Possible rootkit, I have doubts

  1. #1
    xero is offline Elite Member

    Possible rootkit, I have doubts

    I come to you largely empty handed.
    Avast! detected a rootkit, twice. One was on Friday, and prompted a Windows reinstallation; the other was after the reinstallation.
    I printed out your sticky, and have not much to offer.
    GMER ran its scans, then locked up. I was only able to get the computer going again by holding in the Start button, so no log to post. Neither the initial nor the subsequent scans indicated a rootkit warning. But it has made the computer very slow and I intend to use ERUNT to get back to normal, if you concur.
    MBRCheck did produce a log, DDS refused to run, twice. "Unexplained error."
    The reason for my doubts is that Avast! found the same rootkit before and after Windows reinstallation, what are the odds?
    Malwarebytes found nothing, so not much point in posting that.
    MBRCheck log:
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000007fd

    Kernel Drivers (total 135):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0A8000 isapnp.sys
    0xBA0B8000 ohci1394.sys
    0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xBA670000 pciide.sys
    0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xBA0D8000 MountMgr.sys
    0xB9F49000 ftdisk.sys
    0xBA330000 PartMgr.sys
    0xBA0E8000 VolSnap.sys
    0xB9F31000 atapi.sys
    0xBA0F8000 disk.sys
    0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB9F11000 fltmgr.sys
    0xB9EFF000 sr.sys
    0xB9EE8000 KSecDD.sys
    0xB9E5B000 Ntfs.sys
    0xB9E45000 inspect.sys
    0xB9E18000 \WINDOWS\System32\DRIVERS\NDIS.SYS
    0xBA338000 \WINDOWS\System32\DRIVERS\TDI.SYS
    0xB9DFE000 Mup.sys
    0xBA238000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB9B10000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB975A000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xB9746000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xBA3F0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB9722000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA3F8000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB96E4000 \SystemRoot\system32\DRIVERS\yk51x86.sys
    0xBA400000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xBA248000 \SystemRoot\system32\DRIVERS\serial.sys
    0xBA58C000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xB96D0000 \SystemRoot\system32\DRIVERS\parport.sys
    0xBA258000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xBA408000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xBA268000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xB96B8000 \SystemRoot\System32\Drivers\AnyDVD.sys
    0xBA278000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA288000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xB9695000 \SystemRoot\system32\DRIVERS\ks.sys
    0xBA7DA000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA298000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xBA594000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB967E000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA2A8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA2B8000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xB966D000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA2C8000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA410000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA418000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xBA2D8000 \SystemRoot\System32\Drivers\pcouffin.sys
    0xBA2E8000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA420000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA5CC000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB956F000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA5A4000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA308000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xB9121000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xB90FD000 \SystemRoot\system32\drivers\portcls.sys
    0xBA318000 \SystemRoot\system32\drivers\drmk.sys
    0xBA158000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA5D0000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xBA428000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xB4A4F000 \SystemRoot\System32\DRIVERS\cmdguard.sys
    0xBA5D6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA716000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA5D8000 \SystemRoot\System32\Drivers\Beep.SYS
    0xBA438000 \SystemRoot\System32\drivers\vga.sys
    0xBA5DA000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA5DC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA440000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xBA448000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xBA564000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB49F4000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB499B000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xBA450000 \SystemRoot\System32\DRIVERS\cmdhlp.sys
    0xB4975000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xBA178000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xBA188000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xB494D000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xBA458000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0xB492B000 \SystemRoot\System32\drivers\afd.sys
    0xBA198000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xBA1A8000 \SystemRoot\System32\Drivers\SCDEmu.SYS
    0xB4819000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    0xBA460000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xB47EE000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xB4756000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xBA1B8000 \SystemRoot\System32\Drivers\Fips.SYS
    0xBA468000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
    0xB470F000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xBA478000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xB4699000 \SystemRoot\system32\DRIVERS\AF15BDA.sys
    0xB4A17000 \SystemRoot\system32\DRIVERS\BdaSup.SYS
    0xBA480000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xBA490000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xB4A0B000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xBA1D8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xBA498000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xB4A07000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xB464D000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xB4635000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xBA5F0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB485F000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA348000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA6ED000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF065000 \SystemRoot\System32\ati2cqag.dll
    0xBF0FE000 \SystemRoot\System32\atikvmag.dll
    0xBF182000 \SystemRoot\System32\atiok3x2.dll
    0xBF1CD000 \SystemRoot\System32\ati3duag.dll
    0xBF572000 \SystemRoot\System32\ativvaxx.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xB2425000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xB22DD000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xB20AE000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xB1E69000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB2245000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB1A56000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xBA66E000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xB1986000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB1A83000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xBA430000 \SystemRoot\system32\WinFLdrv.sys
    0xB14E5000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB102A000 \SystemRoot\system32\DRIVERS\psi_mf.sys
    0xB0EEF000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 43):
    0 System Idle Process
    4 System
    760 C:\WINDOWS\system32\smss.exe
    808 csrss.exe
    840 C:\WINDOWS\system32\winlogon.exe
    884 C:\WINDOWS\system32\services.exe
    896 C:\WINDOWS\system32\lsass.exe
    1072 C:\WINDOWS\system32\ati2evxx.exe
    1092 C:\WINDOWS\system32\svchost.exe
    1164 svchost.exe
    1260 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    1296 C:\WINDOWS\system32\svchost.exe
    1452 svchost.exe
    1588 C:\WINDOWS\system32\ati2evxx.exe
    1648 svchost.exe
    1748 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    188 C:\WINDOWS\system32\spoolsv.exe
    1276 C:\WINDOWS\explorer.exe
    536 svchost.exe
    512 C:\Program Files\Bonjour\mDNSResponder.exe
    948 C:\Program Files\Secunia\PSI\psia.exe
    1972 C:\WINDOWS\RTHDCPL.exe
    2084 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    2328 C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    2336 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    2352 C:\Program Files\PowerISO\PWRISOVM.EXE
    2360 C:\Program Files\Unlocker\UnlockerAssistant.exe
    2368 C:\WINDOWS\system32\ctfmon.exe
    2384 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    2556 C:\WINDOWS\system32\wuauclt.exe
    2708 C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
    2716 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    2740 C:\Program Files\KWorld MultiMedia\TiVme\ScheduleAgent.exe
    2784 C:\Program Files\Secunia\PSI\psi_tray.exe
    2820 C:\Program Files\KWorld MultiMedia\RC Utility\KWRCtl.exe
    2876 C:\Program Files\Westnet Usage Grabber\wug.exe
    3376 C:\WINDOWS\system32\CNAB3RPK.EXE
    3504 alg.exe
    436 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    2896 C:\Program Files\Mozilla Firefox\firefox.exe
    2588 C:\WINDOWS\system32\wuauclt.exe
    1600 C:\Program Files\Secunia\PSI\sua.exe
    3988 C:\Documents and Settings\Russell Chapman\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
    \\.\E: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
    \\.\F: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (NTFS)
    \\.\H: --> \\.\PhysicalDrive2 at offset 0x0000007d`00146e00 (NTFS)
    \\.\I: --> \\.\PhysicalDrive3 at offset 0x00000080`2c72e000 (NTFS)

    PhysicalDrive0 Model Number: WDCWD1500HLFS-01G6U3, Rev: 04.04V05
    PhysicalDrive1 Model Number: ST32000542AS, Rev: CC34
    PhysicalDrive2 Model Number: ST31000340AS, Rev: SD15
    PhysicalDrive3 Model Number: WDCWD20EARS-00J2GB0, Rev: 80.00A80

    Size Device Name MBR Status
    --------------------------------------------
    139 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    1863 GB \\.\PhysicalDrive1 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    931 GB \\.\PhysicalDrive2 Unknown MBR code
    SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
    1863 GB \\.\PhysicalDrive3 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
    I attempted to attach 2 screenshots of the Avast (doc) result, and the forum is not allowing that. The "rootkit" is C:\Windows\system32\WinFLdrv.sys, if that helps.
    Last time I had a suspected rootkit, it turned out to be a likely false positive, confirmed, if that is the right word, by 2 other apps you provided links to. I would like those again if possible.
    Apart from GMER locking the computer, the other weird behavior is that it has "lost" one of the printers I reinstalled.
    Please advise, I am both baffled and frazzled.
    Last edited by xero; 24-01-2011 at 04:39 AM. Reason: Spelling
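The MBRCheck section of the log above hashes each drive's boot code and compares it against known Windows MBR code: three drives report the same SHA1, while PhysicalDrive2 reports "Unknown MBR code". The following is an added example, not MBRCheck's code and not from the thread, that performs the same kind of check on a 512-byte sector image in Python. It hashes the 440-byte boot-code area (which excludes the disk signature and partition table, so disks with identical boot code hash the same whatever their partition layout), validates the 0x55AA signature, and lists the partition byte offsets (the 0x7e00 offset in the log is LBA 63 × 512). The sample sectors, the baseline hash set and the assumption that MBRCheck hashes exactly this byte range are all constructions for this example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440   # bytes 0..439: boot code; 440..443: disk signature;
                      # 446..509: four 16-byte partition entries; 510..511: 0x55AA


def build_mbr(boot_code, disk_sig, partitions, valid_sig=True):
    """Assemble a 512-byte MBR. Used here only to construct sample input."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, disk_sig)
    for i, (status, ptype, lba_start, nsectors) in enumerate(partitions[:4]):
        off = 446 + 16 * i
        sector[off] = status        # 0x80 = bootable, 0x00 = not
        sector[off + 4] = ptype     # 0x07 = NTFS in the MBR partition-type table
        struct.pack_into("<II", sector, off + 8, lba_start, nsectors)
    if valid_sig:
        sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def parse_mbr(sector):
    """Hash the boot-code area, check the signature and decode the partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, nsectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:  # type 0 marks an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": nsectors,
                          "byte_offset": lba_start * SECTOR_SIZE})
    return {
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "partitions": parts,
    }


def classify_mbr(sector, known_good):
    """Mirror the vocabulary of the MBRCheck log: known code, unknown code, or invalid sector."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "Invalid MBR (missing 0x55AA signature)"
    if info["boot_code_sha1"] in known_good:
        return "Known MBR code detected"
    return "Unknown MBR code"


# Constructed sample boot code: a few plausible opening instructions, zero-padded.
SAMPLE_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8") + b"\x00" * (BOOT_CODE_LEN - 11)

# Constructed baseline. In practice the hash comes from a known-clean install of the same OS.
KNOWN_GOOD = {hashlib.sha1(SAMPLE_BOOT_CODE).hexdigest().upper()}

# One NTFS partition starting at LBA 63 (byte offset 0x7E00, as in the log).
CLEAN_MBR = build_mbr(SAMPLE_BOOT_CODE, 0x1A2B3C4D, [(0x80, 0x07, 63, 0x11A00000)])
# Same boot code, different disk signature and partition table: hashes the same,
# which is why drives 0, 1 and 3 in the log share one SHA1.
CLEAN_MBR_OTHER_DISK = build_mbr(SAMPLE_BOOT_CODE, 0x55667788, [(0x80, 0x07, 2048, 0x20000000)])
# Boot code altered in its first two bytes: no longer matches the baseline.
PATCHED_MBR = build_mbr(b"\xeb\x3c" + SAMPLE_BOOT_CODE[2:], 0x1A2B3C4D, [(0x80, 0x07, 63, 0x11A00000)])
# Signature bytes missing: not a valid MBR at all.
NO_SIG_MBR = build_mbr(SAMPLE_BOOT_CODE, 0x1A2B3C4D, [(0x80, 0x07, 63, 100)], valid_sig=False)

if __name__ == "__main__":
    for label, mbr in [("drive0", CLEAN_MBR), ("drive1", CLEAN_MBR_OTHER_DISK),
                       ("patched", PATCHED_MBR), ("nosig", NO_SIG_MBR)]:
        info = parse_mbr(mbr)
        print(label, info["boot_code_sha1"], classify_mbr(mbr, KNOWN_GOOD))
        for p in info["partitions"]:
            print("   partition at byte offset 0x%x, bootable=%s" % (p["byte_offset"], p["bootable"]))
```

On a live system the 512 bytes would be read from the raw device (for example `\\.\PhysicalDrive0`) with administrator rights, and the baseline set would hold the hash taken from a known-clean install of the same Windows version. "Unknown MBR code" is a prompt to look at what is there rather than a verdict on its own: boot managers and some disk tools legitimately replace the boot code, which is why the log's prompt offers "more options" instead of acting.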

  2. #2
    xero is offline Elite Member
    Well something is up.
    Nero is not working, and is missing from Add/Remove programs.
    Given the directive about not installing anything new I have refrained from reinstallation. Which is bloody inconvenient, but you get that.
    needed!
    I think I shall do some gardening!
    Last edited by xero; 24-01-2011 at 06:08 AM. Reason: gallows humour

  3. #3
    broni is offline Senior Member
    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

  4. #4
    xero is offline Elite Member
    Hi Broni,
    Thar she blows:
    2011/01/25 10:44:42.0984 TDSS rootkit removing tool 2.4.15.0 Jan 22 2011 19:37:53
    2011/01/25 10:44:42.0984 ================================================== ==============================
    2011/01/25 10:44:42.0984 SystemInfo:
    2011/01/25 10:44:42.0984
    2011/01/25 10:44:42.0984 OS Version: 5.1.2600 ServicePack: 3.0
    2011/01/25 10:44:42.0984 Product type: Workstation
    2011/01/25 10:44:42.0984 ComputerName: RUSSELL-D34FC42
    2011/01/25 10:44:42.0984 UserName: Russell Chapman
    2011/01/25 10:44:42.0984 Windows directory: C:\WINDOWS
    2011/01/25 10:44:42.0984 System windows directory: C:\WINDOWS
    2011/01/25 10:44:42.0984 Processor architecture: Intel x86
    2011/01/25 10:44:42.0984 Number of processors: 2
    2011/01/25 10:44:42.0984 Page size: 0x1000
    2011/01/25 10:44:42.0984 Boot type: Normal boot
    2011/01/25 10:44:42.0984 ================================================== ==============================
    2011/01/25 10:44:43.0781 Initialize success
    2011/01/25 10:45:01.0109 ================================================== ==============================
    2011/01/25 10:45:01.0109 Scan started
    2011/01/25 10:45:01.0109 Mode: Manual;
    2011/01/25 10:45:01.0109 ================================================== ==============================
    2011/01/25 10:45:01.0937 Aavmker4 (479c9835b91147be1a92cb76fad9c6de) C:\WINDOWS\system32\drivers\Aavmker4.sys
    2011/01/25 10:45:01.0984 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/01/25 10:45:02.0015 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/01/25 10:45:02.0046 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/01/25 10:45:02.0078 AF15BDA (e3f08935158038d385ad382442f4bb2d) C:\WINDOWS\system32\DRIVERS\AF15BDA.sys
    2011/01/25 10:45:02.0109 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2011/01/25 10:45:02.0203 AnyDVD (2b9996622040bdf865cbc1a25b483be3) C:\WINDOWS\system32\Drivers\AnyDVD.sys
    2011/01/25 10:45:02.0218 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/01/25 10:45:02.0281 aswFsBlk (cba53c5e29ae0a0ce76f9a2be3a40d9e) C:\WINDOWS\system32\drivers\aswFsBlk.sys
    2011/01/25 10:45:02.0296 aswMon2 (a1c52b822b7b8a5c2162d38f579f97b7) C:\WINDOWS\system32\drivers\aswMon2.sys
    2011/01/25 10:45:02.0312 aswRdr (b6e8c5874377a42756c282fac2e20836) C:\WINDOWS\system32\drivers\aswRdr.sys
    2011/01/25 10:45:02.0343 aswSP (b93a553c9b0f14263c8f016a44c3258c) C:\WINDOWS\system32\drivers\aswSP.sys
    2011/01/25 10:45:02.0359 aswTdi (1408421505257846eb336feeef33352d) C:\WINDOWS\system32\drivers\aswTdi.sys
    2011/01/25 10:45:02.0375 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/01/25 10:45:02.0406 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/01/25 10:45:02.0500 ati2mtag (c0b86ecb324e50f6bbd529f9d5c6b24b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    2011/01/25 10:45:02.0593 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/01/25 10:45:02.0625 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/01/25 10:45:02.0656 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/01/25 10:45:02.0687 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/01/25 10:45:02.0703 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2011/01/25 10:45:02.0734 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/01/25 10:45:02.0765 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/01/25 10:45:02.0781 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/01/25 10:45:02.0843 cmdGuard (dd530ee7d9efbb0ec42aebe7226b8a93) C:\WINDOWS\system32\DRIVERS\cmdguard.sys
    2011/01/25 10:45:02.0859 cmdHlp (07cbbe993ed08a52dafac1e6cf27b6a5) C:\WINDOWS\system32\DRIVERS\cmdhlp.sys
    2011/01/25 10:45:02.0953 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/01/25 10:45:02.0984 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/01/25 10:45:03.0031 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/01/25 10:45:03.0062 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/01/25 10:45:03.0078 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/01/25 10:45:03.0125 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/01/25 10:45:03.0140 ElbyCDIO (178cc9403816c082d22a1d47fa1f9c85) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
    2011/01/25 10:45:03.0187 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/01/25 10:45:03.0203 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/01/25 10:45:03.0218 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/01/25 10:45:03.0234 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/01/25 10:45:03.0265 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/01/25 10:45:03.0281 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/01/25 10:45:03.0296 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/01/25 10:45:03.0328 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/01/25 10:45:03.0343 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/01/25 10:45:03.0375 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/01/25 10:45:03.0406 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/01/25 10:45:03.0500 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/01/25 10:45:03.0531 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/01/25 10:45:03.0578 Inspect (8154a2c13b72b08db11157673c60c3eb) C:\WINDOWS\system32\DRIVERS\inspect.sys
    2011/01/25 10:45:03.0656 IntcAzAudAddService (12f4d2aa29745dc2a403ff42e75cf7fa) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2011/01/25 10:45:03.0750 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/01/25 10:45:03.0765 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/01/25 10:45:03.0781 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/01/25 10:45:03.0843 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/01/25 10:45:03.0875 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/01/25 10:45:03.0890 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/01/25 10:45:03.0906 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/01/25 10:45:03.0937 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/01/25 10:45:03.0968 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/01/25 10:45:03.0984 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/01/25 10:45:04.0015 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/01/25 10:45:04.0078 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/01/25 10:45:04.0109 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/01/25 10:45:04.0125 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/01/25 10:45:04.0156 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/01/25 10:45:04.0171 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/01/25 10:45:04.0203 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys
    2011/01/25 10:45:04.0234 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/01/25 10:45:04.0250 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/01/25 10:45:04.0312 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/01/25 10:45:04.0328 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/01/25 10:45:04.0343 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/01/25 10:45:04.0375 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/01/25 10:45:04.0390 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/01/25 10:45:04.0406 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/01/25 10:45:04.0421 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/01/25 10:45:04.0453 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/01/25 10:45:04.0468 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/01/25 10:45:04.0484 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/01/25 10:45:04.0500 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/01/25 10:45:04.0531 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/01/25 10:45:04.0546 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/01/25 10:45:04.0562 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/01/25 10:45:04.0578 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/01/25 10:45:04.0609 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/01/25 10:45:04.0640 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2011/01/25 10:45:04.0687 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/01/25 10:45:04.0718 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/01/25 10:45:04.0765 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/01/25 10:45:04.0781 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/01/25 10:45:04.0796 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/01/25 10:45:04.0812 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2011/01/25 10:45:04.0843 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/01/25 10:45:04.0859 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/01/25 10:45:04.0890 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/01/25 10:45:04.0921 pbfilter (61a5701e3f543861b21bbe0932c4cc03) C:\Program Files\PeerBlock\pbfilter.sys
    2011/01/25 10:45:04.0968 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/01/25 10:45:05.0000 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/01/25 10:45:05.0031 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/01/25 10:45:05.0046 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
    2011/01/25 10:45:05.0171 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/01/25 10:45:05.0203 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/01/25 10:45:05.0265 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
    2011/01/25 10:45:05.0281 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/01/25 10:45:05.0375 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/01/25 10:45:05.0390 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/01/25 10:45:05.0406 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/01/25 10:45:05.0421 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/01/25 10:45:05.0437 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/01/25 10:45:05.0468 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/01/25 10:45:05.0500 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/01/25 10:45:05.0531 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/01/25 10:45:05.0593 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    2011/01/25 10:45:05.0609 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    2011/01/25 10:45:05.0640 SCDEmu (f441ba47bd8610cb9536965bd7d1f943) C:\WINDOWS\system32\drivers\SCDEmu.sys
    2011/01/25 10:45:05.0687 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/01/25 10:45:05.0734 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/01/25 10:45:05.0765 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/01/25 10:45:05.0812 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/01/25 10:45:05.0843 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/01/25 10:45:05.0890 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/01/25 10:45:05.0906 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/01/25 10:45:05.0953 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/01/25 10:45:05.0968 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/01/25 10:45:06.0000 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/01/25 10:45:06.0015 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/01/25 10:45:06.0093 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/01/25 10:45:06.0125 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/01/25 10:45:06.0156 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/01/25 10:45:06.0171 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/01/25 10:45:06.0203 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/01/25 10:45:06.0250 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/01/25 10:45:06.0296 UnlockerDriver5 (bb879dcfd22926efbeb3298129898cbb) C:\Program Files\Unlocker\UnlockerDriver5.sys
    2011/01/25 10:45:06.0359 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/01/25 10:45:06.0406 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/01/25 10:45:06.0421 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/01/25 10:45:06.0453 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/01/25 10:45:06.0484 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/01/25 10:45:06.0500 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/01/25 10:45:06.0515 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/01/25 10:45:06.0531 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/01/25 10:45:06.0546 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/01/25 10:45:06.0593 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/01/25 10:45:06.0625 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/01/25 10:45:06.0656 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/01/25 10:45:06.0687 WinFLdrv (7acc77e135a709ae0f7e1df428a2f908) C:\WINDOWS\system32\WinFLdrv.sys
    2011/01/25 10:45:06.0734 Suspicious file (Hidden): C:\WINDOWS\system32\WinFLdrv.sys. md5: 7acc77e135a709ae0f7e1df428a2f908
    2011/01/25 10:45:06.0734 WinFLdrv - detected Hidden file (1)
    2011/01/25 10:45:06.0812 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/01/25 10:45:06.0843 yukonwxp (d3b19eed593d12cdd2b06ba0c2062876) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
    2011/01/25 10:45:07.0046 ================================================== ==============================
    2011/01/25 10:45:07.0046 Scan finished
    2011/01/25 10:45:07.0046 ================================================== ==============================
    2011/01/25 10:45:07.0062 Detected object count: 1
    2011/01/25 10:45:22.0031 Hidden file(WinFLdrv) - User select action: Skip

    Latest app to die is VLC, this is getting scary!

  5. #5
    broni is offline Senior Member
    It may be false positive.
    Do/did you have FolderLock installed?
    See here: ThreatExpert Report
    Item #19.

  6. #6
    xero is offline Elite Member
    After a spontaneous restart (I was out of the room!), VLC is working again, and it even downloaded the latest version. Go figure.

  7. #7
    broni is offline Senior Member
    Gremlins?
    I still would like to know about that FolderLock.

  8. #8
    xero is offline Elite Member
    Hi again,
    Yes I do have Folder Lock installed.
    I have had it about 6 weeks, and if it is the source of this problem I will be asking for my money back!
    I first had problems with apps, initially drivers in fact, around 4 weeks after the installation, so if FL is the problem (which they will doubtless deny) it took a while.
    What do you make of the spontaneous restart and the behavior of VLC, which is a very reliable app especially the more recent versions? Can this also be laid at the feet of Folder Lock?

  9. #9
    broni is offline Senior Member
    I don't know, but as you can see from my link, what is flagged by Avast as a rootkit is a part of FolderLock.
    It probably displays rootkit behavior and that's the reason for Avast alarm.
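Post #4's TDSSKiller log and the conclusion reached in posts #5 and #9 (the hidden driver WinFLdrv.sys belongs to Folder Lock, so the detection is likely a false positive) show the triage step a responder otherwise does by hand: pull the detection lines out of the log, take the reported md5, and check it against hashes that the vendor or an independent report attributes to a known product. The following is an added Python example, not TDSSKiller's code and not from the thread, that parses lines in the log format shown above and applies that check. The sample log is a constructed subset of post #4's log; the allowlist entry mapping that md5 to Folder Lock is an assumption made for this example, not a vendor-published hash.

```python
import re

# Constructed allowlist: md5 -> product. In real triage these come from the vendor
# or an independent report; this entry reuses the md5 from the thread's log and
# labels it as the Folder Lock driver purely as an example assumption.
KNOWN_VENDOR_HASHES = {
    "7acc77e135a709ae0f7e1df428a2f908": "Folder Lock driver (assumed for this example)",
}

# Line shapes seen in the log: every line starts with "YYYY/MM/DD HH:MM:SS.ffff".
TIMESTAMP_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} (?P<body>.*)$")
DRIVER_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
SUSPICIOUS_RE = re.compile(
    r"^Suspicious file \((?P<reason>[^)]+)\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})$")
ACTION_RE = re.compile(r"^.+?\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


def parse_tdsskiller_log(text):
    """Return (drivers by service name, detection records, chosen actions by name, detected count)."""
    drivers, detections, actions, count = {}, [], {}, None
    for raw in text.splitlines():
        m = TIMESTAMP_RE.match(raw.strip())
        if not m:
            continue  # blank line or a line without a log timestamp
        body = m.group("body")
        s = SUSPICIOUS_RE.match(body)
        if s:
            detections.append(s.groupdict())
            continue
        a = ACTION_RE.match(body)
        if a:
            actions[a.group("name")] = a.group("action")
            continue
        c = COUNT_RE.match(body)
        if c:
            count = int(c.group("n"))
            continue
        d = DRIVER_RE.match(body)
        if d:
            drivers[d.group("name")] = {"md5": d.group("md5"), "path": d.group("path")}
    return drivers, detections, actions, count


def triage_log(text):
    """Join each detection to its driver entry by md5 and check the hash against the allowlist."""
    drivers, detections, actions, count = parse_tdsskiller_log(text)
    by_md5 = {v["md5"]: name for name, v in drivers.items()}
    findings = []
    for det in detections:
        # Detection lines carry the path, not the service name; recover it via the md5,
        # falling back to the file name if no driver line matched.
        name = by_md5.get(det["md5"]) or det["path"].rsplit("\\", 1)[-1]
        product = KNOWN_VENDOR_HASHES.get(det["md5"])
        findings.append({
            "name": name, "path": det["path"], "reason": det["reason"], "md5": det["md5"],
            "action": actions.get(name, "none"),
            "verdict": "known-vendor" if product else "unverified",
            "product": product,
        })
    return {"driver_count": len(drivers), "detected_count": count, "findings": findings}


# Constructed subset of the log in post #4 (same line format, two driver entries kept).
SAMPLE_LOG = r"""
2011/01/25 10:45:01.0109 Scan started
2011/01/25 10:45:01.0937 Aavmker4 (479c9835b91147be1a92cb76fad9c6de) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/01/25 10:45:06.0687 WinFLdrv (7acc77e135a709ae0f7e1df428a2f908) C:\WINDOWS\system32\WinFLdrv.sys
2011/01/25 10:45:06.0734 Suspicious file (Hidden): C:\WINDOWS\system32\WinFLdrv.sys. md5: 7acc77e135a709ae0f7e1df428a2f908
2011/01/25 10:45:06.0734 WinFLdrv - detected Hidden file (1)
2011/01/25 10:45:07.0046 Scan finished
2011/01/25 10:45:07.0062 Detected object count: 1
2011/01/25 10:45:22.0031 Hidden file(WinFLdrv) - User select action: Skip
"""

if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    print(f"{result['driver_count']} drivers listed, {result['detected_count']} detection(s)")
    for f in result["findings"]:
        extra = f" ({f['product']})" if f["product"] else ""
        print(f"{f['name']}: {f['reason']} {f['path']} md5={f['md5']} "
              f"action={f['action']} -> {f['verdict']}{extra}")
```

A "known-vendor" verdict is a lead, not clearance: it says the bytes on disk are the ones a product ships, which is consistent with post #9's point that a legitimately installed tool can still behave like a rootkit by hiding its driver. An "unverified" verdict means the hash matched nothing on hand and the file should be checked with the vendor or an independent report, as the poster did with the earlier false positive.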

  10. #10
    xero is offline Elite Member
    False Positive, always sounds good, especially after looking down the barrel of another Windows reinstall.
    I will contact them, with your link, but I expect a stonewall response.
    Will report back with their response, FYI.
    Some things, like VLC and Nero, were never in Folder Lock, so I will assume it is safe to reinstall stuff.
    Thanks again for your ever friendly help.
