
Google Redirect Virus [Solved]


  • This topic is locked

#1 malmbor
    Member
  • 72 posts
EDIT - Olmarik infection

When I run google searches, I am redirected to sites such as www.gimmeanswers.org and www.happili.com. Also, the homepage has been set to search.conduit.com and there is a "face smooch" toolbar in IE and Firefox. IE also has "ALOT Search" listed in the toolbar menu. I have tried to download OTL twice, but my computer reboots on its own when I hit "run." Furthermore, svchost.exe is using a lot of memory - 870,000 K.

The Malwarebytes quick scan shows nothing today, but here is the log from last night.


Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.20.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: DAVE [administrator]

3/19/2012 11:29:43 PM
mbam-log-2012-03-19 (23-29-43).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 216561
Time elapsed: 22 minute(s), 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Documents and Settings\NetworkService\Application Data\Microsoft\Microsoft\hmlxkn.dll (Trojan.Agent.GMAGen) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.GMAGen) -> Data: rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Microsoft\Microsoft\hmlxkn.dll",DllRegisterServer -> Quarantined and deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.GMAGen) -> Data: rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Microsoft\Microsoft\hmlxkn.dll",DllRegisterServer -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\NetworkService\Application Data\Microsoft\Microsoft\hmlxkn.dll (Trojan.Agent.GMAGen) -> Delete on reboot.



Finally, the other day Microsoft Security Essentials found and deleted "Trojan:Win32/Alureon.FK." Information provided for that trojan stated, "The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. As a result, it may be necessary to reconfigure DNS settings after Win32/Alureon is removed from the computer."


EDIT: I fixed the homepage and toolbar issues, but I still have Google redirect issues. I uninstalled Microsoft Security Essentials and now use ESET NOD32. It picked up the following but cannot clean them:

Operating memory - Win32/Olmarik.TDL4 trojan - unable to clean
Operating memory » svchost.exe(1188) - a variant of Win32/Olmarik.AYH trojan - unable to clean

Edited by malmbor, 23 March 2012 - 12:46 AM.

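An added triage helper, not from the thread or from Malwarebytes, that parses the Run-key and file lines of the log above and spells out why those two values deserve attention: a DLL under the NetworkService profile started through rundll32's DllRegisterServer export, and an on-disk copy that could only be scheduled for deletion on reboot because the module was loaded. The sample text is copied from the log in this post; the path markers and reasons are this example's own heuristics.

```python
import re
from dataclasses import dataclass, field

# Sample input copied from the Malwarebytes log above (Run-key hits and the file hit).
MBAM_SAMPLE = r"""
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.GMAGen) -> Data: rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Microsoft\Microsoft\hmlxkn.dll",DllRegisterServer -> Quarantined and deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.GMAGen) -> Data: rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Microsoft\Microsoft\hmlxkn.dll",DllRegisterServer -> Quarantined and deleted successfully.

Files Detected: 1
C:\Documents and Settings\NetworkService\Application Data\Microsoft\Microsoft\hmlxkn.dll (Trojan.Agent.GMAGen) -> Delete on reboot.
"""

# One "Registry Values Detected" line: <key>|<value name> (<detection>) -> Data: <data> -> <action>.
REG_VALUE_RE = re.compile(
    r"^(?P<key>HK[^|]+)\|(?P<name>\S+) \((?P<detection>[^)]+)\) -> Data: (?P<data>.+?) -> (?P<action>.+?)\.?$"
)
# One "Files Detected" line: <path> (<detection>) -> <action>.
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+?)\.?$")
# A rundll32 launch string: [path\]rundll32[.exe] "<dll>",<export>
RUNDLL_RE = re.compile(r'^"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\w+)', re.I)

# Path fragments that mean "user-writable profile storage", where no system component belongs
# (heuristic list chosen for this example).
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\local settings\\",
                   "\\users\\", "\\appdata\\", "\\temp\\")


@dataclass
class Finding:
    location: str            # registry key|value name
    dll: str
    reasons: list = field(default_factory=list)


def parse_mbam(log_text):
    """Split a Malwarebytes log into registry-value hits and file hits (lists of dicts)."""
    reg, files = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := REG_VALUE_RE.match(line)):
            reg.append(m.groupdict())
        elif (m := FILE_RE.match(line)):
            files.append(m.groupdict())
    return reg, files


def classify_autorun(location, data):
    """Return a Finding when an autostart value launches a DLL in a way worth a second look, else None."""
    m = RUNDLL_RE.match(data.strip())
    if not m:
        return None
    dll, export = m.group("dll"), m.group("export")
    low = dll.lower()
    reasons = []
    if any(marker in low for marker in PROFILE_MARKERS):
        reasons.append("DLL is stored in a user-writable profile path instead of System32")
    if "\\networkservice\\" in low or "\\localservice\\" in low:
        reasons.append("path is under a service-account profile, where no one installs software")
    if export.lower() == "dllregisterserver":
        reasons.append("DllRegisterServer is a COM registration export, not something to run at every logon")
    if location.upper().startswith("HKU\\.DEFAULT"):
        reasons.append("persistence is also set outside the interactive user's own hive (HKU\\.DEFAULT)")
    return Finding(location, dll, reasons) if reasons else None


def triage(log_text):
    """Return (suspicious autorun findings, files Malwarebytes could only schedule for deletion on reboot)."""
    reg, files = parse_mbam(log_text)
    findings = []
    for r in reg:
        f = classify_autorun(f"{r['key']}|{r['name']}", r["data"])
        if f:
            findings.append(f)
    # "Delete on reboot" means the file was locked (here: loaded as a module), so the on-disk
    # copy is still present until the next restart and should be re-checked afterwards.
    pending = [f["path"] for f in files if f["action"].lower().startswith("delete on reboot")]
    return findings, pending


if __name__ == "__main__":
    found, still_on_disk = triage(MBAM_SAMPLE)
    for f in found:
        print(f.location)
        for reason in f.reasons:
            print("   -", reason)
    print("still on disk until reboot:", still_on_disk)
```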


#2 maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
Hello malmbor and welcome to my office here at G2G! :)

My nick is maliprog and I'll be your technical support on this issue. Before we start please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous; most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fixes on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or that isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you to. Instead, please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed.

Step 1

  • Download the latest version of TDSSKiller from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside:

    • Verify Driver Digital Signature
    • Detect TDLFS file system
  • then click OK.
  • Click the Start Scan button to start the scan.
  • If a suspicious object is detected, the default action will be Skip.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected for malicious objects.
  • Click Continue then Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Step 2

Download aswMBR.exe (511 KB) to your desktop.

  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start the scan
  • On completion of the scan, click Save log, save it to your desktop, and post aswMBR.txt in your next reply
  • Also, ZIP MBR.dat it creates and attach it to your next reply
Step 3

Download GMER from Here. Note the file's name and save it to your root folder, such as C:.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Step 4

Please don't forget to include these items in your reply:

  • TDSSKiller log
  • aswMBR log
  • GMER log
It would be helpful if you could post each log in a separate post.

#3 malmbor
    Member
  • Topic Starter
  • 72 posts
Thanks. Here is the TDSSKiller log:

18:18:09.0140 4004 TDSS rootkit removing tool 2.7.23.0 Mar 26 2012 13:40:18
18:18:09.0671 4004 ============================================================
18:18:09.0671 4004 Current date / time: 2012/03/27 18:18:09.0671
18:18:09.0671 4004 SystemInfo:
18:18:09.0671 4004
18:18:09.0671 4004 OS Version: 5.1.2600 ServicePack: 3.0
18:18:09.0671 4004 Product type: Workstation
18:18:09.0671 4004 ComputerName: DAVE
18:18:09.0671 4004 UserName: Administrator
18:18:09.0671 4004 Windows directory: C:\WINDOWS
18:18:09.0671 4004 System windows directory: C:\WINDOWS
18:18:09.0671 4004 Processor architecture: Intel x86
18:18:09.0671 4004 Number of processors: 2
18:18:09.0671 4004 Page size: 0x1000
18:18:09.0671 4004 Boot type: Normal boot
18:18:09.0671 4004 ============================================================
18:18:10.0421 4004 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:18:10.0421 4004 \Device\Harddisk0\DR0:
18:18:10.0421 4004 MBR used
18:18:10.0421 4004 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x94FE97E
18:18:10.0453 4004 Initialize success
18:18:10.0453 4004 ============================================================
18:20:33.0125 1736 ============================================================
18:20:33.0125 1736 Scan started
18:20:33.0125 1736 Mode: Manual; SigCheck; TDLFS;
18:20:33.0125 1736 ============================================================
18:20:35.0359 1736 Abiosdsk - ok
18:20:35.0375 1736 abp480n5 - ok
18:20:35.0484 1736 ACDaemon (adc420616c501b45d26c0fd3ef1e54e4) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
18:20:35.0687 1736 ACDaemon - ok
18:20:35.0765 1736 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:20:37.0593 1736 ACPI - ok
18:20:37.0671 1736 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
18:20:37.0812 1736 ACPIEC - ok
18:20:37.0859 1736 ADIHdAudAddService (307f5e03b02a3022d664c36d1ea25f2c) C:\WINDOWS\system32\drivers\ADIHdAud.sys
18:20:37.0937 1736 ADIHdAudAddService - ok
18:20:37.0937 1736 adpu160m - ok
18:20:37.0984 1736 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
18:20:38.0125 1736 aec - ok
18:20:38.0203 1736 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
18:20:38.0250 1736 AFD - ok
18:20:38.0250 1736 Aha154x - ok
18:20:38.0281 1736 aic78u2 - ok
18:20:38.0281 1736 aic78xx - ok
18:20:38.0359 1736 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
18:20:38.0484 1736 Alerter - ok
18:20:38.0562 1736 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
18:20:38.0625 1736 ALG - ok
18:20:38.0671 1736 AliIde - ok
18:20:38.0718 1736 amsint - ok
18:20:38.0828 1736 Apple Mobile Device (018857ead9a077a56aedfc0e5ef7a24a) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
18:20:38.0843 1736 Apple Mobile Device - ok
18:20:38.0906 1736 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
18:20:38.0984 1736 AppMgmt - ok
18:20:39.0000 1736 asc - ok
18:20:39.0031 1736 asc3350p - ok
18:20:39.0046 1736 asc3550 - ok
18:20:39.0171 1736 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
18:20:39.0187 1736 aspnet_state - ok
18:20:39.0234 1736 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:20:39.0390 1736 AsyncMac - ok
18:20:39.0468 1736 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:20:39.0625 1736 atapi - ok
18:20:39.0734 1736 atchksrv (eecc1d40aa10f85126708796aba1e7d5) C:\Program Files\Intel\AMT\atchksrv.exe
18:20:39.0750 1736 atchksrv - ok
18:20:39.0796 1736 Atdisk - ok
18:20:39.0828 1736 athr - ok
18:20:39.0843 1736 ativraxx - ok
18:20:39.0906 1736 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:20:40.0062 1736 Atmarpc - ok
18:20:40.0093 1736 ATWPKT2 - ok
18:20:40.0125 1736 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
18:20:40.0281 1736 AudioSrv - ok
18:20:40.0359 1736 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
18:20:40.0500 1736 audstub - ok
18:20:40.0593 1736 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
18:20:40.0703 1736 Beep - ok
18:20:40.0781 1736 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
18:20:40.0968 1736 BITS - ok
18:20:41.0078 1736 Bonjour Service (f832f1505ad8b83474bd9a5b1b985e01) C:\Program Files\Bonjour\mDNSResponder.exe
18:20:41.0093 1736 Bonjour Service - ok
18:20:41.0187 1736 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
18:20:41.0312 1736 Browser - ok
18:20:41.0328 1736 btwhid - ok
18:20:41.0375 1736 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
18:20:41.0515 1736 cbidf2k - ok
18:20:41.0531 1736 cd20xrnt - ok
18:20:41.0578 1736 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
18:20:41.0703 1736 Cdaudio - ok
18:20:41.0781 1736 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
18:20:41.0921 1736 Cdfs - ok
18:20:42.0015 1736 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
18:20:42.0171 1736 Cdrom - ok
18:20:42.0218 1736 cerc6 - ok
18:20:42.0234 1736 Changer - ok
18:20:42.0281 1736 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
18:20:42.0406 1736 CiSvc - ok
18:20:42.0484 1736 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
18:20:42.0609 1736 ClipSrv - ok
18:20:42.0687 1736 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
18:20:42.0687 1736 clr_optimization_v2.0.50727_32 - ok
18:20:42.0703 1736 CmdIde - ok
18:20:42.0718 1736 COMSysApp - ok
18:20:42.0750 1736 Cpqarray - ok
18:20:42.0796 1736 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
18:20:42.0921 1736 CryptSvc - ok
18:20:42.0968 1736 dac2w2k - ok
18:20:43.0000 1736 dac960nt - ok
18:20:43.0062 1736 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
18:20:43.0140 1736 DcomLaunch - ok
18:20:43.0171 1736 dcpflics - ok
18:20:43.0234 1736 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
18:20:43.0359 1736 Dhcp - ok
18:20:43.0406 1736 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
18:20:43.0578 1736 Disk - ok
18:20:43.0625 1736 dmadmin - ok
18:20:43.0687 1736 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
18:20:43.0953 1736 dmboot - ok
18:20:44.0015 1736 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
18:20:44.0187 1736 dmio - ok
18:20:44.0281 1736 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
18:20:44.0421 1736 dmload - ok
18:20:44.0546 1736 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
18:20:44.0671 1736 dmserver - ok
18:20:44.0750 1736 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
18:20:44.0875 1736 DMusic - ok
18:20:44.0968 1736 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
18:20:45.0031 1736 Dnscache - ok
18:20:45.0062 1736 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
18:20:45.0187 1736 Dot3svc - ok
18:20:45.0234 1736 dpti2o - ok
18:20:45.0296 1736 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
18:20:45.0453 1736 drmkaud - ok
18:20:45.0578 1736 e1express (33dc2a5b6298633f4dd8e4d407cdf8b4) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
18:20:45.0609 1736 e1express - ok
18:20:45.0671 1736 eamon (9309c5c9831203436e64cf2ae605c5d7) C:\WINDOWS\system32\DRIVERS\eamon.sys
18:20:45.0734 1736 eamon - ok
18:20:45.0765 1736 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
18:20:45.0921 1736 EapHost - ok
18:20:45.0984 1736 ehdrv (deff87f04ab5f6dd5edf2b80853bbe10) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
18:20:46.0046 1736 ehdrv - ok
18:20:46.0171 1736 ekrn (c7bb95cf9631aa401e4aded1648f6af7) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
18:20:46.0203 1736 ekrn - ok
18:20:46.0250 1736 epfwtdir (06c65ac0a703cf8eea4f284d901a1550) C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
18:20:46.0296 1736 epfwtdir - ok
18:20:46.0359 1736 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
18:20:46.0484 1736 ERSvc - ok
18:20:46.0562 1736 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
18:20:46.0609 1736 Eventlog - ok
18:20:46.0671 1736 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
18:20:46.0812 1736 EventSystem - ok
18:20:46.0875 1736 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
18:20:47.0015 1736 Fastfat - ok
18:20:47.0078 1736 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:20:47.0125 1736 FastUserSwitchingCompatibility - ok
18:20:47.0171 1736 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
18:20:47.0296 1736 Fdc - ok
18:20:47.0343 1736 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
18:20:47.0500 1736 Fips - ok
18:20:47.0578 1736 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
18:20:47.0718 1736 Flpydisk - ok
18:20:47.0750 1736 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
18:20:47.0890 1736 FltMgr - ok
18:20:47.0984 1736 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
18:20:48.0000 1736 FontCache3.0.0.0 - ok
18:20:48.0046 1736 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
18:20:48.0171 1736 Fs_Rec - ok
18:20:48.0234 1736 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
18:20:48.0390 1736 Ftdisk - ok
18:20:48.0484 1736 GEARAspiWDM (5ae3a887ece5bbb72cfab273c2fd1cfa) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

#4 malmbor
    Member
  • Topic Starter
  • 72 posts
2) aswMBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-27 18:34:22
-----------------------------
18:34:22.609 OS Version: Windows 5.1.2600 Service Pack 3
18:34:22.609 Number of processors: 2 586 0xF0D
18:34:22.609 ComputerName: DAVE UserName:
18:34:23.093 Initialize success
18:37:09.109 AVAST engine defs: 12032702
18:37:50.921 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:37:50.921 Disk 0 Vendor: ST380815 3.AD Size: 76293MB BusType: 3
18:37:50.937 Disk 0 MBR read successfully
18:37:50.937 Disk 0 MBR scan
18:37:50.984 Disk 0 Windows XP default MBR code
18:37:50.984 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76285 MB offset 63
18:37:50.984 Disk 0 scanning sectors +156232125
18:37:51.093 Disk 0 scanning C:\WINDOWS\system32\drivers
18:38:03.593 Service scanning
18:38:19.843 Modules scanning
18:38:24.265 Disk 0 trace - called modules:
18:38:24.281 ntoskrnl.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
18:38:24.281 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89b63ab8]
18:38:24.312 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x89bc1028]
18:38:24.765 AVAST engine scan C:\WINDOWS
18:38:34.125 AVAST engine scan C:\WINDOWS\system32
18:40:51.937 AVAST engine scan C:\WINDOWS\system32\drivers
18:41:02.859 AVAST engine scan C:\Documents and Settings\Administrator
18:41:57.750 File: C:\Documents and Settings\Administrator\Local Settings\Temp\_av4_\data\aswar0.dll **INFECTED** Win32:Malware-gen
18:41:58.218 File: C:\Documents and Settings\Administrator\Local Settings\Temp\_av4_\data\updldr0.bin **INFECTED** Win32:Malware-gen
18:42:42.843 File: C:\Documents and Settings\Administrator\My Documents\Downloads\EOlmarikTdl4Cleaner(1).exe **INFECTED** MBR:Alureon-K [Rtk]
18:42:42.953 File: C:\Documents and Settings\Administrator\My Documents\Downloads\EOlmarikTdl4Cleaner(2).exe **INFECTED** MBR:Alureon-K [Rtk]
18:42:43.000 File: C:\Documents and Settings\Administrator\My Documents\Downloads\EOlmarikTdl4Cleaner(3).exe **INFECTED** MBR:Alureon-K [Rtk]
18:42:43.046 File: C:\Documents and Settings\Administrator\My Documents\Downloads\EOlmarikTdl4Cleaner.exe **INFECTED** MBR:Alureon-K [Rtk]
18:43:19.453 AVAST engine scan C:\Documents and Settings\All Users
18:43:46.859 Scan finished successfully
18:44:14.281 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
18:44:14.281 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

Attached Files

  • MBR.zip (499 bytes)

Edited by malmbor, 27 March 2012 - 05:09 PM.


#5 malmbor
    Member
  • Topic Starter
  • 72 posts
3) GMER log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-27 20:40:50
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST380815 rev.3.AD
Running: zxvccchm.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0x9CA134B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwCreateThread [0x9CA137F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0x9CA13AB0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0x9CA135D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwLoadDriver [0x9CA138B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0x9CA13350]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0x9CA13410]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0x9CA13570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0x9CA13630]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0x9CA13530]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0x9CA134F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0x9CA13670]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSystemInformation [0x9CA13870]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0x9CA133B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0x9CA13430]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSystemDebugControl [0x9CA13830]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0x9CA13370]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0x9CA13470]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0x9CA135F0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CC4 12 Bytes [B0, 33, A1, 9C, 30, 34, A1, ...]
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1304] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\system32\SearchIndexer.exe[2152] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB26824$\147283983 0 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\cfg.ini 109 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\L 0 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\L\aaekazwk 162816 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\oemid 12 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\U 0 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\U\80000000.@ 66560 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\U\80000032.@ 115200 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\version 861 bytes
File C:\WINDOWS\$NtUninstallKB26824$\1936226844 0 bytes

---- EOF - GMER 1.0.15 ----
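Added example, not part of the thread or of GMER: a heuristic that groups the "File" lines of the log above by their $NtUninstall...$ folder and compares each folder's layout against what a genuine hotfix uninstall folder contains (a spuninst\ subfolder holding the uninstaller, plus backed-up system files). The GMER lines are copied from this post; the benign folder, its KB number and its sizes are constructed, and the scoring thresholds are this example's own.

```python
import re
from collections import defaultdict

# Sample input copied from the "Files" section of the GMER log above.
GMER_FILES = r"""
---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB26824$\147283983 0 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\cfg.ini 109 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\L 0 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\L\aaekazwk 162816 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\oemid 12 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\U 0 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\U\80000032.@ 115200 bytes
File C:\WINDOWS\$NtUninstallKB26824$\147283983\version 861 bytes
File C:\WINDOWS\$NtUninstallKB26824$\1936226844 0 bytes

---- EOF - GMER 1.0.15 ----
"""

# Constructed counter-example (hypothetical KB number and sizes): the layout of a genuine
# hotfix uninstall folder, i.e. a spuninst\ subfolder with the uninstaller plus backed-up files.
BENIGN_FILES = r"""
File C:\WINDOWS\$NtUninstallKB123456$\spuninst 0 bytes
File C:\WINDOWS\$NtUninstallKB123456$\spuninst\spuninst.exe 218112 bytes
File C:\WINDOWS\$NtUninstallKB123456$\spuninst\spuninst.inf 3501 bytes
File C:\WINDOWS\$NtUninstallKB123456$\pubprn.vbs 12345 bytes
"""

FILE_LINE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes$")
UNINSTALL_RE = re.compile(
    r"^(?P<root>[a-z]:\\windows\\\$ntuninstall(?P<kb>[a-z]+\d+)\$)(?:\\(?P<rel>.+))?$", re.I
)
RAW_NAMES = {"@", "l", "u"}                 # single-character entries seen in the log above
CONFIG_NAMES = {"cfg.ini", "oemid", "version"}


def collect_uninstall_folders(gmer_text):
    """Map each $NtUninstall...$ root to [KB tag, list of relative paths] from GMER 'File' lines."""
    folders = defaultdict(lambda: [None, []])
    for raw in gmer_text.splitlines():
        m = FILE_LINE_RE.match(raw.strip())
        if not m:
            continue
        u = UNINSTALL_RE.match(m.group("path"))
        if not u:
            continue
        entry = folders[u.group("root")]
        entry[0] = u.group("kb")
        if u.group("rel"):
            entry[1].append(u.group("rel"))
    return folders


def assess_uninstall_folders(gmer_text, min_reasons=2):
    """Return {root: [reasons]} for folders whose layout does not match a hotfix uninstall folder."""
    report = {}
    for root, (kb, rels) in collect_uninstall_folders(gmer_text).items():
        parts = [r.lower().split("\\") for r in rels]
        names = {p[-1] for p in parts}
        reasons = []
        if not any(p[0] == "spuninst" for p in parts):
            reasons.append("no spuninst\\ folder, which every genuine hotfix uninstall folder has")
        if any(p[0].isdigit() for p in parts):
            reasons.append("contents sit under a purely numeric subfolder")
        if any(c in RAW_NAMES for p in parts for c in p):
            reasons.append("single-character @, L or U entries")
        if any(n.endswith(".@") for n in names):
            reasons.append("files with a .@ extension")
        if names & CONFIG_NAMES:
            reasons.append("cfg.ini / oemid / version files")
        if len(re.sub(r"\D", "", kb)) != 6:
            reasons.append(f"{kb} is not a six-digit KB number")
        if len(reasons) >= min_reasons:
            report[root] = reasons
    return report


if __name__ == "__main__":
    for root, reasons in assess_uninstall_folders(GMER_FILES).items():
        print(root)
        for reason in reasons:
            print("   -", reason)
```

Because GMER lists these paths in a rootkit scan, a hit here is a reason to hand the folder to the helper rather than to delete it by hand; the tools requested in the next reply collect exactly that evidence.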

#6 maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
Hi malmbor,

We have work to do...

Step 1

This program will take a virus sample and upload it automatically for further analysis.

  • Please download GrabSample.exe
  • Start Notepad and copy and paste this into Notepad


    g2g:1:MBRAlureonK
    C:\Documents and Settings\Administrator\Local Settings\Temp\_av4_\data\aswar0.dll
    C:\Documents and Settings\Administrator\Local Settings\Temp\_av4_\data\updldr0.bin
    C:\Documents and Settings\Administrator\My Documents\Downloads\EOlmarikTdl4Cleaner.exe
    
  • Save it as getfiles.txt
  • Drag and drop getfiles.txt to GrabSample.exe
  • Wait until program finishes and press OK button at the end

Step 2

Please post the TDSSKiller log again, because you didn't post the full log the first time.

Step 3

NOTE: This fix is custom made for this system only and for current system state! Don't try to run it on another system!

Please close all running programs and run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL

    :Files
    C:\Documents and Settings\Administrator\Local Settings\Temp\_av4_\data\aswar0.dll
    C:\Documents and Settings\Administrator\Local Settings\Temp\_av4_\data\updldr0.bin
    C:\Documents and Settings\Administrator\My Documents\Downloads\EOlmarikTdl4Cleaner(1).exe
    C:\Documents and Settings\Administrator\My Documents\Downloads\EOlmarikTdl4Cleaner(2).exe
    C:\Documents and Settings\Administrator\My Documents\Downloads\EOlmarikTdl4Cleaner(3).exe
    C:\Documents and Settings\Administrator\My Documents\Downloads\EOlmarikTdl4Cleaner(4).exe

    :Commands
    [purity]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles

Step 4

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

Step 5

Please don't forget to include these items in your reply:

  • TDSSKiller log again
  • OTL fix log
  • Combofix log
It would be helpful if you could post each log in a separate post.

#7 malmbor
    Member
  • Topic Starter
  • 72 posts
I completed Step 1. Here is the TDSSKiller log:


18:18:09.0140 4004 TDSS rootkit removing tool 2.7.23.0 Mar 26 2012 13:40:18
18:18:09.0671 4004 ============================================================
18:18:09.0671 4004 Current date / time: 2012/03/27 18:18:09.0671
18:18:09.0671 4004 SystemInfo:
18:18:09.0671 4004
18:18:09.0671 4004 OS Version: 5.1.2600 ServicePack: 3.0
18:18:09.0671 4004 Product type: Workstation
18:18:09.0671 4004 ComputerName: DAVE
18:18:09.0671 4004 UserName: Administrator
18:18:09.0671 4004 Windows directory: C:\WINDOWS
18:18:09.0671 4004 System windows directory: C:\WINDOWS
18:18:09.0671 4004 Processor architecture: Intel x86
18:18:09.0671 4004 Number of processors: 2
18:18:09.0671 4004 Page size: 0x1000
18:18:09.0671 4004 Boot type: Normal boot
18:18:09.0671 4004 ============================================================
18:18:10.0421 4004 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:18:10.0421 4004 \Device\Harddisk0\DR0:
18:18:10.0421 4004 MBR used
18:18:10.0421 4004 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x94FE97E
18:18:10.0453 4004 Initialize success
18:18:10.0453 4004 ============================================================
18:20:33.0125 1736 ============================================================
18:20:33.0125 1736 Scan started
18:20:33.0125 1736 Mode: Manual; SigCheck; TDLFS;
18:20:33.0125 1736 ============================================================
18:20:35.0359 1736 Abiosdsk - ok
18:20:35.0375 1736 abp480n5 - ok
18:20:35.0484 1736 ACDaemon (adc420616c501b45d26c0fd3ef1e54e4) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
18:20:35.0687 1736 ACDaemon - ok
18:20:35.0765 1736 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:20:37.0593 1736 ACPI - ok
18:20:37.0671 1736 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
18:20:37.0812 1736 ACPIEC - ok
18:20:37.0859 1736 ADIHdAudAddService (307f5e03b02a3022d664c36d1ea25f2c) C:\WINDOWS\system32\drivers\ADIHdAud.sys
18:20:37.0937 1736 ADIHdAudAddService - ok
18:20:37.0937 1736 adpu160m - ok
18:20:37.0984 1736 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
18:20:38.0125 1736 aec - ok
18:20:38.0203 1736 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
18:20:38.0250 1736 AFD - ok
18:20:38.0250 1736 Aha154x - ok
18:20:38.0281 1736 aic78u2 - ok
18:20:38.0281 1736 aic78xx - ok
18:20:38.0359 1736 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
18:20:38.0484 1736 Alerter - ok
18:20:38.0562 1736 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
18:20:38.0625 1736 ALG - ok
18:20:38.0671 1736 AliIde - ok
18:20:38.0718 1736 amsint - ok
18:20:38.0828 1736 Apple Mobile Device (018857ead9a077a56aedfc0e5ef7a24a) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
18:20:38.0843 1736 Apple Mobile Device - ok
18:20:38.0906 1736 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
18:20:38.0984 1736 AppMgmt - ok
18:20:39.0000 1736 asc - ok
18:20:39.0031 1736 asc3350p - ok
18:20:39.0046 1736 asc3550 - ok
18:20:39.0171 1736 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
18:20:39.0187 1736 aspnet_state - ok
18:20:39.0234 1736 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:20:39.0390 1736 AsyncMac - ok
18:20:39.0468 1736 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:20:39.0625 1736 atapi - ok
18:20:39.0734 1736 atchksrv (eecc1d40aa10f85126708796aba1e7d5) C:\Program Files\Intel\AMT\atchksrv.exe
18:20:39.0750 1736 atchksrv - ok
18:20:39.0796 1736 Atdisk - ok
18:20:39.0828 1736 athr - ok
18:20:39.0843 1736 ativraxx - ok
18:20:39.0906 1736 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:20:40.0062 1736 Atmarpc - ok
18:20:40.0093 1736 ATWPKT2 - ok
18:20:40.0125 1736 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
18:20:40.0281 1736 AudioSrv - ok
18:20:40.0359 1736 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
18:20:40.0500 1736 audstub - ok
18:20:40.0593 1736 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
18:20:40.0703 1736 Beep - ok
18:20:40.0781 1736 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
18:20:40.0968 1736 BITS - ok
18:20:41.0078 1736 Bonjour Service (f832f1505ad8b83474bd9a5b1b985e01) C:\Program Files\Bonjour\mDNSResponder.exe
18:20:41.0093 1736 Bonjour Service - ok
18:20:41.0187 1736 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
18:20:41.0312 1736 Browser - ok
18:20:41.0328 1736 btwhid - ok
18:20:41.0375 1736 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
18:20:41.0515 1736 cbidf2k - ok
18:20:41.0531 1736 cd20xrnt - ok
18:20:41.0578 1736 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
18:20:41.0703 1736 Cdaudio - ok
18:20:41.0781 1736 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
18:20:41.0921 1736 Cdfs - ok
18:20:42.0015 1736 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
18:20:42.0171 1736 Cdrom - ok
18:20:42.0218 1736 cerc6 - ok
18:20:42.0234 1736 Changer - ok
18:20:42.0281 1736 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
18:20:42.0406 1736 CiSvc - ok
18:20:42.0484 1736 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
18:20:42.0609 1736 ClipSrv - ok
18:20:42.0687 1736 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
18:20:42.0687 1736 clr_optimization_v2.0.50727_32 - ok
18:20:42.0703 1736 CmdIde - ok
18:20:42.0718 1736 COMSysApp - ok
18:20:42.0750 1736 Cpqarray - ok
18:20:42.0796 1736 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
18:20:42.0921 1736 CryptSvc - ok
18:20:42.0968 1736 dac2w2k - ok
18:20:43.0000 1736 dac960nt - ok
18:20:43.0062 1736 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
18:20:43.0140 1736 DcomLaunch - ok
18:20:43.0171 1736 dcpflics - ok
18:20:43.0234 1736 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
18:20:43.0359 1736 Dhcp - ok
18:20:43.0406 1736 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
18:20:43.0578 1736 Disk - ok
18:20:43.0625 1736 dmadmin - ok
18:20:43.0687 1736 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
18:20:43.0953 1736 dmboot - ok
18:20:44.0015 1736 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
18:20:44.0187 1736 dmio - ok
18:20:44.0281 1736 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
18:20:44.0421 1736 dmload - ok
18:20:44.0546 1736 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
18:20:44.0671 1736 dmserver - ok
18:20:44.0750 1736 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
18:20:44.0875 1736 DMusic - ok
18:20:44.0968 1736 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
18:20:45.0031 1736 Dnscache - ok
18:20:45.0062 1736 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
18:20:45.0187 1736 Dot3svc - ok
18:20:45.0234 1736 dpti2o - ok
18:20:45.0296 1736 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
18:20:45.0453 1736 drmkaud - ok
18:20:45.0578 1736 e1express (33dc2a5b6298633f4dd8e4d407cdf8b4) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
18:20:45.0609 1736 e1express - ok
18:20:45.0671 1736 eamon (9309c5c9831203436e64cf2ae605c5d7) C:\WINDOWS\system32\DRIVERS\eamon.sys
18:20:45.0734 1736 eamon - ok
18:20:45.0765 1736 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
18:20:45.0921 1736 EapHost - ok
18:20:45.0984 1736 ehdrv (deff87f04ab5f6dd5edf2b80853bbe10) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
18:20:46.0046 1736 ehdrv - ok
18:20:46.0171 1736 ekrn (c7bb95cf9631aa401e4aded1648f6af7) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
18:20:46.0203 1736 ekrn - ok
18:20:46.0250 1736 epfwtdir (06c65ac0a703cf8eea4f284d901a1550) C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
18:20:46.0296 1736 epfwtdir - ok
18:20:46.0359 1736 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
18:20:46.0484 1736 ERSvc - ok
18:20:46.0562 1736 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
18:20:46.0609 1736 Eventlog - ok
18:20:46.0671 1736 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
18:20:46.0812 1736 EventSystem - ok
18:20:46.0875 1736 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
18:20:47.0015 1736 Fastfat - ok
18:20:47.0078 1736 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:20:47.0125 1736 FastUserSwitchingCompatibility - ok
18:20:47.0171 1736 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
18:20:47.0296 1736 Fdc - ok
18:20:47.0343 1736 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
18:20:47.0500 1736 Fips - ok
18:20:47.0578 1736 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
18:20:47.0718 1736 Flpydisk - ok
18:20:47.0750 1736 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
18:20:47.0890 1736 FltMgr - ok
18:20:47.0984 1736 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
18:20:48.0000 1736 FontCache3.0.0.0 - ok
18:20:48.0046 1736 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
18:20:48.0171 1736 Fs_Rec - ok
18:20:48.0234 1736 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
18:20:48.0390 1736 Ftdisk - ok
18:20:48.0484 1736 GEARAspiWDM (5ae3a887ece5bbb72cfab273c2fd1cfa) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
18:20:48.0515 1736 GEARAspiWDM - ok
18:20:48.0625 1736 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
18:20:48.0781 1736 Gpc - ok
18:20:48.0921 1736 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
18:20:48.0937 1736 gupdate - ok
18:20:49.0031 1736 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
18:20:49.0031 1736 gupdatem - ok
18:20:49.0078 1736 gusvc (cc839e8d766cc31a7710c9f38cf3e375) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
18:20:49.0093 1736 gusvc - ok
18:20:49.0187 1736 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
18:20:49.0328 1736 HDAudBus - ok
18:20:49.0390 1736 HECI (c865d1f6d03595df213dc3c67e4e4c58) C:\WINDOWS\system32\DRIVERS\HECI.sys
18:20:49.0437 1736 HECI - ok
18:20:49.0546 1736 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
18:20:49.0671 1736 helpsvc - ok
18:20:49.0734 1736 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
18:20:49.0859 1736 HidServ - ok
18:20:49.0937 1736 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
18:20:50.0093 1736 hidusb - ok
18:20:50.0187 1736 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
18:20:50.0312 1736 hkmsvc - ok
18:20:50.0359 1736 hpn - ok
18:20:50.0421 1736 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
18:20:50.0468 1736 HTTP - ok
18:20:50.0531 1736 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
18:20:50.0656 1736 HTTPFilter - ok
18:20:50.0671 1736 i2omgmt - ok
18:20:50.0687 1736 i2omp - ok
18:20:50.0734 1736 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
18:20:50.0875 1736 i8042prt - ok
18:20:51.0093 1736 ialm (bd9462e346229f37fd5b95fbcb6d3d34) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
18:20:51.0546 1736 ialm - ok
18:20:51.0640 1736 iastor (707c1692214b1c290271067197f075f6) C:\WINDOWS\system32\drivers\iastor.sys
18:20:51.0656 1736 iastor - ok
18:20:51.0781 1736 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
18:20:51.0796 1736 IDriverT ( UnsignedFile.Multi.Generic ) - warning
18:20:51.0796 1736 IDriverT - detected UnsignedFile.Multi.Generic (1)
18:20:51.0968 1736 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
18:20:52.0015 1736 idsvc - ok
18:20:52.0109 1736 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
18:20:52.0265 1736 Imapi - ok
18:20:52.0312 1736 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
18:20:52.0468 1736 ImapiService - ok
18:20:52.0546 1736 ini910u - ok
18:20:52.0546 1736 IntelIde - ok
18:20:52.0625 1736 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
18:20:52.0812 1736 intelppm - ok
18:20:52.0859 1736 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
18:20:53.0031 1736 Ip6Fw - ok
18:20:53.0062 1736 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
18:20:53.0250 1736 IpFilterDriver - ok
18:20:53.0281 1736 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
18:20:53.0437 1736 IpInIp - ok
18:20:53.0500 1736 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
18:20:53.0656 1736 IpNat - ok
18:20:53.0734 1736 iPod Service (6e27978a4755f4789f912f5f49392f7c) C:\Program Files\iPod\bin\iPodService.exe
18:20:53.0765 1736 iPod Service - ok
18:20:53.0859 1736 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
18:20:54.0000 1736 IPSec - ok
18:20:54.0062 1736 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
18:20:54.0156 1736 IRENUM - ok
18:20:54.0234 1736 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
18:20:54.0390 1736 isapnp - ok
18:20:54.0500 1736 JavaQuickStarterService (e731921db2e17dcd3db472fad5549c57) C:\Program Files\Java\jre6\bin\jqs.exe
18:20:54.0515 1736 JavaQuickStarterService - ok
18:20:54.0625 1736 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
18:20:54.0781 1736 Kbdclass - ok
18:20:54.0843 1736 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
18:20:54.0968 1736 kbdhid - ok
18:20:55.0062 1736 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
18:20:55.0187 1736 kmixer - ok
18:20:55.0265 1736 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
18:20:55.0359 1736 KSecDD - ok
18:20:55.0453 1736 LanmanServer (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
18:20:55.0500 1736 LanmanServer - ok
18:20:55.0578 1736 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
18:20:55.0609 1736 lanmanworkstation - ok
18:20:55.0671 1736 lbrtfdc - ok
18:20:55.0812 1736 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
18:20:55.0984 1736 LmHosts - ok
18:20:56.0062 1736 LMS (c518d248041c259fcfa7175c866915c3) C:\Program Files\Intel\AMT\LMS.exe
18:20:56.0062 1736 LMS - ok
18:20:56.0156 1736 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
18:20:56.0343 1736 Messenger - ok
18:20:56.0406 1736 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
18:20:56.0546 1736 mnmdd - ok
18:20:56.0625 1736 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
18:20:56.0765 1736 mnmsrvc - ok
18:20:56.0843 1736 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
18:20:56.0953 1736 Modem - ok
18:20:57.0046 1736 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
18:20:57.0187 1736 Mouclass - ok
18:20:57.0234 1736 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
18:20:57.0390 1736 mouhid - ok
18:20:57.0468 1736 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
18:20:57.0593 1736 MountMgr - ok
18:20:57.0640 1736 mraid35x - ok
18:20:57.0687 1736 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
18:20:57.0890 1736 MRxDAV - ok
18:20:57.0984 1736 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
18:20:58.0062 1736 MRxSmb - ok
18:20:58.0156 1736 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
18:20:58.0296 1736 MSDTC - ok
18:20:58.0375 1736 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
18:20:58.0515 1736 Msfs - ok
18:20:58.0687 1736 MSIServer - ok
18:20:58.0750 1736 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
18:20:58.0921 1736 MSKSSRV - ok
18:20:58.0984 1736 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
18:20:59.0109 1736 MSPCLOCK - ok
18:20:59.0125 1736 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
18:20:59.0281 1736 MSPQM - ok
18:20:59.0328 1736 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
18:20:59.0453 1736 mssmbios - ok
18:20:59.0531 1736 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
18:20:59.0562 1736 Mup - ok
18:20:59.0625 1736 NAL (d465a12f4cf1ef2c9ae0f279c5b3ea3d) C:\WINDOWS\system32\Drivers\iqvw32.sys
18:20:59.0640 1736 NAL - ok
18:20:59.0703 1736 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
18:20:59.0843 1736 napagent - ok
18:20:59.0875 1736 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
18:21:00.0015 1736 NDIS - ok
18:21:00.0046 1736 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
18:21:00.0109 1736 NdisTapi - ok
18:21:00.0156 1736 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
18:21:00.0312 1736 Ndisuio - ok
18:21:00.0359 1736 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
18:21:00.0515 1736 NdisWan - ok
18:21:00.0578 1736 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
18:21:00.0625 1736 NDProxy - ok
18:21:00.0765 1736 Nero BackItUp Scheduler 3 (40d7d0a208ee863bca8d89e299216f15) C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
18:21:00.0796 1736 Nero BackItUp Scheduler 3 - ok
18:21:00.0890 1736 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
18:21:01.0046 1736 NetBIOS - ok
18:21:01.0125 1736 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
18:21:01.0296 1736 NetBT - ok
18:21:01.0359 1736 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
18:21:01.0484 1736 NetDDE - ok
18:21:01.0484 1736 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
18:21:01.0609 1736 NetDDEdsdm - ok
18:21:01.0656 1736 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:21:01.0781 1736 Netlogon - ok
18:21:01.0859 1736 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
18:21:01.0984 1736 Netman - ok
18:21:02.0093 1736 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
18:21:02.0109 1736 NetTcpPortSharing - ok
18:21:02.0156 1736 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
18:21:02.0187 1736 Nla - ok
18:21:02.0234 1736 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
18:21:02.0359 1736 Npfs - ok
18:21:02.0406 1736 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
18:21:02.0562 1736 Ntfs - ok
18:21:02.0609 1736 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:21:02.0734 1736 NtLmSsp - ok
18:21:02.0781 1736 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
18:21:02.0906 1736 NtmsSvc - ok
18:21:02.0953 1736 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
18:21:03.0078 1736 Null - ok
18:21:03.0125 1736 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
18:21:03.0265 1736 NwlnkFlt - ok
18:21:03.0343 1736 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
18:21:03.0500 1736 NwlnkFwd - ok
18:21:03.0562 1736 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
18:21:03.0578 1736 ose - ok
18:21:03.0656 1736 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
18:21:03.0812 1736 Parport - ok
18:21:03.0890 1736 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
18:21:04.0000 1736 PartMgr - ok
18:21:04.0078 1736 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
18:21:04.0218 1736 ParVdm - ok
18:21:04.0296 1736 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
18:21:04.0453 1736 PCI - ok
18:21:04.0500 1736 PCIDump - ok
18:21:04.0578 1736 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
18:21:04.0718 1736 PCIIde - ok
18:21:04.0750 1736 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
18:21:04.0875 1736 Pcmcia - ok
18:21:04.0921 1736 PDCOMP - ok
18:21:04.0953 1736 PDFRAME - ok
18:21:04.0953 1736 PDRELI - ok
18:21:04.0984 1736 PDRFRAME - ok
18:21:05.0062 1736 pelmouse (e541a80cdffd6077c761b4578efc0450) C:\WINDOWS\system32\DRIVERS\pelmouse.sys
18:21:05.0171 1736 pelmouse - ok
18:21:05.0218 1736 pelusblf (6432858a4493e906a7d61b9b17a0672a) C:\WINDOWS\system32\DRIVERS\pelusblf.sys
18:21:05.0250 1736 pelusblf - ok
18:21:05.0265 1736 perc2 - ok
18:21:05.0281 1736 perc2hib - ok
18:21:05.0343 1736 PLFlash DeviceIoControl Service (875e4e0661f3a5994df9e5e3a0a4f96b) C:\WINDOWS\system32\IoctlSvc.exe
18:21:05.0359 1736 PLFlash DeviceIoControl Service ( UnsignedFile.Multi.Generic ) - warning
18:21:05.0359 1736 PLFlash DeviceIoControl Service - detected UnsignedFile.Multi.Generic (1)
18:21:05.0421 1736 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
18:21:05.0453 1736 PlugPlay - ok
18:21:05.0500 1736 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:21:05.0625 1736 PolicyAgent - ok
18:21:05.0656 1736 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
18:21:05.0796 1736 PptpMiniport - ok
18:21:05.0843 1736 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:21:05.0953 1736 ProtectedStorage - ok
18:21:05.0984 1736 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
18:21:06.0156 1736 PSched - ok
18:21:06.0250 1736 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
18:21:06.0406 1736 Ptilink - ok
18:21:06.0453 1736 ql1080 - ok
18:21:06.0468 1736 Ql10wnt - ok
18:21:06.0484 1736 ql12160 - ok
18:21:06.0515 1736 ql1240 - ok
18:21:06.0593 1736 ql1280 - ok
18:21:06.0671 1736 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
18:21:06.0796 1736 RasAcd - ok
18:21:06.0875 1736 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
18:21:07.0015 1736 RasAuto - ok
18:21:07.0093 1736 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:21:07.0250 1736 Rasl2tp - ok
18:21:07.0328 1736 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
18:21:07.0453 1736 RasMan - ok
18:21:07.0546 1736 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:21:07.0734 1736 RasPppoe - ok
18:21:07.0796 1736 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
18:21:07.0953 1736 Raspti - ok
18:21:08.0046 1736 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
18:21:08.0265 1736 Rdbss - ok
18:21:08.0437 1736 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:21:08.0593 1736 RDPCDD - ok
18:21:08.0687 1736 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
18:21:08.0859 1736 rdpdr - ok
18:21:08.0953 1736 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
18:21:09.0015 1736 RDPWD - ok
18:21:09.0078 1736 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
18:21:09.0218 1736 RDSessMgr - ok
18:21:09.0250 1736 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
18:21:09.0390 1736 redbook - ok
18:21:09.0593 1736 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
18:21:09.0750 1736 RemoteAccess - ok
18:21:09.0937 1736 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
18:21:10.0062 1736 RemoteRegistry - ok
18:21:10.0140 1736 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
18:21:10.0281 1736 RpcLocator - ok
18:21:10.0375 1736 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
18:21:10.0421 1736 RpcSs - ok
18:21:10.0468 1736 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
18:21:10.0593 1736 RSVP - ok
18:21:10.0609 1736 rvscc - ok
18:21:10.0640 1736 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:21:10.0750 1736 SamSs - ok
18:21:10.0796 1736 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
18:21:10.0968 1736 SCardSvr - ok
18:21:11.0031 1736 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
18:21:11.0156 1736 Schedule - ok
18:21:11.0203 1736 SE27mgmt - ok
18:21:11.0250 1736 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
18:21:11.0328 1736 Secdrv - ok
18:21:11.0406 1736 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
18:21:11.0546 1736 seclogon - ok
18:21:11.0609 1736 SenFiltService - ok
18:21:11.0703 1736 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
18:21:11.0828 1736 SENS - ok
18:21:11.0875 1736 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
18:21:12.0015 1736 serenum - ok
18:21:12.0078 1736 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
18:21:12.0234 1736 Serial - ok
18:21:12.0328 1736 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
18:21:12.0453 1736 Sfloppy - ok
18:21:12.0515 1736 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
18:21:12.0796 1736 SharedAccess - ok
18:21:12.0875 1736 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:21:12.0937 1736 ShellHWDetection - ok
18:21:12.0984 1736 Simbad - ok
18:21:13.0046 1736 Sparrow - ok
18:21:13.0125 1736 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
18:21:13.0296 1736 splitter - ok
18:21:13.0375 1736 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
18:21:13.0406 1736 Spooler - ok
18:21:13.0453 1736 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
18:21:13.0531 1736 sr - ok
18:21:13.0578 1736 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
18:21:13.0640 1736 srservice - ok
18:21:13.0656 1736 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
18:21:13.0718 1736 Srv - ok
18:21:13.0750 1736 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
18:21:13.0796 1736 SSDPSRV - ok
18:21:13.0875 1736 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
18:21:14.0015 1736 stisvc - ok
18:21:14.0109 1736 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
18:21:14.0281 1736 swenum - ok
18:21:14.0343 1736 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
18:21:14.0515 1736 swmidi - ok
18:21:14.0515 1736 SwPrv - ok
18:21:14.0531 1736 symc810 - ok
18:21:14.0531 1736 symc8xx - ok
18:21:14.0546 1736 sym_hi - ok
18:21:14.0562 1736 sym_u3 - ok
18:21:14.0609 1736 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
18:21:14.0734 1736 sysaudio - ok
18:21:14.0765 1736 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
18:21:14.0906 1736 SysmonLog - ok
18:21:14.0937 1736 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
18:21:15.0062 1736 TapiSrv - ok
18:21:15.0125 1736 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
18:21:15.0156 1736 Tcpip - ok
18:21:15.0234 1736 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
18:21:15.0343 1736 TDPIPE - ok
18:21:15.0406 1736 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
18:21:15.0531 1736 TDTCP - ok
18:21:15.0562 1736 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
18:21:15.0734 1736 TermDD - ok
18:21:15.0765 1736 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
18:21:15.0890 1736 TermService - ok
18:21:15.0953 1736 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:21:15.0968 1736 Themes - ok
18:21:16.0000 1736 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
18:21:16.0093 1736 TlntSvr - ok
18:21:16.0140 1736 TosIde - ok
18:21:16.0187 1736 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
18:21:16.0328 1736 TrkWks - ok
18:21:16.0390 1736 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
18:21:16.0531 1736 Udfs - ok
18:21:16.0546 1736 ultra - ok
18:21:16.0687 1736 UNS (0558985bd646203df5f36bf0fbd241a3) C:\Program Files\Intel\AMT\UNS.exe
18:21:16.0875 1736 UNS - ok
18:21:16.0953 1736 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
18:21:17.0171 1736 Update - ok
18:21:17.0234 1736 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
18:21:17.0312 1736 upnphost - ok
18:21:17.0359 1736 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
18:21:17.0500 1736 UPS - ok
18:21:17.0578 1736 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
18:21:17.0718 1736 usbccgp - ok
18:21:17.0765 1736 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
18:21:17.0906 1736 usbehci - ok
18:21:17.0937 1736 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
18:21:18.0078 1736 usbhub - ok
18:21:18.0203 1736 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
18:21:18.0343 1736 usbprint - ok
18:21:18.0421 1736 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
18:21:18.0562 1736 usbscan - ok
18:21:18.0640 1736 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:21:18.0781 1736 USBSTOR - ok
18:21:18.0828 1736 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
18:21:18.0984 1736 usbuhci - ok
18:21:19.0062 1736 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
18:21:19.0156 1736 VgaSave - ok
18:21:19.0203 1736 ViaIde - ok
18:21:19.0234 1736 viairda - ok
18:21:19.0296 1736 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
18:21:19.0421 1736 VolSnap - ok
18:21:19.0484 1736 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
18:21:19.0562 1736 VSS - ok
18:21:19.0609 1736 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
18:21:19.0734 1736 W32Time - ok
18:21:19.0781 1736 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
18:21:19.0937 1736 Wanarp - ok
18:21:19.0953 1736 WDICA - ok
18:21:20.0000 1736 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
18:21:20.0156 1736 wdmaud - ok
18:21:20.0234 1736 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
18:21:20.0359 1736 WebClient - ok
18:21:20.0484 1736 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
18:21:20.0593 1736 winmgmt - ok
18:21:20.0671 1736 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
18:21:20.0750 1736 WmdmPmSN - ok
18:21:20.0859 1736 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
18:21:20.0921 1736 Wmi - ok
18:21:21.0000 1736 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
18:21:21.0125 1736 WmiApSrv - ok
18:21:21.0265 1736 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
18:21:21.0328 1736 WMPNetworkSvc - ok
18:21:21.0406 1736 WSearch - ok
18:21:21.0484 1736 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
18:21:21.0609 1736 wuauserv - ok
18:21:21.0687 1736 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
18:21:21.0781 1736 WudfPf - ok
18:21:21.0796 1736 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
18:21:21.0828 1736 WudfSvc - ok
18:21:21.0906 1736 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
18:21:22.0078 1736 WZCSVC - ok
18:21:22.0125 1736 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
18:21:22.0281 1736 xmlprov - ok
18:21:22.0296 1736 zpjava - ok
18:21:22.0312 1736 MBR (0x1B8) (faee7e40dfb0440ad2cfc39befa1f4c2) \Device\Harddisk0\DR0
18:21:22.0343 1736 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
18:21:22.0343 1736 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
18:21:22.0375 1736 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
18:21:22.0375 1736 \Device\Harddisk0\DR0 - detected TDSS File System (1)
18:21:22.0375 1736 Boot (0x1200) (1cfb7c7b52ae8f5309c197adf21bd40f) \Device\Harddisk0\DR0\Partition0
18:21:22.0375 1736 \Device\Harddisk0\DR0\Partition0 - ok
18:21:22.0390 1736 ============================================================
18:21:22.0390 1736 Scan finished
18:21:22.0390 1736 ============================================================
18:21:22.0515 3864 Detected object count: 4
18:21:22.0515 3864 Actual detected object count: 4
18:23:00.0531 3864 IDriverT ( UnsignedFile.Multi.Generic ) - skipped by user
18:23:00.0531 3864 IDriverT ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:23:00.0531 3864 PLFlash DeviceIoControl Service ( UnsignedFile.Multi.Generic ) - skipped by user
18:23:00.0531 3864 PLFlash DeviceIoControl Service ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:23:01.0281 3864 \Device\Harddisk0\DR0\# - copied to quarantine
18:23:01.0296 3864 \Device\Harddisk0\DR0 - copied to quarantine
18:23:01.0343 3864 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
18:23:01.0375 3864 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
18:23:02.0859 3864 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
18:23:03.0359 3864 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
18:23:03.0781 3864 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
18:23:04.0218 3864 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
18:23:04.0625 3864 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
18:23:05.0031 3864 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
18:23:05.0031 3864 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
18:23:05.0031 3864 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
18:23:05.0046 3864 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
18:23:05.0421 3864 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
18:23:05.0828 3864 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
18:23:05.0828 3864 \Device\Harddisk0\DR0 - ok
18:23:05.0828 3864 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
18:23:05.0828 3864 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
18:23:05.0828 3864 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
18:23:56.0140 2776 Deinitialize success
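Added example, not part of the posted log and not TDSSKiller's own code: a small Python triage script that folds the two phases of a TDSSKiller log, the scan-time verdict lines and the later "User select action" lines, into one record per object, and then lists raw-disk detections that were not set to Cure. The input is a constructed excerpt of the lines above with the per-driver "- ok" lines dropped. Run against that excerpt it reports that the Rootkit.Boot.Pihar.b verdict on \Device\Harddisk0\DR0 is set to Cure pending reboot, that the "TDSS File System" verdict on the same disk was skipped, and that three files from the hidden TDLFS volume were copied to quarantine.

```python
import re

# Constructed excerpt of the TDSSKiller log posted above: the lines are
# copied from it, the hundreds of per-driver "- ok" lines are left out.
TDSSKILLER_EXCERPT = r"""
18:21:22.0312 1736 MBR (0x1B8) (faee7e40dfb0440ad2cfc39befa1f4c2) \Device\Harddisk0\DR0
18:21:22.0343 1736 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
18:21:22.0375 1736 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
18:21:22.0375 1736 \Device\Harddisk0\DR0\Partition0 - ok
18:23:00.0531 3864 IDriverT ( UnsignedFile.Multi.Generic ) - skipped by user
18:23:00.0531 3864 IDriverT ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:23:01.0281 3864 \Device\Harddisk0\DR0\# - copied to quarantine
18:23:01.0296 3864 \Device\Harddisk0\DR0 - copied to quarantine
18:23:01.0343 3864 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
18:23:01.0375 3864 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
18:23:03.0359 3864 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
18:23:05.0828 3864 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
18:23:05.0828 3864 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
18:23:05.0828 3864 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
18:23:05.0828 3864 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
"""

# Every line is "<time> <thread id> <rest>"; everything we care about is in <rest>.
PREFIX_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(?P<rest>.*)$")
VERDICT_RE = re.compile(r"^(?P<obj>.+?) \( (?P<verdict>[^)]+?) \) - (?P<tail>.+)$")
QUAR_RE = re.compile(r"^(?P<obj>\S+) - copied to quarantine$")
MBR_RE = re.compile(r"^MBR \((?P<span>0x[0-9A-Fa-f]+)\) \((?P<md5>[0-9a-f]{32})\) (?P<dev>\S+)$")

# States TDSSKiller prints the first time it reports an object.
DETECTION_STATES = {"infected", "warning", "suspicious"}


def parse_tdsskiller(text):
    """Fold scan-phase verdicts and action-phase lines into one record
    per (object, verdict); also collect quarantine copies and MBR hashes."""
    findings, quarantined, mbr_hashes = {}, [], []
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if (q := QUAR_RE.match(rest)):
            quarantined.append(q.group("obj"))
            continue
        if (h := MBR_RE.match(rest)):
            mbr_hashes.append((h.group("dev"), h.group("span"), h.group("md5")))
            continue
        v = VERDICT_RE.match(rest)
        if not v:
            continue
        rec = findings.setdefault(
            (v.group("obj"), v.group("verdict")),
            {"state": None, "action": None, "reboot": False},
        )
        tail = v.group("tail")
        if tail in DETECTION_STATES:
            rec["state"] = tail
        elif tail.startswith("User select action: "):
            rec["action"] = tail.split(": ", 1)[1]
        elif tail == "will be cured on reboot":
            rec["reboot"] = True
    return {"findings": findings, "quarantined": quarantined, "mbr": mbr_hashes}


def is_boot_object(obj):
    """Raw disk objects (\\Device\\HarddiskN\\DRn) carry the MBR and hidden-FS verdicts."""
    return obj.startswith(r"\Device\Harddisk")


def unresolved_boot_findings(report):
    """Raw-disk detections the operator did not set to Cure."""
    return [
        key for key, rec in report["findings"].items()
        if is_boot_object(key[0]) and rec["state"] in DETECTION_STATES
        and rec["action"] != "Cure"
    ]


if __name__ == "__main__":
    report = parse_tdsskiller(TDSSKILLER_EXCERPT)
    for dev, span, md5 in report["mbr"]:
        print(f"MBR hash {md5} over {span} bytes of {dev}")
    for (obj, verdict), rec in report["findings"].items():
        flag = " (pending reboot)" if rec["reboot"] else ""
        print(f"{obj}: {verdict} -> {rec['state']} / action {rec['action']}{flag}")
    tdlfs = [q for q in report["quarantined"] if "\\TDLFS\\" in q]
    print(f"{len(report['quarantined'])} object(s) quarantined, {len(tdlfs)} from the hidden TDLFS volume")
    for obj, verdict in unresolved_boot_findings(report):
        print(f"NOT CURED: {verdict} on {obj}")
```

The MBR line is worth keeping from one run to the next: it records an MD5 over the first 0x1B8 bytes of the disk (reading that field as the length of boot code hashed, before the disk signature, is an assumption here), so a second TDSSKiller run after the reboot should show a different hash if the cure actually rewrote the MBR.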
#8 malmbor (Member, Topic Starter, 72 posts)

OTL Fix log:

========== OTL ==========
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.39.2 log created on 03282012_203057

#9 malmbor (Member, Topic Starter, 72 posts)

ComboFix log:

ComboFix 12-03-28.02 - Administrator 03/28/2012 20:46:14.1.2 - x86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\NetworkService\Application Data\Microsoft\Microsoft
c:\windows\$NtUninstallKB26824$
c:\windows\$NtUninstallKB26824$\147283983\@
c:\windows\$NtUninstallKB26824$\147283983\cfg.ini
c:\windows\$NtUninstallKB26824$\147283983\Desktop.ini
c:\windows\$NtUninstallKB26824$\147283983\L\aaekazwk
c:\windows\$NtUninstallKB26824$\147283983\oemid
c:\windows\$NtUninstallKB26824$\147283983\U\00000001.@
c:\windows\$NtUninstallKB26824$\147283983\U\00000002.@
c:\windows\$NtUninstallKB26824$\147283983\U\00000004.@
c:\windows\$NtUninstallKB26824$\147283983\U\80000000.@
c:\windows\$NtUninstallKB26824$\147283983\U\80000004.@
c:\windows\$NtUninstallKB26824$\147283983\U\80000032.@
c:\windows\$NtUninstallKB26824$\147283983\version
c:\windows\$NtUninstallKB26824$\1936226844
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\drivers\SirefefRemover.sys
c:\windows\system32\spool\prtprocs\w32x86\pcldll6l.dll
c:\windows\system32\spool\prtprocs\w32x86\zpp.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-29 )))))))))))))))))))))))))))))))
.
.
2012-03-29 00:30 . 2012-03-29 00:30 -------- d-----w- C:\_OTL
2012-03-27 22:54 . 2012-03-27 22:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\WinZip
2012-03-27 22:53 . 2012-03-27 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2012-03-27 22:23 . 2012-03-27 22:23 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-23 05:32 . 2012-03-23 05:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2012-03-23 03:43 . 2012-03-23 05:48 -------- d-----w- c:\program files\ESET
2012-03-23 03:43 . 2012-03-23 03:43 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2012-03-23 01:08 . 2012-03-23 01:08 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-23 01:08 . 2012-03-23 01:08 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-23 01:01 . 2012-03-23 01:05 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
2012-03-23 00:39 . 2012-03-23 02:05 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\LogMeIn Rescue Applet
2012-03-23 00:27 . 2012-03-23 00:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Tific
2012-03-22 02:16 . 2012-03-22 02:17 -------- d-----w- c:\windows\Temp8610514F-18B1-03A5-16C7-FED07C0DD337-Signatures
2012-03-20 04:42 . 2012-03-20 04:42 -------- d-----w- c:\program files\Conduit
2012-03-20 04:42 . 2012-03-22 05:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Somoto
2012-03-20 04:42 . 2012-03-22 05:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Conduit
2012-03-20 04:03 . 2012-03-20 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-20 01:13 . 2012-03-20 01:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2012-03-17 03:43 . 2012-03-17 03:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-27 04:58 . 2012-03-27 04:58 162816 ----a-w- c:\windows\system32\drivers\netbt.sys.org
2012-03-22 01:35 . 2011-06-10 00:08 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2008-04-13 23:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2010-11-30 19:16 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-11 19:06 . 2012-02-17 02:00 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2010-03-01 22:03 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-01-02 18:22 . 2012-01-02 18:22 57344 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
2012-03-23 01:08 . 2012-02-27 22:59 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-21 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-06-12 408344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-04-02 128232]
"hp 1000 firmware"="c:\program files\hp LaserJet 1000\fwdl.exe" [2001-12-15 36864]
"Nikon Message Center 2"="c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-26 619008]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-09-22 3080264]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-12-23 611144]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\GrabSample.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [8/4/2011 9:20 AM 118104]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/4/2011 9:20 AM 103112]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/22/2011 12:03 PM 974944]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [3/2/2010 9:57 AM 2521880]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/21/2011 10:22 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/21/2011 10:22 AM 136176]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
btwhid
dcpflics
ativraxx
rvscc
SE27mgmt
viairda
ATWPKT2
zpjava
athr
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-21 14:22]
.
2012-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-21 14:22]
.
2012-03-29 c:\windows\Tasks\User_Feed_Synchronization-{D855DFAE-6614-4717-84E5-05867E2AD715}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jmokftwi.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-28 20:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-665178515-2749075302-3743144992-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
@SACL=
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,61,8e,58,00,09,62,43,bc,e1,8c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e7,71,61,b9,8b,7f,25,4b,95,eb,0d,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1648)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\ICO.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\zstatus.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-03-28 20:57:13 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-29 00:57
.
Pre-Run: 58,067,873,792 bytes free
Post-Run: 58,034,397,184 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 9870A6BFA80F567FEFB3034D112B53C0

Edited by malmbor, 28 March 2012 - 09:57 PM.


#10 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Hi malmbor,

How is your system now? Problems?

Step 1

We need to run the OTL fix again. Something went wrong the first time.

NOTE: This fix is custom-made for this system only and for its current state! Don't try to run it on another system!

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL

    :Files
    C:\Documents and Settings\Administrator\Local Settings\Temp\_av4_\data\aswar0.dll
    C:\Documents and Settings\Administrator\Local Settings\Temp\_av4_\data\updldr0.bin
    C:\Documents and Settings\Administrator\My Documents\Downloads\EOlmarikTdl4Cleaner(1).exe
    C:\Documents and Settings\Administrator\My Documents\Downloads\EOlmarikTdl4Cleaner(2).exe
    C:\Documents and Settings\Administrator\My Documents\Downloads\EOlmarikTdl4Cleaner(3).exe
    C:\Documents and Settings\Administrator\My Documents\Downloads\EOlmarikTdl4Cleaner(4).exe

    :Commands
    [purity]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles

Step 2

Please run GMER scan one more time and post new log here for me.

Step 3

Please don't forget to include these items in your reply:

  • OTL fix log
  • New GMER log
It would be helpful if you could post each log in a separate post.

#11 malmbor (Member, Topic Starter, 72 posts)

Yesterday I was still having some Google redirect issues, but less often. Today after running the OTL fix again, I am not experiencing those problems. Also, the svchost.exe memory problem seems to be resolved. Below is the OTL fix log. I will run GMER and post the log in a separate response. Thanks for your help.


========== OTL ==========
========== FILES ==========
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\_av4_\data\aswar0.dll not found.
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\_av4_\data\updldr0.bin not found.
C:\Documents and Settings\Administrator\My Documents\Downloads\EOlmarikTdl4Cleaner(1).exe moved successfully.
C:\Documents and Settings\Administrator\My Documents\Downloads\EOlmarikTdl4Cleaner(2).exe moved successfully.
C:\Documents and Settings\Administrator\My Documents\Downloads\EOlmarikTdl4Cleaner(3).exe moved successfully.
File\Folder C:\Documents and Settings\Administrator\My Documents\Downloads\EOlmarikTdl4Cleaner(4).exe not found.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.39.2 log created on 03292012_171404

#12 malmbor (Member, Topic Starter, 72 posts)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-29 20:32:12
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST380815 rev.3.AD
Running: bhbbpisw.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xA26F84B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwCreateThread [0xA26F87F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xA26F8AB0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xA26F85D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwLoadDriver [0xA26F88B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xA26F8350]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xA26F8410]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xA26F8570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xA26F8630]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xA26F8530]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xA26F84F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xA26F8670]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSystemInformation [0xA26F8870]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xA26F83B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xA26F8430]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSystemDebugControl [0xA26F8830]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xA26F8370]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xA26F8470]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xA26F85F0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CC4 12 Bytes [B0, 83, 6F, A2, 30, 84, 6F, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1304] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\system32\SearchIndexer.exe[1936] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

---- EOF - GMER 1.0.15 ----
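Added example, not from the posted log and not GMER's own code: a Python script that reads the "System" and "Kernel code sections" lines of a GMER log, groups the SSDT hooks by the module that owns them, flags any hook GMER could not attribute to a trusted vendor, and decodes the bytes reported for an inline code modification as little-endian 32-bit pointers, resolving each against the hook table. The input is a constructed excerpt: the ehdrv.sys and .text lines are copied from the log above, while the line for example_unattributed.sys is hypothetical and is there only to show how an unattributed hook is reported. Applied to the excerpt, the first complete dword of the ZwYieldExecution + 46A modification, B0 83 6F A2, reads as 0xA26F83B0, which is exactly the ehdrv.sys hook address GMER lists for ZwSuspendProcess; the remaining three bytes stay unresolved because GMER truncated the byte list with "...".

```python
import re
import struct
from collections import Counter

# Constructed excerpt in the format of the GMER log posted above. The
# ehdrv.sys and .text lines are copied from that log; the
# "example_unattributed.sys" line is hypothetical, added here only to
# show how a hook with no vendor description gets flagged.
GMER_EXCERPT = r"""
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xA26F8350]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xA26F83B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xA26F8430]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xA26F8370]
SSDT \??\C:\WINDOWS\system32\drivers\example_unattributed.sys ZwQuerySystemInformation [0xA27F0000]
.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CC4 12 Bytes [B0, 83, 6F, A2, 30, 84, 6F, ...]
"""

# Vendors whose kernel hooks are expected on this machine (ESET NOD32 is
# the resident AV in the ComboFix header above); anything else is flagged.
TRUSTED_VENDORS = {"ESET"}

SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]\s*$"
)
TEXT_RE = re.compile(
    r"^\.text\s+(?P<sym>.+?)\s+(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<n>\d+) Bytes \[(?P<bytes>[^\]]*)\]"
)


def parse_ssdt_hooks(text):
    """One dict per SSDT line: module, vendor (None when GMER printed no
    description), hooked service and hook address."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if not m:
            continue
        desc = m.group("desc")
        vendor = desc.rsplit("/", 1)[-1].strip() if desc else None
        hooks.append({
            "module": m.group("module"),
            "vendor": vendor,
            "func": m.group("func"),
            "addr": int(m.group("addr"), 16),
        })
    return hooks


def parse_text_patches(text):
    """Inline code modifications GMER reported, with the byte list decoded;
    a trailing '...' is recorded as a truncation, never filled in."""
    patches = []
    for line in text.splitlines():
        m = TEXT_RE.match(line)
        if not m:
            continue
        tokens = [t.strip() for t in m.group("bytes").split(",")]
        patches.append({
            "symbol": m.group("sym"),
            "addr": int(m.group("addr"), 16),
            "claimed_len": int(m.group("n")),
            "data": bytes(int(t, 16) for t in tokens if t != "..."),
            "truncated": "..." in tokens,
        })
    return patches


def triage(text, trusted=TRUSTED_VENDORS):
    """Group hooks by module, flag hooks without a trusted vendor, and read
    each complete patched dword as a pointer, resolving it to a known hook."""
    hooks = parse_ssdt_hooks(text)
    by_addr = {h["addr"]: h for h in hooks}
    patches = []
    for p in parse_text_patches(text):
        data, pointers = p["data"], []
        for i in range(0, len(data) - 3, 4):          # complete dwords only
            (val,) = struct.unpack("<I", data[i:i + 4])
            hit = by_addr.get(val)
            pointers.append((val, hit["func"] if hit else None))
        patches.append({
            "symbol": p["symbol"],
            "pointers": pointers,
            "leftover_bytes": len(data) % 4,
            "truncated": p["truncated"],
        })
    return {
        "hooks_by_module": Counter(h["module"] for h in hooks),
        "unattributed": [h for h in hooks if h["vendor"] not in trusted],
        "patches": patches,
    }


if __name__ == "__main__":
    result = triage(GMER_EXCERPT)
    for mod, n in result["hooks_by_module"].items():
        print(f"{n:2d} hook(s) from {mod}")
    for h in result["unattributed"]:
        print(f"FLAG: {h['func']} hooked by {h['module']} (no trusted vendor)")
    for p in result["patches"]:
        for val, func in p["pointers"]:
            print(f"{p['symbol']}: dword 0x{val:08X} -> {func or 'unknown'}")
        if p["truncated"]:
            print(f"{p['symbol']}: {p['leftover_bytes']} byte(s) left unresolved (list truncated by GMER)")
```

This cross-check is how a helper decides that an SSDT or code-section entry belongs to the installed AV rather than to a rootkit: every hook and every patched pointer resolves into the same vendor-described driver. A hook whose module carries no vendor description, or a patched pointer that lands on no listed hook, is what would justify a closer look.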
#13 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Hi malmbor,

Nice to hear that. Let's remove leftovers.

Download Virus Removal Tool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan

Click the cog in the upper right

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

Allow Virus Removal Tool to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press the Save button
Save it to your desktop and attach to your next post

#14 malmbor (Member, Topic Starter, 72 posts)

Here is the Kaspersky log. I am still having some Google redirect issues to sites such as happili.com.

Attached file: KVRT.log (342 bytes)

Edited by malmbor, 02 April 2012 - 07:15 PM.


#15 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Do you have these redirects only in Firefox, or do you also have them in Internet Explorer?

Let's see where we stand:

  • Run OTL.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a Notepad window, OTL.Txt. It is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file, and post it with your next reply.
