Rootkit.Boot.Pihar.C


7 replies to this topic

#1 babyheyzeus

Posted 20 July 2012 - 02:26 PM

History
Recently, at the company I work for, there was a computer running Windows 7 Pro 32 that was having constant blue screens every 10 minutes. After analyzing the dump files for the blue screen I had a suspicion that it was a rootkit. So I ran TDSSKiller and detected Rootkit.Boot.Pihar.C, and was able to remove it with a combination of TDSSKiller, ComboFix, and TFC. So, trying to understand where it came from, I ran TDSSKiller with "Detect TDLFS file system" selected on 15 other computers.

Problem
Of the 15 computers, 3 (Windows XP, various Dell models) that I checked with TDSSKiller (I have done nothing else) have detected "\Device\Harddisk0\DR0 ( TDSS File System )". The last computer I detected this on was a computer that was completely reformatted a year ago by an outside technician and hasn't been turned on until today. All of these computers were worked on by the same guy, and I don't believe he's worked on any other ones. To try and make sure I wasn't the one to actually infect the computer, I scanned my USB drive with ESET and Malwarebytes (both clean).

Question(s)
Is this an actual infection or a false positive? If it's an actual infection, how do I properly remove it, and how do I verify that it wasn't my USB that caused this?

TDSSKiller log from the last computer (Windows XP)

13:57:41.0209 2592 TDSS rootkit removing tool 2.7.46.0 Jul 16 2012 22:10:11
13:57:42.0084 2592 ============================================================
13:57:42.0084 2592 Current date / time: 2012/07/20 13:57:42.0084
13:57:42.0084 2592 SystemInfo:
13:57:42.0084 2592
13:57:42.0084 2592 OS Version: 5.1.2600 ServicePack: 3.0
13:57:42.0084 2592 Product type: Workstation
13:57:42.0084 2592 ComputerName: USER-432584067C
13:57:42.0084 2592 UserName: Administrator
13:57:42.0084 2592 Windows directory: C:\WINDOWS
13:57:42.0084 2592 System windows directory: C:\WINDOWS
13:57:42.0084 2592 Processor architecture: Intel x86
13:57:42.0084 2592 Number of processors: 2
13:57:42.0084 2592 Page size: 0x1000
13:57:42.0084 2592 Boot type: Normal boot
13:57:42.0084 2592 ============================================================
13:57:45.0381 2592 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
13:57:45.0475 2592 Drive \Device\Harddisk1\DR2 - Size: 0x3BA300000 (14.91 Gb), SectorSize: 0x200, Cylinders: 0x79A, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
13:57:45.0475 2592 ============================================================
13:57:45.0475 2592 \Device\Harddisk0\DR0:
13:57:45.0490 2592 MBR partitions:
13:57:45.0490 2592 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x94FE97E
13:57:45.0490 2592 \Device\Harddisk1\DR2:
13:57:45.0490 2592 MBR partitions:
13:57:45.0490 2592 \Device\Harddisk1\DR2\Partition0: MBR, Type 0x7, StartLBA 0x20, BlocksNum 0x1DD17E0
13:57:45.0490 2592 ============================================================
13:57:45.0569 2592 C: <-> \Device\Harddisk0\DR0\Partition0
13:57:45.0569 2592 ============================================================
13:57:45.0569 2592 Initialize success
13:57:45.0569 2592 ============================================================
14:04:04.0772 3400 ============================================================
14:04:04.0772 3400 Scan started
14:04:04.0772 3400 Mode: Manual; TDLFS;
14:04:04.0772 3400 ============================================================
14:04:16.0037 3400 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
14:04:16.0506 3400 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
14:04:16.0506 3400 \Device\Harddisk0\DR0 - detected TDSS File System (1)
14:04:16.0522 3400 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR2
14:04:16.0678 3400 \Device\Harddisk1\DR2 - ok
14:04:16.0694 3400 Boot (0x1200) (ce2d1d8751c662de10c2bca55e8c52f9) \Device\Harddisk0\DR0\Partition0
14:04:16.0709 3400 \Device\Harddisk0\DR0\Partition0 - ok
14:04:16.0709 3400 Boot (0x1200) (314adf32c632a26d2d70fd14c7f4b084) \Device\Harddisk1\DR2\Partition0
14:04:16.0709 3400 \Device\Harddisk1\DR2\Partition0 - ok
14:04:16.0709 3400 ============================================================
14:04:16.0709 3400 Scan finished
14:04:16.0709 3400 ============================================================
14:04:16.0725 3320 Detected object count: 1
14:04:16.0725 3320 Actual detected object count: 1

#2 boopme (Global Moderator, NJ USA)

Posted 20 July 2012 - 02:52 PM

Welcome babyheyzeus,
Did you let TDSS cure or delete anything? It looks like the bottom of the log is not there.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#3 babyheyzeus (Topic Starter)

Posted 20 July 2012 - 04:46 PM

No, I didn't delete anything, and I'm pretty sure that was the entire log unless the forum cut something off. I can verify later, though, when I get home.

#4 boopme (Global Moderator, NJ USA)

Posted 20 July 2012 - 08:23 PM

OK, usually when it says "detected" it will return something like this after it.
22:26:07.0318 3208 Detected object count: 1
22:26:07.0318 3208 Actual detected object count: 1
22:26:21.0393 3208 \Device\Harddisk1\DR1 ( TDSS File System ) - skipped by user
22:26:21.0393 3208 \Device\Harddisk1\DR1 ( TDSS File System ) - User select action: Skip
22:26:45.0838 2680 Deinitialize success
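As an added example (not code from this thread or from Kaspersky's TDSSKiller), a small Python triage script for the log format quoted above: it pairs each "detected" object with the "User select action" line that should follow it, which is the check boopme describes, and flags a log that was cut off before "Deinitialize success". The sample log is constructed from the lines quoted in this thread; the object-count cross-check is an assumption about how the two count lines should agree.

```python
import re
from collections import OrderedDict

# Constructed sample: the tail of a TDSSKiller log as quoted in this thread
# (scan run with "Detect TDLFS file system" enabled). Each line is
# "<time> <thread-id> <message>".
SAMPLE_LOG = r"""
14:04:16.0037 3400 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
14:04:16.0506 3400 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
14:04:16.0506 3400 \Device\Harddisk0\DR0 - detected TDSS File System (1)
14:04:16.0522 3400 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR2
14:04:16.0678 3400 \Device\Harddisk1\DR2 - ok
14:04:16.0709 3400 Scan finished
14:04:16.0725 3320 Detected object count: 1
14:04:16.0725 3320 Actual detected object count: 1
14:27:59.0709 3320 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
14:27:59.0725 3320 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
14:28:02.0397 0312 Deinitialize success
"""

LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<tid>\d+)\s+(?P<msg>.*)$")
DETECTED_RE = re.compile(r"^(?P<obj>\\Device\\\S+) - detected (?P<what>.+?)(?: \(\d+\))?$")
ACTION_RE = re.compile(r"^(?P<obj>\\Device\\\S+) \( .+? \) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")

def triage(log_text):
    """Parse a TDSSKiller log tail.

    Returns a dict with the detected objects (what was found and which action the
    user chose, None if no action line followed), the count the tool declared,
    and whether the log reached its normal end ("Deinitialize success")."""
    findings, declared, complete = OrderedDict(), None, False
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or non-log text pasted around the log
        msg = m.group("msg")
        if (d := DETECTED_RE.match(msg)):
            findings[d.group("obj")] = {"what": d.group("what"), "action": None}
        elif (a := ACTION_RE.match(msg)) and a.group("obj") in findings:
            findings[a.group("obj")]["action"] = a.group("action")
        elif (c := COUNT_RE.match(msg)):
            declared = int(c.group(1))
        elif msg == "Deinitialize success":
            complete = True
    return {"findings": findings, "declared": declared, "complete": complete}

def unresolved(report):
    """Objects still needing a re-run: detected but neither cured nor deleted."""
    return [obj for obj, f in report["findings"].items()
            if f["action"] not in ("Cure", "Delete")]
```

A log whose detected-object count disagrees with `len(report["findings"])`, or whose `complete` flag is false, is the truncated case discussed in this thread and should be re-pasted in full before deciding what to do.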

#5 babyheyzeus (Topic Starter)

Posted 20 July 2012 - 09:55 PM

Wow, I'm really sorry, I guess I didn't get all of it copied. Here's the rest of the log.

14:04:16.0709 3400 ============================================================
14:04:16.0709 3400 Scan finished
14:04:16.0709 3400 ============================================================
14:04:16.0725 3320 Detected object count: 1
14:04:16.0725 3320 Actual detected object count: 1
14:27:59.0709 3320 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
14:27:59.0725 3320 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
14:28:02.0397 0312 Deinitialize success

#6 boopme (Global Moderator, NJ USA)

Posted 21 July 2012 - 10:16 PM

That's OK. Sorry, had a busy day today and just got in.

Re-run TDSS and change the options for these from Skip to Cure or Delete.
14:27:59.0709 3320 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
14:27:59.0725 3320 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip


Let me know how it is after these...

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


#7 babyheyzeus (Topic Starter)

Posted 22 July 2012 - 12:24 AM

It's all good, you're giving out free advice so I don't think there is any room to complain.

Here's the log from the ESET scan


C:\TDSSKiller_Quarantine\20.07.2012_10.41.14\tdlfs0000\tsk0003.dta Win32/Olmarik.RN trojan cleaned by deleting - quarantined

#8 boopme (Global Moderator, NJ USA)

Posted 23 July 2012 - 01:19 PM

Thanks, looks good to me too.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read: