Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

trying to get rid of rogue security "Protection Center"

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: trying to get rid of rogue security "Protection Center"

Unread postby fedupwroguesw » June 5th, 2010, 9:38 am

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\Program Files\Common Files\ArcSoft\Bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\;C:\Program Files\Wave Systems Corp\Gemalto\Access Client\v5\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\PROGRA~1\IBM\CLIENT~1;C:\PROGRA~1\IBM\CLIENT~1\Shared;C:\PROGRA~1\IBM\CLIENT~1\Emulator;C:\Program Files\Common Files\HP\Digital Imaging\bin;C:\Program Files\HP\Digital Imaging\bin\;C:\Program Files\HP\Digital Imaging\bin\Qt\Qt 4.3.3;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
"asl.log"=Destination=file;OnFirstLog=command,environment
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------
fedupwroguesw
Regular Member
 
Posts: 35
Joined: June 2nd, 2010, 9:53 pm
Advertisement
Register to Remove

Re: trying to get rid of rogue security "Protection Center"

Unread postby fedupwroguesw » June 5th, 2010, 9:43 am

It will not let me post one part of the txt it is a message that failed automatic updates from windows update I have copied and pasted and typed it out neither will let me post it.
fedupwroguesw
Regular Member
 
Posts: 35
Joined: June 2nd, 2010, 9:53 pm

Re: trying to get rid of rogue security "Protection Center"

Unread postby melboy » June 6th, 2010, 2:26 pm

Hi

It looks a though you may have an infected removable drive, either an external HDD or a USB flash drive. Do you have any of those?


Did you add these hosts file entries yourself, what do you know about them?

192.168.80.14 s103dklm
192.168.80.10 mp_albany
192.168.1.50 HP001CC4BB0B07
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: trying to get rid of rogue security "Protection Center"

Unread postby fedupwroguesw » June 6th, 2010, 3:16 pm

No I did not add any of these I do not know what they are, yes I have to usb flash drives that I use
fedupwroguesw
Regular Member
 
Posts: 35
Joined: June 2nd, 2010, 9:53 pm

Re: trying to get rid of rogue security "Protection Center"

Unread postby melboy » June 6th, 2010, 3:39 pm

Hi

Flash_Disinfector by sUBs
    Please download Flash_Disinfector and save it to your desktop.

  • Double click to run it.
  • You will be prompted to plug in your flash drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.

You can run Flash Disinfector with other flash drives and/or other removable drives. This may include your Mobile phone, Digital camera etc...
Please do so and allow the utility to clean up those drives as well.


Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.




Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform full scan, then click Scan. (Ensure ALL Drives are checked)
  • Click on Scan
  • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
  • Check all items except items in the C:\System Volume Information folder... then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.
Last edited by melboy on June 13th, 2010, 11:29 am, edited 3 times in total.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: trying to get rid of rogue security "Protection Center"

Unread postby fedupwroguesw » June 6th, 2010, 5:52 pm

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4173

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/6/2010 5:51:28 PM
mbam-log-2010-06-06 (17-51-28).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 213197
Time elapsed: 1 hour(s), 53 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP388\A0055129.exe (Malware.Packer.Gen) -> No action taken.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP388\A0055144.sys (Rootkit.TDSS.Gen) -> No action taken.
fedupwroguesw
Regular Member
 
Posts: 35
Joined: June 2nd, 2010, 9:53 pm

Re: trying to get rid of rogue security "Protection Center"

Unread postby fedupwroguesw » June 6th, 2010, 8:20 pm

Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP388\A0055129.exe (Malware.Packer.Gen) -> Not selected for removal.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP388\A0055144.sys (Rootkit.TDSS.Gen) -> Not selected for removal.
fedupwroguesw
Regular Member
 
Posts: 35
Joined: June 2nd, 2010, 9:53 pm

Re: trying to get rid of rogue security "Protection Center"

Unread postby melboy » June 7th, 2010, 3:03 am

Hi

Again, make sure all external flash drives are plugged in when running the ESET scan only.



TDSSKiller
  • Download the file TDSSKiller.zip and save it on your desktop
  • Extract the file tdskiller.zip, it will create a folder named tdsskiller on your desktop. (Zip/UnZip Tutorial)
  • Next double-click the tdsskiller Folder on your desktop.
  • Double click tdsskiller.exe to run the tool.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • A log will be created on your root (usually C:) drive. The log is like UtilityName.Version_Date_Time_log.txt.
    for example, C:\TDSSKiller.2.3.0.0_20.04.2010_15.31.43_log.txt.
  • Please post the contents in your next reply


After Reboot.


ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
    • Under "Current scan targets: Operating memory, Local drives" Click on Change...
    • Ensure ALL drives are checked under My Computer

  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: trying to get rid of rogue security "Protection Center"

Unread postby fedupwroguesw » June 7th, 2010, 6:51 pm

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv1.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv2.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv3.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv4.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv5.zip Win32/Bagle.gen.zip worm
C:\WINDOWS\system32\Process.exe Win32/PrcView application
F:\SmitfraudFix.exe multiple threats
fedupwroguesw
Regular Member
 
Posts: 35
Joined: June 2nd, 2010, 9:53 pm

Re: trying to get rid of rogue security "Protection Center"

Unread postby melboy » June 7th, 2010, 7:05 pm

Do you have the TDSSKiller log?
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: trying to get rid of rogue security "Protection Center"

Unread postby fedupwroguesw » June 7th, 2010, 7:43 pm

06:28:52:953 5756 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
06:28:52:953 5756 ================================================================================
06:28:52:953 5756 SystemInfo:

06:28:52:953 5756 OS Version: 5.1.2600 ServicePack: 3.0
06:28:52:953 5756 Product type: Workstation
06:28:52:953 5756 ComputerName: JAMIE
06:28:52:953 5756 UserName: Rob
06:28:52:953 5756 Windows directory: C:\WINDOWS
06:28:52:953 5756 Processor architecture: Intel x86
06:28:52:953 5756 Number of processors: 2
06:28:52:953 5756 Page size: 0x1000
06:28:52:953 5756 Boot type: Normal boot
06:28:52:953 5756 ================================================================================
06:28:53:390 5756 Initialize success
06:28:53:390 5756
06:28:53:390 5756 Scanning Services ...
06:28:53:546 5756 Raw services enum returned 441 services
06:28:53:546 5756
06:28:53:546 5756 Scanning Drivers ...
06:28:54:906 5756 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
06:28:54:968 5756 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
06:28:55:015 5756 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
06:28:55:078 5756 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
06:28:55:171 5756 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
06:28:55:328 5756 AESTAud (20f078136f3bdc4c0405c0527b769303) C:\WINDOWS\system32\drivers\AESTAud.sys
06:28:55:406 5756 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\WINDOWS\system32\drivers\Afc.sys
06:28:55:500 5756 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
06:28:55:562 5756 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
06:28:55:609 5756 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
06:28:55:734 5756 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
06:28:55:765 5756 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
06:28:55:828 5756 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
06:28:55:937 5756 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
06:28:56:000 5756 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
06:28:56:062 5756 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
06:28:56:296 5756 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
06:28:56:343 5756 ApfiltrService (b83f9da84f7079451c1c6a4a2f140920) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
06:28:56:375 5756 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
06:28:56:437 5756 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
06:28:56:484 5756 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
06:28:56:531 5756 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
06:28:56:625 5756 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
06:28:56:703 5756 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
06:28:56:796 5756 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
06:28:56:843 5756 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
06:28:56:937 5756 b57w2k (559ddda2c88459478056174247706deb) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
06:28:57:031 5756 BASFND (5c68ac6f3e5b3e6d6a78e97d05e42c3a) C:\Program Files\Broadcom\MgmtAgent\BASFND.sys
06:28:57:218 5756 BCM43XX (9208c78bd9283f79a30252ad954c77a2) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
06:28:57:312 5756 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
06:28:57:359 5756 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
06:28:57:390 5756 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
06:28:57:453 5756 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
06:28:57:578 5756 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
06:28:57:640 5756 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
06:28:57:671 5756 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
06:28:57:750 5756 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
06:28:57:796 5756 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
06:28:57:937 5756 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
06:28:58:000 5756 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
06:28:58:031 5756 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
06:28:58:078 5756 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
06:28:58:140 5756 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
06:28:58:281 5756 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
06:28:58:343 5756 DLABMFSM (a0500678a33802d8954153839301d539) C:\WINDOWS\system32\Drivers\DLABMFSM.SYS
06:28:58:421 5756 DLABOIOM (b8d2f68cac54d46281399f9092644794) C:\WINDOWS\system32\Drivers\DLABOIOM.SYS
06:28:58:468 5756 DLACDBHM (0ee93ab799d1cb4ec90b36f3612fe907) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
06:28:58:515 5756 DLADResM (87413b94ae1fabc117c4e8ae6725134e) C:\WINDOWS\system32\Drivers\DLADResM.SYS
06:28:58:562 5756 DLAIFS_M (766a148235be1c0039c974446e4c0edc) C:\WINDOWS\system32\Drivers\DLAIFS_M.SYS
06:28:58:609 5756 DLAOPIOM (38267cca177354f1c64450a43a4f7627) C:\WINDOWS\system32\Drivers\DLAOPIOM.SYS
06:28:58:656 5756 DLAPoolM (fd363369fd313b46b5aeab1a688b52e9) C:\WINDOWS\system32\Drivers\DLAPoolM.SYS
06:28:58:703 5756 DLARTL_M (336ae18f0912ef4fbe5518849e004d74) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
06:28:58:843 5756 DLAUDFAM (fd85f682c1cc2a7ca878c7a448e6d87e) C:\WINDOWS\system32\Drivers\DLAUDFAM.SYS
06:28:58:953 5756 DLAUDF_M (af389ce587b6bf5bbdcd6f6abe5eabc0) C:\WINDOWS\system32\Drivers\DLAUDF_M.SYS
06:28:59:062 5756 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
06:28:59:250 5756 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
06:28:59:296 5756 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
06:28:59:390 5756 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
06:28:59:468 5756 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
06:28:59:515 5756 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
06:28:59:593 5756 DRVMCDB (5d3b71bb2bb0009d65d290e2ef374bd3) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
06:28:59:750 5756 DRVNDDM (c591ba9f96f40a1fd6494dafdcd17185) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
06:28:59:875 5756 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
06:28:59:953 5756 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
06:29:00:062 5756 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
06:29:00:218 5756 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
06:29:00:265 5756 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
06:29:00:312 5756 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
06:29:00:359 5756 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
06:29:00:437 5756 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
06:29:00:531 5756 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
06:29:00:703 5756 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
06:29:00:796 5756 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
06:29:00:843 5756 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
06:29:00:906 5756 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
06:29:00:968 5756 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
06:29:01:187 5756 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
06:29:01:234 5756 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
06:29:01:296 5756 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
06:29:01:406 5756 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
06:29:01:515 5756 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
06:29:01:656 5756 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
06:29:01:765 5756 i8042prt (029ecdfc8d01be29e45b781ff0d4954f) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
06:29:01:765 5756 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\i8042prt.sys. Real md5: 029ecdfc8d01be29e45b781ff0d4954f, Fake md5: 4a0b06aa8943c1e332520f7440c0aa30
06:29:01:765 5756 File "C:\WINDOWS\system32\DRIVERS\i8042prt.sys" infected by TDSS rootkit ... 06:29:03:015 5756 Backup copy found, using it..
06:29:03:109 5756 will be cured on next reboot
06:29:03:421 5756 ialm (4f3139829f1ac202ff0d29c2fd6c15b6) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
06:29:03:750 5756 iaStor (692830b048aacd7e0d6ededf098acc01) C:\WINDOWS\system32\drivers\iaStor.sys
06:29:03:812 5756 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
06:29:03:984 5756 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
06:29:04:125 5756 IntcHdmiAddService (64c301d73db18ebdc8680ca82d82af2d) C:\WINDOWS\system32\drivers\IntcHdmi.sys
06:29:04:218 5756 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
06:29:04:328 5756 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
06:29:04:437 5756 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
06:29:04:500 5756 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
06:29:04:578 5756 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
06:29:04:671 5756 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
06:29:04:781 5756 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
06:29:04:906 5756 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
06:29:05:000 5756 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
06:29:05:046 5756 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
06:29:05:078 5756 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
06:29:05:203 5756 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys
06:29:05:312 5756 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
06:29:05:390 5756 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
06:29:05:546 5756 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
06:29:05:625 5756 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
06:29:05:750 5756 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
06:29:05:828 5756 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
06:29:05:921 5756 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
06:29:06:015 5756 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
06:29:06:140 5756 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys
06:29:06:234 5756 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
06:29:06:328 5756 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
06:29:06:468 5756 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
06:29:06:609 5756 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
06:29:06:687 5756 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
06:29:06:750 5756 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
06:29:06:796 5756 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
06:29:06:859 5756 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
06:29:06:968 5756 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
06:29:07:109 5756 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
06:29:07:218 5756 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
06:29:07:359 5756 NAVENG (83518e6cc82bdc3c3db0c12d1c9a2275) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100606.003\NAVENG.SYS
06:29:07:453 5756 NAVEX15 (85cf37740fe06c7a2eaa7f6c81f0819c) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100606.003\NAVEX15.SYS
06:29:07:625 5756 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
06:29:07:734 5756 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
06:29:07:796 5756 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
06:29:07:843 5756 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
06:29:07:937 5756 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
06:29:08:062 5756 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
06:29:08:140 5756 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
06:29:08:218 5756 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
06:29:08:296 5756 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
06:29:08:359 5756 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
06:29:08:500 5756 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
06:29:08:609 5756 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
06:29:08:750 5756 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
06:29:08:828 5756 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
06:29:08:984 5756 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
06:29:09:031 5756 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
06:29:09:125 5756 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
06:29:09:281 5756 Par1284 (e2f8c7e5afe897700a57f45b7e680157) C:\Program Files\HP DesignJet 500PS\Program\Par1284.sys
06:29:09:453 5756 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
06:29:09:515 5756 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
06:29:09:593 5756 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
06:29:09:671 5756 PBADRV (4088c1ecd1f54281a92fa663b0fdc36f) C:\WINDOWS\system32\DRIVERS\PBADRV.sys
06:29:09:750 5756 PCASp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\PCASp50.sys
06:29:09:843 5756 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
06:29:10:000 5756 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
06:29:10:109 5756 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
06:29:10:187 5756 PCTINDIS5 (1e715247efffdda938c085913045d599) C:\WINDOWS\system32\PCTINDIS5.SYS
06:29:10:484 5756 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
06:29:10:546 5756 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
06:29:10:625 5756 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
06:29:10:765 5756 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
06:29:10:906 5756 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
06:29:11:031 5756 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
06:29:11:109 5756 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
06:29:11:187 5756 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
06:29:11:281 5756 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
06:29:11:390 5756 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
06:29:11:468 5756 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
06:29:11:515 5756 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
06:29:11:562 5756 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
06:29:11:609 5756 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
06:29:11:703 5756 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
06:29:11:781 5756 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
06:29:11:937 5756 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
06:29:12:062 5756 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
06:29:12:171 5756 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
06:29:12:250 5756 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
06:29:12:312 5756 rimmptsk (355aac141b214bef1dbc1483afd9bd50) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
06:29:12:484 5756 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
06:29:12:578 5756 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
06:29:12:703 5756 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
06:29:12:765 5756 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
06:29:12:875 5756 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
06:29:12:906 5756 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
06:29:13:031 5756 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
06:29:13:078 5756 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
06:29:13:125 5756 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
06:29:13:281 5756 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
06:29:13:437 5756 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
06:29:13:546 5756 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
06:29:13:656 5756 SPBBCDrv (cb5a4e90451d80d415f0a6dbb86d1d9f) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
06:29:13:843 5756 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
06:29:13:953 5756 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
06:29:14:031 5756 SRTSP (655773f2f1a3730c6cf20280a49f4ee1) C:\WINDOWS\system32\Drivers\SRTSP.SYS
06:29:14:156 5756 SRTSPL (2a0aaf370d4c6574a34ae2f4a0709cae) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
06:29:14:359 5756 SRTSPX (3104bdceace2d5710776dd05e6a286c1) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
06:29:14:500 5756 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
06:29:14:687 5756 STHDA (9baa5e118c8e8726e39d1f60333e0842) C:\WINDOWS\system32\drivers\sthda.sys
06:29:14:843 5756 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
06:29:14:921 5756 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
06:29:15:015 5756 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
06:29:15:140 5756 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
06:29:15:312 5756 swmsflt (57bbaef27dc790160245b43eb6dcd576) C:\WINDOWS\System32\drivers\swmsflt.sys
06:29:15:406 5756 SWNC8U80 (7ae593fe3d78195987505da0a7e91542) C:\WINDOWS\system32\DRIVERS\swnc8u80.sys
06:29:15:484 5756 SWUMX80 (3076a3bb7c340bbf851075dd2ebad03f) C:\WINDOWS\system32\DRIVERS\swumx80.sys
06:29:15:609 5756 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
06:29:15:703 5756 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
06:29:15:859 5756 SymEvent (4517bd567d4eab459194feccfa654a51) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
06:29:15:921 5756 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
06:29:15:968 5756 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
06:29:16:078 5756 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
06:29:16:171 5756 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
06:29:16:343 5756 tcpipBM (9b05aa8089f4ea1bc31208ede33969f3) C:\WINDOWS\system32\drivers\tcpipBM.sys
06:29:16:437 5756 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
06:29:16:515 5756 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
06:29:16:593 5756 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
06:29:16:640 5756 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
06:29:16:687 5756 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys
06:29:16:750 5756 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
06:29:16:859 5756 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
06:29:16:968 5756 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
06:29:17:109 5756 USB28xxBGA (4c3180982abbc7cfa14dd21c0cbb1c22) C:\WINDOWS\system32\DRIVERS\emBDA.sys
06:29:17:250 5756 USB28xxOEM (49b03351781de98981df0814a15dc992) C:\WINDOWS\system32\DRIVERS\emOEM.sys
06:29:17:421 5756 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
06:29:17:531 5756 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
06:29:17:640 5756 usbbus (9419faac6552a51542dbba02971c841c) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
06:29:17:734 5756 usbccgp (c18d6c74953621346df6b0a11f80c1cc) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
06:29:17:843 5756 UsbDiag (c0a466fa4ffec464320e159bc1bbdc0c) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
06:29:18:078 5756 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
06:29:18:187 5756 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
06:29:18:250 5756 USBModem (f74a54774a9b0afeb3c40adec68aa600) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
06:29:18:343 5756 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
06:29:18:406 5756 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
06:29:18:500 5756 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
06:29:18:625 5756 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
06:29:18:718 5756 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
06:29:18:828 5756 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
06:29:18:906 5756 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
06:29:18:968 5756 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
06:29:19:062 5756 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
06:29:19:140 5756 WavxDMgr (0be8dd6c95c5bdff9c5f3fa8095d304c) C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys
06:29:19:281 5756 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
06:29:19:453 5756 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
06:29:19:593 5756 WGX (7e0f51c10e9db7efb8abe190c85f27c4) C:\WINDOWS\system32\Drivers\WGX.SYS
06:29:19:640 5756 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
06:29:19:765 5756 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
06:29:19:906 5756 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
06:29:20:015 5756 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
06:29:20:125 5756 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
06:29:20:234 5756 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
06:29:20:265 5756 Reboot required for cure complete..
06:29:20:359 5756 Cure on reboot scheduled successfully
06:29:20:359 5756
06:29:20:359 5756 Completed
06:29:20:359 5756
06:29:20:359 5756 Results:
06:29:20:359 5756 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
06:29:20:359 5756 File objects infected / cured / cured on reboot: 1 / 0 / 1
06:29:20:359 5756
06:29:20:375 5756 KLMD(ARK) unloaded successfully
fedupwroguesw
Regular Member
 
Posts: 35
Joined: June 2nd, 2010, 9:53 pm

Re: trying to get rid of rogue security "Protection Center"

Unread postby melboy » June 8th, 2010, 4:40 pm

Ok, that looks to have got it.

How are things running?



RootRepeal
Download RootRepeal.zip from here & unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
      Drivers
      Files
      Processes
      SSDT
      Stealth Objects
      Hidden Services
      Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File then Exit to close the program



MBR Rootkit Detector

Please download MBR.exe by GMER
Be sure to download it to the root of your drive, e.g. C:\MBR.exe


Once the download has finished, click Start > Run. Copy and paste the contents of the codebox below into the run box (Do Not include Code:), then click OK :
Code: Select all
CMD /C \mbr -t >Log.txt&Log.txt&del Log.txt

A log will be generated, Post the contents in your next reply.



Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 20.

  • Go to Sun Java
  • Scroll down to where it says "JDK 6 Update 20 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • In the Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u20-windows-i586.exe" and save the downloaded file to your desktop.
  • Uninstall all old versions of Java via Start > Control Panel > Add/Remove Programs:
    Java(TM) 6 Update 7
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer



Disable Spybot's TeaTimer
This is a two step process.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have versions 1.5 or 1.6, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.



Backup the Registry:

Modifying the Registry can create unforseen problems, so it always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Install ERUNT by following the prompts.
  • Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.(System registry & Current user registry)
  • Click on OK
  • When the Question pop-up appears click on Yes to create the folder.
  • After a short duration the Registry backup is complete! popup will appear
  • Now click on OK. A backup has been created.



OTM

Download OTM by Old Timer and save it to your Desktop.
  • Double-click OTM.exe to run it.
  • Paste the following code under the Image area. Do not include the word Code.
    Code: Select all
    
    :Reg
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce75a476-d092-11de-996a-00225f54032b}]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SearchSettings"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "HonorAutoRunSetting"=dword:00000001
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
    

    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large Image button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.


NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: trying to get rid of rogue security "Protection Center"

Unread postby fedupwroguesw » June 8th, 2010, 8:05 pm

I was able to get windows updates yesterday and it seems to be running better, the automatic updates worked. Thank you for all your help


ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/06/08 18:20
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA0EE6000 Size: 851968 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9FAAE000 Size: 49152 File Visible: No Signed: -
Status: -

Name: uphcleanhlp.sys
Image Path: C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Address: 0x9FFEA000 Size: 8960 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\rob\local settings\temp\~df1223.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\rob\local settings\temp\~df5740.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\rob\local settings\temp\~dfda73.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Interop.IWshRuntimeLibrary.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Interop.IWshRuntimeLibrary.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\stdole.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\stdole.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Xceed.Compression.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Xceed.Compression.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\DellDriverDownloadManager.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\DellDriverDownloadManager.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Core.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Core.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.ISOImage.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.ISOImage.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\DellDriverDownloadManager.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rob\Local Settings\Apps\2.0\WM1CB0O5.BRL\WMLNLB4M.66W\manifests\DellDriverDownloadManager.exe.cdf-ms
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8a4b1658

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x89a60390

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a4dc1b0

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x898ba4d0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x89a64b20

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x89a278b8

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x89a13c28

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8a484f28

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x89a5e210

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x89a59a90

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x89a32510

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x8a4923f8

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8a4a7630

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x89acb350

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8a4a97a8

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8a494a40

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x89a5f700

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8a492ab0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x89a53778

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x89a74568

#: 263 Function Name: NtUnloadKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\uphcleanhlp.sys" at address 0x9ffea6d0

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a4af9c0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x898ff780

==EOF==


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

All processes killed
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce75a476-d092-11de-996a-00225f54032b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ce75a476-d092-11de-996a-00225f54032b}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SearchSettings deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\\"HonorAutoRunSetting"|dword:00000001 /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 54903170 bytes
->Flash cache emptied: 9890 bytes

User: Rob
->Temp folder emptied: 2726342 bytes
->Temporary Internet Files folder emptied: 121485350 bytes
->Java cache emptied: 4529059 bytes
->Flash cache emptied: 5161 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 150127 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 175.00 mb


OTM by OldTimer - Version 3.1.12.2 log created on 06082010_194527

Files moved on Reboot...
C:\Documents and Settings\Rob\Local Settings\Temporary Internet Files\Content.IE5\VD92ACCU\viewtopic[1].htm moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_5a4.dat not found!

Registry entries deleted on Reboot...
fedupwroguesw
Regular Member
 
Posts: 35
Joined: June 2nd, 2010, 9:53 pm

Re: trying to get rid of rogue security "Protection Center"

Unread postby melboy » June 9th, 2010, 1:10 pm

Hi

How did you run MBR.exe? It needs to be at the root of your C:\ drive and then run the EXACT command I posted. Thanks - we're nearly done.



MBR Rootkit Detector

Be sure it's at the root of your drive, e.g. C:\MBR.exe

Click Start > Run. Copy and paste the contents of the codebox below into the run box (Do Not include Code:), then click OK :
Code: Select all
CMD /C \mbr -t >Log.txt&Log.txt&del Log.txt

A log will be generated, Post the contents in your next reply.



Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.



Please post back with The mbr log, the MBAM log and a fresh HijackThis log (Do a system scan and save a log file) and a description of how the computer is running now.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: trying to get rid of rogue security "Protection Center"

Unread postby melboy » June 11th, 2010, 1:21 pm

Hi fedupwroguesw

It has been two days since my last post.

  • Do you still need help?
  • Do you need more time?
  • Are you having problems following my instructions?
  • According to Malware Removal's latest policy, topics can be closed after 3 days without a response. If you do not reply within the next 24 hours, this topic will be closed.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 113 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware