.0215 1960 perc2 - ok
13:43:52.0309 1960 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\System32\DRIVERS\perc2hib.sys
13:43:52.0309 1960 perc2hib - ok
13:43:52.0418 1960 pfc (ed2e7f396b4098608c95bc3806bdf6fc) C:\WINDOWS\system32\drivers\pfc.sys
13:43:52.0528 1960 pfc - ok
13:43:52.0606 1960 PfModNT (2f5532f9b0f903b26847da674b4f55b2) C:\WINDOWS\System32\PfModNT.sys
13:43:52.0684 1960 PfModNT - ok
13:43:52.0778 1960 Point32 (e4910ce9d882bf825979fcf4636a9bd8) C:\WINDOWS\system32\DRIVERS\point32.sys
13:43:52.0793 1960 Point32 - ok
13:43:52.0887 1960 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
13:43:52.0903 1960 PptpMiniport - ok
13:43:52.0965 1960 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
13:43:52.0981 1960 Processor - ok
13:43:53.0043 1960 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
13:43:53.0043 1960 PSched - ok
13:43:53.0106 1960 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
13:43:53.0121 1960 Ptilink - ok
13:43:53.0184 1960 pwd_2k (d8b90616a8bd53de281dbdb664c0984a) C:\WINDOWS\system32\drivers\pwd_2k.sys
13:43:53.0246 1960 pwd_2k - ok
13:43:53.0356 1960 PxHelp20 (30cbae0a34359f1cd19d1576245149ed) C:\WINDOWS\system32\Drivers\PxHelp20.sys
13:43:53.0356 1960 PxHelp20 - ok
13:43:53.0481 1960 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\System32\DRIVERS\ql1080.sys
13:43:53.0496 1960 ql1080 - ok
13:43:53.0559 1960 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\System32\DRIVERS\ql10wnt.sys
13:43:53.0606 1960 Ql10wnt - ok
13:43:53.0684 1960 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\System32\DRIVERS\ql12160.sys
13:43:53.0715 1960 ql12160 - ok
13:43:53.0793 1960 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\System32\DRIVERS\ql1240.sys
13:43:53.0793 1960 ql1240 - ok
13:43:53.0871 1960 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\System32\DRIVERS\ql1280.sys
13:43:53.0887 1960 ql1280 - ok
13:43:53.0950 1960 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
13:43:53.0950 1960 RasAcd - ok
13:43:54.0028 1960 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
13:43:54.0090 1960 Rasl2tp - ok
13:43:54.0153 1960 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
13:43:54.0168 1960 RasPppoe - ok
13:43:54.0215 1960 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
13:43:54.0231 1960 Raspti - ok
13:43:54.0340 1960 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
13:43:54.0356 1960 Rdbss - ok
13:43:54.0418 1960 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
13:43:54.0450 1960 RDPCDD - ok
13:43:54.0528 1960 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
13:43:54.0543 1960 rdpdr - ok
13:43:54.0606 1960 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
13:43:54.0653 1960 RDPWD - ok
13:43:54.0731 1960 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
13:43:54.0746 1960 redbook - ok
13:43:54.0903 1960 SAVRT (cdb565c093b0105086cc630b32f9e6e6) C:\Program Files\Symantec AntiVirus\savrt.sys
13:43:54.0950 1960 SAVRT - ok
13:43:54.0981 1960 SAVRTPEL (1042cb5a003f9aed8d6cec56a0fc6c49) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
13:43:55.0059 1960 SAVRTPEL - ok
13:43:55.0137 1960 SDDMI2 - ok
13:43:55.0215 1960 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
13:43:55.0231 1960 Secdrv - ok
13:43:55.0293 1960 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
13:43:55.0325 1960 serenum - ok
13:43:55.0403 1960 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
13:43:55.0403 1960 Serial - ok
13:43:55.0465 1960 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
13:43:55.0481 1960 Sfloppy - ok
13:43:55.0543 1960 Simbad - ok
13:43:55.0621 1960 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\System32\DRIVERS\sisagp.sys
13:43:55.0637 1960 sisagp - ok
13:43:55.0700 1960 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
13:43:55.0700 1960 SLIP - ok
13:43:55.0809 1960 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
13:43:55.0809 1960 SONYPVU1 - ok
13:43:55.0903 1960 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\System32\DRIVERS\sparrow.sys
13:43:55.0903 1960 Sparrow - ok
13:43:56.0012 1960 SPBBCDrv (677b10906838d3bfb1c07ac9087e4bf7) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
13:43:56.0121 1960 SPBBCDrv - ok
13:43:56.0450 1960 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
13:43:56.0528 1960 splitter - ok
13:43:56.0621 1960 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
13:43:56.0637 1960 sr - ok
13:43:56.0715 1960 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
13:43:56.0762 1960 Srv - ok
13:43:56.0825 1960 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
13:43:56.0840 1960 streamip - ok
13:43:56.0918 1960 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
13:43:56.0934 1960 swenum - ok
13:43:57.0012 1960 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
13:43:57.0028 1960 swmidi - ok
13:43:57.0121 1960 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\System32\DRIVERS\symc810.sys
13:43:57.0137 1960 symc810 - ok
13:43:57.0215 1960 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\System32\DRIVERS\symc8xx.sys
13:43:57.0231 1960 symc8xx - ok
13:43:57.0325 1960 SymEvent (3c6790d26d03fe5163e2bec490e51a7e) C:\Program Files\Symantec\SYMEVENT.SYS
13:43:57.0387 1960 SymEvent - ok
13:43:57.0481 1960 SYMREDRV (5314e345dfc068504cfb2676d3b2ca39) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
13:43:57.0528 1960 SYMREDRV - ok
13:43:57.0606 1960 SYMTDI (8cd0a1478256240249b8ee88e6f25e94) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
13:43:57.0668 1960 SYMTDI - ok
13:43:57.0746 1960 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\System32\DRIVERS\sym_hi.sys
13:43:57.0762 1960 sym_hi - ok
13:43:57.0825 1960 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\System32\DRIVERS\sym_u3.sys
13:43:57.0856 1960 sym_u3 - ok
13:43:57.0965 1960 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
13:43:57.0981 1960 sysaudio - ok
13:43:58.0090 1960 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
13:43:58.0121 1960 Tcpip - ok
13:43:58.0200 1960 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
13:43:58.0278 1960 TDPIPE - ok
13:43:58.0371 1960 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
13:43:58.0434 1960 TDTCP - ok
13:43:58.0528 1960 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
13:43:58.0543 1960 TermDD - ok
13:43:58.0653 1960 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\System32\DRIVERS\toside.sys
13:43:58.0653 1960 TosIde - ok
13:43:58.0762 1960 UdfReadr_xp (4e75005b74be901c30f2636df40b0c15) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
13:43:58.0778 1960 UdfReadr_xp - ok
13:43:58.0840 1960 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
13:43:58.0856 1960 Udfs - ok
13:43:58.0934 1960 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\System32\DRIVERS\ultra.sys
13:43:58.0950 1960 ultra - ok
13:43:59.0028 1960 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
13:43:59.0059 1960 Update - ok
13:43:59.0137 1960 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
13:43:59.0153 1960 usbccgp - ok
13:43:59.0215 1960 usbehci (f893037807bf96f652a7c7e1dc388a25) C:\WINDOWS\system32\DRIVERS\usbehci.sys
13:43:59.0356 1960 usbehci ( Rootkit.Win32.ZAccess.c ) - infected
13:43:59.0356 1960 usbehci - detected Rootkit.Win32.ZAccess.c (0)
13:43:59.0528 1960 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
13:43:59.0559 1960 usbhub - ok
13:43:59.0621 1960 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
13:43:59.0637 1960 usbprint - ok
13:43:59.0700 1960 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
13:43:59.0762 1960 usbscan - ok
13:43:59.0825 1960 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
13:43:59.0856 1960 USBSTOR - ok
13:43:59.0918 1960 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
13:43:59.0934 1960 usbuhci - ok
13:44:00.0028 1960 V0230Vfx (a0c643d5f8c60f12faa6e3454dfe9c32) C:\WINDOWS\system32\DRIVERS\V0230Vfx.sys
13:44:00.0028 1960 V0230Vfx - ok
13:44:00.0168 1960 V0230VID (4dda6f6d396cb34171aa36ad025fdc76) C:\WINDOWS\system32\DRIVERS\V0230VID.sys
13:44:00.0262 1960 V0230VID - ok
13:44:00.0262 1960 Suspicious service (NoAccess): vbma9c1a
13:44:00.0387 1960 vbma9c1a (08f156d687a57938584accf930d73adc) C:\WINDOWS\system32\drivers\vbma9c1a.sys
13:44:00.0387 1960 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbma9c1a.sys. md5: 08f156d687a57938584accf930d73adc
13:44:00.0387 1960 vbma9c1a ( LockedService.Multi.Generic ) - warning
13:44:00.0387 1960 vbma9c1a - detected LockedService.Multi.Generic (1)
13:44:00.0450 1960 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
13:44:00.0465 1960 VgaSave - ok
13:44:00.0543 1960 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\System32\DRIVERS\viaagp.sys
13:44:00.0559 1960 viaagp - ok
13:44:00.0637 1960 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys
13:44:00.0653 1960 ViaIde - ok
13:44:00.0731 1960 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) C:\WINDOWS\system32\drivers\VolSnap.sys
13:44:00.0731 1960 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 7c38f81f40d61d1607ddb62fe5817bb9, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
13:44:00.0746 1960 VolSnap ( Rootkit.Win32.TDSS.tdl3 ) - infected
13:44:00.0746 1960 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
13:44:00.0840 1960 vsdatant (d658e49302c382b88c8e9a08e20b2e82) C:\WINDOWS\System32\vsdatant.sys
13:44:00.0887 1960 vsdatant - ok
13:44:00.0981 1960 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
13:44:01.0012 1960 Wanarp - ok
13:44:01.0106 1960 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
13:44:01.0153 1960 wanatw - ok
13:44:01.0215 1960 WDICA - ok
13:44:01.0293 1960 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
13:44:01.0325 1960 wdmaud - ok
13:44:01.0512 1960 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
13:44:01.0528 1960 WSTCODEC - ok
13:44:01.0668 1960 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
13:44:01.0918 1960 WudfPf - ok
13:44:01.0981 1960 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
13:44:02.0012 1960 WudfRd - ok
13:44:02.0059 1960 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
13:44:02.0246 1960 \Device\Harddisk0\DR0 - ok
13:44:02.0262 1960 Boot (0x1200) (2c0bc4d1117981af102cbb184519578c) \Device\Harddisk0\DR0\Partition0
13:44:02.0262 1960 \Device\Harddisk0\DR0\Partition0 - ok
13:44:02.0262 1960 ============================================================
13:44:02.0262 1960 Scan finished
13:44:02.0262 1960 ============================================================
13:44:02.0309 1808 Detected object count: 3
13:44:02.0309 1808 Actual detected object count: 3
13:44:16.0981 1808 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\usbehci.sys) error 1813
13:44:23.0121 1808 Backup copy found, using it..
13:44:23.0153 1808 C:\WINDOWS\system32\DRIVERS\usbehci.sys - will be cured on reboot
13:44:29.0856 1808 usbehci ( Rootkit.Win32.ZAccess.c ) - User select action: Cure
13:44:29.0871 1808 vbma9c1a ( LockedService.Multi.Generic ) - skipped by user
13:44:29.0871 1808 vbma9c1a ( LockedService.Multi.Generic ) - User select action: Skip
13:44:30.0403 1808 Backup copy found, using it..
13:44:30.0496 1808 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured on reboot
13:44:30.0496 1808 VolSnap ( Rootkit.Win32.TDSS.tdl3 ) - User select action: Cure
13:44:39.0684 3552 Deinitialize success
--------------------------
At reboot, among the "hard disk failure" messages I also got a "Windows - Delayed Write Failed" popup that says "Windows was unable to save all the data for the file \\System32\\496A8300. The data has been lost. This error may be caused by a failure of your computer hardware." ALSO, a Malwarebytes popup came up that says "Malwarebytes Anti-Malware has detected a malicious process attempting to start and has blocked the execution attempt. Please select an option below." Then it lists "C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AIDFJYXAJU.EXE". It gave me the choice to Ignore or Quarantine and I chose Quarantine, but the whole message is suspect as it is just sitting there. According to Task Manager, Malwarebytes is still running. I had to run rkill again after the reboot, and noticed it "killed" the file that Malwarebytes was supposed to have quarantined. Also - Run Programs is empty again. Here is the text from the Rkill log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/07/2012 at 14:57:23.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

\\.\globalroot\Device\svchost.exe\svchost.exe
C:\Documents and Settings\Dorothy\Application Data\Picasa\IE\PicasaUpdater.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Documents and Settings\All Users\Application Data\aIdFJYXaJU.exe
C:\WINDOWS\system32\grpconv.exe


Rkill completed on 01/07/2012 at 14:58:06.
___________________________________________

To make matters worse, I just opened a bill from Direct TV (which I do not subscribe to - we have Comcast) that shows current charges of about $140 and that an auto payment was made via my AmEx for LAST month's bill. I can only think this "bot" and the bogus account that was set up are definitely related . . .

I THINK I have done everything you asked. Please let me know the next step. I appreciate the help but I am about ready to turn this pc off and trash it!!

Attached Files

  • Attached File: MBR.zip (512 bytes)
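The two logs in the post above carry the facts a helper actually triages: which objects TDSSKiller detected, which of those the user chose to cure or skip, which files are queued to be replaced on reboot, the MBR hash, and which of the processes Rkill terminated are running from places a legitimate program never uses (a `\\.\globalroot` device path, or a randomly named .exe dropped straight into the shared Application Data root). The script below is an added example, not code from the thread, from TDSSKiller or from Rkill: it parses lines copied from the logs above and summarizes them. The line-format regexes are inferred from the lines visible in this thread (an assumption about the general format), and the two "suspicious path" heuristics in `flag_process` are this example's own rules, not anything the tools emit.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the TDSSKiller log posted in this
# thread (format: timestamp, thread id, message).
TDSSKILLER_LINES = [
    r"13:44:00.0746 1960 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)",
    r"13:44:00.0840 1960 vsdatant (d658e49302c382b88c8e9a08e20b2e82) C:\WINDOWS\System32\vsdatant.sys",
    r"13:44:00.0887 1960 vsdatant - ok",
    r"13:44:02.0059 1960 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0",
    r"13:44:02.0246 1960 \Device\Harddisk0\DR0 - ok",
    r"13:44:23.0153 1808 C:\WINDOWS\system32\DRIVERS\usbehci.sys - will be cured on reboot",
    r"13:44:29.0856 1808 usbehci ( Rootkit.Win32.ZAccess.c ) - User select action: Cure",
    r"13:44:29.0871 1808 vbma9c1a ( LockedService.Multi.Generic ) - skipped by user",
    r"13:44:30.0496 1808 VolSnap ( Rootkit.Win32.TDSS.tdl3 ) - User select action: Cure",
]

# Constructed sample: the process section of the Rkill log in the same post.
RKILL_LINES = [
    "Processes terminated by Rkill or while it was running:",
    "",
    r"\\.\globalroot\Device\svchost.exe\svchost.exe",
    r"C:\Documents and Settings\Dorothy\Application Data\Picasa\IE\PicasaUpdater.exe",
    r"C:\PROGRA~1\SYMANT~1\VPTray.exe",
    r"C:\Documents and Settings\All Users\Application Data\aIdFJYXaJU.exe",
    r"C:\WINDOWS\system32\grpconv.exe",
    "",
    "Rkill completed on 01/07/2012 at 14:58:06.",
]

# Assumed line shapes, inferred from the log excerpt above.
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+(\d+)\s+(.*)$")
DETECTED_RE = re.compile(r"^(\S+) - detected (\S+) \(\d+\)$")
ACTION_RE = re.compile(r"^(\S+) \( (\S+) \) - (?:User select action: (\w+)|skipped by user)$")
CURE_RE = re.compile(r"^(.+) - will be cured on reboot$")
HASHED_RE = re.compile(r"^(\S+)(?: \((0x[0-9A-Fa-f]+)\))? \(([0-9a-f]{32})\) (.+)$")


def parse_tdsskiller(lines: List[str]) -> Dict[str, object]:
    """Collect detections, chosen actions, reboot-time cures and MD5s per object."""
    report: Dict[str, object] = {
        "detections": {},      # object name -> threat name
        "actions": {},         # object name -> action the user chose
        "skipped": [],         # objects the user skipped
        "cure_on_reboot": [],  # file paths queued for replacement at reboot
        "objects": {},         # object name -> (md5, path) for hashed entries
    }
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group(3)
        d = DETECTED_RE.match(msg)
        if d:
            report["detections"][d.group(1)] = d.group(2)
            continue
        a = ACTION_RE.match(msg)
        if a:
            name, threat, action = a.groups()
            report["detections"].setdefault(name, threat)
            if action:
                report["actions"][name] = action
            else:
                report["skipped"].append(name)
            continue
        c = CURE_RE.match(msg)
        if c:
            report["cure_on_reboot"].append(c.group(1))
            continue
        h = HASHED_RE.match(msg)
        if h:
            name, _offset, md5, path = h.groups()
            report["objects"][name] = (md5, path)
    return report


def unresolved(report: Dict[str, object]) -> Dict[str, str]:
    """Detections that were not cured: the items a helper will ask about next."""
    return {name: threat for name, threat in report["detections"].items()
            if report["actions"].get(name) != "Cure"}


def parse_rkill_processes(lines: List[str]) -> List[str]:
    """Return the process paths listed between the 'terminated' header and the footer."""
    procs, collecting = [], False
    for line in lines:
        if line.startswith("Processes terminated by Rkill"):
            collecting = True
        elif collecting and line.startswith("Rkill completed"):
            break
        elif collecting and line.strip():
            procs.append(line.strip())
    return procs


def flag_process(path: str) -> Optional[str]:
    """Heuristic (this example's own assumption): why a terminated process looks suspicious."""
    low = path.lower()
    if low.startswith(r"\\.\globalroot"):
        return "started from a kernel device-namespace path instead of a filesystem path"
    if re.match(r"^c:\\documents and settings\\all users\\application data\\[^\\]+\.exe$", low):
        return "executable placed directly in the shared Application Data root"
    return None


def flag_rkill(lines: List[str]) -> Dict[str, str]:
    """Map each suspicious terminated process to the reason it was flagged."""
    return {p: r for p in parse_rkill_processes(lines) if (r := flag_process(p))}


if __name__ == "__main__":
    rep = parse_tdsskiller(TDSSKILLER_LINES)
    print("detections:", rep["detections"])
    print("not cured:", unresolved(rep))
    print("queued for reboot:", rep["cure_on_reboot"])
    print("MBR md5:", rep["objects"]["MBR"][0])
    for proc, why in flag_rkill(RKILL_LINES).items():
        print("suspicious:", proc, "->", why)
```

Run against the excerpt, the summary shows the two cured rootkit drivers, the one skipped locked service still outstanding, the usbehci.sys replacement pending at reboot, and two of the five terminated processes flagged; the Picasa, Symantec and grpconv entries are left alone.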


#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:34 AM

Posted 08 January 2012 - 09:24 AM

That is a bad infection. A number of operating files were corrupted.

Let's try this.

Now run the aswMBR.exe tool. Select the Fix button.

Important > you need to wait for the tool to report ... Infection fixed successfully
Do not reboot the machine until it has said so.

When you see the message restart the computer normally.

Run aswMBR.exe normally and post the log for my review.
===

Download and run the ComboFix tool as suggested in my post No. 6.

Post the aswMBR and ComboFix logs and let me know what problem persists.

#11 Dinx

Dinx
  • Topic Starter

  • Members
  • 42 posts
  • Gender:Female
  • Local time:03:34 AM

Posted 08 January 2012 - 12:45 PM

I ran aswMBR but only Scan, FixMBR, Save Log, and Exit were available. Fix was grayed out. At the end, I tried clicking on Fix and the window went away. Could the virus be doing this? I am in the process of trying again with the scan now . . .

#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:34 AM

Posted 08 January 2012 - 01:39 PM

Run the aswMBR again and click the FixMBR.

Post the logs as previously requested.

#13 Dinx

Dinx
  • Topic Starter

  • Members
  • 42 posts
  • Gender:Female
  • Local time:03:34 AM

Posted 08 January 2012 - 02:24 PM

I ran aswMBR again. Once it finished (still showing lots of infections), the Fix was available and I clicked on it but then the aswMBR window disappeared entirely, just as it did before. Task Manager does not show it as still running . . . does not look good!

#14 Dinx

Dinx
  • Topic Starter

  • Members
  • 42 posts
  • Gender:Female
  • Local time:03:34 AM

Posted 08 January 2012 - 02:25 PM

Oh sorry, just saw where you said try FixMBR. I'll try that.

#15 Dinx

Dinx
  • Topic Starter

  • Members
  • 42 posts
  • Gender:Female
  • Local time:03:34 AM

Posted 08 January 2012 - 02:48 PM

I had to download another copy and put it in another location to run it that second time, because the first copy did nothing when I tried to run it and I was not able to overwrite it. Now BOTH copies do nothing, and when I try to delete them I get access denied. I can't rename them, either. It says make sure the disk is not full or write-protected. I did not save the log on my previous two attempts but hit Fix instead; however, they looked pretty much like the one I originally sent.
