TechSpot

Rootkit issue? Multiple unwanted pop-ups. 8-step logs included

By rrw1217
Feb 15, 2011
  1. Hi there,

    Sorry to bother you, had a problem last year and you all were incredibly helpful. Very recently, started getting multiple pop-ups from some sites, particularly when initiating a Google search. WOT registered most of these sites as dangerous. Ran a scan using my anti-virus program (AVG) last week, came up with 56 warnings and 7 infected files (all Trojans - can provide specifics, if that would be helpful). Previous automated scans hadn't caught anything. Pop-up infestation continues, even though subsequent scans haven't caught any infected files. Very concerned, so ran through preliminary instructions. Logs are below (I noticed the DDS log mentioned something about "possible rootkit infection," hence the title). Please let me know if there's further info I can provide, and thanks for any assistance/advice you can offer:


    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 4005

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    2/14/2011 3:19:17 PM
    mbam-log-2011-02-14 (15-19-17).txt

    Scan type: Quick scan
    Objects scanned: 112445
    Time elapsed: 7 minute(s), 54 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-02-14 15:35:57
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD800BB-75JHA0 rev.05.01C05
    Running: 049qrymt.exe; Driver: C:\DOCUME~1\Liz\LOCALS~1\Temp\ufddipod.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 822FF5F5
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 822FF5F5
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 822FF5F5
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 822FF5F5

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800BB-75JHA0______________________05.01C05#5&2713bb34&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Liz at 15:45:26.21 on Mon 02/14/2011
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.95 [GMT -5:00]

    AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: McAfee VirusScan *Enabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall Plus *Enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    svchost.exe
    C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
    C:\Program Files\Panasonic\PHOTOfunSTUDIO 4.0\AutoStartupService.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\AVG\AVG9\avgui.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Liz\My Documents\Downloads\dds(2).scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ho_home
    uInternet Connection Wizard,ShellNext = https://activate.verizon.net/launch/res1/html/vol_with_msn_help.html
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
    TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
    mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [Motive SmartBridge] c:\progra~1\verizo~1\smartb~1\MotiveSB.exe
    mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
    mRun: [P17Helper] Rundll32 P17.dll,P17Helper
    mRun: [UpdReg] c:\windows\UpdReg.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - c:\program files\panasonic\photofunstudio 4.0\AutoStartupService.exe
    IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269205387408
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170535137421
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    mASetup: {4BFBEBE3-34EC-4BEF-9BA9-8FEABF8C1B75} - rundll32.exe "c:\documents and settings\liz\application data\sun\iimsu.dll", UnregisterDll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\liz\applic~1\mozilla\firefox\profiles\3hljs8kd.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4bafb9c7&v=6.010.006.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
    FF - component: c:\documents and settings\liz\application data\mozilla\firefox\profiles\3hljs8kd.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - plugin: c:\documents and settings\liz\application data\mozilla\firefox\profiles\3hljs8kd.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    FF - plugin: c:\documents and settings\liz\application data\mozilla\firefox\profiles\3hljs8kd.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg9\Firefox
    FF - Ext: AVG Security Toolbar em:version=6.010.006.004 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg9\toolbar\firefox\avg@igeared

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-28 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-28 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-28 243024]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
    S1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\mpfirewall.sys --> c:\windows\system32\drivers\MpFirewall.sys [?]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]
    S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys --> c:\windows\system32\drivers\naiavf5x.sys [?]

    =============== Created Last 30 ================

    2011-02-06 18:16:52 90112 ------w- c:\windows\Updreg.EXE
    2011-02-06 18:16:49 84992 ------w- c:\windows\system32\SFCVRT32.DLL
    2011-02-06 18:16:49 53552 ------w- c:\windows\CTCCW.DLL
    2011-02-06 18:16:49 40960 ------w- c:\windows\system32\AC3API.DLL
    2011-02-06 18:16:49 24976 ------w- c:\windows\CTRES.DLL
    2011-02-06 18:16:47 82432 ------w- c:\windows\system32\CTWFLT32.DLL
    2011-02-06 18:16:47 26768 ------w- c:\windows\system32\CTL3D.DLL
    2011-02-06 18:16:45 -------- d-----w- c:\windows\system32\Defaults
    2011-02-06 18:14:19 176128 ----a-w- c:\windows\system32\USBAudio.cpl
    2011-02-06 18:14:19 135168 ----a-w- c:\windows\system32\USBAudio.crl
    2011-02-06 18:12:34 15840 ----a-w- c:\windows\system32\drivers\Pfmodnt.sys
    2011-02-06 17:22:20 -------- d-----w- c:\docume~1\liz\applic~1\AVG9
    2011-02-03 03:55:59 -------- d-----w- c:\docume~1\liz\applic~1\whitesmoketoolbar
    2011-02-02 02:14:53 -------- d-----w- c:\program files\whitesmoketoolbar

    ==================== Find3M ====================


    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD800BB-75JHA0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x822FF7AF]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x823059b0]; MOV EAX, [0x82305a2c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8234DAB8]
    3 CLASSPNP[0xF85F905B] -> nt!IofCallDriver[0x804E37D5] -> [0x82352BD0]
    \Driver\atapi[0x82367030] -> IRP_MJ_CREATE -> 0x822FF7AF
    kernel: MBR read successfully
    _asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62f; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800BB-75JHA0______________________05.01C05#5&2713bb34&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x822FF5F5
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 15:46:29.70 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 3/20/2010 3:38:20 PM
    System Uptime: 2/14/2011 3:08:19 PM (0 hours ago)

    Motherboard: Dell Computer Corp. | | 0F8403
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/533mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 71 GiB total, 2.844 GiB free.
    D: is CDROM ()
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_MCDETECT.EXE\0000
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_MCDETECT.EXE\0000
    Service:

    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_MCSHIELD\0000
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_MCSHIELD\0000
    Service:

    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_MCTSKSHD.EXE\0000
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_MCTSKSHD.EXE\0000
    Service:

    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_MCUPDMGR.EXE\0000
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_MCUPDMGR.EXE\0000
    Service:

    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_MPFSERVICE\0000
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_MPFSERVICE\0000
    Service:

    ==== System Restore Points ===================

    RP215: 1/1/2011 11:39:36 PM - System Checkpoint
    RP216: 1/3/2011 1:01:05 AM - System Checkpoint
    RP217: 1/4/2011 1:39:42 AM - System Checkpoint
    RP218: 1/5/2011 2:18:08 AM - System Checkpoint
    RP219: 1/6/2011 2:39:42 AM - System Checkpoint
    RP220: 1/7/2011 3:39:38 AM - System Checkpoint
    RP221: 1/8/2011 3:55:12 PM - System Checkpoint
    RP222: 1/9/2011 4:09:41 PM - System Checkpoint
    RP223: 1/10/2011 4:43:07 PM - System Checkpoint
    RP224: 1/11/2011 10:24:11 PM - System Checkpoint
    RP225: 1/13/2011 3:00:26 AM - Software Distribution Service 3.0
    RP226: 1/17/2011 8:16:36 PM - System Checkpoint
    RP227: 1/18/2011 8:42:10 PM - System Checkpoint
    RP228: 1/20/2011 12:05:14 AM - System Checkpoint
    RP229: 1/21/2011 12:16:40 AM - System Checkpoint
    RP230: 1/22/2011 1:15:58 AM - System Checkpoint
    RP231: 1/23/2011 2:16:00 AM - System Checkpoint
    RP232: 1/24/2011 3:16:06 AM - System Checkpoint
    RP233: 1/25/2011 3:56:27 AM - System Checkpoint
    RP234: 1/26/2011 8:54:51 PM - System Checkpoint
    RP235: 1/31/2011 10:40:14 PM - System Checkpoint
    RP236: 2/1/2011 11:05:39 PM - System Checkpoint
    RP237: 2/5/2011 11:54:24 AM - Installed HiJackThis
    RP238: 2/5/2011 3:19:24 PM - Removed EarthLink setup files
    RP239: 2/5/2011 3:21:02 PM - Removed Musicmatch for Windows Media Player
    RP240: 2/5/2011 3:21:43 PM - Removed NetZeroInstallers
    RP241: 2/5/2011 3:22:34 PM - Removed Sound Blaster Audigy
    RP242: 2/5/2011 3:22:57 PM - Configured Your Application Name
    RP243: 2/5/2011 3:23:12 PM - Configured Your Application Name
    RP244: 2/5/2011 3:23:28 PM - Configured Your Application Name
    RP245: 2/5/2011 3:23:41 PM - Configured Your Application Name
    RP246: 2/5/2011 3:26:16 PM - Removed Sonic Update Manager
    RP247: 2/6/2011 1:13:34 PM - Installed Sound Blaster Audigy
    RP248: 2/6/2011 1:13:55 PM - Installed Your Application Name
    RP249: 2/6/2011 1:54:47 PM - Configured E-Center
    RP250: 2/6/2011 1:52:34 PM - Installed Your Application Name
    RP251: 2/6/2011 1:53:29 PM - Configured Your Application Name
    RP252: 2/6/2011 1:53:57 PM - Installed Your Application Name
    RP253: 2/6/2011 1:54:26 PM - Installed Your Application Name
    RP254: 2/7/2011 9:04:05 PM - System Checkpoint
    RP255: 2/8/2011 9:09:07 PM - System Checkpoint
    RP256: 2/9/2011 10:25:05 PM - System Checkpoint
    RP257: 2/10/2011 11:14:11 PM - System Checkpoint
    RP258: 2/11/2011 11:42:33 PM - System Checkpoint
    RP259: 2/13/2011 12:14:11 AM - System Checkpoint
    RP260: 2/14/2011 12:15:35 AM - System Checkpoint

    ==== Installed Programs ======================

    ABBYY FineReader 5.0 Sprint Plus
    Ad-Aware SE Personal
    Adobe Acrobat - Reader 6.0.2 Update
    Adobe Flash Player 10 Plugin
    Adobe Illustrator 10
    Adobe Photoshop 7.0
    Adobe Reader 6.0.1
    Adobe SVG Viewer 3.0
    America Online (Choose which version to remove)
    AOL Coach Version 1.0(Build:20040229.1 en)
    AOL Connectivity Services
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Audible Download Manager
    AVG Free 9.0
    Banctec Service Agreement
    Bonjour
    Conexant D850 56K V.9x DFVc Modem
    Creative MediaSource
    Dell Driver Reset Tool
    Dell Media Experience
    Dell Photo AIO Printer 922
    Dell Picture Studio v3.0
    Dell System Restore
    DellSupport
    Digital Line Detect
    Engine Installer
    G5a922EN
    Get High Speed Internet!
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet for Wired Connections
    Internet Explorer Default Page
    iPod for Windows 2005-06-26
    iTunes
    Jasc Paint Shop Photo Album 5
    Jasc Paint Shop Pro Studio, Dell Editon
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 16
    Learn2 Player (Uninstall Only)
    Macromedia Flash Player
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office 2000 Small Business
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft SQL Server Compact 3.5 SP1 English
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Modem Helper
    Mozilla Firefox (3.6.13)
    MSN
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    Musicmatch® Jukebox
    My Way Search Assistant
    NetWaiting
    PHOTOfunSTUDIO 4.0
    PowerDVD 5.3
    QuickTime
    RealPlayer Basic
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953155)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981350)
    Security Update for Windows XP (KB982381)
    Sonic DLA
    Sonic RecordNow!
    Sony USB Driver
    Sound Blaster Live! 24-bit
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB980182)
    Verizon Online
    Verizon Online Support Center
    Viewpoint Media Player
    WebFldrs XP
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10
    WordPerfect Office 12

    ==== Event Viewer Messages From Past Week ========

    2/7/2011 8:10:50 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: MPFIREWL
    2/14/2011 2:58:52 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    2/14/2011 2:58:52 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    2/14/2011 2:58:52 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    2/14/2011 2:58:49 PM, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).
    2/14/2011 2:58:49 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    2/14/2011 2:58:49 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot!

    First order of business: You have 2 antivirus program running:
    AV: AVG Anti-Virus Free *Disabled/Updated*
    AV: McAfee VirusScan *Enabled/Outdated*

    This makes a system more vulnerable, not less and it can also slow it down. Please remove one of them:
    Going by some Services that are not being used, it appears that you may have had McAfee Security at one time, but now use AVG instead. If that is the case, you can't just abandon a security program; you must uninstall it to stop entries from loading. Tools to help:

    AVG Remover eliminates all the parts of your AVG installation from your computer, including registry items, installation files, user files, etc.
    Note:
    • AVG user settings will be removed.
    • Virus Vault contents will be removed.
    • All other items related to AVG installation and use will be removed.
    • You will be asked during the removal procedure to restart your computer. Please do so.
    • Make sure there is no open work in process prior to launching AVG Remover.
    Use the appropriate download for your system for the AVG Remover: AVG Remover:32bit
    AVG Remover:64 bit
    McAfee Removal
    Reboot the computer when through.
    =============================================
    There is evidence of a rootkit so we'll address that:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result. Please include the log in your next reply.
    • A reboot is required after disinfection.
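To show what the helper above is reading out of those logs, here is an added example (not from the thread, and not part of DDS, GMER or TDSSKiller): a small Python triage script run over an excerpt of the posted DDS/GMER lines that flags the double antivirus registration and the rootkit indicators (hooked DriverStartIo, unknown module in the disk I/O chain, the explicit rootkit warning). The log excerpt is copied from the thread; the script, its regexes and its findings format are my own.

```python
"""Triage helper for DDS / GMER style diagnostic logs (added example)."""
import re
from dataclasses import dataclass, field

# Excerpt copied from the DDS header and GMER/MBR-check sections posted above.
SAMPLE_LOG = r"""
AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *Enabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *Enabled*
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 822FF5F5
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x822FF7AF]<<
detected hooks:
\Driver\atapi DriverStartIo -> 0x822FF5F5
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Line shapes as they appear in the posted logs.
AV_RE = re.compile(r"^(?P<kind>AV|FW): (?P<name>.+?) \*(?P<state>Enabled|Disabled)"
                   r"(?:/(?P<sig>Updated|Outdated))?\*")
SECTOR_RE = re.compile(r"^Disk (?P<dev>\S+) sector (?P<sector>\d+): rootkit-like behavior")
HOOK_RE = re.compile(r"(?P<drv>\\Driver\\\w+).*DriverStartIo.*?"
                     r"(?P<addr>(?:0x)?[0-9A-Fa-f]{8})\s*$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")
WARNING_RE = re.compile(r"^Warning: possible (?P<what>.+?) rootkit infection")
MBR_OK_RE = re.compile(r"MBR OK$")


@dataclass
class Triage:
    av_products: list = field(default_factory=list)   # (name, state, signatures)
    hook_addresses: set = field(default_factory=set)  # normalised "0x..." addresses
    mbr_ok: bool = False
    findings: list = field(default_factory=list)      # human-readable, AV first


def normalise_addr(addr: str) -> str:
    """'822ff5f5' and '0x822FF5F5' both become '0x822FF5F5'."""
    addr = addr.upper()
    return "0x" + (addr[2:] if addr.startswith("0X") else addr)


def triage_log(text: str) -> Triage:
    t = Triage()
    rootkit = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := AV_RE.match(line):
            if m["kind"] == "AV":
                t.av_products.append((m["name"], m["state"], m["sig"]))
        elif m := SECTOR_RE.match(line):
            rootkit.append(f"sector {m['sector']} of {m['dev']} flagged rootkit-like")
        elif m := HOOK_RE.search(line):
            addr = normalise_addr(m["addr"])
            if addr not in t.hook_addresses:   # same hook is listed twice in the logs
                t.hook_addresses.add(addr)
                rootkit.append(f"{m['drv']} DriverStartIo hooked -> {addr}")
        elif m := UNKNOWN_RE.search(line):
            rootkit.append(f"unknown module in disk I/O chain at {normalise_addr(m['addr'])}")
        elif m := WARNING_RE.match(line):
            rootkit.append(f"tool warning: possible {m['what']} rootkit")
        elif MBR_OK_RE.search(line):
            t.mbr_ok = True
    # Two AV engines registered is the first thing the helper in the thread acted on.
    if len(t.av_products) > 1:
        names = ", ".join(p[0] for p in t.av_products)
        t.findings.append(f"{len(t.av_products)} AV products registered ({names}); "
                          "keep one and fully uninstall the rest")
    for name, state, sig in t.av_products:
        if state == "Enabled" and sig == "Outdated":
            t.findings.append(f"{name} is enabled but its signatures are outdated")
    t.findings.extend(rootkit)
    return t


def rootkit_suspected(t: Triage) -> bool:
    """True when a hooked disk driver or an explicit rootkit warning was seen."""
    return bool(t.hook_addresses) or any(f.startswith("tool warning") for f in t.findings)


if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    for f in result.findings:
        print("-", f)
    print("MBR read OK:", result.mbr_ok, "| rootkit suspected:", rootkit_suspected(result))
```

Note that the MBR itself reads clean in this excerpt while the atapi DriverStartIo entry is hooked, which is why the GMER warning is the line to act on rather than the MBR check.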
     
  3. rrw1217

    rrw1217 TS Rookie Topic Starter Posts: 28

    Thank you - I will try the rootkit removal program once I get home. Re: the anti-virus, I am at a complete loss... I've run the MCPR.exe program, deleted every folder and every registry file I can find for McAfee. It doesn't show up in my Control Panel as a program that I can remove. I've contacted them directly - the account is long cancelled (since about a year ago, which is when I installed AVG) and they hence aren't willing/able to assist as I'm no longer a customer. I'm at a loss as to why it still comes up as an active program.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Don't worry about McAfee. After you have run Combofix (later) if it just remains in the Header, I can remove it.
     
  5. rrw1217

    rrw1217 TS Rookie Topic Starter Posts: 28

    Ran the TDSS, report below:

    2011/02/16 15:40:43.0476 2612 TDSS rootkit removing tool 2.4.17.0 Feb 10 2011 11:07:20
    2011/02/16 15:40:43.0804 2612 ================================================================================
    2011/02/16 15:40:43.0804 2612 SystemInfo:
    2011/02/16 15:40:43.0804 2612
    2011/02/16 15:40:43.0804 2612 OS Version: 5.1.2600 ServicePack: 2.0
    2011/02/16 15:40:43.0804 2612 Product type: Workstation
    2011/02/16 15:40:43.0804 2612 ComputerName: TIGGER2
    2011/02/16 15:40:43.0804 2612 UserName: Liz
    2011/02/16 15:40:43.0804 2612 Windows directory: C:\WINDOWS
    2011/02/16 15:40:43.0804 2612 System windows directory: C:\WINDOWS
    2011/02/16 15:40:43.0804 2612 Processor architecture: Intel x86
    2011/02/16 15:40:43.0804 2612 Number of processors: 1
    2011/02/16 15:40:43.0804 2612 Page size: 0x1000
    2011/02/16 15:40:43.0804 2612 Boot type: Normal boot
    2011/02/16 15:40:43.0804 2612 ================================================================================
    2011/02/16 15:40:45.0742 2612 Initialize success
    2011/02/16 15:40:59.0148 2728 ================================================================================
    2011/02/16 15:40:59.0148 2728 Scan started
    2011/02/16 15:40:59.0148 2728 Mode: Manual;
    2011/02/16 15:40:59.0148 2728 ================================================================================
    2011/02/16 15:43:17.0851 2728 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/02/16 15:43:17.0851 2728 ================================================================================
    2011/02/16 15:43:17.0851 2728 Scan finished
    2011/02/16 15:43:17.0851 2728 ================================================================================
    2011/02/16 15:43:17.0867 2212 Detected object count: 1
    2011/02/16 15:43:45.0288 2212 \HardDisk0 - copied to quarantine
    2011/02/16 15:43:45.0382 2212 \HardDisk0\TDLFS\cfg.ini - copied to quarantine
    2011/02/16 15:43:45.0460 2212 \HardDisk0\TDLFS\mbr - copied to quarantine
    2011/02/16 15:43:45.0476 2212 \HardDisk0\TDLFS\bckfg.tmp - copied to quarantine
    2011/02/16 15:43:45.0507 2212 \HardDisk0\TDLFS\cmd.dll - copied to quarantine
    2011/02/16 15:43:45.0507 2212 \HardDisk0\TDLFS\ldr16 - copied to quarantine
    2011/02/16 15:43:45.0538 2212 \HardDisk0\TDLFS\ldr32 - copied to quarantine
    2011/02/16 15:43:45.0554 2212 \HardDisk0\TDLFS\ldr64 - copied to quarantine
    2011/02/16 15:43:45.0554 2212 \HardDisk0\TDLFS\drv64 - copied to quarantine
    2011/02/16 15:43:45.0570 2212 \HardDisk0\TDLFS\cmd64.dll - copied to quarantine
    2011/02/16 15:43:45.0570 2212 \HardDisk0\TDLFS\drv32 - copied to quarantine
    2011/02/16 15:43:45.0632 2212 \HardDisk0\TDLFS\dkmks.tmp - copied to quarantine
    2011/02/16 15:43:45.0632 2212 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Quarantine
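    A small triage script for a TDSSKiller log of the shape posted above (an added example, not part of the thread or of Kaspersky's tool). It separates the long driver inventory from the detection and quarantine events and checks that every detected object actually received a Quarantine, Cure or Delete action; the embedded log is a constructed sample with placeholder hashes.

```python
"""Triage a TDSSKiller log: keep detections/quarantine events, drop inventory noise."""
import re
from dataclasses import dataclass, field

# Constructed sample in the same line format as the log posted in the thread.
# The driver hashes are placeholders, not real file hashes.
SAMPLE_LOG = r"""
2011/02/16 15:40:59.0148 2728 Scan started
2011/02/16 15:41:02.0023 2728 ACPI (aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/16 15:41:07.0398 2728 atapi (bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/16 15:43:17.0851 2728 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/02/16 15:43:17.0851 2728 Scan finished
2011/02/16 15:43:17.0867 2212 Detected object count: 1
2011/02/16 15:43:45.0288 2212 \HardDisk0 - copied to quarantine
2011/02/16 15:43:45.0460 2212 \HardDisk0\TDLFS\mbr - copied to quarantine
2011/02/16 15:43:45.0632 2212 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Quarantine
"""

# Every line: "<date> <time> <thread id> <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<tid>\d+) (?P<msg>.*)$")
# Inventory line: "<service> (<md5>) <path>" -- hundreds of these, all noise for triage
DRIVER_RE = re.compile(r"^(?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# Detection: "<object> - detected <name> (<n>)"
DETECT_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<name>\S+) \(\d+\)$")
# Quarantine copy: "<object> - copied to quarantine"
COPY_RE = re.compile(r"^(?P<obj>.+?) - copied to quarantine$")
# User action: "<name>(<object>) - User select action: <action>"
ACTION_RE = re.compile(r"^(?P<name>\S+?)\((?P<obj>.+)\) - User select action: (?P<action>\w+)$")

# Actions that actually neutralise an object; "Skip" leaves it in place.
RESOLVING_ACTIONS = {"Quarantine", "Cure", "Delete"}


@dataclass
class Report:
    drivers: int = 0                                   # inventory lines seen
    detections: dict = field(default_factory=dict)     # object -> detection name
    copied: list = field(default_factory=list)         # objects copied to quarantine
    actions: dict = field(default_factory=dict)        # object -> chosen action


def parse_tdsskiller_log(text: str) -> Report:
    """Walk the log once and collect only the lines a helper acts on."""
    report = Report()
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        msg = line.group("msg")
        if DRIVER_RE.match(msg):
            report.drivers += 1
        elif m := DETECT_RE.match(msg):
            report.detections[m.group("obj")] = m.group("name")
        elif m := COPY_RE.match(msg):
            report.copied.append(m.group("obj"))
        elif m := ACTION_RE.match(msg):
            report.actions[m.group("obj")] = m.group("action")
    return report


def unresolved(report: Report) -> list:
    """Detected objects that were skipped or never acted on at all."""
    return [obj for obj in report.detections
            if report.actions.get(obj) not in RESOLVING_ACTIONS]


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{rep.drivers} inventory lines skipped")
    for obj, name in rep.detections.items():
        print(f"{name} at {obj}: action={rep.actions.get(obj, 'none')}")
    print("unresolved:", unresolved(rep))
```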
     
  6. rrw1217

    rrw1217 TS Rookie Topic Starter Posts: 28

    Hi there,

    Sorry to be a pest - was just wondering if I ran the TDSS accurately, and if so, if that step were sufficient, or if more action is needed on the computer. Sounded like there'd be at least one more program to run, didn't want to proceed and screw anything up. Thanks again for all your help!
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're not a pest- I'm running behind. You did fine with TDSSKiller.

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard" (you won't see the clipboard)
    10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard, you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    =========================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image (image not included)
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: (image not included)
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  8. rrw1217

    rrw1217 TS Rookie Topic Starter Posts: 28

    Thank you so much, again - below is the ESET log. It took a bit longer than I planned to run it, so I have to leave for work tonight. Will post the combofix log tomorrow. Sorry to split them up.

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=d6fa630e09035f49a51ff1908076b92d
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2011-02-21 11:36:51
    # local_time=2011-02-21 06:36:51 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 25247453 25247453 0 0
    # compatibility_mode=1024 16777191 100 0 28434987 28434987 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=72977
    # found=9
    # cleaned=0
    # scan_time=2690
    C:\Documents and Settings\Liz\Application Data\Sun\iimsu.dll a variant of Win32/AutoRun.Spy.Ambler.CJ worm (unable to clean) 00000000000000000000000000000000 I
    C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent.LCKGTSG application (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\16.02.2011_15.40.43\boot0000\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.ADZ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\16.02.2011_15.40.43\boot0000\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\16.02.2011_15.40.43\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.AMO trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\16.02.2011_15.40.43\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.I trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\16.02.2011_15.40.43\boot0000\tdlfs0000\tsk0008.dta Win64/Olmarik.A trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\16.02.2011_15.40.43\boot0000\tdlfs0000\tsk0009.dta a variant of Win32/Olmarik.ANB trojan (unable to clean) 00000000000000000000000000000000 I
    ${Memory} a variant of Win32/AutoRun.Spy.Ambler.CJ worm 00000000000000000000000000000000 I
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I believe your system has been compromised and recommend that you do a reformat and reinstall:

    This is a description of a Worm that is still active in your system:
    Win32/AutoRun.Spy.Ambler.CJ worm
    Alert Level>> Severe
    Summary
    Worm:Win32/Ambler.A is a worm that spreads via networked and removable drives, and attempts to steal sensitive information, such as passwords, from an affected computer. Worm:Win32/Ambler.A attempts to steal sensitive and confidential information from affected users in order to perpetrate fraud.

    When run, Worm:Win32/Ambler.A drops several randomly-named files onto the system. These file names vary from one instance of Ambler to the next.
    Ambler launches the dropped DLL component and registers itself as a BHO. It makes a number of registry modifications in order to facilitate its actions on the affected computer.

    Stolen data is sent to a remote attacker. In the wild, Worm:Win32/Ambler.A has been observed to contact testthenewsource.net for this purpose.
    This worm attempts to steal stored passwords from the following locations:
    • Microsoft Outlook Express
    • Internet Explorer password protected sites
    • MSN Explorer Signup
    • Internet Explorer auto complete fields
    • Internet Explorer auto complete passwords
    • Internet cookies
    • Passwords stored in pstore.dll
    (Most information courtesy Microsoft)
    Manual removal is not recommended for this threat. It is also in memory, which means that every time you start up, the Worm will launch again.

    There must be an infected flash drive. A disinfection on that can be attempted. However, it should not be used between computer systems.

    You will find excellent reformat/reinstall instructions here:
    http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html
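    The description above says Ambler registers its dropped DLL as a Browser Helper Object. The script below is an added example (not Bobbye's, and not part of any tool named in the thread) that inventories the BHOs registered on a machine, resolves each CLSID to its DLL and checks the Authenticode signature, so an unexpected unsigned BHO can be spotted; the function name Get-BhoInventory is my own, and it assumes an elevated PowerShell 3 or later prompt.

```powershell
# Added example, not the thread's own code: read-only inventory of Internet Explorer
# Browser Helper Objects. It reports and removes nothing.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidHives = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')

function Get-BhoInventory {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem $key) {
            $clsid = $entry.PSChildName            # each subkey name is the BHO's {CLSID}
            $dll   = $null
            foreach ($hive in $clsidHives) {
                $srv = Join-Path $hive "$clsid\InprocServer32"
                if (Test-Path $srv) {
                    # the (default) value holds the DLL path, possibly using %SystemRoot%-style variables
                    $dll = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $srv).'(default)')
                    break
                }
            }
            $status = 'MissingFile'
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $status = (Get-AuthenticodeSignature -FilePath $dll).Status
            }
            [pscustomobject]@{
                Clsid      = $clsid
                Dll        = $dll
                Signature  = $status
                # heuristic only: a legitimate but unsigned add-on will also trip this flag
                Suspicious = ($status -ne 'Valid') -or ($dll -match '\\(Users|Documents and Settings|Temp)\\')
            }
        }
    }
}

Get-BhoInventory | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

    Anything flagged is a lead for a closer look (file hashes, scanner results, vendor name), not a verdict; the randomly named DLL Bobbye describes would typically show up here as unsigned with a non-system path.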
     
  10. rrw1217

    rrw1217 TS Rookie Topic Starter Posts: 28

    Wow, thank you for that update - I will do that as soon as I get home. Also, thanks for the link - should I be doing the Repair Install, or the Fresh Install? I was guessing the Repair Install, although the link said that was best for "minor errors," which did not sound like an accurate description for this case.

    Finally, for what it's worth, we mostly use Mozilla Firefox (I thought exclusively, although can't guarantee that in every user's case). I plan to change all my passwords when done anyway, but just for peace of mind, I am curious if you think it likely that data/passwords could also be stolen from Mozilla via this worm.

    Sorry for all of the questions - thanks again for the time and info.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I think the Fresh Install would be better. As for passwords and Firefox: when you get malware on the system, especially a Worm like this, you should consider that anything on the system might have been compromised and act accordingly. While Firefox is a bit more secure than IE (in my opinion, and I use FF exclusively) when it comes to personal information, including passwords, you should think that those you have stored in Firefox could also be at risk.
     
  12. rrw1217

    rrw1217 TS Rookie Topic Starter Posts: 28

    Sorry to bother again - would this be the kind of situation where anything that is backed up on an external hard drive is compromised as well? And if so, to what extent (do I need to buy an entirely new ext. drive, or just have this wiped)?

    Sorry for the delay, had to leave town unexpectedly, so have not been on the computer at all - plan to perform the Fresh Install tomorrow morning, and I am wondering what I might lose, and whether or not I should utilize the hard drive to "save" anything, or if I will just be recreating my problem all over again.

    Thanks again for all of your advice.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Attach the external drive like you would a flash drive. Then run this:

    • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    1. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
    2. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    3. Wait until it has finished scanning and then exit the program.
    4. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
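    The note above describes the trick Flash_Disinfector relies on: an AutoRun worm needs to write a file called autorun.inf at the root of a drive, so a hidden system folder that already owns that name blocks it. The script below is an added example (not Flash_Disinfector, and not code from the thread) that checks every fixed and removable drive for which of the two is present, warns when an autorun.inf file exists without touching it, and, only with -Protect, creates the protective folder where the name is still free; the function names Test-AutorunInf and Protect-Drive are my own.

```powershell
# Added example, not Flash_Disinfector itself. Run from an elevated PowerShell prompt.
# Default mode is report-only; add -Protect to create the folders.
param([switch]$Protect)

function Test-AutorunInf {
    param([string]$Root)                       # drive root, e.g. 'E:\'
    $path = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $path)) { return 'absent' }
    $item = Get-Item -LiteralPath $path -Force # -Force: hidden/system items are included
    if ($item.PSIsContainer) { 'protected-folder' } else { 'file-present' }
}

function Protect-Drive {
    param([string]$Root)
    $path = Join-Path $Root 'autorun.inf'
    New-Item -Path $path -ItemType Directory | Out-Null
    attrib +h +s +r "$path"                    # hidden + system + read-only, as in the note above
}

# Win32_LogicalDisk DriveType: 2 = removable, 3 = local fixed disk (optical drives are 5 and skipped)
$drives = Get-WmiObject Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 3 }
foreach ($d in $drives) {
    $root  = $d.DeviceID + '\'
    $state = Test-AutorunInf $root
    switch ($state) {
        'file-present' {
            # an autorun.inf FILE is what a removable-drive worm plants; leave it for the scanner,
            # but show its contents so the open=/shellexecute= lines can be reviewed
            Write-Warning "$root has an autorun.inf FILE (not a folder)"
            Get-Content -LiteralPath (Join-Path $root 'autorun.inf') | ForEach-Object { "    $_" }
        }
        'protected-folder' { Write-Host "$root already protected" }
        'absent' {
            if ($Protect) { Protect-Drive $root; Write-Host "$root protected" }
            else          { Write-Host "$root unprotected (re-run with -Protect)" }
        }
    }
}
```

    On systems that have received the Windows Update that disabled AutoRun for USB drives, the folder is a belt-and-braces measure; it still does nothing against a worm that is already running, which is why the reformat advice above stands.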
     