Remove-Malware.com Forums

[FieryDemon]

there we go, found the culprit

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  

  Code: Select all

  :filefind
atapi.sys


  
  
• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

[jan777]

woot!

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 03:06 on 24/07/2010 by aileen (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [17:30 10/05/2009] [14:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\erdnt\cache\atapi.sys --a--- 96512 bytes [03:06 21/07/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [12:59 03/09/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [12:00 28/02/2006] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys --a--- 95360 bytes [07:17 02/04/2008] [12:00 28/02/2006] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys --a--- 95360 bytes [07:17 02/04/2008] [14:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-

[FieryDemon]

Download a new copy of combofix


Open up Notepad and paste the following:

Code: Select all

TDL::
C:\WINDOWS\system32\drivers\atapi.sys


* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

[jan777]

ComboFix 10-07-22.06 - aileen 07/24/2010 3:33.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.117 [GMT 8:00]
Running from: c:\documents and settings\aileen\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\aileen\Desktop\CFscript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-06-23 to 2010-07-23 )))))))))))))))))))))))))))))))
.

2010-07-23 00:32 . 2010-07-23 00:32 -------- d-----w- c:\documents and settings\aileen\DoctorWeb
2010-07-22 14:51 . 2010-07-22 14:51 69232 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-22 14:36 . 2010-07-22 14:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-21 21:49 . 2010-07-21 21:49 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-07-21 09:46 . 2010-07-21 09:47 -------- d-----w- c:\documents and settings\aileen\Application Data\PSPdisp
2010-07-21 09:42 . 2009-08-04 16:04 7808 ----a-w- c:\windows\system32\pspdisp.dll
2010-07-21 09:42 . 2009-08-04 16:04 3072 ----a-w- c:\windows\system32\drivers\pspdisp.sys
2010-07-21 01:33 . 2008-04-13 18:41 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-07-21 01:33 . 2008-04-13 18:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-07-21 01:33 . 2001-08-17 06:07 25952 -c--a-w- c:\windows\system32\dllcache\hpn.sys
2010-07-21 01:33 . 2001-08-17 06:07 25952 ----a-w- c:\windows\system32\drivers\hpn.sys
2010-07-21 00:46 . 2010-07-21 03:46 -------- d-----w- c:\program files\AA Antimalware
2010-07-20 21:27 . 2010-07-20 21:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-07-20 20:54 . 2010-07-20 20:54 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-07-20 20:54 . 2010-07-20 20:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-07-20 20:54 . 2010-07-21 02:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\HPAppData
2010-07-20 20:54 . 2010-07-20 20:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-07-20 16:11 . 2010-07-20 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-20 16:10 . 2010-07-21 00:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-20 10:29 . 2010-07-23 09:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-20 10:29 . 2010-07-23 09:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-20 09:13 . 2010-07-23 16:19 -------- d-----w- C:\Hjt
2010-07-19 07:20 . 2010-07-19 07:20 -------- d-----w- c:\documents and settings\aileen\Application Data\fofix
2010-07-17 06:18 . 2010-07-17 06:35 -------- d-----w- c:\documents and settings\aileen\Application Data\vlc
2010-07-17 06:14 . 2010-07-17 06:14 -------- d-----w- c:\program files\VideoLAN
2010-07-13 21:16 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-11 02:13 . 2010-07-11 02:13 -------- d-----w- c:\documents and settings\aileen\Local Settings\Application Data\tjnet
2010-07-10 04:10 . 2010-07-23 19:48 -------- d-----w- c:\documents and settings\aileen\Application Data\mjusbsp
2010-07-10 04:05 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-07-04 08:43 . 2010-07-04 08:43 -------- d-----w- c:\program files\Chikka Messenger
2010-07-03 06:44 . 2009-10-17 04:17 324096 ----a-w- c:\windows\SDL.dll
2010-07-03 06:44 . 2008-01-26 07:59 53248 ----a-w- c:\windows\DsPad.dll
2010-06-30 04:35 . 2010-07-21 01:12 -------- d-----w- c:\program files\Mozilla Firefox 4.0 Beta 1
2010-06-30 03:57 . 2001-08-17 06:02 2688 -c--a-w- c:\windows\system32\dllcache\hidswvd.sys
2010-06-30 03:57 . 2001-08-17 06:02 2688 ----a-w- c:\windows\system32\drivers\HIDSwvd.sys
2010-06-30 03:57 . 2008-04-13 18:45 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2010-06-30 03:57 . 2008-04-13 18:45 59136 ----a-w- c:\windows\system32\drivers\GcKernel.sys
2010-06-29 15:13 . 2010-07-22 09:40 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-29 09:17 . 2010-07-23 16:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-27 22:13 . 2010-07-21 09:46 -------- d-----w- c:\program files\PSPdisp
2010-06-27 21:56 . 2010-06-27 21:56 -------- d-----w- c:\program files\PPJoy Joystick Driver
2010-06-27 21:47 . 2010-06-27 21:47 -------- d-----w- c:\program files\Parallel Port Joystick
2010-06-27 21:37 . 2010-06-27 21:37 -------- d-----w- c:\documents and settings\aileen\Application Data\TightVNC
2010-06-27 21:09 . 2010-06-27 21:09 -------- d-----w- c:\documents and settings\LocalService\Application Data\TightVNC
2010-06-27 07:32 . 2010-06-27 07:32 -------- d-----w- c:\windows\Ubisoft
2010-06-27 07:30 . 2010-06-27 07:30 -------- d-----w- c:\program files\directx
2010-06-27 07:24 . 2010-06-27 07:24 -------- d-----w- c:\program files\Ubi Soft
2010-06-26 02:08 . 2010-06-26 02:08 -------- d-----w- c:\documents and settings\aileen\Local Settings\Application Data\GameTuts
2010-06-26 02:08 . 2010-06-26 02:08 -------- d-----w- c:\documents and settings\aileen\Application Data\GameTuts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-23 09:19 . 2009-12-08 09:16 -------- d-----w- c:\program files\Garena
2010-07-22 11:22 . 2010-06-12 05:54 -------- d-----w- c:\program files\Defraggler
2010-07-22 08:42 . 2008-05-04 09:51 -------- d-----w- c:\program files\uTorrent
2010-07-22 08:42 . 2008-08-28 14:03 -------- d-----w- c:\documents and settings\aileen\Application Data\uTorrent
2010-07-22 07:27 . 2008-12-27 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-07-20 15:55 . 2008-04-02 07:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-20 15:21 . 2009-03-17 15:00 -------- d-----w- c:\documents and settings\aileen\Application Data\LimeWire
2010-07-20 15:19 . 2008-08-28 14:03 -------- d-----w- c:\documents and settings\aileen\Application Data\Media Player Classic
2010-07-20 15:14 . 2010-06-12 04:39 -------- d-----w- c:\program files\CCleaner
2010-07-20 05:00 . 2009-01-27 09:51 -------- d-----w- c:\documents and settings\aileen\Application Data\HPAppData
2010-07-18 06:55 . 2010-06-04 20:27 -------- d-----w- c:\program files\JDownloader
2010-07-12 20:18 . 2010-04-07 16:21 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-07-12 20:18 . 2010-04-01 13:40 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-07-12 20:17 . 2010-07-12 20:17 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-07-12 20:17 . 2010-04-07 16:12 -------- d-----w- c:\program files\DivX
2010-07-12 20:17 . 2010-07-12 20:17 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-07-12 20:17 . 2010-07-12 20:17 84054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-07-12 20:16 . 2008-04-10 03:53 -------- d-----w- c:\program files\FlashGet
2010-07-12 20:15 . 2010-07-12 20:15 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-07-12 20:15 . 2010-04-07 16:21 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-07-12 20:15 . 2010-04-07 16:21 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-07-02 06:02 . 2010-05-16 22:33 -------- d-----w- c:\program files\RocketDock
2010-07-02 06:01 . 2010-04-08 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-07-02 06:01 . 2009-01-23 09:59 -------- d-----w- c:\program files\Norton Security Scan
2010-07-02 06:01 . 2010-06-06 08:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-01 19:30 . 2010-06-15 04:30 -------- d-----w- c:\documents and settings\aileen\Application Data\Image Zone Express
2010-06-23 02:40 . 2010-06-05 19:44 -------- d-----w- c:\documents and settings\aileen\Application Data\DivX
2010-06-14 14:31 . 2008-04-02 07:08 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-12 05:58 . 2010-06-12 05:58 -------- d-----w- c:\program files\RAM Def
2010-06-12 04:41 . 2010-06-12 04:41 -------- d-----w- c:\program files\Speccy
2010-06-05 19:44 . 2010-06-05 19:44 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-06-05 19:44 . 2010-06-05 19:44 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-06-05 02:18 . 2010-06-01 02:29 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-03 03:26 . 2010-05-28 08:13 -------- d-----w- c:\program files\AeroSnap
2010-05-29 02:21 . 2010-05-21 17:26 -------- d-----w- c:\program files\FileZilla Server
2010-05-28 08:22 . 2010-05-28 08:22 -------- d-----w- c:\documents and settings\aileen\Application Data\AeroSnapApp
2010-05-28 04:48 . 2010-05-28 04:48 -------- d-----w- c:\documents and settings\aileen\Application Data\VitySoft
2010-05-15 22:32 . 2010-05-15 22:32 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-05-04 17:20 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2006-02-28 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 07:39 . 2010-05-01 23:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 07:39 . 2010-05-01 23:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 00:15 . 2009-12-08 11:58 36928 ----a-w- c:\windows\system32\drivers\pssdk41.sys
2008-06-25 14:17 . 2008-06-25 14:17 4736 -c--a-w- c:\program files\log467700245.txt
2006-05-03 10:06 . 2008-12-23 07:56 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2008-12-23 07:56 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2008-12-23 07:56 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\aileen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-31 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"cdloader"="c:\documents and settings\aileen\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\QTTask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"RAMDef"="c:\program files\RAM Def\ramdef.exe" [2002-10-28 122040]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

c:\documents and settings\aileen\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
PSPdisp.lnk - c:\program files\PSPdisp\bin\app\PSPdisp.exe [2010-6-1 608256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^aileen^Start Menu^Programs^Startup^FrostWire On Startup.lnk]
path=c:\documents and settings\aileen\Start Menu\Programs\Startup\FrostWire On Startup.lnk
backup=c:\windows\pss\FrostWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^aileen^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\aileen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^aileen^Start Menu^Programs^Startup^Multiply AutoUploader.lnk]
path=c:\documents and settings\aileen\Start Menu\Programs\Startup\Multiply AutoUploader.lnk
backup=c:\windows\pss\Multiply AutoUploader.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^aileen^Start Menu^Programs^Startup^WinShake Control.lnk]
path=c:\documents and settings\aileen\Start Menu\Programs\Startup\WinShake Control.lnk
backup=c:\windows\pss\WinShake Control.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-14 17:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AeroSnap]
2008-12-06 11:32 886784 ----a-w- c:\program files\AeroSnap\AeroSnap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-07-31 22:58 133104 ----atw- c:\documents and settings\aileen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-14 13:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 08:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 08:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-19 09:11 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"e:\\Warcraft III 1.21 DotA 6.44b pack\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\aileen\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"e:\\Warcraft III 1.21 DotA 6.44b pack\\Warcraft III\\war3.exe"=
"c:\\Program Files\\PSPdisp\\bin\\app\\PSPdisp.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Documents and Settings\\aileen\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27985:TCP"= 27985:TCP:limewire
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8371:TCP"= 8371:TCP:League of Legends Launcher
"8371:UDP"= 8371:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher
"6926:TCP"= 6926:TCP:League of Legends Launcher
"6926:UDP"= 6926:UDP:League of Legends Launcher
"6908:TCP"= 6908:TCP:League of Legends Launcher
"6908:UDP"= 6908:UDP:League of Legends Launcher
"6893:TCP"= 6893:TCP:League of Legends Launcher
"6893:UDP"= 6893:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"2145:TCP"= 2145:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/2/2010 7:22 AM 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/2/2010 7:22 AM 20952]
R3 PPJoyBus;Parallel Port Joystick Bus Enumerator;c:\windows\system32\drivers\PPJoyBus.sys [1/23/2004 4:33 PM 16056]
R3 PPortJoystick;Parallel Port Joystick Device Driver;c:\windows\system32\drivers\PPortJoy.sys [1/23/2004 4:32 PM 31928]
R3 pspdisp;pspdisp;c:\windows\system32\drivers\pspdisp.sys [7/21/2010 5:42 PM 3072]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
S2 d2cs;d2cs service;c:\documents and settings\aileen\Desktop\pvpgn-1.8.0\d2cs.exe --service --> c:\documents and settings\aileen\Desktop\pvpgn-1.8.0\d2cs.exe --service [?]
S2 d2dbs;d2dbs service;c:\documents and settings\aileen\Desktop\pvpgn-1.8.0\d2dbs.exe --service --> c:\documents and settings\aileen\Desktop\pvpgn-1.8.0\d2dbs.exe --service [?]
S2 pvpgn;PvPGN service;c:\documents and settings\aileen\Desktop\pvpgn-1.8.0\PvPGN.exe --service --> c:\documents and settings\aileen\Desktop\pvpgn-1.8.0\PvPGN.exe --service [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\aileen\LOCALS~1\Temp\LSH34.tmp --> c:\docume~1\aileen\LOCALS~1\Temp\LSH34.tmp [?]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys --> c:\windows\system32\DRIVERS\ewusbfake.sys [?]
S3 leafnets;Leaf Networks Adapter;c:\windows\system32\drivers\leafnets.sys [5/3/2007 7:48 AM 55296]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [12/8/2009 7:58 PM 36928]
S3 WPRO_40_1123;WinPcap Packet Driver (WPRO_40_1123);c:\windows\system32\drivers\WPRO_40_1123.sys --> c:\windows\system32\drivers\WPRO_40_1123.sys [?]
S3 ZSMC0305;Look 316;c:\windows\system32\drivers\usbVM305.sys [4/9/2008 9:45 PM 1466624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-07-23 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 03:20]

2010-07-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-27 13:13]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-152049171-725345543-1007Core.job
- c:\documents and settings\aileen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-31 22:58]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-152049171-725345543-1007UA.job
- c:\documents and settings\aileen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-31 22:58]

2010-07-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-25 13:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.garena.com/portal/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add Hyperlink iComment - c:\program files\iComment 2.0.2\iComment.dll/267
IE: Add Picture iComment - c:\program files\iComment 2.0.2\iComment.dll/267
IE: Add Text iComment - c:\program files\iComment 2.0.2\iComment.dll/267
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: kuaiche.com\software
FF - ProfilePath - c:\documents and settings\aileen\Application Data\Mozilla\Firefox\Profiles\bx42ntav.default\
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox 4.0 Beta 1\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 4.0 Beta 1\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 4.0 Beta 1\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox 4.0 Beta 1\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-TrueTransparency - c:\documents and settings\aileen\My Documents\Downloads\truetransparency-crystalxp.net-en-5139\TrueTransparency\TrueTransparency.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-24 03:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8326BB4C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf85f7f28
\Driver\ACPI -> ACPI.sys @ 0xf848acb8
\Driver\atapi -> atapi.sys @ 0xf841c852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf8329bd4
PacketIndicateHandler -> NDIS.sys @ 0xf8335a21
SendHandler -> NDIS.sys @ 0xf8329d44
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\aileen\LOCALS~1\Temp\LSH34.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(388)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(448)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2352)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\FileZilla Server\FileZilla Server.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\documents and settings\aileen\Application Data\mjusbsp\magicJack.exe
.
**************************************************************************
.
Completion time: 2010-07-24 03:59:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-23 19:59
ComboFix2.txt 2010-07-22 23:27
ComboFix3.txt 2010-07-22 08:07
ComboFix4.txt 2010-07-22 07:04
ComboFix5.txt 2010-07-23 19:21

Pre-Run: 14,768,353,280 bytes free
Post-Run: 14,785,736,704 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 53C1E0AC475152C4811E5698209A3DF4

[FieryDemon]

can you run TDSS killer again? I think you got a new tdss rootkit variant

The only thing i can think of now is to run GMER and have everything UNCHECKED except for the C drive and sections. and then run it. Hopefully it provides two drivers with suspicious modification.

[jan777]

got nothing with TDSSkiller


2010/07/24 05:46:05.0406 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49
2010/07/24 05:46:05.0406 ================================================================================
2010/07/24 05:46:05.0406 SystemInfo:
2010/07/24 05:46:05.0406
2010/07/24 05:46:05.0406 OS Version: 5.1.2600 ServicePack: 3.0
2010/07/24 05:46:05.0406 Product type: Workstation
2010/07/24 05:46:05.0406 ComputerName: JOSEPH-7
2010/07/24 05:46:05.0406 UserName: aileen
2010/07/24 05:46:05.0406 Windows directory: C:\WINDOWS
2010/07/24 05:46:05.0406 System windows directory: C:\WINDOWS
2010/07/24 05:46:05.0406 Processor architecture: Intel x86
2010/07/24 05:46:05.0406 Number of processors: 2
2010/07/24 05:46:05.0406 Page size: 0x1000
2010/07/24 05:46:05.0406 Boot type: Normal boot
2010/07/24 05:46:05.0406 ================================================================================
2010/07/24 05:46:07.0421 Initialize success
2010/07/24 05:46:20.0312 ================================================================================
2010/07/24 05:46:20.0312 Scan started
2010/07/24 05:46:20.0312 Mode: Manual;
2010/07/24 05:46:20.0312 ================================================================================
2010/07/24 05:46:26.0859 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\drivers\abp480n5.sys
2010/07/24 05:46:26.0921 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2010/07/24 05:46:26.0968 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/07/24 05:46:27.0078 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/07/24 05:46:27.0109 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\drivers\adpu160m.sys
2010/07/24 05:46:27.0156 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/07/24 05:46:27.0281 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/07/24 05:46:27.0343 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\drivers\Aha154x.sys
2010/07/24 05:46:27.0359 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\drivers\aic78u2.sys
2010/07/24 05:46:27.0437 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\drivers\aic78xx.sys
2010/07/24 05:46:27.0453 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\drivers\AliIde.sys
2010/07/24 05:46:27.0468 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\drivers\amsint.sys
2010/07/24 05:46:27.0484 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\drivers\asc.sys
2010/07/24 05:46:27.0531 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\drivers\asc3350p.sys
2010/07/24 05:46:27.0546 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\drivers\asc3550.sys
2010/07/24 05:46:27.0625 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/07/24 05:46:27.0687 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/07/24 05:46:27.0718 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/07/24 05:46:27.0765 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/07/24 05:46:27.0875 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/07/24 05:46:27.0937 CA561 (1fa7ff7ba22769b414aee5965fdb05b4) C:\WINDOWS\system32\Drivers\SPCA561.SYS
2010/07/24 05:46:27.0984 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/07/24 05:46:28.0015 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/07/24 05:46:28.0046 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\drivers\cd20xrnt.sys
2010/07/24 05:46:28.0218 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/07/24 05:46:28.0281 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/07/24 05:46:28.0343 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/07/24 05:46:28.0453 Changer (2a5815ca6fff24b688c01f828b96819c) C:\WINDOWS\system32\drivers\Changer.sys
2010/07/24 05:46:28.0500 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\drivers\CmdIde.sys
2010/07/24 05:46:28.0531 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\drivers\Cpqarray.sys
2010/07/24 05:46:28.0578 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\drivers\dac2w2k.sys
2010/07/24 05:46:28.0609 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\drivers\dac960nt.sys
2010/07/24 05:46:28.0703 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/07/24 05:46:28.0812 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/07/24 05:46:28.0937 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/07/24 05:46:28.0984 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/07/24 05:46:29.0031 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/07/24 05:46:29.0093 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\drivers\dpti2o.sys
2010/07/24 05:46:29.0109 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/07/24 05:46:29.0218 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/07/24 05:46:29.0234 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/07/24 05:46:29.0312 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/07/24 05:46:29.0328 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/07/24 05:46:29.0421 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/07/24 05:46:29.0453 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/07/24 05:46:29.0500 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/07/24 05:46:29.0671 GcKernel (72fe2bea6863d4eb93442a1c4fb5ca48) C:\WINDOWS\system32\DRIVERS\GcKernel.sys
2010/07/24 05:46:29.0703 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/07/24 05:46:29.0718 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/07/24 05:46:29.0734 HIDSwvd (bd205320308fb41c88a4049a2d1764b4) C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys
2010/07/24 05:46:29.0765 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/07/24 05:46:29.0828 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\drivers\hpn.sys
2010/07/24 05:46:29.0906 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/07/24 05:46:29.0937 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/07/24 05:46:29.0953 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/07/24 05:46:29.0984 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/07/24 05:46:30.0125 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/07/24 05:46:30.0156 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\drivers\i2omp.sys
2010/07/24 05:46:30.0187 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/07/24 05:46:30.0375 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2010/07/24 05:46:30.0625 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/07/24 05:46:30.0640 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\drivers\ini910u.sys
2010/07/24 05:46:30.0671 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\drivers\IntelIde.sys
2010/07/24 05:46:30.0718 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/07/24 05:46:30.0828 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/07/24 05:46:30.0875 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/07/24 05:46:30.0906 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/07/24 05:46:30.0937 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/07/24 05:46:31.0046 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/07/24 05:46:31.0062 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/07/24 05:46:31.0093 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/07/24 05:46:31.0125 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/07/24 05:46:31.0156 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/07/24 05:46:31.0250 klmd24 (6485ad0a17a0d6286b4d44c652adabb2) C:\WINDOWS\system32\drivers\klmd.sys
2010/07/24 05:46:31.0296 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/07/24 05:46:31.0328 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/07/24 05:46:31.0375 lbrtfdc (406598827a1b5f77954de11dde115ced) C:\WINDOWS\system32\drivers\lbrtfdc.sys
2010/07/24 05:46:31.0453 leafnets (51674c5c2eeff3d155edab0f5ef9a4d2) C:\WINDOWS\system32\DRIVERS\leafnets.sys
2010/07/24 05:46:31.0515 MBAMProtector (67b48a903430c6d4fb58cbaca1866601) C:\WINDOWS\system32\drivers\mbam.sys
2010/07/24 05:46:31.0531 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/07/24 05:46:31.0578 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/07/24 05:46:31.0625 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/07/24 05:46:31.0703 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/07/24 05:46:31.0718 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/07/24 05:46:31.0765 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2010/07/24 05:46:31.0796 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\drivers\mraid35x.sys
2010/07/24 05:46:31.0890 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/07/24 05:46:31.0984 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/07/24 05:46:32.0093 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/07/24 05:46:32.0125 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/07/24 05:46:32.0156 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/07/24 05:46:32.0171 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/07/24 05:46:32.0218 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/07/24 05:46:32.0296 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/07/24 05:46:32.0343 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/07/24 05:46:32.0375 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/07/24 05:46:32.0421 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/07/24 05:46:32.0500 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/07/24 05:46:32.0531 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/07/24 05:46:32.0562 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/07/24 05:46:32.0578 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/07/24 05:46:32.0609 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/07/24 05:46:32.0640 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/07/24 05:46:32.0765 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/07/24 05:46:32.0812 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
2010/07/24 05:46:32.0859 nocashio (03bba4dedefb48c510061529651b453a) C:\WINDOWS\system32\drivers\nocashio.sys
2010/07/24 05:46:32.0937 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/07/24 05:46:32.0968 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/07/24 05:46:33.0015 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/07/24 05:46:33.0046 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/07/24 05:46:33.0062 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/07/24 05:46:33.0171 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/07/24 05:46:33.0203 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/07/24 05:46:33.0250 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/07/24 05:46:33.0296 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/07/24 05:46:33.0437 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/07/24 05:46:33.0531 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/07/24 05:46:33.0640 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\drivers\perc2.sys
2010/07/24 05:46:33.0703 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\drivers\perc2hib.sys
2010/07/24 05:46:33.0765 PPJoyBus (80cd87cfea9f96cca12cca13de8ea6bc) C:\WINDOWS\system32\drivers\PPJoyBus.sys
2010/07/24 05:46:33.0906 PPortJoystick (fc6ac6ff02af91d661556fc5cd07689d) C:\WINDOWS\system32\drivers\PPortJoy.sys
2010/07/24 05:46:33.0953 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/07/24 05:46:33.0984 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/07/24 05:46:34.0015 pspdisp (30c867c08b13e66710e3210c8938e902) C:\WINDOWS\system32\DRIVERS\pspdisp.sys
2010/07/24 05:46:34.0046 PsSdk41 (0c234a4a2fbab98e5e1bafaf3e3e403a) C:\WINDOWS\system32\Drivers\pssdk41.sys
2010/07/24 05:46:34.0140 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/07/24 05:46:34.0187 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\drivers\ql1080.sys
2010/07/24 05:46:34.0203 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\drivers\Ql10wnt.sys
2010/07/24 05:46:34.0218 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\drivers\ql12160.sys
2010/07/24 05:46:34.0250 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\drivers\ql1240.sys
2010/07/24 05:46:34.0250 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\drivers\ql1280.sys
2010/07/24 05:46:34.0359 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/07/24 05:46:34.0406 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/07/24 05:46:34.0421 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/07/24 05:46:34.0437 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/07/24 05:46:34.0484 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/07/24 05:46:34.0578 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/07/24 05:46:34.0625 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/07/24 05:46:34.0656 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/07/24 05:46:34.0703 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/07/24 05:46:34.0796 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2010/07/24 05:46:34.0921 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/07/24 05:46:34.0953 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/07/24 05:46:35.0062 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/07/24 05:46:35.0140 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/07/24 05:46:35.0218 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/07/24 05:46:35.0250 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\drivers\Sparrow.sys
2010/07/24 05:46:35.0359 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/07/24 05:46:35.0421 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/07/24 05:46:35.0468 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/07/24 05:46:35.0515 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/07/24 05:46:35.0593 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/07/24 05:46:35.0625 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/07/24 05:46:35.0671 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\drivers\symc810.sys
2010/07/24 05:46:35.0687 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\drivers\symc8xx.sys
2010/07/24 05:46:35.0703 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\drivers\sym_hi.sys
2010/07/24 05:46:35.0734 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\drivers\sym_u3.sys
2010/07/24 05:46:35.0875 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/07/24 05:46:35.0906 taphss (0c3b2a9c4bd2dd9a6c2e4084314dd719) C:\WINDOWS\system32\DRIVERS\taphss.sys
2010/07/24 05:46:35.0984 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/07/24 05:46:36.0093 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/07/24 05:46:36.0125 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/07/24 05:46:36.0203 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/07/24 05:46:36.0234 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\drivers\TosIde.sys
2010/07/24 05:46:36.0312 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/07/24 05:46:36.0359 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\drivers\ultra.sys
2010/07/24 05:46:36.0390 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/07/24 05:46:36.0437 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/07/24 05:46:36.0515 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/07/24 05:46:36.0546 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/07/24 05:46:36.0562 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/07/24 05:46:36.0609 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/07/24 05:46:36.0640 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/07/24 05:46:36.0718 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/07/24 05:46:36.0765 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/07/24 05:46:36.0796 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/07/24 05:46:36.0843 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2010/07/24 05:46:36.0984 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/07/24 05:46:37.0015 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\drivers\ViaIde.sys
2010/07/24 05:46:37.0062 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/07/24 05:46:37.0078 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/07/24 05:46:37.0203 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/07/24 05:46:37.0265 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
2010/07/24 05:46:37.0312 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/07/24 05:46:37.0437 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/07/24 05:46:37.0468 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/07/24 05:46:37.0484 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/07/24 05:46:37.0593 ZDPSp50 (00ae175b903d45ed4a62384d3315dc2a) C:\WINDOWS\system32\Drivers\ZDPSp50.sys
2010/07/24 05:46:37.0671 ZSMC0305 (517aab1c63d30e4478db9ffea541cc51) C:\WINDOWS\system32\Drivers\usbVM305.sys
2010/07/24 05:46:37.0703 ================================================================================
2010/07/24 05:46:37.0703 Scan finished
2010/07/24 05:46:37.0703 ================================================================================

can you tell me what specifically do i have to check with gmer? thanks.

or do you think maybe we should replace atapi.sys?

UPDATE: idk why, but mBAM doesnt block sites anymore. i updated it and Microsoft security essentials. might it be that the virus is gone?

[FieryDemon]

for gmer, check:

sections
C drive


We have tried to replace atapi with the last combofix script but the log still shows a rootkit hooking atapi.

[jan777]

found nothing with gmer.

[FieryDemon]

can you still post the log?

Are you still having redirects, slow computer or MBAM blocking sites?

[jan777]

i saved a log, but when i opened it, it was blank.

mm, no more redirects, MBAM not blocking site anymore, And the computer is usually slow during startup, but gets faster after about 5-10 mins.