
AV8 virus infection with damaged MBR


24 replies to this topic

#1 stonemanjr

Posted 25 November 2010 - 01:11 AM

This thing is all f--d up. When AV8 1st appeared I started getting all these virus warnings popping up, then the machine just froze, did reboot, froze again, then went into some type of repair screen for 10 mins, finished, came back up with boot, and trying to open Firefox browser or Explorer and move around at all became very slow, then just stopped. Rebooted into safe where I can operate now. See logs here of GMER, DDS files; I will do HijackThis in a minute. MBR check says there is a prob with the MBR also.

Malwarebytes began running then just stopped. Nothing. Required a reboot. I will try it again in safe mode.

OK... so don't run in SAFE mode again, but do what?

Malwarebytes is running in SAFE right now; leave it and let it finish?

m-bytes appears to be running so far. What do I do with the MBR issue? I really hate this stuff.

See OTL files attached.

See HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:24 AM, on 11/25/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [uPc+kt0NnQaXms] rundll32.exe C:\Windows\system32\ndq7yd.dll, SystemServer
O4 - HKLM\..\Run: [nwxkpvg] c:\programdata\application data\microsoft\ydaldpu0j\ydaldpu0j.exe
O4 - HKLM\..\Run: [Mqva] C:\Windows\win.exe
O4 - HKLM\..\Run: [MqmPsd] C:\Windows\TEMP\taskmgr.exe
O4 - HKLM\..\Run: [Mqvsc] C:\Windows\winlogon.exe
O4 - HKLM\..\Run: [Mqrtc] C:\Windows\hexdump.exe
O4 - HKLM\..\Run: [MqmPsf] C:\Windows\TEMP\lsass.exe
O4 - HKLM\..\Run: [MqmPvc] C:\Windows\TEMP\user.exe
O4 - HKLM\..\Run: [MqmPqe] C:\Windows\TEMP\login.exe
O4 - HKLM\..\Run: [Mquxe] C:\Windows\system.exe
O4 - HKLM\..\Run: [Mquvc] C:\Windows\setup.exe
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQAtAEEANAA4ADkAUgAtADkAVQBKAEsARgAtAEUASwBLADMAWAA"&"inst=NwA3AC0ANAAwADMAOAAzADkAMAA3ADkALQBUAEIAOQArADIALQBGAEwAKwA5AC0ARgA5AE0AKwAxAC0ARgA5AE0ANwBBACsANQA"&"prod=90"&"ver=9.0.872
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [uPc+kt0NnQaXms] rundll32.exe C:\Windows\system32\ndq7yd.dll, SystemServer
O4 - HKCU\..\Run: [Mqmnqe] C:\Windows\Temp\login.exe
O4 - HKCU\..\Run: [Mquxe] C:\Windows\system.exe
O4 - HKCU\..\Run: [Mqmnsd] C:\Windows\Temp\taskmgr.exe
O4 - HKCU\..\Run: [Mqrtc] C:\Windows\hexdump.exe
O4 - HKCU\..\Run: [Mqmnvc] C:\Windows\Temp\user.exe
O4 - HKCU\..\Run: [Mqmnsf] C:\Windows\Temp\lsass.exe
O4 - HKCU\..\Run: [Mquvc] C:\Windows\setup.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8914 bytes

Malwarebytes results.

Still, after restart it said that a win32 DLL was unable to start.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5185

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

11/25/2010 5:24:00 AM
mbam-log-2010-11-25 (05-24-00).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 349140
Time elapsed: 1 hour(s), 45 minute(s), 1 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 20
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 22

Memory Processes Infected:
C:\ProgramData\Application Data\microsoft\ydaldpu0j\ydaldpu0j.exe (Spyware.Passwords.XGen) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nwxkpvg (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmnsf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmpsf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmnsd (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmpsd (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquxe (Worm.AutoRun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquxe (Worm.AutoRun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqva (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqvsc (Backdoor.Wonknuwi) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqrtc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquvc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upc+kt0nnqaxms (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqrtc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquvc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upc+kt0nnqaxms (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmpvc (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmpqe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmnqe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmnvc (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ProgramData\Application Data\microsoft\ydaldpu0j\ydaldpu0j.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\ProgramData\fGgAd03100\fGgAd03100.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\ydaldpu0j\tkcuy (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\ydaldpu0j\ydaldpu0j.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\ydaldpu0j\ydaldpu0jxj.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\Windows\Temp\1400.tmp (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Windows\Temp\hkvsp.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Windows\Temp\jsdfaot.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Windows\Temp\481678588.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
C:\Users\Shannon\AppData\Local\Temp\iExplorer.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Windows\Temp\iExplorer.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Windows\Temp\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Public\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\system.exe (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Windows\win.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\winlogon.exe (Backdoor.Wonknuwi) -> Quarantined and deleted successfully.
C:\Windows\hexdump.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\ndq7yd.dll (Trojan.Downloader.Gen) -> Delete on reboot.
C:\Windows\Temp\user.exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
C:\Windows\Temp\login.exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.


AVIRA

Avira AntiVir Personal
Report file date: Thursday, November 25, 2010 01:58

Scanning for 3089492 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (Service Pack 2) [6.0.6002]
Boot mode : Normally booted
Username : Shannon
Computer name : SHANNON-PC

Version information:
BUILD.DAT : 10.0.0.596 31825 Bytes 11/16/2010 15:57:00
AVSCAN.EXE : 10.0.3.1 434344 Bytes 11/3/2010 02:38:58
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 17:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 23:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:38:03
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 15:36:57
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 08:05:37
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 14:38:35
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 19:20:24
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 14:13:29
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 14:13:55
VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 16:06:05
VBASE008.VDF : 7.10.11.133 3454464 Bytes 9/13/2010 14:32:25
VBASE009.VDF : 7.10.13.80 2265600 Bytes 11/2/2010 02:38:58
VBASE010.VDF : 7.10.13.81 2048 Bytes 11/2/2010 02:38:58
VBASE011.VDF : 7.10.13.82 2048 Bytes 11/2/2010 02:38:58
VBASE012.VDF : 7.10.13.83 2048 Bytes 11/2/2010 02:38:58
VBASE013.VDF : 7.10.13.116 147968 Bytes 11/4/2010 02:49:58
VBASE014.VDF : 7.10.13.147 146944 Bytes 11/7/2010 17:00:37
VBASE015.VDF : 7.10.13.180 123904 Bytes 11/9/2010 17:00:38
VBASE016.VDF : 7.10.13.211 122368 Bytes 11/11/2010 17:00:39
VBASE017.VDF : 7.10.13.243 147456 Bytes 11/15/2010 17:00:40
VBASE018.VDF : 7.10.14.15 142848 Bytes 11/17/2010 12:57:13
VBASE019.VDF : 7.10.14.41 134144 Bytes 11/19/2010 04:57:06
VBASE020.VDF : 7.10.14.63 128000 Bytes 11/22/2010 04:57:07
VBASE021.VDF : 7.10.14.87 143872 Bytes 11/24/2010 04:57:08
VBASE022.VDF : 7.10.14.88 2048 Bytes 11/24/2010 04:57:08
VBASE023.VDF : 7.10.14.89 2048 Bytes 11/24/2010 04:57:08
VBASE024.VDF : 7.10.14.90 2048 Bytes 11/24/2010 04:57:09
VBASE025.VDF : 7.10.14.91 2048 Bytes 11/24/2010 04:57:09
VBASE026.VDF : 7.10.14.92 2048 Bytes 11/24/2010 04:57:09
VBASE027.VDF : 7.10.14.93 2048 Bytes 11/24/2010 04:57:09
VBASE028.VDF : 7.10.14.94 2048 Bytes 11/24/2010 04:57:10
VBASE029.VDF : 7.10.14.95 2048 Bytes 11/24/2010 04:57:10
VBASE030.VDF : 7.10.14.96 2048 Bytes 11/24/2010 04:57:10
VBASE031.VDF : 7.10.14.99 27136 Bytes 11/24/2010 04:57:10
Engineversion : 8.2.4.112
AEVDF.DLL : 8.1.2.1 106868 Bytes 7/30/2010 12:31:13
AESCRIPT.DLL : 8.1.3.47 1294716 Bytes 11/25/2010 04:57:19
AESCN.DLL : 8.1.7.2 127349 Bytes 11/25/2010 04:57:18
AESBX.DLL : 8.1.3.2 254324 Bytes 11/25/2010 04:57:20
AERDL.DLL : 8.1.9.2 635252 Bytes 9/21/2010 16:00:32
AEPACK.DLL : 8.2.3.11 471416 Bytes 10/11/2010 16:01:55
AEOFFICE.DLL : 8.1.1.10 201084 Bytes 11/25/2010 04:57:17
AEHEUR.DLL : 8.1.2.44 3076471 Bytes 11/25/2010 04:57:16
AEHELP.DLL : 8.1.14.0 246134 Bytes 10/11/2010 16:00:57
AEGEN.DLL : 8.1.4.2 401781 Bytes 11/25/2010 04:57:13
AEEMU.DLL : 8.1.3.0 393589 Bytes 11/25/2010 04:57:12
AECORE.DLL : 8.1.18.1 196984 Bytes 11/25/2010 04:57:11
AEBB.DLL : 8.1.1.0 53618 Bytes 6/4/2010 14:14:11
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 17:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 17:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 21:47:40
AVREG.DLL : 10.0.3.2 53096 Bytes 11/3/2010 02:38:58
AVSCPLR.DLL : 10.0.3.1 83816 Bytes 11/3/2010 02:38:58
AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 17:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 14:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 17:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 20:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 19:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 18:10:20
RCTEXT.DLL : 10.0.58.0 97128 Bytes 11/3/2010 02:38:58

Configuration settings for the scan:
Jobname.............................: Manual Selection
Configuration file..................: C:\ProgramData\Avira\AntiVir Desktop\PROFILES\folder.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Thursday, November 25, 2010 01:58

The scan of running processes will be started
Scan process 'SkypeNames2.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
Scan process 'IntuitUpdateService.exe' - '1' Module(s) have been scanned
Scan process 'mbam.exe' - '1' Module(s) have been scanned
Scan process 'PresentationFontCache.exe' - '1' Module(s) have been scanned
Scan process 'SynTPHelper.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'Com4QLBEx.exe' - '1' Module(s) have been scanned
Scan process 'WiFiMsg.EXE' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'HPAdvisor.exe' - '1' Module(s) have been scanned
Scan process 'LightScribeControlPanel.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'ydaldpu0j.exe' - '1' Module(s) have been scanned
Module is OK -> <C:\ProgramData\Application Data\ydaldpu0j\ydaldpu0j.exe>
[WARNING] The file could not be opened!
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'GoogleDesktop.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hpqwmiex.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'HPWAMain.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'QLBCTRL.exe' - '1' Module(s) have been scanned
Scan process 'QPService.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'Dwm.exe' - '1' Module(s) have been scanned
Scan process 'SDWinSec.exe' - '1' Module(s) have been scanned
Scan process 'xaudio.exe' - '1' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RichVideo.exe' - '1' Module(s) have been scanned
Scan process 'BLService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'WLANExt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SLsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsm.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'wininit.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
C:\Windows\win.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\Temp\taskmgr.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\winlogon.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\hexdump.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\Temp\lsass.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\Temp\user.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\Temp\login.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\system.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\setup.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

The registry was scanned ( '1803' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Users\Shannon\AppData\Local\Temp\iexplorer.exe
[DETECTION] Is the TR/Crypt.FSPM.Gen Trojan
C:\Users\Shannon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\13492401-2fe1af68
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Agent.3131 Java virus
--> vmain.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.3131 Java virus
C:\Users\Shannon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\4f76de0c-4b400d28
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Agent.BH Java virus
--> dev/s/AdgredY.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.BH Java virus
--> dev/s/DyesyasZ.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.M.2 Java virus
--> dev/s/LoaderX.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.M.1 Java virus
C:\Users\Shannon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\714431da-2cd073dc
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/ClassLoad.R Java virus
--> vmain.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoad.R Java virus
C:\Users\Shannon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\350e9cdc-6e78f843
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Agent.AX Java virus
--> vmain.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.AX Java virus
C:\Users\Shannon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\3d2572e5-2211bb2b
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/C-2009-3867.EH Java virus
--> vmain.class
[DETECTION] Contains recognition pattern of the JAVA/C-2009-3867.EH Java virus
C:\Users\Shannon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\184340f3-24c77cd8
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Agent.AJ.1 Java virus
--> ________vload.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.AJ.1 Java virus
--> vmain.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.AJ.1 Java virus
C:\Users\Shannon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\1968e4f5-11dde69f
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/C-2009-3867.EH Java virus
--> vmain.class
[DETECTION] Contains recognition pattern of the JAVA/C-2009-3867.EH Java virus
C:\Users\Shannon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\1b3f007d-130cfb3e
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Agent.S Java virus
--> dev/s/AdgredY.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.S Java virus
--> dev/s/DyesyasZ.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.R Java virus
--> dev/s/LoaderX.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.M.1 Java virus
C:\Users\Shannon\Documents\FrostWire\Saved\Kutless - Changing World.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Windows\hexdump.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\setup.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\system.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\win.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\winlogon.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\System32\config\systemprofile\AppData\Local\nwlawd1.dll
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Windows\Temp\1400.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
--> Object
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\Temp\1FD3.tmp
[DETECTION] Contains recognition pattern of the W32/Sality.AB.2 Windows virus
C:\Windows\Temp\481678588.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\Temp\gcjc.exe
[DETECTION] Is the TR/FakeAV.htfx Trojan
--> Object
[DETECTION] Is the TR/FakeAV.htfx Trojan
C:\Windows\Temp\iexplorer.exe
[DETECTION] Is the TR/Crypt.FSPM.Gen Trojan
C:\Windows\Temp\login.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\Temp\lsass.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\Temp\quwklmx.exe
[DETECTION] Is the TR/FakeAV.htfx Trojan
--> Object
[DETECTION] Is the TR/FakeAV.htfx Trojan
C:\Windows\Temp\taskmgr.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\Temp\user.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\Temp\xjv7z.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\Windows\Temp\xzre12eji.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\Temp\yidykjwu.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

Beginning disinfection:
C:\Windows\Temp\yidykjwu.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '49f49ee8.qua'.
C:\Windows\Temp\xzre12eji.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '5151b158.qua'.
C:\Windows\Temp\xjv7z.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '030aeba0.qua'.
C:\Windows\Temp\quwklmx.exe
[DETECTION] Is the TR/FakeAV.htfx Trojan
[NOTE] The file was moved to the quarantine directory under the name '653ca469.qua'.
C:\Windows\Temp\iexplorer.exe
[DETECTION] Is the TR/Crypt.FSPM.Gen Trojan
[WARNING] The file could not be copied to quarantine!
[WARNING] The file does not exist!
[NOTE] The file is scheduled for deleting after reboot.
C:\Windows\Temp\gcjc.exe
[DETECTION] Is the TR/FakeAV.htfx Trojan
[NOTE] The file was moved to the quarantine directory under the name '5f9ebb33.qua'.
C:\Windows\Temp\481678588.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file could not be copied to quarantine!
[WARNING] The file does not exist!
[NOTE] The file is scheduled for deleting after reboot.
C:\Windows\Temp\1FD3.tmp
[DETECTION] Contains recognition pattern of the W32/Sality.AB.2 Windows virus
[NOTE] The file was moved to the quarantine directory under the name '6f54d75a.qua'.
C:\Windows\Temp\1400.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file could not be copied to quarantine!
[WARNING] The file does not exist!
[NOTE] The file is scheduled for deleting after reboot.
C:\Windows\System32\config\systemprofile\AppData\Local\nwlawd1.dll
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '5b0ec3c0.qua'.
C:\Users\Shannon\Documents\FrostWire\Saved\Kutless - Changing World.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to the quarantine directory under the name '376aeff6.qua'.
C:\Users\Shannon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\1b3f007d-130cfb3e
[DETECTION] Contains recognition pattern of the JAVA/Agent.M.1 Java virus
[NOTE] The file was moved to the quarantine directory under the name '4690d64e.qua'.
C:\Users\Shannon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\1968e4f5-11dde69f
[DETECTION] Contains recognition pattern of the JAVA/C-2009-3867.EH Java virus
[NOTE] The file was moved to the quarantine directory under the name '488fe6e0.qua'.
C:\Users\Shannon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\184340f3-24c77cd8
[DETECTION] Contains recognition pattern of the JAVA/Agent.AJ.1 Java virus
[NOTE] The file was moved to the quarantine directory under the name '0da09fa1.qua'.
C:\Users\Shannon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\3d2572e5-2211bb2b
[DETECTION] Contains recognition pattern of the JAVA/C-2009-3867.EH Java virus
[NOTE] The file was moved to the quarantine directory under the name '04a99b5e.qua'.
C:\Users\Shannon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\350e9cdc-6e78f843
[DETECTION] Contains recognition pattern of the JAVA/Agent.AX Java virus
[NOTE] The file was moved to the quarantine directory under the name '5cd68264.qua'.
C:\Users\Shannon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\714431da-2cd073dc
[DETECTION] Contains recognition pattern of the JAVA/ClassLoad.R Java virus
[NOTE] The file was moved to the quarantine directory under the name '701efbb4.qua'.
C:\Users\Shannon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\4f76de0c-4b400d28
[DETECTION] Contains recognition pattern of the JAVA/Agent.M.1 Java virus
[NOTE] The file was moved to the quarantine directory under the name '4ee79b23.qua'.
C:\Users\Shannon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\13492401-2fe1af68
[DETECTION] Contains recognition pattern of the JAVA/Agent.3131 Java virus
[NOTE] The file was moved to the quarantine directory under the name '2deeb002.qua'.
C:\Users\Shannon\AppData\Local\Temp\iexplorer.exe
[DETECTION] Is the TR/Crypt.FSPM.Gen Trojan
[WARNING] The file could not be copied to quarantine!
[WARNING] The file does not exist!
[NOTE] The file is scheduled for deleting after reboot.
The registration entry <HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools> was removed successfully.
The registration entry <HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions> was removed successfully.
C:\Windows\setup.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file could not be copied to quarantine!
[WARNING] The file does not exist!
[NOTE] The file is scheduled for deleting after reboot.
C:\Windows\system.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file could not be copied to quarantine!
[WARNING] The file does not exist!
[NOTE] The file is scheduled for deleting after reboot.
C:\Windows\Temp\login.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file could not be copied to quarantine!
[WARNING] The file does not exist!
[NOTE] The file is scheduled for deleting after reboot.
C:\Windows\Temp\user.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file could not be copied to quarantine!
[WARNING] The file does not exist!
[NOTE] The file is scheduled for deleting after reboot.
C:\Windows\Temp\lsass.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file could not be copied to quarantine!
[WARNING] The file does not exist!
[NOTE] The file is scheduled for deleting after reboot.
C:\Windows\hexdump.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file could not be copied to quarantine!
[WARNING] The file does not exist!
[NOTE] The file is scheduled for deleting after reboot.
C:\Windows\winlogon.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file could not be copied to quarantine!
[WARNING] The file does not exist!
[NOTE] The file is scheduled for deleting after reboot.
C:\Windows\Temp\taskmgr.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file could not be copied to quarantine!
[WARNING] The file does not exist!
[NOTE] The file is scheduled for deleting after reboot.
C:\Windows\win.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file could not be copied to quarantine!
[WARNING] The file does not exist!
[NOTE] The file is scheduled for deleting after reboot.
The repair notes were written to the file 'C:\avrescue\rescue.avp'.

OK, thanks. Today the system is running, but the MBR is still damaged and every so often a Crypt/Genpack Trojan thing appears through Avira. There have been over 18 of these found. :thumbup2: Appreciate any help you can offer.

That AV8 thing just blew up like a shotgun in here.

Merged 7 posts. ~ OB

OK, here's where we are at so far (please let me know something as soon as you can; I know you guys are busy):

1- Ran Avira Antivirus several times. It has picked up over 20+ Trojans and others (esp. something called TrojanCrypt-Gen18pack?).
2- Ran Malwarebytes 2x; this also cleared out quite a few.
3- Ran SUPERAntiSpyware 1x; 12 items taken out, incl. Trojans and adware-tracking items.

MBRCheck is still showing a damaged master boot record, but the machine is now loading up.

The laptop is definitely running slower/differently at times. I have not attempted the system recovery option for Vista yet, or using bootrec, until I hear from you all.

Thanks again :thumbup2:

Merged posts again. ~ OB

Edited by Orange Blossom, 26 November 2010 - 03:36 PM.

#2 stonemanjr
  • Topic Starter
  • Members

Posted 28 November 2010 - 10:47 AM

Could someone get back to me? I know you all are busy, but just let me know we are in the queue. Thanks :lol:

#3 Casey_boy
    Bleeping physicist
  • Malware Response Team
  • Location:UK

Posted 02 December 2010 - 05:57 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


#4 stonemanjr
  • Topic Starter
  • Members

Posted 02 December 2010 - 08:44 AM

Hi Casey, and thanks. How about having a look at all the logs already posted above first? :thumbup2:

#5 sjpritch25
  • Security Colleague
  • Location:West Coast of Florida, USA

Posted 03 December 2010 - 11:31 AM

Before we fix the MBR we need to back up your MBR.

Please download mbr.exe to your root drive (usually C:).

Go to Start ---> Type Run in the Search box to open the run command ---> Type the following into the run command

MBR.exe -c 0 63 MBR_backup.dat and press Enter.



==========================================


  • Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop.
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan.
  • If malicious objects are found, ensure Cure is selected (it should be by default).
  • Click Continue, then click Reboot now.
  • Once complete, a log will be produced at the root drive, which is typically C:\

    For example, C:\TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Attach that log, please.

Microsoft MVP Consumer Security--2007-2010
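As an added example (not from the thread, from mbr.exe or from MBRCheck): a Python check that parses the first 512 bytes of a backup such as the MBR_backup.dat written above, flags structural damage (missing 0x55AA signature, overlapping or multiple active partitions) and fingerprints the boot code so a later read of sector 0 can be compared against the backup taken before any repair. Function names and all sample MBR bytes are constructed.

```python
# Sanity-check a 512-byte MBR image such as the first sector of MBR_backup.dat.
# Added example for this thread (not from mbr.exe, MBRCheck or the poster);
# all sample MBR bytes are constructed.
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 440      # bytes 0..439: boot loader code
DISK_SIG_OFF = 440       # 4-byte Windows disk signature (+2 reserved bytes)
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA boot signature
ENTRY_FMT = "<B3xB3xII"  # status, (CHS start), type, (CHS end), LBA start, sectors

def parse_partitions(mbr):
    """Return the non-empty entries of the partition table."""
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "status": status, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts

def parse_mbr(mbr):
    """Split sector 0 into disk signature, boot signature check and partitions."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    mbr = mbr[:SECTOR]
    return {
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "boot_signature_ok": mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
        "partitions": parse_partitions(mbr),
    }

def check_mbr(mbr):
    """Return finding codes; an empty list means the table is structurally sane."""
    info = parse_mbr(mbr)
    parts = info["partitions"]
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("missing_boot_signature")
    if any(p["status"] not in (0x00, 0x80) for p in parts):
        findings.append("invalid_status_byte")
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) > 1:
        findings.append("multiple_active_partitions")
    if parts and not active:
        findings.append("no_active_partition")
    # Overlapping LBA ranges mean the table itself has been corrupted.
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    if any(s2 < e1 for (_, e1), (s2, _) in zip(ranges, ranges[1:])):
        findings.append("overlapping_partitions")
    if any(p["lba_start"] == 0 or p["sectors"] == 0 for p in parts):
        findings.append("zero_start_or_zero_length_partition")
    return findings

def boot_code_fingerprint(mbr):
    """SHA-256 of the boot code only, so partition edits do not change it."""
    return hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest()

def compare_with_backup(backup, current):
    """Report which regions differ between the pre-repair backup and a fresh read."""
    diffs = []
    if boot_code_fingerprint(backup) != boot_code_fingerprint(current):
        diffs.append("boot_code_changed")
    if backup[DISK_SIG_OFF:PART_TABLE_OFF] != current[DISK_SIG_OFF:PART_TABLE_OFF]:
        diffs.append("disk_signature_changed")
    if backup[PART_TABLE_OFF:BOOT_SIG_OFF] != current[PART_TABLE_OFF:BOOT_SIG_OFF]:
        diffs.append("partition_table_changed")
    return diffs

def build_sample_mbr(boot_code, disk_sig, entries):
    """Assemble a constructed MBR image (sample data for this example only)."""
    img = bytearray(SECTOR)
    img[:len(boot_code)] = boot_code
    struct.pack_into("<I", img, DISK_SIG_OFF, disk_sig)
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, img, PART_TABLE_OFF + 16 * i, *entry)
    img[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(img)

# Constructed samples: a sane MBR with one active NTFS (type 0x07) partition,
# a copy with altered boot code, one with a lost boot signature, and one
# whose second entry overlaps the first.
_BOOT = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100
GOOD_MBR = build_sample_mbr(_BOOT, 0x1234ABCD, [(0x80, 0x07, 2048, 409600)])
TAMPERED_MBR = build_sample_mbr(_BOOT[:16] + b"\x00" * 8 + _BOOT[24:], 0x1234ABCD,
                                [(0x80, 0x07, 2048, 409600)])
DAMAGED_MBR = GOOD_MBR[:BOOT_SIG_OFF] + b"\x00\x00"
OVERLAP_MBR = build_sample_mbr(_BOOT, 0x1234ABCD,
                               [(0x80, 0x07, 2048, 409600), (0x00, 0x07, 4096, 1000)])
```

To use it on a real backup, read the first 512 bytes of MBR_backup.dat and pass them to check_mbr; compare_with_backup takes that backup and a later dump of sector 0 and names the regions that changed.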

#6 stonemanjr
  • Topic Starter
  • Members

Posted 04 December 2010 - 01:24 AM

Done. Nothing found by the rootkit tool; MBR backed up.

#7 stonemanjr
  • Topic Starter
  • Members

Posted 04 December 2010 - 01:26 AM

2010/12/04 01:23:03.0187 TDSS rootkit removing tool 2.4.10.1 Dec 2 2010 12:28:01
2010/12/04 01:23:03.0187 ================================================================================
2010/12/04 01:23:03.0187 SystemInfo:
2010/12/04 01:23:03.0188
2010/12/04 01:23:03.0188 OS Version: 6.0.6002 ServicePack: 2.0
2010/12/04 01:23:03.0188 Product type: Workstation
2010/12/04 01:23:03.0188 ComputerName: SHANNON-PC
2010/12/04 01:23:03.0188 UserName: Shannon
2010/12/04 01:23:03.0188 Windows directory: C:\Windows
2010/12/04 01:23:03.0188 System windows directory: C:\Windows
2010/12/04 01:23:03.0188 Processor architecture: Intel x86
2010/12/04 01:23:03.0188 Number of processors: 2
2010/12/04 01:23:03.0188 Page size: 0x1000
2010/12/04 01:23:03.0188 Boot type: Normal boot
2010/12/04 01:23:03.0188 ================================================================================
2010/12/04 01:23:04.0335 Initialize success
2010/12/04 01:23:06.0016 ================================================================================
2010/12/04 01:23:06.0016 Scan started
2010/12/04 01:23:06.0016 Mode: Manual;
2010/12/04 01:23:06.0016 ================================================================================
2010/12/04 01:23:30.0271 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2010/12/04 01:23:30.0436 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2010/12/04 01:23:30.0554 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2010/12/04 01:23:30.0668 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2010/12/04 01:23:30.0778 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2010/12/04 01:23:30.0856 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2010/12/04 01:23:30.0967 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2010/12/04 01:23:31.0028 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2010/12/04 01:23:31.0125 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2010/12/04 01:23:31.0256 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2010/12/04 01:23:31.0322 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
2010/12/04 01:23:31.0439 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2010/12/04 01:23:31.0489 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
2010/12/04 01:23:31.0615 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
2010/12/04 01:23:31.0637 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2010/12/04 01:23:31.0769 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2010/12/04 01:23:31.0820 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2010/12/04 01:23:31.0927 usbbus (adb68aa60ef991ce2e217223fa20b4ff) C:\Windows\system32\DRIVERS\lgusbbus.sys
2010/12/04 01:23:32.0061 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2010/12/04 01:23:32.0098 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2010/12/04 01:23:32.0232 UsbDiag (d4a6201dd361f019e44483645b490e4e) C:\Windows\system32\DRIVERS\lgusbdiag.sys
2010/12/04 01:23:32.0272 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2010/12/04 01:23:32.0353 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2010/12/04 01:23:32.0490 USBModem (a2b99411e10287f327a9820d260e7fe4) C:\Windows\system32\DRIVERS\lgusbmodem.sys
2010/12/04 01:23:32.0528 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2010/12/04 01:23:32.0662 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2010/12/04 01:23:32.0734 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2010/12/04 01:23:32.0838 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2010/12/04 01:23:32.0880 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
2010/12/04 01:23:33.0019 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
2010/12/04 01:23:33.0067 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2010/12/04 01:23:33.0206 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
2010/12/04 01:23:33.0248 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
2010/12/04 01:23:33.0378 viaide (ea1aa6e3abb3c194feba12a46de8cf2c) C:\Windows\system32\drivers\viaide.sys
2010/12/04 01:23:33.0405 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2010/12/04 01:23:33.0543 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2010/12/04 01:23:33.0626 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2010/12/04 01:23:33.0738 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
2010/12/04 01:23:33.0781 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2010/12/04 01:23:33.0901 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/12/04 01:23:33.0958 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/12/04 01:23:34.0063 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
2010/12/04 01:23:34.0103 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2010/12/04 01:23:34.0222 winachsf (0acd399f5db3df1b58903cf4949ab5a8) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
2010/12/04 01:23:34.0369 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2010/12/04 01:23:34.0562 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
2010/12/04 01:23:34.0689 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2010/12/04 01:23:34.0753 WSDPrintDevice (4422ac5ed8d4c2f0db63e71d4c069dd7) C:\Windows\system32\DRIVERS\WSDPrint.sys
2010/12/04 01:23:34.0887 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2010/12/04 01:23:34.0928 XAudio (dab33cfa9dd24251aaa389ff36b64d4b) C:\Windows\system32\DRIVERS\xaudio.sys
2010/12/04 01:23:35.0043 yukonwlh (7d1f3b131d503ef43ee594b5a2b9b427) C:\Windows\system32\DRIVERS\yk60x86.sys
2010/12/04 01:23:35.0112 ================================================================================
2010/12/04 01:23:35.0112 Scan finished
2010/12/04 01:23:35.0112 ================================================================================

#8 sjpritch25
  • Security Colleague
  • 903 posts
  • Gender: Male
  • Location: West Coast of Florida, USA

Posted 04 December 2010 - 06:01 PM

  • Go to Start > Run and type the following: mbr.exe -t > c:\mbr.log followed by Enter.
  • After the scan has completed, please post the log (located on the C:\ drive) in your next reply. Thanks

Microsoft MVP Consumer Security--2007-2010

#9 stonemanjr
  • Topic Starter
  • Members
  • 308 posts

Posted 05 December 2010 - 01:12 PM

ok will do this evening. thanks- is this to fix the MBR?

#10 stonemanjr
  • Topic Starter
  • Members
  • 308 posts

Posted 06 December 2010 - 07:52 PM

ok I ran this but cannot find the log under c:\???

#11 stonemanjr
  • Topic Starter
  • Members
  • 308 posts

Posted 06 December 2010 - 07:53 PM

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: TOSHIBA_MK3255GSX rev.FG011C -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
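
The log above reports the MBR as read from user mode and from kernel mode and confirms the two agree. As an added example (not part of this thread and not GMER's code), the following Python shows what a defender can check on a captured 512-byte MBR image: the 0x55AA boot signature, the four partition table entries (status byte, non-empty length, no overlaps), and a byte-level comparison of two captures of the same sector, which is the kind of discrepancy a hooked disk read path produces. The sample sector and the damaged copy are constructed here, not taken from the poster's machine.

```python
import struct

# Constructed sample data for this example; not captured from the machine in the thread.
MBR_SIZE = 512
PART_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"

def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (status, type, LBA start, sector count)."""
    status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", entry)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}

def check_mbr(sector: bytes) -> list:
    """Structural sanity checks on a 512-byte MBR image. Returns a list of problems; [] means OK."""
    if len(sector) != MBR_SIZE:
        return [f"unexpected sector length {len(sector)}"]
    problems = []
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA boot signature")
    parts = [parse_partition_entry(sector[PART_TABLE_OFFSET + 16 * i:PART_TABLE_OFFSET + 16 * (i + 1)])
             for i in range(4)]
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        problems.append("more than one partition flagged bootable")
    used = []  # (slot, (first_lba, end_lba)) of non-empty slots seen so far
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            problems.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0:
            continue  # empty slot
        if p["sectors"] == 0:
            problems.append(f"partition {i}: type 0x{p['type']:02x} but zero length")
        for j, (s, e) in used:
            if p["lba_start"] < e and s < p["lba_start"] + p["sectors"]:
                problems.append(f"partition {i} overlaps partition {j}")
        used.append((i, (p["lba_start"], p["lba_start"] + p["sectors"])))
    return problems

def compare_reads(read_a: bytes, read_b: bytes) -> list:
    """Offsets at which two captures of the same sector disagree; [] means the reads match."""
    return [i for i, (x, y) in enumerate(zip(read_a, read_b)) if x != y]

def build_sample_mbr() -> bytes:
    """Constructed clean MBR: placeholder boot code, one bootable NTFS partition, valid signature."""
    boot_code = b"\x33\xc0\x8e\xd0" + b"\x00" * (PART_TABLE_OFFSET - 4)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 100000)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE

CLEAN_MBR = build_sample_mbr()
DAMAGED_MBR = CLEAN_MBR[:510] + b"\x00\x00"  # constructed: boot signature wiped
```

On a real system the two inputs to compare_reads would be the same sector obtained through two independent paths (for example a raw device read and an offline read of the disk), and check_mbr can be run on either capture.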

#12 sjpritch25
  • Security Colleague
  • 903 posts
  • Gender: Male
  • Location: West Coast of Florida, USA

Posted 06 December 2010 - 10:17 PM

your mbr is not infected. how is everything running??
Microsoft MVP Consumer Security--2007-2010

#13 stonemanjr
  • Topic Starter
  • Members
  • 308 posts

Posted 07 December 2010 - 01:35 PM

thanks. the MBR boot record is being reported as damaged from the previous test/report that you all had me do.
Did you see this above? we are also getting an occasional bad_spooling blue screen that we have never had and no software has been installed recently???

#14 sjpritch25
  • Security Colleague
  • 903 posts
  • Gender: Male
  • Location: West Coast of Florida, USA

Posted 07 December 2010 - 09:22 PM

You can fix the bad mbr by fixing the mbr, but i would recommend that you backup any important data. Let me know what you want to do and we can proceed.
Microsoft MVP Consumer Security--2007-2010

#15 stonemanjr
  • Topic Starter
  • Members
  • 308 posts

Posted 11 December 2010 - 08:29 PM

ok. done. I'm ready