HELP Infected win32/01marik.tdl4 trojan


I am running Windows XP Media Edition. ESET came back with "win32/01marik.tdl4" trojan infection as well as a detection for ..."newgenerationp.com/x".

I downloaded Mbar and it came back with the following logs...

mbar log:

Malwarebytes Anti-Rootkit 1.1.0.1009

www.malwarebytes.org

Database version: v2012.12.03.11

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Joaquin :: HOME-8AE08796D2 [administrator]

12/3/2012 2:45:57 PM

mbar-log-2012-12-03 (14-45-57).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken

Scan options disabled: PUP | PUM | P2P

Objects scanned: 26068

Time elapsed: 24 minute(s), 37 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 5

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Bootstrap_0_0_44_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot. [6fc15857440feacd8fcdb372e06b3ab0]

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\MBR_0_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot. [9a154a23176dc6e2810ce6bf0e8b3706]

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Sector_0_156301151_user.mbam (Forged physical sector) -> Delete on reboot. [8240dd042845ebed5e91aabb51877474]

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Sector_0_156301177_user.mbam (Forged physical sector) -> Delete on reboot. [f036c0faf257caa4615e044197964be8]

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Sector_0_156301279_user.mbam (Forged physical sector) -> Delete on reboot. [a5443992b8a3e8faa46a5b77afc914c8]

(end)

System log:

Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_24

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 1.994000 GHz

Memory total: 937385984, free: 194953216

------------ Kernel report ------------

12/03/2012 14:06:41

------------ Loaded modules -----------

\WINDOWS\system32\ntkrnlpa.exe

\WINDOWS\system32\hal.dll

\WINDOWS\system32\KDCOM.DLL

\WINDOWS\system32\BOOTVID.dll

ACPI.sys

\WINDOWS\system32\DRIVERS\WMILIB.SYS

pci.sys

isapnp.sys

compbatt.sys

\WINDOWS\system32\DRIVERS\BATTC.SYS

pciide.sys

\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

MountMgr.sys

ftdisk.sys

dmload.sys

dmio.sys

ACPIEC.sys

\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS

PartMgr.sys

VolSnap.sys

atapi.sys

cercsr6.sys

\WINDOWS\System32\Drivers\SCSIPORT.SYS

disk.sys

\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

fltmgr.sys

sr.sys

DRVMCDB.SYS

PxHelp20.sys

KSecDD.sys

Ntfs.sys

NDIS.sys

Mup.sys

\SystemRoot\system32\DRIVERS\processr.sys

\SystemRoot\system32\DRIVERS\wmiacpi.sys

\SystemRoot\system32\DRIVERS\ati2mtag.sys

\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

\SystemRoot\system32\DRIVERS\bcmwl5.sys

\SystemRoot\system32\DRIVERS\usbohci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\imapi.sys

\SystemRoot\System32\Drivers\DLACDBHM.SYS

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\system32\DRIVERS\redbook.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\System32\Drivers\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\i8042prt.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\SynTP.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\bcm4sbxp.sys

\SystemRoot\system32\DRIVERS\sdbus.sys

\SystemRoot\system32\DRIVERS\CmBatt.sys

\SystemRoot\system32\DRIVERS\audstub.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\DRIVERS\psched.sys

\SystemRoot\system32\DRIVERS\msgpc.sys

\SystemRoot\system32\DRIVERS\ptilink.sys

\SystemRoot\system32\DRIVERS\raspti.sys

\SystemRoot\system32\DRIVERS\rdpdr.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\update.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\HSXHWAZL.sys

\SystemRoot\system32\DRIVERS\HSX_DPV.sys

\SystemRoot\system32\DRIVERS\HSX_CNXT.sys

\SystemRoot\System32\Drivers\Modem.SYS

\SystemRoot\system32\drivers\sthda.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\System32\Drivers\Fs_Rec.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\Drivers\DLARTL_N.SYS

\SystemRoot\system32\DRIVERS\ehdrv.sys

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\Drivers\mnmdd.SYS

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\rasacd.sys

\SystemRoot\system32\DRIVERS\ipsec.sys

\SystemRoot\system32\DRIVERS\tcpip.sys

\SystemRoot\system32\DRIVERS\netbt.sys

\SystemRoot\system32\DRIVERS\epfwtdir.sys

\SystemRoot\System32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\System32\Drivers\Fips.SYS

\SystemRoot\system32\DRIVERS\ipnat.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS

\SystemRoot\System32\Drivers\Cdfs.SYS

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_WMILIB.SYS

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\watchdog.sys

\SystemRoot\System32\drivers\dxg.sys

\SystemRoot\System32\drivers\dxgthk.sys

\SystemRoot\System32\ati2dvag.dll

\SystemRoot\System32\ati2cqag.dll

\SystemRoot\System32\atikvmag.dll

\SystemRoot\System32\ati3duag.dll

\SystemRoot\System32\ativvaxx.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\DRIVERS\eamon.sys

\SystemRoot\System32\Drivers\DRVNDDM.SYS

\SystemRoot\System32\DLA\DLADResN.SYS

\SystemRoot\System32\DLA\DLAIFS_M.SYS

\SystemRoot\System32\DLA\DLAOPIOM.SYS

\SystemRoot\System32\DLA\DLAPoolM.SYS

\SystemRoot\System32\DLA\DLABOIOM.SYS

\SystemRoot\System32\DLA\DLAUDFAM.SYS

\SystemRoot\System32\DLA\DLAUDF_M.SYS

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\drivers\wdmaud.sys

\SystemRoot\system32\drivers\sysaudio.sys

\SystemRoot\system32\DRIVERS\mrxdav.sys

\SystemRoot\System32\Drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\mdmxsdk.sys

\SystemRoot\system32\DRIVERS\srv.sys

\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys

\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys

\WINDOWS\system32\ntdll.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xffffffff8572eab8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: Unknown

Lower Device Object: 0xffffffff85788b00

Lower Device Driver Name: Unknown

Driver name found: atapi

DriverEntry returned 0x0

Function returned 0x0

Downloaded database version: v2012.12.03.11

Downloaded database version: v2012.11.30.01

Initializing...

Done!

Scanning directory: C:\WINDOWS\system32\drivers...

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xffffffff8572eab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff85783e08, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff8572eab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff85788b00, DeviceName: Unknown, DriverName: Unknown

------------ End ----------

Upper DeviceData: 0xffffffffe1c6ef88, 0xffffffff8572eab8, 0xffffffff845b7040

Lower DeviceData: 0xffffffffe2c0f308, 0xffffffff85788b00, 0xffffffff84635378

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: E686F016

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 63 Numsec = 156280257

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_24

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 1.994000 GHz

Memory total: 937385984, free: 399478784

------------ Kernel report ------------

12/03/2012 14:20:17


<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xffffffff85781ab8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: Unknown

Lower Device Object: 0xffffffff85728b00

Lower Device Driver Name: Unknown

Driver name found: atapi

DriverEntry returned 0x0

Function returned 0x0

Initializing...

Done!

Scanning directory: C:\WINDOWS\system32\drivers...

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xffffffff85781ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff8571f958, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff85781ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff85728b00, DeviceName: Unknown, DriverName: Unknown

------------ End ----------

Upper DeviceData: 0xffffffffe25b2e88, 0xffffffff85781ab8, 0xffffffff84788608

Lower DeviceData: 0xffffffffe1660868, 0xffffffff85728b00, 0xffffffff854f5040

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Done!

Drive 0

Scanning MBR on drive 0...

MBR is forged!

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: E686F016

Partition information:

Partition 0 type is Empty (0x0)

Partition is ACTIVE.

Partition starts at LBA: 44 Numsec = 0

Partition is not bootable

Infected: VBR on Empty active partition --> [Rootkit.Pihar.c.MBR]

Changing partition to empty and not active. New active partition is 0 on drive 0 ...

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 63 Numsec = 156280257

Partition file system is NTFS

Partition is bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

MBR infection found on drive 0

Disk Size: 80026361856 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-43-156281488-156301488)...

Sector 156301151 --> [Forged physical sector]

Sector 156301152 --> [Forged physical sector]

Sector 156301153 --> [Forged physical sector]

Sector 156301154 --> [Forged physical sector]

Sector 156301155 --> [Forged physical sector]

Sector 156301156 --> [Forged physical sector]

Sector 156301157 --> [Forged physical sector]

(I deleted the lines here because every sector was listed and the post was too long)

Done!

Performing system, memory and registry scan...

Done!

Scan finished


Hello slabh and welcome to MalwareBytes forums.

Backdoor trojan warning:

This is a point where you need to decide about whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer (Remote access trojan). Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

See this article on creating strong passwords http://www.microsoft.com/security/online-privacy/passwords-create.aspx

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh.

While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan

Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx

Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html

When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Rootkits: The Obscure Hacker Attack http://www.microsoft...tip/st1005.mspx

Help: I Got Hacked. Now What Do I Do? http://www.microsoft...gmt/sm0504.mspx

Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft...gmt/sm0704.mspx

Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com...,1945808,00.asp

Let me know what you decide.

If you decide to proceed with hunting for & removing malware, then do this:

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double-click My Computer; from the menu options, select Tools, then Folder Options, then the View tab, and look at all of the settings listed.

CHECK (turn on) Display the contents of system folders.

Under Hidden files and folders, select Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next, un-check Hide protected operating system files.

Step 3

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
    If running Vista or Windows 7, do a RIGHT-click and select Run as Administrator to start TDSSKiller.exe.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose
    Skip and click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 4

  • Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or
    >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Click on Scan.
  • Click on Report and copy/paste the content of the notepad into your next reply.

Step 5

RE-Enable your antivirus program.

Copy & Paste contents of TDSSKILLER log & RogueKiller log.

Use separate replies as needed if logs do not fit into one reply box.


RogueKiller Log

RogueKiller V8.3.1 [Dec 2 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Joaquin [Admin rights]

Mode : Scan -- Date : 12/03/2012 16:53:11

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK8034GSX +++++

--- User ---

[MBR] 9a154a23176dc6e2810ce6bf0e8b3706

[BSP] 0865dbc3033a5b0d1557ae0b87d99f0b : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_12032012_02d1653.txt >>

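The partition-table facts the MBAR log above reports (55AA boot signature, disk signature E686F016, an ACTIVE entry of type Empty with Numsec 0 at LBA 44, the real NTFS partition at LBA 63, and forged sectors in the unpartitioned tail of the disk) and the clean table RogueKiller prints afterwards can all be reproduced from a raw first sector. The following is an added example, not code from this thread or from Malwarebytes or Tigzy; the two 512-byte sectors are constructed from the values quoted in the logs, and DISK_BYTES is taken from the log's "Disk Size" line.

```python
"""Partition-table sanity checks of the kind MBAR and RogueKiller report (added example)."""
import struct

SECTOR_SIZE = 512
DISK_SIG_OFFSET = 0x1B8       # 4-byte NT disk signature, little-endian
PART_TABLE_OFFSET = 0x1BE     # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511 of the sector
DISK_BYTES = 80026361856      # "Disk Size: 80026361856 bytes" in the MBAR log
PART_TYPES = {0x00: "Empty", 0x07: "NTFS/HPFS (Primary)"}


def build_mbr(entries, disk_sig=0xE686F016):
    """Construct a 512-byte MBR from (status, type, start_lba, num_sectors) tuples.
    Boot code stays zero; CHS fields are zeroed because the checks use LBA only."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, disk_sig)
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    sector[0x1FE:0x200] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Decode the disk signature, the boot signature and the four partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, start, count = struct.unpack_from("<B3sB3sII", sector, off)
        entries.append({
            "index": i, "status": status, "type": ptype,
            "type_name": PART_TYPES.get(ptype, f"0x{ptype:02x}"),
            "start_lba": start, "num_sectors": count,
            "size_mib": count * SECTOR_SIZE // (1024 * 1024),  # RogueKiller's "Mo" column
        })
    return {
        "signature_ok": sector[0x1FE:0x200] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "entries": entries,
    }


def check_partition_table(mbr, disk_bytes):
    """Return a list of findings; an empty list means the table looks sane."""
    findings = []
    total_sectors = disk_bytes // SECTOR_SIZE
    if not mbr["signature_ok"]:
        findings.append("boot signature is not 55AA")
    if sum(1 for e in mbr["entries"] if e["status"] == 0x80) > 1:
        findings.append("more than one entry is marked ACTIVE")
    for e in mbr["entries"]:
        i = e["index"]
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{e['status']:02x}")
        if e["status"] == 0x80 and e["type"] == 0x00:
            # The condition MBAR logged as "VBR on Empty active partition".
            findings.append(f"entry {i}: ACTIVE but type Empty (0x0)")
        if e["status"] == 0x80 and e["num_sectors"] == 0:
            findings.append(f"entry {i}: ACTIVE with Numsec = 0")
        if e["type"] != 0x00 and e["start_lba"] == 0:
            findings.append(f"entry {i}: starts at LBA 0 and overlaps the MBR")
        if e["start_lba"] + e["num_sectors"] > total_sectors:
            findings.append(f"entry {i}: extends past the end of the disk")
    return findings


def unpartitioned_tail(mbr, disk_bytes):
    """(first_lba, sector_count) of the space after the last partition.
    MBAR scanned exactly this region and found the forged sectors there."""
    total_sectors = disk_bytes // SECTOR_SIZE
    ends = [e["start_lba"] + e["num_sectors"] for e in mbr["entries"] if e["type"] != 0x00]
    first = max(ends) if ends else 1
    return first, total_sectors - first


# Constructed samples using the values quoted in the MBAR log above.
FORGED_MBR = build_mbr([(0x80, 0x00, 44, 0)])          # "Empty (0x0)", ACTIVE, LBA 44, Numsec 0
CLEAN_MBR = build_mbr([(0x80, 0x07, 63, 156280257)])    # Primary (0x7), ACTIVE, LBA 63


if __name__ == "__main__":
    for name, raw in (("forged", FORGED_MBR), ("clean", CLEAN_MBR)):
        mbr = parse_mbr(raw)
        print(f"{name}: disk signature {mbr['disk_signature']:08X}, "
              f"findings: {check_partition_table(mbr, DISK_BYTES) or 'none'}")
    first, count = unpartitioned_tail(parse_mbr(CLEAN_MBR), DISK_BYTES)
    print(f"unpartitioned tail starts at LBA {first}, {count} sectors; "
          f"sector 156301151 inside: {first <= 156301151 < first + count}")
```

On a live disk the same checks apply to the first 512 bytes read from the physical drive, but on a TDL4-style infection the read itself may be answered by the rootkit's filter, which is why MBAR compares its own sector reads against what the disk stack returns.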

Is this the log for TDSS?

15:31:45.0936 3060 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35

15:31:46.0467 3060 ============================================================

15:31:46.0467 3060 Current date / time: 2012/12/03 15:31:46.0467

15:31:46.0467 3060 SystemInfo:

15:31:46.0467 3060

15:31:46.0467 3060 OS Version: 5.1.2600 ServicePack: 3.0

15:31:46.0467 3060 Product type: Workstation

15:31:46.0467 3060 ComputerName: HOME-8AE08796D2

15:31:46.0467 3060 UserName: Joaquin

15:31:46.0467 3060 Windows directory: C:\WINDOWS

15:31:46.0467 3060 System windows directory: C:\WINDOWS

15:31:46.0467 3060 Processor architecture: Intel x86

15:31:46.0467 3060 Number of processors: 1

15:31:46.0467 3060 Page size: 0x1000

15:31:46.0467 3060 Boot type: Normal boot

15:31:46.0467 3060 ============================================================

15:31:48.0749 3060 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054

15:31:48.0749 3060 ============================================================

15:31:48.0749 3060 \Device\Harddisk0\DR0:

15:31:48.0749 3060 MBR partitions:

15:31:48.0749 3060 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950A5C1

15:31:48.0749 3060 ============================================================

15:31:48.0796 3060 C: <-> \Device\Harddisk0\DR0\Partition1

15:31:48.0796 3060 ============================================================

15:31:48.0796 3060 Initialize success

15:31:48.0796 3060 ============================================================

15:32:31.0489 2888 ============================================================

15:32:31.0489 2888 Scan started

15:32:31.0489 2888 Mode: Manual;

15:32:31.0489 2888 ============================================================

15:32:31.0755 2888 ================ Scan system memory ========================

15:32:31.0770 2888 System memory - ok

15:32:31.0770 2888 ================ Scan services =============================


15:32:34.0802 2888 Dnscache - ok

15:32:34.0849 2888 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll

15:32:34.0865 2888 Dot3svc - ok

15:32:34.0865 2888 dpti2o - ok

15:32:34.0880 2888 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys

15:32:34.0896 2888 drmkaud - ok

15:32:34.0912 2888 [ FD0F95981FEF9073659D8EC58E40AA3C ] DRVMCDB C:\WINDOWS\system32\Drivers\DRVMCDB.SYS

15:32:34.0912 2888 DRVMCDB - ok

15:32:34.0927 2888 [ B4869D320428CDC5EC4D7F5E808E99B5 ] DRVNDDM C:\WINDOWS\system32\Drivers\DRVNDDM.SYS

15:32:34.0927 2888 DRVNDDM - ok

15:32:34.0974 2888 [ 1CEB779239965000B8F6ADEE17D4515B ] eamon C:\WINDOWS\system32\DRIVERS\eamon.sys

15:32:34.0990 2888 eamon - ok

15:32:35.0005 2888 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll

15:32:35.0021 2888 EapHost - ok

15:32:35.0052 2888 [ 7D300A43A7BD8769E0F901BF9E1AE367 ] ehdrv C:\WINDOWS\system32\DRIVERS\ehdrv.sys

15:32:35.0083 2888 ehdrv - ok

15:32:35.0177 2888 [ 5D1347AA5AE6E2F77D7F4F8372D95AC9 ] ehRecvr C:\WINDOWS\eHome\ehRecvr.exe

15:32:35.0177 2888 ehRecvr - ok

15:32:35.0240 2888 [ A53243709439AC2A4C216B817F8D7411 ] ehSched C:\WINDOWS\eHome\ehSched.exe

15:32:35.0240 2888 ehSched - ok

15:32:35.0302 2888 [ 1CD97C1DE1EA4C185D2B3FAC1F8513ED ] EhttpSrv C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

15:32:35.0318 2888 EhttpSrv - ok

15:32:35.0365 2888 [ E6A6E6D58A8DCB64A0FFBC43863D0A80 ] ekrn C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

15:32:35.0380 2888 ekrn - ok

15:32:35.0396 2888 [ ECD5F68E32FF5C6A728EB03DC892AE7F ] epfwtdir C:\WINDOWS\system32\DRIVERS\epfwtdir.sys

15:32:35.0443 2888 epfwtdir - ok

15:32:35.0490 2888 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll

15:32:35.0505 2888 ERSvc - ok

15:32:35.0552 2888 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe

15:32:35.0552 2888 Eventlog - ok

15:32:35.0615 2888 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\es.dll

15:32:35.0630 2888 EventSystem - ok

15:32:35.0630 2888 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys

15:32:35.0662 2888 Fastfat - ok

15:32:35.0724 2888 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll

15:32:35.0724 2888 FastUserSwitchingCompatibility - ok

15:32:35.0771 2888 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\drivers\Fdc.sys

15:32:35.0787 2888 Fdc - ok

15:32:35.0802 2888 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys

15:32:35.0818 2888 Fips - ok

15:32:35.0834 2888 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys

15:32:35.0849 2888 Flpydisk - ok

15:32:35.0896 2888 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys

15:32:35.0896 2888 FltMgr - ok

15:32:35.0974 2888 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

15:32:35.0974 2888 FontCache3.0.0.0 - ok

15:32:36.0005 2888 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys

15:32:36.0021 2888 Fs_Rec - ok

15:32:36.0037 2888 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys

15:32:36.0037 2888 Ftdisk - ok

15:32:36.0084 2888 [ 5DC17164F66380CBFEFD895C18467773 ] GEARAspiWDM C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

15:32:36.0084 2888 GEARAspiWDM - ok

15:32:36.0130 2888 [ 9D28B83E5830C143C37D6678C7409304 ] GoToAssist C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe

15:32:36.0130 2888 GoToAssist - ok

15:32:36.0193 2888 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys

15:32:36.0209 2888 Gpc - ok

15:32:36.0224 2888 [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

15:32:36.0240 2888 HDAudBus - ok

15:32:36.0334 2888 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll

15:32:36.0349 2888 helpsvc - ok

15:32:36.0349 2888 HidServ - ok

15:32:36.0412 2888 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys

15:32:36.0427 2888 HidUsb - ok

15:32:36.0474 2888 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll

15:32:36.0474 2888 hkmsvc - ok

15:32:36.0490 2888 hpn - ok

15:32:36.0568 2888 [ E8EC1767EA315A39A0DD8989952CA0E9 ] HSF_DPV C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys

15:32:36.0599 2888 HSF_DPV - ok

15:32:36.0630 2888 [ 61478FA42EE04562E7F11F4DCA87E9C8 ] HSXHWAZL C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys

15:32:36.0662 2888 HSXHWAZL - ok

15:32:36.0724 2888 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys

15:32:36.0756 2888 HTTP - ok

15:32:36.0787 2888 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll

15:32:36.0818 2888 HTTPFilter - ok

15:32:36.0818 2888 i2omgmt - ok

15:32:36.0834 2888 i2omp - ok

15:32:36.0865 2888 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys

15:32:36.0896 2888 i8042prt - ok

15:32:36.0990 2888 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

15:32:37.0037 2888 idsvc - ok

15:32:37.0068 2888 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys

15:32:37.0084 2888 Imapi - ok

15:32:37.0115 2888 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe

15:32:37.0131 2888 ImapiService - ok

15:32:37.0146 2888 ini910u - ok

15:32:37.0146 2888 IntelIde - ok

15:32:37.0193 2888 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys

15:32:37.0240 2888 Ip6Fw - ok

15:32:37.0256 2888 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

15:32:37.0302 2888 IpFilterDriver - ok

15:32:37.0318 2888 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys

15:32:37.0334 2888 IpInIp - ok

15:32:37.0365 2888 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys

15:32:37.0396 2888 IpNat - ok

15:32:37.0459 2888 [ 1CB96E83FD76EB5580451CEF29E24303 ] iPod Service C:\Program Files\iPod\bin\iPodService.exe

15:32:37.0474 2888 iPod Service - ok

15:32:37.0490 2888 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys

15:32:37.0521 2888 IPSec - ok

15:32:37.0537 2888 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys

15:32:37.0568 2888 IRENUM - ok

15:32:37.0584 2888 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys

15:32:37.0599 2888 isapnp - ok

15:32:37.0709 2888 [ 5E06A9D23727DAF96FAA796F1135FDCD ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe

15:32:37.0709 2888 JavaQuickStarterService - ok

15:32:37.0740 2888 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys

15:32:37.0756 2888 Kbdclass - ok

15:32:37.0803 2888 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys

15:32:37.0803 2888 kmixer - ok

15:32:37.0834 2888 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys

15:32:37.0849 2888 KSecDD - ok

15:32:37.0896 2888 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll

15:32:37.0896 2888 lanmanserver - ok

15:32:37.0928 2888 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll

15:32:37.0928 2888 lanmanworkstation - ok

15:32:37.0943 2888 lbrtfdc - ok

15:32:37.0990 2888 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll

15:32:37.0990 2888 LmHosts - ok

15:32:38.0021 2888 [ 4A5FFDF0FE830C448830BD4B02B02B4B ] mbamchameleon C:\WINDOWS\system32\drivers\mbamchameleon.sys

15:32:38.0021 2888 mbamchameleon - ok

15:32:38.0084 2888 [ DF0A511F38F16016BF658FCA0090CB87 ] McrdSvc C:\WINDOWS\ehome\mcrdsvc.exe

15:32:38.0084 2888 McrdSvc - ok

15:32:38.0084 2888 MCSTRM - ok

15:32:38.0115 2888 [ E246A32C445056996074A397DA56E815 ] mdmxsdk C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

15:32:38.0115 2888 mdmxsdk - ok

15:32:38.0146 2888 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll

15:32:38.0162 2888 Messenger - ok

15:32:38.0193 2888 [ B7521F69C0A9B29D356157229376FB21 ] MHN C:\WINDOWS\System32\mhn.dll

15:32:38.0193 2888 MHN - ok

15:32:38.0209 2888 [ 7F2F1D2815A6449D346FCCCBC569FBD6 ] MHNDRV C:\WINDOWS\system32\DRIVERS\mhndrv.sys

15:32:38.0224 2888 MHNDRV - ok

15:32:38.0271 2888 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys

15:32:38.0287 2888 mnmdd - ok

15:32:38.0318 2888 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe

15:32:38.0318 2888 mnmsrvc - ok

15:32:38.0349 2888 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys

15:32:38.0349 2888 Modem - ok

15:32:38.0365 2888 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys

15:32:38.0396 2888 Mouclass - ok

15:32:38.0443 2888 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys

15:32:38.0459 2888 mouhid - ok

15:32:38.0474 2888 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys

15:32:38.0474 2888 MountMgr - ok

15:32:38.0490 2888 mraid35x - ok

15:32:38.0506 2888 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys

15:32:38.0506 2888 MRxDAV - ok

15:32:38.0553 2888 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

15:32:38.0568 2888 MRxSmb - ok

15:32:38.0599 2888 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe

15:32:38.0599 2888 MSDTC - ok

15:32:38.0615 2888 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys

15:32:38.0615 2888 Msfs - ok

15:32:38.0631 2888 MSIServer - ok

15:32:38.0678 2888 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys

15:32:38.0693 2888 MSKSSRV - ok

15:32:38.0725 2888 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys

15:32:38.0740 2888 MSPCLOCK - ok

15:32:38.0756 2888 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys

15:32:38.0771 2888 MSPQM - ok

15:32:38.0803 2888 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys

15:32:38.0818 2888 mssmbios - ok

15:32:38.0865 2888 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys

15:32:38.0865 2888 Mup - ok

15:32:38.0943 2888 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll

15:32:38.0943 2888 napagent - ok

15:32:39.0006 2888 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys

15:32:39.0006 2888 NDIS - ok

15:32:39.0037 2888 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys

15:32:39.0068 2888 NdisTapi - ok

15:32:39.0100 2888 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys

15:32:39.0115 2888 Ndisuio - ok

15:32:39.0115 2888 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys

15:32:39.0146 2888 NdisWan - ok

15:32:39.0162 2888 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys

15:32:39.0162 2888 NDProxy - ok

15:32:39.0178 2888 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys

15:32:39.0178 2888 NetBIOS - ok

15:32:39.0209 2888 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys

15:32:39.0240 2888 NetBT - ok

15:32:39.0287 2888 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe

15:32:39.0287 2888 NetDDE - ok

15:32:39.0303 2888 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe

15:32:39.0303 2888 NetDDEdsdm - ok

15:32:39.0350 2888 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe

15:32:39.0350 2888 Netlogon - ok

15:32:39.0365 2888 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll

15:32:39.0381 2888 Netman - ok

15:32:39.0412 2888 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe

15:32:39.0412 2888 NetTcpPortSharing - ok

15:32:39.0475 2888 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll

15:32:39.0475 2888 Nla - ok

15:32:39.0521 2888 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys

15:32:39.0521 2888 Npfs - ok

15:32:39.0568 2888 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys

15:32:39.0584 2888 Ntfs - ok

15:32:39.0600 2888 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe

15:32:39.0600 2888 NtLmSsp - ok

15:32:39.0647 2888 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll

15:32:39.0647 2888 NtmsSvc - ok

15:32:39.0678 2888 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys

15:32:39.0709 2888 Null - ok

15:32:39.0756 2888 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

15:32:39.0772 2888 NwlnkFlt - ok

15:32:39.0787 2888 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

15:32:39.0803 2888 NwlnkFwd - ok

15:32:39.0818 2888 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\drivers\Parport.sys

15:32:39.0850 2888 Parport - ok

15:32:39.0850 2888 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys

15:32:39.0850 2888 PartMgr - ok

15:32:39.0897 2888 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys

15:32:39.0912 2888 ParVdm - ok

15:32:39.0928 2888 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys

15:32:39.0928 2888 PCI - ok

15:32:39.0928 2888 PCIDump - ok

15:32:39.0959 2888 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys

15:32:39.0959 2888 PCIIde - ok

15:32:39.0959 2888 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys

15:32:40.0006 2888 Pcmcia - ok

15:32:40.0022 2888 PDCOMP - ok

15:32:40.0022 2888 PDFRAME - ok

15:32:40.0037 2888 PDRELI - ok

15:32:40.0037 2888 PDRFRAME - ok

15:32:40.0053 2888 perc2 - ok

15:32:40.0068 2888 perc2hib - ok

15:32:40.0115 2888 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe

15:32:40.0115 2888 PlugPlay - ok

15:32:40.0115 2888 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe

15:32:40.0131 2888 PolicyAgent - ok

15:32:40.0178 2888 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys

15:32:40.0209 2888 PptpMiniport - ok

15:32:40.0225 2888 [ A32BEBAF723557681BFC6BD93E98BD26 ] Processor C:\WINDOWS\system32\DRIVERS\processr.sys

15:32:40.0240 2888 Processor - ok

15:32:40.0256 2888 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe

15:32:40.0256 2888 ProtectedStorage - ok

15:32:40.0272 2888 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys

15:32:40.0303 2888 PSched - ok

15:32:40.0318 2888 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys

15:32:40.0334 2888 Ptilink - ok

15:32:40.0365 2888 [ 7C81AE3C9B82BA2DA437ED4D31BC56CF ] PxHelp20 C:\WINDOWS\system32\Drivers\PxHelp20.sys

15:32:40.0365 2888 PxHelp20 - ok

15:32:40.0365 2888 ql1080 - ok

15:32:40.0381 2888 Ql10wnt - ok

15:32:40.0397 2888 ql12160 - ok

15:32:40.0397 2888 ql1240 - ok

15:32:40.0412 2888 ql1280 - ok

15:32:40.0443 2888 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys

15:32:40.0459 2888 RasAcd - ok

15:32:40.0506 2888 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll

15:32:40.0522 2888 RasAuto - ok

15:32:40.0537 2888 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

15:32:40.0553 2888 Rasl2tp - ok

15:32:40.0615 2888 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll

15:32:40.0615 2888 RasMan - ok

15:32:40.0631 2888 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys

15:32:40.0647 2888 RasPppoe - ok

15:32:40.0662 2888 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys

15:32:40.0678 2888 Raspti - ok

15:32:40.0725 2888 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys

15:32:40.0725 2888 Rdbss - ok

15:32:40.0740 2888 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

15:32:40.0756 2888 RDPCDD - ok

15:32:40.0787 2888 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys

15:32:40.0803 2888 rdpdr - ok

15:32:40.0850 2888 [ 5B3055DAA788BD688594D2F5981F2A83 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys

15:32:40.0850 2888 RDPWD - ok

15:32:40.0897 2888 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe

15:32:40.0897 2888 RDSessMgr - ok

15:32:40.0912 2888 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys

15:32:40.0944 2888 redbook - ok

15:32:40.0975 2888 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll

15:32:40.0975 2888 RemoteAccess - ok

15:32:41.0006 2888 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll

15:32:41.0006 2888 RemoteRegistry - ok

15:32:41.0022 2888 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe

15:32:41.0022 2888 RpcLocator - ok

15:32:41.0069 2888 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\system32\rpcss.dll

15:32:41.0069 2888 RpcSs - ok

15:32:41.0115 2888 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe

15:32:41.0131 2888 RSVP - ok

15:32:41.0147 2888 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe

15:32:41.0147 2888 SamSs - ok

15:32:41.0162 2888 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe

15:32:41.0162 2888 SCardSvr - ok

15:32:41.0225 2888 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll

15:32:41.0240 2888 Schedule - ok

15:32:41.0287 2888 [ 8D04819A3CE51B9EB47E5689B44D43C4 ] sdbus C:\WINDOWS\system32\DRIVERS\sdbus.sys

15:32:41.0350 2888 sdbus - ok

15:32:41.0381 2888 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys

15:32:41.0412 2888 Secdrv - ok

15:32:41.0428 2888 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll

15:32:41.0444 2888 seclogon - ok

15:32:41.0459 2888 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll

15:32:41.0475 2888 SENS - ok

15:32:41.0506 2888 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\drivers\Serial.sys

15:32:41.0553 2888 Serial - ok

15:32:41.0631 2888 [ 0FA803C64DF0914B41F807EA276BF2A6 ] sffdisk C:\WINDOWS\system32\DRIVERS\sffdisk.sys

15:32:41.0647 2888 sffdisk - ok

15:32:41.0678 2888 [ C17C331E435ED8737525C86A7557B3AC ] sffp_sd C:\WINDOWS\system32\DRIVERS\sffp_sd.sys

15:32:41.0694 2888 sffp_sd - ok

15:32:41.0725 2888 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys

15:32:41.0741 2888 Sfloppy - ok

15:32:41.0803 2888 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll

15:32:41.0819 2888 SharedAccess - ok

15:32:41.0834 2888 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll

15:32:41.0850 2888 ShellHWDetection - ok

15:32:41.0850 2888 Simbad - ok

15:32:41.0866 2888 Sparrow - ok

15:32:41.0897 2888 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys

15:32:41.0912 2888 splitter - ok

15:32:41.0959 2888 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe

15:32:41.0959 2888 Spooler - ok

15:32:41.0991 2888 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys

15:32:41.0991 2888 sr - ok

15:32:42.0053 2888 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll

15:32:42.0053 2888 srservice - ok

15:32:42.0131 2888 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys

15:32:42.0131 2888 Srv - ok

15:32:42.0178 2888 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll

15:32:42.0178 2888 SSDPSRV - ok

15:32:42.0287 2888 [ 951801DFB54D86F611F0AF47825476F9 ] STHDA C:\WINDOWS\system32\drivers\sthda.sys

15:32:42.0366 2888 STHDA - ok

15:32:42.0428 2888 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll

15:32:42.0444 2888 stisvc - ok

15:32:42.0491 2888 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys

15:32:42.0506 2888 swenum - ok

15:32:42.0538 2888 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys

15:32:42.0584 2888 swmidi - ok

15:32:42.0600 2888 SwPrv - ok

15:32:42.0600 2888 symc810 - ok

15:32:42.0616 2888 symc8xx - ok

15:32:42.0631 2888 sym_hi - ok

15:32:42.0647 2888 sym_u3 - ok

15:32:42.0694 2888 [ FA2DAA32BED908023272A0F77D625DAE ] SynTP C:\WINDOWS\system32\DRIVERS\SynTP.sys

15:32:42.0725 2888 SynTP - ok

15:32:42.0741 2888 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys

15:32:42.0756 2888 sysaudio - ok

15:32:42.0772 2888 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe

15:32:42.0788 2888 SysmonLog - ok

15:32:42.0819 2888 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll

15:32:42.0819 2888 TapiSrv - ok

15:32:42.0881 2888 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys

15:32:42.0881 2888 Tcpip - ok

15:32:42.0913 2888 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys

15:32:42.0928 2888 TDPIPE - ok

15:32:42.0928 2888 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys

15:32:42.0959 2888 TDTCP - ok

15:32:42.0975 2888 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys

15:32:43.0022 2888 TermDD - ok

15:32:43.0084 2888 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll

15:32:43.0100 2888 TermService - ok

15:32:43.0116 2888 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll

15:32:43.0116 2888 Themes - ok

15:32:43.0163 2888 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe

15:32:43.0163 2888 TlntSvr - ok

15:32:43.0178 2888 TosIde - ok

15:32:43.0209 2888 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll

15:32:43.0209 2888 TrkWks - ok

15:32:43.0225 2888 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys

15:32:43.0256 2888 Udfs - ok

15:32:43.0256 2888 ultra - ok

15:32:43.0319 2888 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys

15:32:43.0366 2888 Update - ok

15:32:43.0397 2888 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll

15:32:43.0413 2888 upnphost - ok

15:32:43.0413 2888 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe

15:32:43.0428 2888 UPS - ok

15:32:43.0475 2888 [ F340199E8CB097E1ACD58A967C665919 ] USBAAPL C:\WINDOWS\system32\Drivers\usbaapl.sys

15:32:43.0491 2888 USBAAPL - ok

15:32:43.0522 2888 [ E919708DB44ED8543A7C017953148330 ] usbaudio C:\WINDOWS\system32\drivers\usbaudio.sys

15:32:43.0553 2888 usbaudio - ok

15:32:43.0600 2888 [ D9F3BB7C292F194F3B053CE295754EB8 ] usbbus C:\WINDOWS\system32\DRIVERS\lgusbbus.sys

15:32:43.0600 2888 usbbus - ok

15:32:43.0631 2888 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys

15:32:43.0647 2888 usbccgp - ok

15:32:43.0678 2888 [ C4F77DA649F99FAD116EA585376FC164 ] UsbDiag C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys

15:32:43.0710 2888 UsbDiag - ok

15:32:43.0741 2888 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys

15:32:43.0756 2888 usbehci - ok

15:32:43.0772 2888 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys

15:32:43.0788 2888 usbhub - ok

15:32:43.0819 2888 [ C0613CE45E617BC671DE8EBB1B30D175 ] USBModem C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys

15:32:43.0819 2888 USBModem - ok

15:32:43.0850 2888 [ 0DAECCE65366EA32B162F85F07C6753B ] usbohci C:\WINDOWS\system32\DRIVERS\usbohci.sys

15:32:43.0866 2888 usbohci - ok

15:32:43.0897 2888 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys

15:32:43.0913 2888 usbscan - ok

15:32:43.0944 2888 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

15:32:43.0960 2888 USBSTOR - ok

15:32:43.0991 2888 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys

15:32:44.0006 2888 VgaSave - ok

15:32:44.0022 2888 ViaIde - ok

15:32:44.0038 2888 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys

15:32:44.0038 2888 VolSnap - ok

15:32:44.0100 2888 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe

15:32:44.0116 2888 VSS - ok

15:32:44.0194 2888 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll

15:32:44.0194 2888 W32Time - ok

15:32:44.0241 2888 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys

15:32:44.0257 2888 Wanarp - ok

15:32:44.0272 2888 WDICA - ok

15:32:44.0288 2888 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys

15:32:44.0303 2888 wdmaud - ok

15:32:44.0335 2888 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll

15:32:44.0335 2888 WebClient - ok

15:32:44.0382 2888 [ BA6B6FB242A6BA4068C8B763063BEB63 ] winachsf C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys

15:32:44.0413 2888 winachsf - ok

15:32:44.0507 2888 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll

15:32:44.0522 2888 winmgmt - ok

15:32:44.0538 2888 wltrysvc - ok

15:32:44.0569 2888 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll

15:32:44.0569 2888 WmdmPmSN - ok

15:32:44.0616 2888 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll

15:32:44.0632 2888 Wmi - ok

15:32:44.0647 2888 [ C42584FD66CE9E17403AEBCA199F7BDB ] WmiAcpi C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

15:32:44.0663 2888 WmiAcpi - ok

15:32:44.0694 2888 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe

15:32:44.0694 2888 WmiApSrv - ok

15:32:44.0819 2888 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe

15:32:44.0850 2888 WMPNetworkSvc - ok

15:32:44.0882 2888 [ CF4DEF1BF66F06964DC0D91844239104 ] WpdUsb C:\WINDOWS\system32\Drivers\wpdusb.sys

15:32:44.0882 2888 WpdUsb - ok

15:32:44.0944 2888 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll

15:32:44.0944 2888 wscsvc - ok

15:32:44.0960 2888 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll

15:32:44.0991 2888 wuauserv - ok

15:32:45.0022 2888 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys

15:32:45.0038 2888 WudfPf - ok

15:32:45.0069 2888 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys

15:32:45.0069 2888 WudfRd - ok

15:32:45.0085 2888 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll

15:32:45.0085 2888 WudfSvc - ok

15:32:45.0147 2888 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll

15:32:45.0163 2888 WZCSVC - ok

15:32:45.0163 2888 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll

15:32:45.0179 2888 xmlprov - ok

15:32:45.0194 2888 ================ Scan global ===============================

15:32:45.0257 2888 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll

15:32:45.0304 2888 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll

15:32:45.0335 2888 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll

15:32:45.0350 2888 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe

15:32:45.0350 2888 [Global] - ok

15:32:45.0366 2888 ================ Scan MBR ==================================

15:32:45.0366 2888 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0

15:32:45.0366 2888 Suspicious mbr (Forged): \Device\Harddisk0\DR0

15:32:45.0382 2888 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected

15:32:45.0382 2888 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)

15:32:45.0397 2888 ================ Scan VBR ==================================

15:32:45.0397 2888 [ 71FAA3142DDC3CC757063053085BA61B ] \Device\Harddisk0\DR0\Partition1

15:32:45.0397 2888 \Device\Harddisk0\DR0\Partition1 - ok

15:32:45.0397 2888 ============================================================

15:32:45.0397 2888 Scan finished

15:32:45.0397 2888 ============================================================

15:32:45.0413 2608 Detected object count: 1

15:32:45.0413 2608 Actual detected object count: 1

15:35:23.0200 2608 \Device\Harddisk0\DR0\# - copied to quarantine

15:35:23.0200 2608 \Device\Harddisk0\DR0 - copied to quarantine

15:35:23.0231 2608 \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine

15:35:23.0262 2608 \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine

15:35:23.0278 2608 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine

15:35:23.0294 2608 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine

15:35:23.0309 2608 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine

15:35:23.0356 2608 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine

15:35:23.0356 2608 \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine

15:35:23.0372 2608 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine

15:35:23.0372 2608 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine

15:35:23.0372 2608 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine

15:35:23.0372 2608 \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine

15:35:23.0372 2608 \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine

15:35:23.0387 2608 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine

15:35:23.0419 2608 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot

15:35:23.0419 2608 \Device\Harddisk0\DR0 - ok

15:35:23.0419 2608 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure

15:35:29.0013 2160 Deinitialize success


Yes, that is the log. This indicates it removed some of the remainders of a backdoor rootkit.

Confirm for me that you have read my previous notes and that you have covered the identity-fraud steps!!

Next:

Download aswMBR.exe ( 511KB ) to your desktop.

On Windows 7 or Vista, RIGHT click on aswMBR.exe and select Run As Administrator to start.

On Windows XP, double click the exe to start.

Change the a-v scan to None.

Uncheck "trace disk IO calls".

Click the "Scan" button to start the scan.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply. (Note whether the Fix button, not the FixMBR button, is enabled, and tell me.)

Step 2

Logoff and Restart the system fresh.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

If you have a prior copy of Combofix, delete it now !

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages.

It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system, how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe, accept the EULA & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue scanning for malware. Click on Yes to continue.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

Notes:

[1] IF after Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

....please reboot the computer; this should resolve the problem. You may have to reboot the PC a second time if needed.

[2] Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

[3] When all done, IF Combofix did not do a Restart, then I need you to Restart the system fresh!

Reply & Copy / Paste the contents of C:\Combofix.txt log and tell me, How is the system now ?

RE-Enable your AntiVirus and AntiSpyware applications.

There will be more to do later. We are not done yet.

Make sure you do NOT do any websurfing of any kind, nor do any online shopping or banking until I give the all clear.


aswMBR Log:

ftware

Run date: 2012-12-07 16:58:50

-----------------------------

16:58:50.055 OS Version: Windows 5.1.2600 Service Pack 3

16:58:50.055 Number of processors: 1 586 0x4C02

16:58:50.055 ComputerName: HOME-8AE08796D2 UserName: Joaquin

16:58:51.102 Initialize success

16:59:34.901 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

16:59:34.901 Disk 0 Vendor: TOSHIBA_MK8034GSX AH301D Size: 76319MB BusType: 3

16:59:34.932 Disk 0 MBR read successfully

16:59:34.932 Disk 0 MBR scan

16:59:34.932 Disk 0 Windows XP default MBR code

16:59:34.932 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 63

16:59:34.932 Disk 0 scanning sectors +156280320

16:59:35.011 Disk 0 scanning C:\WINDOWS\system32\drivers

16:59:47.417 Service scanning

17:00:01.371 Modules scanning

17:00:09.668 Module: C:\WINDOWS\System32\DLA\DLADResN.SYS **SUSPICIOUS**

17:00:11.090 Scan finished successfully

17:02:07.142 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Joaquin\Desktop\MBR.dat"

17:02:07.142 The log file has been saved successfully to "C:\Documents and Settings\Joaquin\Desktop\aswMBR.txt"

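The TDSSKiller and aswMBR output above show the three things a bootkit check looks at: the boot code in sector 0 (TDSSKiller reported it as "Forged"; after the cure aswMBR reports "Windows XP default MBR code"), the partition table (one bootable NTFS partition at offset 63), and the sectors past the end of the last partition, which is where the MBAR log's "Forged physical sector" hits (156301151 and up) sit and where TDL4 keeps its hidden TDLFS store. The Python script below is an added example, not a tool from the thread: it parses a 512-byte MBR, computes the unallocated tail of the disk, flags reported sector numbers that fall in that tail, and compares the boot-code region against a reference image such as the MBR.dat that aswMBR saved. The MBR bytes, the disk signature and the 156,301,488-sector disk size are constructed or assumed to resemble the logged layout; nothing here was read from the machine in the thread.

```python
"""Parse a 512-byte MBR, find the unpartitioned tail of the disk and check whether
scanner-reported sector numbers fall in it.  The MBR bytes, disk signature and disk
size below are constructed to resemble the layout in the logs (one bootable NTFS
partition at LBA 63 on an ~80 GB disk); they are not read from the infected machine."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: boot code; 440..443: NT disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries end at byte 509
MBR_SIGNATURE = 0xAA55   # stored little-endian, so bytes 510..511 read 55 AA

# Assumed total sector count of an 80 GB disk: 80,026,361,856 bytes / 512.
DISK_SECTORS = 156_301_488


def parse_mbr(mbr: bytes) -> dict:
    """Decode the partition table and hash the boot-code region of one sector."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    (sig,) = struct.unpack_from("<H", mbr, 510)
    if sig != MBR_SIGNATURE:
        raise ValueError(f"bad MBR signature 0x{sig:04X}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        if ptype == 0 and count == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "boot_code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
        "partitions": partitions,
    }


def unallocated_tail(parsed: dict, disk_sectors: int):
    """LBA range [first free sector, disk_sectors) after the last partition, or None."""
    end = max((p["lba_start"] + p["sectors"] for p in parsed["partitions"]), default=0)
    return (end, disk_sectors) if end < disk_sectors else None


def sectors_in_tail(reported: list, tail) -> list:
    """Reported sectors that lie outside every partition, where TDL4 keeps its TDLFS store."""
    if tail is None:
        return []
    lo, hi = tail
    return [s for s in reported if lo <= s < hi]


def boot_code_matches(mbr_a: bytes, mbr_b: bytes) -> bool:
    """Compare only the boot-code bytes of two MBR images, e.g. a fresh read of
    sector 0 against the MBR.dat that aswMBR saved after cleaning."""
    return mbr_a[:BOOT_CODE_LEN] == mbr_b[:BOOT_CODE_LEN]


def build_sample_mbr(boot_byte: int = 0x33, lba_start: int = 63,
                     sectors: int = 156_278_784) -> bytes:
    """Constructed MBR: a one-byte stand-in for boot code, a made-up disk signature
    and one bootable NTFS (type 0x07) partition; sector count assumed from 76308 MB."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0] = boot_byte
    struct.pack_into("<I", mbr, 440, 0x12345678)
    struct.pack_into("<B3sB3sII", mbr, PART_TABLE_OFF,
                     0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", lba_start, sectors)
    struct.pack_into("<H", mbr, 510, MBR_SIGNATURE)
    return bytes(mbr)


if __name__ == "__main__":
    reference = build_sample_mbr()
    info = parse_mbr(reference)
    tail = unallocated_tail(info, DISK_SECTORS)
    # Sector numbers that MBAR reported as "Forged physical sector" in the first post.
    flagged = sectors_in_tail([156301151, 156301177, 156301279], tail)
    print("partitions:", info["partitions"])
    print("unallocated tail:", tail, "-> reported sectors inside it:", flagged)
    tampered = build_sample_mbr(boot_byte=0x34)   # one patched boot-code byte
    print("boot code matches reference:", boot_code_matches(reference, tampered))
```

On a real system the 512 bytes would come from reading the start of \\.\PhysicalDrive0 (administrator rights required) in place of build_sample_mbr(). A rootkit that hooks the disk driver stack can hand such a read a clean copy of sector 0 while the real one is forged, which is why MBAR and TDSSKiller read below the filter stack and why this kind of check is only conclusive from offline boot media.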

Combofix Log:

ComboFix 12-12-04.01 - Joaquin 12/07/2012 17:29:13.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.394 [GMT -5:00]

Running from: c:\documents and settings\Joaquin\Desktop\Combo-Fix.exe

AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Joaquin\Application Data\C8B8ED

c:\documents and settings\Joaquin\g2mdlhlpx.exe

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\fusion.dll

c:\windows\system32\URTTemp\mscoree.dll

c:\windows\system32\URTTemp\mscoree.dll.local

c:\windows\system32\URTTemp\mscorsn.dll

c:\windows\system32\URTTemp\mscorwks.dll

c:\windows\system32\URTTemp\msvcr71.dll

c:\windows\system32\URTTemp\regtlib.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-11-07 to 2012-12-07 )))))))))))))))))))))))))))))))

.

.

2012-12-04 08:11 . 2012-08-28 15:14 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll

2012-12-03 21:52 . 2012-12-03 21:52 14336 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2012-12-03 20:35 . 2012-12-03 20:35 -------- d-----w- C:\TDSSKiller_Quarantine

2012-12-03 20:27 . 2012-12-03 20:27 -------- d-----w- c:\program files\ERUNT

2012-12-03 19:27 . 2012-12-03 19:27 -------- d-----w- c:\documents and settings\Joaquin\Local Settings\Application Data\ESET

2012-12-03 19:12 . 2012-12-03 19:13 -------- d-----w- c:\documents and settings\Administrator

2012-12-03 19:06 . 2012-12-03 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-12-03 19:06 . 2012-12-03 19:06 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-10-22 08:37 . 2004-08-10 11:00 1866368 ----a-w- c:\windows\system32\win32k.sys

2012-10-02 18:04 . 2004-08-10 11:00 58368 ----a-w- c:\windows\system32\synceng.dll

2009-03-21 15:01 . 2008-05-07 04:17 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2009-03-21 15:01 . 2008-05-07 04:17 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2009-03-21 15:01 . 2008-05-07 04:17 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2009-03-21 15:01 . 2008-05-07 04:17 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2009-03-21 15:01 . 2008-05-07 04:17 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"cdloader"="c:\documents and settings\Joaquin\Application Data\mjusbsp\cdloader2.exe" [2012-02-01 50592]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-07 185896]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-11-04 2219184]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

.

c:\documents and settings\Joaquin\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-4-18 147456]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2008-05-07 03:20 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Documents and Settings\\Joaquin\\Application Data\\mjusbsp\\magicJack.exe"=

.

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 12:31 PM 115008]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/3/2010 12:28 PM 95896]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/4/2010 5:15 PM 810144]

S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [12/3/2012 2:06 PM 35144]

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 23:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = *.local

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\documents and settings\Joaquin\Application Data\Mozilla\Firefox\Profiles\x317rxl5.default\

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-26742650.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-12-07 17:38

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(832)

c:\windows\system32\Ati2evxx.dll

c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll

c:\windows\System32\BCMLogon.dll

.

Completion time: 2012-12-07 17:40:51

ComboFix-quarantined-files.txt 2012-12-07 22:40

.

Pre-Run: 60,471,128,064 bytes free

Post-Run: 61,499,449,344 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 12854971C52DA09658DAA16B44C71A1D


Save and close any work documents, close any apps that you started.

Temporarily turn off (disable) your antivirus program

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a Full Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

When all done, Copy & paste the MBAM scan log into a new reply.

Tell me, How is the system ?

Re-enable your antivirus program.


Mbam Log:

Malwarebytes Anti-Malware (Trial) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.12.09.02

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Joaquin :: HOME-8AE08796D2 [administrator]

Protection: Enabled

12/9/2012 7:18:43 AM

mbam-log-2012-12-09 (07-18-43).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 286621

Time elapsed: 40 minute(s), 35 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Very good MBAM result.

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Security Check Log:

Results of screen317's Security Check version 0.99.56

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

ESET NOD32 Antivirus 4.2

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

Java 6 Update 24

Java 6 Update 5

Java version out of Date!

Adobe Flash Player 10 Flash Player out of Date!

Adobe Reader 8 Adobe Reader out of Date!

Mozilla Firefox (2.0.0 Firefox out of Date!

````````Process Check: objlist.exe by Laurent````````

ESET NOD32 Antivirus egui.exe

ESET NOD32 Antivirus ekrn.exe

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:: 7%

````````````````````End of Log``````````````````````


You need to update 4 utilities:

Step 1

Your Java runtime is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Accept the EULA & Download the latest version of >> Windows Offline << from here
    or >> from here <<
    and save it to your desktop.
  • Get the Offline version that corresponds to your "bit-tedness" of your Windows (32-bit or 64-bit)
    How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system
  • Close any programs you may have running - especially your web browser(s).
  • Go to Start > Settings > Control Panel, select Add-or-Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u9-windows-i586.exe to install the newest version.
    ( jre-7u9-windows-x64.exe if this is a 64-bit Windows o.s.)

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache. Leave BOTH checked:
      • Applications and Applets
      • Trace and Log Files
    • Click OK on the Delete Temporary Files window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files window.

Small tweaks for Java runtime, since most all users do not need to load Java at each Windows startup:

Click Advanced Tab. Expand the Miscellaneous item.

UN-check the line Java quick starter

Press Apply then OK. Close the applet when done.

Step 2

To de-install Flash Player

Use Programs and Features (Windows 7 & Vista) or Add-or-Remove Programs (Windows XP) to de-install older versions of Flash Player.

For stubborn cases,

Download and save the Flash Player uninstaller >> uninstall Flash Player for 32-bit Windows<<

If you have Windows 64-bit, use this Flash Player uninstaller >> uninstall Flash Player for 64-bit Windows<<

Close all browsers and instant messenger (IM) programs.

Run the uninstaller.

To get latest Flash Player

Go to http://www.adobe.com/go/getflash

and get the latest Flash Player

Un-Check any checkbox for Google Chrome, or McAfee Security Scan Plus, or any other widget or toolbar or add-on!!!

Reference: How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system

http://support.microsoft.com/kb/827218

Step 3

Older versions of Adobe Reader pose a potential security risk.

De-install your Adobe Reader: Use Control Panel's Add-or-Remove Programs , Un-install Adobe Reader.

Get latest Adobe Reader version

http://get.adobe.com/reader/

Be sure to un-check the box for Free McAfee Security Scan or any "toolbar" (if offered )

Step 4

Start Firefox. From its menu, select Help >> About Firefox.

Click on Check for Updates button.

Allow it to get the update and then to apply and restart Firefox. Exit F-F when done.

Step 5

Download Dr.Web CureIt to the desktop.

  • Turn OFF your antivirus program.
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Double-click the drweb-cureit.exe file, then on Start, and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the check icon next to the files found.
  • If so, click it and then click the icon right below and select Move incurable.
  • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Re-Enable your antivirus program when all done.


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Using Internet Explorer browser only, go to ESET Online Scanner website:

{Windows 7 & Vista users should start IE by Start >> Internet Explorer >> Right-Click and select Run As Administrator.}

  • Press the ESET Online Scanner button.
  • Check the I accept the terms box. Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Un-check the Remove found threats option.
  • Checkmark Scan Archives option.
  • Click on Advanced Settings and checkmark the following
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology
    click Scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files\Eset\EsetOnlineScanner\log.txt.
    Look at the contents of this file using Notepad or Wordpad.
    The Frequently Asked Questions for ESET Online Scanner can be viewed here: http://www.eset.com/onlinescan/cac4.php?page=faq
  • Use of Internet Explorer for the online scan is preferred. If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

After the scan is done, re-enable your antivirus program.

Reply with copy of the Eset scan log.


ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=8

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6844

# api_version=3.0.2

# EOSSerial=ee38e376f834394eaf724efacf4b9fb6

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=false

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2012-12-18 07:09:26

# local_time=2012-12-18 02:09:26 (-0500, Eastern Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8199 16776701 100 100 0 74079686 0 0

# scanned=58621

# found=7

# cleaned=0

# scan_time=3089

# nod_component=V3 Build:0x30000000

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0001.dta a variant of Win32/Olmarik.AYI trojan (unable to clean) BD1D3BF759D78450B2F5ABD9F29B5EF91D684536 I

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AK trojan (unable to clean) F281E8D97D77A6578BF8EA9290BEF4BBE02EF3FE I

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan (unable to clean) F7F17F266BD9A76D66E4F4F8511CA12101A57FC5 I

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.AK trojan (unable to clean) DBDF099D4D9921EA809AB857CF1CA9776E109FD3 I

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0008.dta Win32/Olmarik.AFK trojan (unable to clean) F6FE0B6B7C92FEF6CBA3DB3D1435AC00F27F7EA1 I

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0009.dta Win64/Olmarik.AK trojan (unable to clean) 5F329A1069EB6A8151C2CA3E589DBF1B481B50A2 I

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0012.dta a variant of Win32/Olmarik.AYI trojan (unable to clean) BD1D3BF759D78450B2F5ABD9F29B5EF91D684536 I

# version=8

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6844

# api_version=3.0.2

# EOSSerial=ee38e376f834394eaf724efacf4b9fb6

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2012-12-18 08:04:02

# local_time=2012-12-18 03:04:02 (-0500, Eastern Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8199 16776701 100 100 0 74082962 0 0

# scanned=58633

# found=7

# cleaned=0

# scan_time=3021

# nod_component=V3 Build:0x30000000

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0001.dta a variant of Win32/Olmarik.AYI trojan (unable to clean) BD1D3BF759D78450B2F5ABD9F29B5EF91D684536 I

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AK trojan (unable to clean) F281E8D97D77A6578BF8EA9290BEF4BBE02EF3FE I

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan (unable to clean) F7F17F266BD9A76D66E4F4F8511CA12101A57FC5 I

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.AK trojan (unable to clean) DBDF099D4D9921EA809AB857CF1CA9776E109FD3 I

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0008.dta Win32/Olmarik.AFK trojan (unable to clean) F6FE0B6B7C92FEF6CBA3DB3D1435AC00F27F7EA1 I

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0009.dta Win64/Olmarik.AK trojan (unable to clean) 5F329A1069EB6A8151C2CA3E589DBF1B481B50A2 I

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0012.dta a variant of Win32/Olmarik.AYI trojan (unable to clean) BD1D3BF759D78450B2F5ABD9F29B5EF91D684536 I

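Every hit in the ESET log above sits under C:\TDSSKiller_Quarantine, the folder TDSSKiller filled on 3 December when it copied the TDLFS contents out of the hidden file system, so the scanner is re-detecting inert copies rather than files that can run; the 40-hex value at the end of each line is the SHA-1 ESET reports for the file, which is what you would use to look the samples up. The script below is an added example, not part of the thread or of ESET's tooling: it parses the log's "# key=value" header and detection lines, separates hits inside known quarantine folders from hits on live paths, and lists unique SHA-1s. The sample log reuses the seven detection lines from the post plus one constructed line on a live path (svc_update.exe and Win32/Example.A are invented names), and the C:\Qoobox\Quarantine entry is ComboFix's quarantine folder.

```python
"""Triage an ESET Online Scanner log: parse the '# key=value' header and the
detection lines, separate hits inside known quarantine folders (inert copies)
from hits on live paths, and collect SHA-1s for sample lookup.  The sample log
reuses the seven detection lines from the thread and adds one constructed
live-path line (svc_update.exe / Win32/Example.A are invented names)."""
import re

# Quarantine folders whose contents are not live files.  TDSSKiller's is seen in the
# thread; C:\Qoobox\Quarantine is where ComboFix stores what it removes.
QUARANTINE_DIRS = (
    r"C:\TDSSKiller_Quarantine",
    r"C:\Qoobox\Quarantine",
)

# path  <name>  (action)  <40-hex SHA-1>  <flag>; the path may contain spaces, so it is
# matched lazily and the rest of the line is anchored at the end.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<name>(?:a variant of )?\S+/\S+ \S+)\s+"
    r"\((?P<action>[^)]+)\)\s+"
    r"(?P<sha1>[0-9A-Fa-f]{40})\s+"
    r"(?P<flag>\S+)\s*$"
)


def parse_eset_log(text: str):
    """Return (header dict, list of detection dicts)."""
    meta, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].strip().partition("=")
            if sep:
                meta[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if m:
            d = m.groupdict()
            d["sha1"] = d["sha1"].upper()
            detections.append(d)
    return meta, detections


def is_quarantined(path: str, dirs=QUARANTINE_DIRS) -> bool:
    """True if the path lies below one of the quarantine folders (case-insensitive)."""
    p = path.lower()
    return any(p.startswith(d.lower().rstrip("\\") + "\\") for d in dirs)


def triage(detections, dirs=QUARANTINE_DIRS) -> dict:
    """Split detections into inert quarantine copies and hits that need action."""
    out = {"quarantined": [], "live": []}
    for d in detections:
        out["quarantined" if is_quarantined(d["path"], dirs) else "live"].append(d)
    return out


def unique_sha1s(detections) -> list:
    """Sorted, de-duplicated SHA-1s (tsk0001 and tsk0012 in the thread share one)."""
    return sorted({d["sha1"] for d in detections})


# Constructed sample: a short header, the seven quarantine hits as posted, plus one
# invented live-path hit so both branches of the triage are exercised.
SAMPLE_LOG = "\n".join([
    "# version=8",
    "# end=finished",
    "# remove_checked=false",
    "# found=8",
    "# cleaned=0",
    r"C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0001.dta a variant of Win32/Olmarik.AYI trojan (unable to clean) BD1D3BF759D78450B2F5ABD9F29B5EF91D684536 I",
    r"C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AK trojan (unable to clean) F281E8D97D77A6578BF8EA9290BEF4BBE02EF3FE I",
    r"C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan (unable to clean) F7F17F266BD9A76D66E4F4F8511CA12101A57FC5 I",
    r"C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.AK trojan (unable to clean) DBDF099D4D9921EA809AB857CF1CA9776E109FD3 I",
    r"C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0008.dta Win32/Olmarik.AFK trojan (unable to clean) F6FE0B6B7C92FEF6CBA3DB3D1435AC00F27F7EA1 I",
    r"C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0009.dta Win64/Olmarik.AK trojan (unable to clean) 5F329A1069EB6A8151C2CA3E589DBF1B481B50A2 I",
    r"C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0012.dta a variant of Win32/Olmarik.AYI trojan (unable to clean) BD1D3BF759D78450B2F5ABD9F29B5EF91D684536 I",
    r"C:\Documents and Settings\Joaquin\Local Settings\Temp\svc_update.exe Win32/Example.A trojan (unable to clean) 0000000000000000000000000000000000000000 I",
])


if __name__ == "__main__":
    meta, dets = parse_eset_log(SAMPLE_LOG)
    groups = triage(dets)
    print(f"found={meta.get('found')} cleaned={meta.get('cleaned')} parsed={len(dets)}")
    print("inert (in quarantine):", len(groups["quarantined"]),
          "unique SHA-1s:", unique_sha1s(groups["quarantined"]))
    for d in groups["live"]:
        print("LIVE:", d["path"], "->", d["name"], d["sha1"])
```

A hit on a live path is the case that needs action; a hit inside a quarantine folder only means the scanner can read the copy that another tool already pulled out, and deleting that folder (as the helper advises below) removes the detections along with it.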

The system seems to be operating OK, though I have not been using it.

From the Eset Log:

"C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0001.dta a variant of Win32/Olmarik.AYI trojan (unable to clean) BD1D3BF759D78450B2F5ABD9F29B5EF91D684536 I

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AK trojan (unable to clean) F281E8D97D77A6578BF8EA9290BEF4BBE02EF3FE I

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan (unable to clean) F7F17F266BD9A76D66E4F4F8511CA12101A57FC5 I

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.AK trojan (unable to clean) DBDF099D4D9921EA809AB857CF1CA9776E109FD3 I

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0008.dta Win32/Olmarik.AFK trojan (unable to clean) F6FE0B6B7C92FEF6CBA3DB3D1435AC00F27F7EA1 I

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0009.dta Win64/Olmarik.AK trojan (unable to clean) 5F329A1069EB6A8151C2CA3E589DBF1B481B50A2 I

C:\TDSSKiller_Quarantine\03.12.2012_15.31.46\mbr0000\tdlfs0000\tsk0012.dta a variant of Win32/Olmarik.AYI trojan (unable to clean) BD1D3BF759D78450B2F5ABD9F29B5EF91D684536 I "

Does this no longer pose a threat?


No, no threat posed by the quarantined items. You may delete C:\TDSSKiller_Quarantine ...<----this folder

I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know. Let me know when you have finished the cleanup steps below.

The following few steps will remove tools we used.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it Combo-Fix), put that name in the RUN box stated just below.

The "/uninstall" in the Run line below is to start Combofix for its cleanup & removal function.

Note the space after exe and before the slash mark.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, then click Run.
    In the text box that opens, type or copy/paste
    Combo-Fix.exe /uninstall
    and then click OK.

If the Combofix un-install has an issue, skip that step.

  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

ERUNT you should keep and use on a periodic basis to backup Windows registry.

Delete the following if still present:

TDSSKILLER.exe

RogueKiller.exe

aswMBR.exe

SecurityCheck.exe

DrWeb Cure-It

Safer practices & malware prevention

We are finished here. Best regards.

This topic is now closed to further replies.