IObit Forum

WalMart holiday contest Trojan ?


Robert Crim


I ran into a rather vicious virus which behaves like virtumonde but is not recognized as such by any anti-virus program, including specific virtumonde removal tools. It comes in as a Trojan disguised as a WalMart holiday contest, and it quickly sets itself up as a browser hijacker so effective that it essentially cuts off access to the internet. It tries to disable Spybot Search and Destroy, as well as Malwarebytes, and AVG cannot get it all. IObit 360 also was not able to fix the hijacking problem completely, nor will standard registry cleaning. One of the characteristics is that it fills the computer with tracking cookies, which then regenerate with each rebooting. In the last few days, my virus vault has become stuffed to the gills. The computer has gone clunky, and I've seriously considered throwing it away.

 

Any ideas, anyone, on how to execute this thing? I've tried ripping out Internet Explorer and replacing it with a newer version. Even that did not work.


Hi there, and welcome to the forums :-)

 

I'm not familiar with this particular infection's presentation (WalMart contest), but it sounds like others we've been seeing. From what you've said, it could be something that infected your master boot record; it's the new trend. If that's the case, then none of the standard tools can nail it, including antivirus programs.

 

Please follow the instructions in Step #3 from this post:

http://forums.iobit.com/showthread.php?t=6216

 

...then post the content of the two logs from DDS, using one message for each log (two won't fit in one message because of size limitations on the forum).

 

See you back here soon.

 

====

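The helper's point above, that an infection living in the master boot record sits below what user-mode scanners can read, is exactly what the "user != kernel MBR" check in Gmer's detector is about: sector 0 is read two ways and the two copies are compared. The Python below is an added example for this thread, not code from the forum, from Gmer or from IObit, and it does not touch a real disk. It builds two constructed 512-byte MBR images (a stock-looking bootstrap, and an altered one whose first bytes encode the XOR DI,DI / MOV SS,DI / MOV SP,0x7a00 / MOV BX,0x7a0 / MOV DS,BX sequence that the detector prints for the kernel-side MBR in the log posted further down), splits each into bootstrap code, partition table and 0x55AA signature, and reports which region differs. The partition layout, function names and verdict strings are this example's own assumptions.

```python
import struct
from dataclasses import dataclass

# MBR layout: 446 bytes of bootstrap code, four 16-byte partition entries, 0x55AA signature.
MBR_SIZE = 512
BOOTSTRAP_SIZE = 446
PART_TABLE_OFF = 446
PART_ENTRY_SIZE = 16
SIG_OFF = 510
BOOT_SIG = b"\x55\xaa"
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> list[Partition]:
    """Decode the non-empty entries of the partition table at offset 446."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype == 0:
            continue  # empty slot
        parts.append(Partition(bootable=(status == 0x80), type_id=ptype, lba_start=lba, sectors=count))
    return parts


def compare_mbr_views(user_view: bytes, kernel_view: bytes) -> dict:
    """Compare two reads of sector 0 and say which region, if any, differs.

    This is the comparison an MBR-rootkit detector makes between the sector as
    returned through the (possibly hooked) disk driver stack and the sector read
    underneath it. A bootkit has to keep the partition table intact so the OS
    still boots, so "bootstrap differs, table identical" is the telling pattern.
    """
    if len(user_view) != MBR_SIZE or len(kernel_view) != MBR_SIZE:
        raise ValueError("MBR images must be exactly 512 bytes")
    result = {
        "signature_ok": user_view[SIG_OFF:] == BOOT_SIG and kernel_view[SIG_OFF:] == BOOT_SIG,
        "bootstrap_differs": user_view[:BOOTSTRAP_SIZE] != kernel_view[:BOOTSTRAP_SIZE],
        "partition_table_differs": user_view[PART_TABLE_OFF:SIG_OFF] != kernel_view[PART_TABLE_OFF:SIG_OFF],
        "first_diff_offset": next((i for i in range(MBR_SIZE) if user_view[i] != kernel_view[i]), None),
    }
    if not result["bootstrap_differs"] and not result["partition_table_differs"]:
        result["verdict"] = "clean: user and kernel views agree"
    elif result["bootstrap_differs"] and not result["partition_table_differs"]:
        result["verdict"] = "suspicious: bootstrap code differs, partition table intact (bootkit pattern)"
    else:
        result["verdict"] = "suspicious: partition table differs between the two views"
    return result


def build_mbr(bootstrap: bytes, partitions: list[Partition]) -> bytes:
    """Assemble a 512-byte MBR image; used here only to construct test data."""
    if len(bootstrap) > BOOTSTRAP_SIZE or len(partitions) > 4:
        raise ValueError("bootstrap too long or too many partitions")
    table = b"".join(
        struct.pack(PART_ENTRY_FMT, 0x80 if p.bootable else 0x00, b"\xfe\xff\xff",
                    p.type_id, b"\xfe\xff\xff", p.lba_start, p.sectors)
        for p in partitions
    ).ljust(4 * PART_ENTRY_SIZE, b"\x00")
    return bootstrap.ljust(BOOTSTRAP_SIZE, b"\x00") + table + BOOT_SIG


# Constructed sample data (hypothetical layout, not taken from the affected machine):
# a bootable NTFS partition followed by a FAT32 partition.
SAMPLE_PARTS = [
    Partition(bootable=True, type_id=0x07, lba_start=63, sectors=297_000_000),
    Partition(bootable=False, type_id=0x0B, lba_start=297_000_063, sectors=14_680_064),
]
# Stand-in bootstrap prologues. CLEAN is the classic "xor ax,ax / mov ss,ax / mov sp,7c00h" start;
# ALTERED encodes "xor di,di / mov ss,di / mov sp,7a00h / mov bx,7a0h / mov ds,bx", the sequence
# the Gmer detector printed for the kernel-side MBR in the log posted in this thread.
CLEAN_BOOTSTRAP = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8"
ALTERED_BOOTSTRAP = b"\x31\xff\x8e\xd7\xbc\x00\x7a\xbb\xa0\x07\x8e\xdb"

CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, SAMPLE_PARTS)
ALTERED_MBR = build_mbr(ALTERED_BOOTSTRAP, SAMPLE_PARTS)

if __name__ == "__main__":
    report = compare_mbr_views(CLEAN_MBR, ALTERED_MBR)
    print(report["verdict"], "- first differing byte at offset", report["first_diff_offset"])
    for part in parse_partitions(ALTERED_MBR):
        print(part)
```

The hard part on a live machine is not the comparison but getting an honest second copy of the sector: a filter hooked into the disk driver (the log below shows the atapi DriverStartIo routine redirected) can hand user-mode readers the original MBR while the real one boots the loader. That is what the detector's kernel-mode read is for. From a clean boot medium the same comparison can be made against a known-good copy of the MBR taken when the machine was set up.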

DDS (Ver_10-12-12.02) - NTFSx86

Run by Owner at 23:34:51.89 on Mon 12/13/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.272 [GMT -5:00]

 

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

 

============== Running Processes ===============

 

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\agrsmsvc.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\runservice.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\zHotkey.exe

C:\WINDOWS\ModPS2Key.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\WINDOWS\StartupMonitor.exe

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\Messenger\msmsgs.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\OpenOffice.org 3\program\swriter.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Documents and Settings\Owner\Desktop\dds.scr

C:\Documents and Settings\Owner\Desktop\dds.scr

 

============== Pseudo HJT Report ===============

 

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = <local>

mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=W3650

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

uURLSearchHooks: H - No File

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

uRun: [PopUpStopperFreeEdition] "c:\progra~1\panicw~1\pop-up~1\PSFree.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [CHotkey] zHotkey.exe

mRun: [showWnd] ShowWnd.exe

mRun: [ModPS2] ModPS2Key.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [Run StartupMonitor] StartupMonitor.exe

mRun: [iObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {1C855A0E-34AF-4660-A2FD-66A82A57D14B} - hxxp://auctions.liveglobalbid.com/container_repository/LAloader.cab

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 http://www.spywareinfo.com

 

============= SERVICES / DRIVERS ===============

 

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-23 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-23 29584]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-23 243024]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921952]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]

R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-12-12 312152]

R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-11-2 2560]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]

S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-7-1 69692]

 

=============== Created Last 30 ================

 

2010-12-13 20:22:09 -------- d-----w- c:\windows\system32\wbem\repository\FS

2010-12-13 20:22:09 -------- d-----w- c:\windows\system32\wbem\Repository

2010-12-12 16:53:56 -------- d-----w- c:\docume~1\owner\applic~1\IObit

2010-12-12 16:53:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\IObit

2010-12-12 16:53:36 -------- d-----w- c:\program files\IObit

2010-12-11 20:46:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2010-12-11 11:32:53 -------- dc-h--w- c:\windows\ie8

2010-12-11 10:42:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files

2010-12-11 02:11:54 -------- d-----w- C:\VundoFix Backups

2010-12-07 20:12:32 709456 ----a-w- c:\windows\is-A1TC9.exe

2010-12-07 19:50:00 0 ----a-w- c:\windows\Ecahogodobuvoge.bin

2010-12-07 19:49:57 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\{6857607B-7CA6-4498-9486-F073793084CD}

2010-11-20 08:13:31 -------- d-----w- c:\windows\system32\NtmsData

2010-11-19 17:36:48 -------- d-----w- c:\docume~1\owner\applic~1\ParetoLogic

2010-11-19 17:36:32 -------- d-----w- c:\program files\common files\ParetoLogic

2010-11-18 15:11:59 -------- d-----w- c:\docume~1\owner\applic~1\ElevatedDiagnostics

 

==================== Find3M ====================

 

2010-12-13 20:53:38 2633 --sha-w- c:\windows\system32\mmf.sys

2010-12-13 02:04:18 2633 --sha-w- c:\windows\system32\mmf(2).sys

2010-12-09 23:35:32 2633 --sha-w- c:\windows\system32\mmf(2)(3).sys

2010-11-08 15:59:41 103784 ----a-w- c:\documents and settings\owner\GoToAssistDownloadHelper.exe

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ------w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

 

=================== ROOTKIT ====================

 

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600

 

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

 

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D63555]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86d697b0]; MOV EAX, [0x86d6982c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86D4EAB8]

3 CLASSPNP[0xF76A7FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000094[0x86D51030]

5 ACPI[0xF749E620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86D8B940]

\Driver\atapi[0x86D5D3A0] -> IRP_MJ_CREATE -> 0x86D63555

kernel: MBR read successfully

_asm { XOR DI, DI; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV DS, BX; MOV ES, BX; MOV SI, 0x200; MOV CX, SI; CLD ; REP MOVSB ; JMP FAR 0x7a0:0xa3; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x86D6339B

user != kernel MBR !!!

Warning: possible TDL4 rootkit infection !

TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

 

============= FINISH: 23:36:53.07 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

 

DDS (Ver_10-12-12.02)

 

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 7/24/2008 12:44:11 PM

System Uptime: 12/13/2010 3:52:42 PM (8 hours ago)

 

Motherboard: ELITEGROUP | | 945GCT-M3

Processor: Intel Celeron processor | Socket 775 | 1999/200mhz

 

==== Disk Partitions =========================

 

C: is FIXED (NTFS) - 142 GiB total, 67.932 GiB free.

D: is FIXED (FAT32) - 7 GiB total, 4.219 GiB free.

E: is CDROM ()

 

==== Disabled Device Manager Items =============

 

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: Parallel Device

Device ID: ROOT\LEGACY_HPFECP06\0000

Manufacturer:

Name: Parallel Device

PNP Device ID: ROOT\LEGACY_HPFECP06\0000

Service: HPFECP06

 

==== System Restore Points ===================

 

RP615: 9/14/2010 10:58:40 PM - Software Distribution Service 3.0

RP616: 9/16/2010 4:17:22 AM - System Checkpoint

RP617: 9/21/2010 1:31:25 AM - System Checkpoint

RP618: 9/22/2010 3:27:54 AM - System Checkpoint

RP619: 9/23/2010 3:33:29 AM - System Checkpoint

RP620: 9/23/2010 8:13:27 AM - Avg Update

RP621: 9/23/2010 8:14:52 AM - Avg Update

RP622: 9/25/2010 5:32:05 PM - System Checkpoint

RP623: 9/26/2010 5:37:27 PM - System Checkpoint

RP624: 9/29/2010 3:00:35 AM - Software Distribution Service 3.0

RP625: 10/1/2010 7:23:04 PM - System Checkpoint

RP626: 10/3/2010 3:18:47 AM - System Checkpoint

RP627: 10/4/2010 6:32:00 AM - System Checkpoint

RP628: 10/5/2010 7:16:05 AM - System Checkpoint

RP629: 10/6/2010 7:16:27 AM - System Checkpoint

RP630: 10/6/2010 9:52:13 AM - Avg Update

RP631: 10/7/2010 11:59:53 AM - System Checkpoint

RP632: 10/7/2010 9:40:08 PM - Software Distribution Service 3.0

RP633: 10/8/2010 9:55:50 PM - System Checkpoint

RP634: 10/9/2010 11:34:33 PM - System Checkpoint

RP635: 10/11/2010 3:01:13 AM - System Checkpoint

RP636: 10/14/2010 3:11:03 PM - Software Distribution Service 3.0

RP637: 10/16/2010 7:44:02 PM - System Checkpoint

RP638: 10/17/2010 8:26:13 PM - System Checkpoint

RP639: 10/19/2010 5:19:13 AM - System Checkpoint

RP640: 10/19/2010 1:24:33 PM - Restore Operation

RP641: 10/21/2010 12:52:47 AM - System Checkpoint

RP642: 10/22/2010 4:28:58 AM - System Checkpoint

RP643: 10/23/2010 5:14:33 AM - System Checkpoint

RP644: 10/24/2010 6:14:41 AM - System Checkpoint

RP645: 10/25/2010 7:07:20 AM - System Checkpoint

RP646: 10/26/2010 8:07:29 AM - System Checkpoint

RP647: 10/26/2010 9:08:10 AM - Avg Update

RP648: 10/27/2010 8:24:10 PM - System Checkpoint

RP649: 10/28/2010 9:30:24 PM - System Checkpoint

RP650: 10/30/2010 3:11:01 AM - System Checkpoint

RP651: 10/31/2010 3:12:04 AM - System Checkpoint

RP652: 11/1/2010 11:04:22 PM - System Checkpoint

RP653: 11/3/2010 12:01:33 AM - System Checkpoint

RP654: 11/4/2010 12:31:59 AM - System Checkpoint

RP655: 11/5/2010 12:38:58 PM - System Checkpoint

RP656: 11/6/2010 2:43:35 PM - System Checkpoint

RP657: 11/7/2010 3:56:18 PM - System Checkpoint

RP658: 11/9/2010 9:02:37 AM - Avg Update

RP659: 11/9/2010 9:28:38 AM - Avg Update

RP660: 11/10/2010 1:00:31 PM - Software Distribution Service 3.0

RP661: 11/11/2010 6:10:10 PM - System Checkpoint

RP662: 11/13/2010 5:31:21 PM - System Checkpoint

RP663: 11/15/2010 2:01:48 AM - System Checkpoint

RP664: 11/16/2010 3:23:30 AM - System Checkpoint

RP665: 11/17/2010 7:26:34 PM - System Checkpoint

RP666: 11/18/2010 10:09:44 AM - Installed %1 %2.

RP667: 11/19/2010 12:27:52 PM - System Checkpoint

RP668: 11/20/2010 12:38:50 PM - System Checkpoint

RP669: 11/21/2010 1:12:58 PM - System Checkpoint

RP670: 11/22/2010 4:57:41 PM - System Checkpoint

RP671: 11/24/2010 11:16:42 AM - Avg Update

RP672: 11/24/2010 11:17:09 AM - Made by Eusing Free Registry Cleaner

RP673: 11/24/2010 11:17:49 AM - Avg Update

RP674: 11/24/2010 1:08:27 PM - Restore Operation

RP675: 11/24/2010 1:17:14 PM - Avg Update

RP676: 11/24/2010 1:20:10 PM - Avg Update

RP677: 11/25/2010 10:42:31 PM - System Checkpoint

RP678: 11/27/2010 1:07:57 PM - System Checkpoint

RP679: 11/27/2010 8:24:48 PM - Made by Eusing Free Registry Cleaner

RP680: 11/28/2010 9:13:18 PM - System Checkpoint

RP681: 12/2/2010 12:43:57 PM - System Checkpoint

RP682: 12/3/2010 11:02:52 PM - System Checkpoint

RP683: 12/5/2010 2:53:23 AM - System Checkpoint

RP684: 12/6/2010 12:53:31 PM - System Checkpoint

RP685: 12/7/2010 3:02:49 PM - Made by Eusing Free Registry Cleaner

RP686: 12/7/2010 3:03:33 PM - Restore Operation

RP687: 12/8/2010 12:20:01 AM - Restore Operation

RP688: 12/8/2010 12:24:21 AM - Made by Eusing Free Registry Cleaner

RP689: 12/8/2010 12:29:35 AM - Restore Operation

RP690: 12/8/2010 12:30:43 AM - Restore Operation

RP691: 12/9/2010 9:43:16 PM - Restore Operation

RP692: 12/10/2010 2:25:42 PM - Made by Eusing Free Registry Cleaner

RP693: 12/10/2010 4:16:20 PM - Made by Eusing Free Registry Cleaner

RP694: 12/10/2010 4:22:08 PM - Made by Eusing Free Registry Cleaner

RP695: 12/10/2010 11:19:31 PM - Made by Eusing Free Registry Cleaner

RP696: 12/11/2010 6:35:07 AM - Installed Windows Internet Explorer 8.

RP697: 12/11/2010 8:56:59 AM - Made by Eusing Free Registry Cleaner

RP698: 12/11/2010 9:02:25 AM - Made by Eusing Free Registry Cleaner

RP699: 12/11/2010 2:30:22 PM - Made by Eusing Free Registry Cleaner

RP700: 12/12/2010 8:38:39 AM - Made by Eusing Free Registry Cleaner

RP701: 12/12/2010 12:42:50 PM - Made by Eusing Free Registry Cleaner

RP702: 12/12/2010 9:09:11 PM - Made by Eusing Free Registry Cleaner

RP703: 12/13/2010 12:08:49 AM - Advanced SystemCare RestorePoint

RP704: 12/13/2010 3:20:06 PM - Restore Operation

RP705: 12/13/2010 3:57:11 PM - Made by Eusing Free Registry Cleaner

RP706: 12/13/2010 4:53:45 PM - Advanced SystemCare RestorePoint

 

==== Installed Programs ======================

 

µTorrent

A+ Spanish

Acrobat.com

Activation Assistant for the 2007 Microsoft Office suites

Adobe AIR

Adobe Download Manager

Adobe Flash Player 10 ActiveX

Adobe Media Player

Adobe Reader 9.4.0

Adobe Setup

Advanced SystemCare 3

Agere Systems PCI-SV92PP Soft Modem

AVG Free 9.0

AVS Update Manager 1.0

AVS Video Converter 6

AVS4YOU Software Navigator 1.3

Before You Know It Viewer

BigFix

Browser Address Error Redirector

Card Games

Compatibility Pack for the 2007 Office system

Critical Update for Windows Media Player 11 (KB959772)

doPDF 6.1 printer

DVD Suite

Dziobas Rar Player 0.008.9

eMachines Connect

eMachines Games

Eusing Free Registry Cleaner

Google Desktop

Google Toolbar for Internet Explorer

GoToAssist Corporate

Greenfoot 1.5.6

High Definition Audio Driver Package - KB888111

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

Intel® Graphics Media Accelerator Driver

IObit Security 360

Java Auto Updater

Java DB 10.5.3.0

Java 6 Update 19

Java 6 Update 4

Java 6 Update 7

Java SE Development Kit 6 Update 18

LiveUpdate (Symantec Corporation)

LiveUpdate Notice (Symantec Corporation)

Malwarebytes' Anti-Malware

Media Player Classic - Home Cinema v. 1.3.1249.0

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Encarta 98 Encyclopedia

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Excel MUI (English) 2007

Microsoft Office Home and Student 2007

Microsoft Office Home and Student 2007 Trial

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft Software Update for Web Folders (English) 12

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Works

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6.0 Parser (KB933579)

OpenOffice.org 3.0

ParetoLogic PC Health Advisor

PhotoScape

Pixel Bender Toolkit

Pop-Up Stopper Free Edition

Power2Go 5.0

PowerDVD

PS2 Multimedia Keyboard Driver

QuickTime for Windows (32-bit)

REALTEK GbE & FE Ethernet PCI NIC Driver

Realtek High Definition Audio Driver

Recovery Software Suite eMachines

Security Update for 2007 Microsoft Office System (KB2288621)

Security Update for 2007 Microsoft Office System (KB2289158)

Security Update for 2007 Microsoft Office System (KB2344875)

Security Update for 2007 Microsoft Office System (KB2345043)

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB976321)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft Office Excel 2007 (KB2345035)

Security Update for Microsoft Office InfoPath 2007 (KB979441)

Security Update for Microsoft Office PowerPoint 2007 (KB982158)

Security Update for Microsoft Office PowerPoint Viewer (KB2413381)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Microsoft Office Word 2007 (KB2344993)

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB913433)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Spelling Dictionaries Support For Adobe Reader 8

Spybot - Search & Destroy

SpywareBlaster 4.4

StartupMonitor

Sun ODF Plugin for Microsoft Office 3.1

Symantec Technical Support Web Controls

The History Channel Civil War

Title Bout Championship Boxing 2.5

Tournament Chess

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office OneNote 2007 (KB980729)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

WebFldrs XP

Webshots Desktop

Windows Backup Utility

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 11

Windows PowerShell 1.0

Windows XP Service Pack 3

WinZip 14.0

WinZip Self-Extractor

Yahoo! BrowserPlus 2.7.1

 

==== Event Viewer Messages From Past Week ========

 

12/7/2010 9:51:55 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 ACPIEC adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x Pcmcia perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde

12/7/2010 9:49:51 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

12/7/2010 3:25:31 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.

12/7/2010 3:25:31 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

12/13/2010 1:47:45 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\spoolsv.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.6024.

 

==== End Of File ===========================


Please wait for So_sad

 

The "attach" file appears simply to list what programs are on the computer. Note that the DDS file warns at the very end of a rootkit infection and suggests a way to fix it. Is this a program I download or a program I can run from the controls, e.g., "start" and "run"?

 

Hi :smile:

 

The cleanup procedure must be followed step by step!

Please wait and only follow the instructions of So_sad

Please do not download and run any software until instructed to by So_sad.

 

All the best, woz of oz


Hello Robert, Woz,

 

Yeah that's what I thought, the MBR is infected (master boot record).

 

Here's the next step :

 

 

Download TDSSKiller.zip from the following link and save it to your Desktop:

http://support.kaspersky.com/downloads/utils/tdsskiller.zip

 

* Extract (unzip) its contents to your Desktop

* Double-click the TDSSKiller Folder on your Desktop

* Important!: Run this fix once and once only

* Double-click TDSSKiller.exe then click Start scan

* A box will appear saying System scan completed

* If any Malicious objects are found, click the default action Cure > Continue > Reboot now

* If any suspicious objects are detected the default action will be Skip, ensure Skip is selected then click Continue

* A log file should be created on your C: drive named something like TDSSKiller.2.4.0.0 30.09.2010

* Please post the contents of that log in your next reply.

 

==================

 

See you again soon ;)


Rootkit Killer Report

 

2010/12/18 19:09:07.0625 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46

2010/12/18 19:09:07.0625 ================================================================================

2010/12/18 19:09:07.0625 SystemInfo:

2010/12/18 19:09:07.0625

2010/12/18 19:09:07.0625 OS Version: 5.1.2600 ServicePack: 3.0

2010/12/18 19:09:07.0625 Product type: Workstation

2010/12/18 19:09:07.0625 ComputerName: ROBERTBRIANCRIM

2010/12/18 19:09:07.0625 UserName: Owner

2010/12/18 19:09:07.0625 Windows directory: C:\WINDOWS

2010/12/18 19:09:07.0625 System windows directory: C:\WINDOWS

2010/12/18 19:09:07.0625 Processor architecture: Intel x86

2010/12/18 19:09:07.0625 Number of processors: 1

2010/12/18 19:09:07.0625 Page size: 0x1000

2010/12/18 19:09:07.0625 Boot type: Normal boot

2010/12/18 19:09:07.0625 ================================================================================

2010/12/18 19:09:08.0156 Initialize success

2010/12/18 19:09:39.0734 ================================================================================

2010/12/18 19:09:39.0734 Scan started

2010/12/18 19:09:39.0734 Mode: Manual;

2010/12/18 19:09:39.0734 ================================================================================

2010/12/18 19:09:53.0437 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/12/18 19:09:53.0437 ================================================================================

2010/12/18 19:09:53.0437 Scan finished

2010/12/18 19:09:53.0437 ================================================================================

2010/12/18 19:09:53.0468 Detected object count: 1

2010/12/18 19:12:09.0906 \HardDisk0 - will be cured after reboot

2010/12/18 19:12:09.0906 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2010/12/18 19:12:11.0890 Deinitialize success

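The TDSSKiller log above has a regular shape: a timestamped driver inventory with MD5s, then detection, count and action lines. As an added example (not Kaspersky's code and not from this thread), the Python below parses those fields and flags whether the hit is on a raw disk object such as \HardDisk0, which is what an MBR-level infection looks like in this log, and whether the cure is still waiting on a reboot. The sample log is constructed from lines posted above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Every TDSSKiller line is "YYYY/MM/DD HH:MM:SS.mmmm <message>".
LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s*(.*)$")
# Driver inventory entry: "<service> (<md5>) <path>"
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
# Detection: "<object> - detected <verdict> (<flag>)"
DETECT_RE = re.compile(r"^(\S+) - detected (\S+) \((\d+)\)$")
# Deferred cure: "<object> - will be cured after reboot"
PENDING_RE = re.compile(r"^(\S+) - will be cured after reboot$")
# Chosen action: "<verdict>(<object>) - User select action: <action>"
ACTION_RE = re.compile(r"^([^(\s]+)\(([^)]+)\) - User select action: (\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")


@dataclass
class TdssReport:
    tool_version: Optional[str] = None
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)     # service -> (md5, path)
    detections: List[Tuple[str, str, int]] = field(default_factory=list)  # (object, verdict, flag)
    actions: Dict[str, str] = field(default_factory=dict)                 # object -> action
    pending_reboot: List[str] = field(default_factory=list)
    reported_count: Optional[int] = None


def parse_tdsskiller_log(text: str) -> TdssReport:
    """Walk the log line by line and collect inventory, detections and actions."""
    report = TdssReport()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1).strip()
        if msg.startswith("TDSS rootkit removing tool"):
            report.tool_version = msg.split()[4]
        elif (d := DETECT_RE.match(msg)):
            report.detections.append((d.group(1), d.group(2), int(d.group(3))))
        elif (a := ACTION_RE.match(msg)):
            report.actions[a.group(2)] = a.group(3)
        elif (p := PENDING_RE.match(msg)):
            report.pending_reboot.append(p.group(1))
        elif (c := COUNT_RE.match(msg)):
            report.reported_count = int(c.group(1))
        elif (dr := DRIVER_RE.match(msg)):
            report.drivers[dr.group(1)] = (dr.group(2), dr.group(3))
    return report


def summarize(report: TdssReport) -> dict:
    """Triage view: is the hit a raw disk object (MBR level) or a driver file,
    does the tool's own count agree with the lines parsed, was anything left
    uncured (action missing or Skip), and is a reboot still outstanding."""
    disk_level = [o for o, _, _ in report.detections if o.lower().startswith("\\harddisk")]
    uncured = [o for o, _, _ in report.detections if report.actions.get(o) != "Cure"]
    return {
        "version": report.tool_version,
        "drivers_enumerated": len(report.drivers),
        "detections": len(report.detections),
        "count_matches_log": report.reported_count == len(report.detections),
        "disk_level": bool(disk_level),
        "reboot_pending": bool(report.pending_reboot),
        "uncured": uncured,
    }


# Constructed sample: a trimmed copy of the log format posted in this thread.
SAMPLE_LOG = """\
2010/12/18 19:09:07.0625 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/18 19:09:07.0625 ================================================================================
2010/12/18 19:09:07.0625 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/18 19:09:39.0734 Scan started
2010/12/18 19:09:42.0406 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys
2010/12/18 19:09:51.0953 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\\WINDOWS\\system32\\DRIVERS\\tcpip.sys
2010/12/18 19:09:53.0437 \\HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/18 19:09:53.0437 Scan finished
2010/12/18 19:09:53.0468 Detected object count: 1
2010/12/18 19:12:09.0906 \\HardDisk0 - will be cured after reboot
2010/12/18 19:12:09.0906 Rootkit.Win32.TDSS.tdl4(\\HardDisk0) - User select action: Cure
2010/12/18 19:12:11.0890 Deinitialize success
"""

if __name__ == "__main__":
    for key, value in summarize(parse_tdsskiller_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```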

Rootkit Killer Follow-up.

 

Did exactly what you said. Scan produced 1 malicious object detected: Rootkit.Win32.TDSS.tdl4. I'll have to run some tests, but I think we got it.

 

Your admonition that the destroyer be run only once suggests that it, itself, is dangerous. Should it be deleted, stored safe, disabled in any way, rezipped?

 

RBC


Hi Robert,

 

Good to hear about TDSSKiller nailing the sucker :wink:

That tool is from Kaspersky, so it can be trusted even though it is very powerful and has bricked some infected machines. We just need to keep things in perspective, because such infections are really brutal and affect systems at a very low level; removing them is no easy chore, so the artillery needs to be brutal as well. The warning to only use it once comes from their team, as a precaution. It can be run more than once, but under certain conditions only.

You can safely delete its components right now (right-click > Delete), along with the log it produced.

 

We have another user here with the same presentation (WalMart contest...), so it's spreading for sure. TDL4 is sophisticated and seems to please its buyers, so it shows up with different clothing, so to speak. Organized crime is behind these, so I wouldn't get my hopes up as far as prosecuting anybody...

 

===

 

If you're not getting redirected, your antivirus isn't barking and MBAM quick scan comes back clean, then you should be good to go :smile:

 

===

===


Archived

This topic is now archived and is closed to further replies.
