
Virus? Hijacking google search results


  • This topic is locked
4 replies to this topic

#1 DoktorD1313

DoktorD1313

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:56 AM

Posted 30 January 2012 - 10:02 AM

Hi guys,

Recently I became "infected" with something when my AVG started popping up with warnings. According to the event log, AVG found "Suspicious.Mystic" and "Win32.Tepfer" malware.

Whatever got in started to hijack my internet explorer, sending me to "news" sites on and off as well as causing new windows to pop up.

I then ran an AVG scan in Safe Mode as the administrator and it found the following items:

Virus found JS/Redir
Trojan horse Cryptic.BRX
Corrupted executable file
Corrupted executable file
Corrupted executable file
Trojan horse Generic26.CEEX
Trojan horse Generic_r.AIM

This still didn't fix whatever is wrong, so I then attempted to download Ad-Aware. However, when trying to access the lavasoft website or CNET download location, I would automatically be redirected to a bogus search website. (Screenshot attached).

Posted Image

I had to download it from a different computer and transfer it over to the infected machine. I then scanned with Ad-Aware in Safe Mode and it detected a few more miscellaneous malware/trojans. Unfortunately, I don't have that log for you.

This also didn't solve the problem. I still get redirected away from spyware/antivirus sites and I still get new windows appearing with bogus news sites.

Any idea what this could be or how to get rid of it?

My configuration:

Windows XP Home Edition SP3
Licensed AVG Anti-Virus 2011
Ad-Aware free version 9.6.0

Hopefully, I included all the information to get started on figuring out what exactly this is and how to get rid of it.


**EDIT**

Additional popup from AVG. Computer not in use when the notification occurred.

Posted Image

Edited by DoktorD1313, 30 January 2012 - 11:34 AM.



#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:04:56 AM

Posted 30 January 2012 - 11:30 AM

Download

http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html

Install, update and run a full scan

Post the clean log

Download

TDSSkiller

Launch it. Click on change parameters - Select TDLFS file system

Click on "Scan". Please post the LOG report


Please download GMER from here (does not work on 64-bit OS)

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.


Download

aswMBR

Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start the scan. After the scan finishes, click on Save log

Post the log results here
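Added example (not part of this thread and not TDSSKiller's own code): a small Python triage helper that reads the TDSSKiller log format requested above and pulls out the entries a helper would act on, i.e. "Suspicious file (Forged)" lines with their two MD5 values, the infected verdict, the action the user chose and whether a cure is still pending a reboot. The regexes are written from the log lines visible in this thread and are an assumption about the format; the sample excerpt is constructed from those lines and is not a complete log.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the line format TDSSKiller writes (timestamp, thread id,
# message). Driver name, path, hashes and verdict are the ones reported in the
# thread above; this is not a complete log.
SAMPLE_LOG = r"""
14:04:55.0406 3444 NetBT (72da0a8ecf38b5949d3dd66a86ba8b1e) C:\WINDOWS\system32\DRIVERS\netbt.sys
14:04:55.0406 3444 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: 72da0a8ecf38b5949d3dd66a86ba8b1e, Fake md5: dee1aeab1acae1dec4ae2d2da40062f2
14:04:55.0406 3444 NetBT ( Virus.Win32.ZAccess.l ) - infected
14:04:55.0453 3444 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
14:04:55.0453 3444 Npfs - ok
14:05:19.0218 3440 C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured on reboot
14:05:20.0859 3440 NetBT ( Virus.Win32.ZAccess.l ) - User select action: Cure
"""

# Line shapes assumed from the log above: "<time> <tid> <message>".
PREFIX = r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+"
MD5 = r"[0-9a-f]{32}"
DRIVER = re.compile(PREFIX + rf"(?P<name>\S+) \((?P<md5>{MD5})\) (?P<path>.+)$")
FORGED = re.compile(
    PREFIX
    + rf"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>{MD5}), Fake md5: (?P<fake>{MD5})$"
)
INFECTED = re.compile(PREFIX + r"(?P<name>\S+) \( (?P<verdict>.+?) \) - infected$")
ACTION = re.compile(PREFIX + r"(?P<name>\S+) \( (?P<verdict>.+?) \) - User select action: (?P<action>\w+)$")
REBOOT = re.compile(PREFIX + r"(?P<path>.+?) - will be cured on reboot$")


@dataclass
class Finding:
    name: str
    path: str = ""
    real_md5: Optional[str] = None
    fake_md5: Optional[str] = None
    verdict: Optional[str] = None
    action: Optional[str] = None
    reboot_pending: bool = False

    def hash_mismatch(self) -> bool:
        # A "Forged" entry means the bytes read directly from disk differ from
        # the bytes the system handed back through the normal file path.
        return bool(self.real_md5 and self.fake_md5 and self.real_md5 != self.fake_md5)


def parse_tdsskiller(text: str) -> Dict[str, Finding]:
    """Return findings keyed by driver/service name; clean '- ok' entries are skipped."""
    findings: Dict[str, Finding] = {}
    last: Optional[tuple] = None  # (name, path) from the most recent driver line
    for line in text.splitlines():
        if m := DRIVER.match(line):
            last = (m["name"], m["path"])
        elif m := FORGED.match(line):
            # The Forged line carries only the path; the preceding driver line names it.
            name = last[0] if last and last[1] == m["path"] else m["path"]
            f = findings.setdefault(name, Finding(name=name))
            f.path, f.real_md5, f.fake_md5 = m["path"], m["real"], m["fake"]
        elif m := INFECTED.match(line):
            findings.setdefault(m["name"], Finding(name=m["name"])).verdict = m["verdict"]
        elif m := ACTION.match(line):
            findings.setdefault(m["name"], Finding(name=m["name"])).action = m["action"]
        elif m := REBOOT.match(line):
            for f in findings.values():
                if f.path == m["path"]:
                    f.reboot_pending = True
    return findings


def triage(findings: Dict[str, Finding]) -> List[str]:
    """One summary line per finding that needs follow-up (hash mismatch or a named verdict)."""
    out: List[str] = []
    for f in findings.values():
        if not (f.hash_mismatch() or f.verdict):
            continue
        status = "reboot pending" if f.reboot_pending else "no reboot pending"
        out.append(
            f"{f.name}: {f.path or '?'} verdict={f.verdict or 'none'} "
            f"forged={'yes' if f.hash_mismatch() else 'no'} action={f.action or 'none'} ({status})"
        )
    return out


if __name__ == "__main__":
    for summary in triage(parse_tdsskiller(SAMPLE_LOG)):
        print(summary)
```

Run it directly to print the triage lines. Clean "- ok" entries are ignored; the entry worth attention is the one where the two hashes differ, because that is the scanner saying the driver's real on-disk bytes were not what a normal read returned, which is exactly the case an ordinary file scan reading through the normal path cannot see.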

#3 DoktorD1313

DoktorD1313
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:56 AM

Posted 31 January 2012 - 09:50 AM

Ok, here are the logs as per your instructions:

***MALWAREBYTES LOG***



Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.30.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
DEFAULT :: RECEIVING [administrator]

Protection: Enabled

1/30/2012 11:44:51 AM
mbam-log-2012-01-30 (11-44-51).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 390024
Time elapsed: 1 hour(s), 20 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



***TDSSKiller LOG***



14:03:55.0484 3204 TDSS rootkit removing tool 2.7.8.0 Jan 30 2012 16:39:36
14:03:55.0812 3204 ============================================================
14:03:55.0812 3204 Current date / time: 2012/01/30 14:03:55.0812
14:03:55.0812 3204 SystemInfo:
14:03:55.0812 3204
14:03:55.0812 3204 OS Version: 5.1.2600 ServicePack: 3.0
14:03:55.0812 3204 Product type: Workstation
14:03:55.0812 3204 ComputerName: RECEIVING
14:03:55.0812 3204 UserName: DEFAULT
14:03:55.0812 3204 Windows directory: C:\WINDOWS
14:03:55.0812 3204 System windows directory: C:\WINDOWS
14:03:55.0812 3204 Processor architecture: Intel x86
14:03:55.0812 3204 Number of processors: 1
14:03:55.0812 3204 Page size: 0x1000
14:03:55.0812 3204 Boot type: Normal boot
14:03:55.0812 3204 ============================================================
14:03:58.0171 3204 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
14:03:58.0203 3204 \Device\Harddisk0\DR0:
14:03:58.0218 3204 MBR used
14:03:58.0218 3204 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x8E9B15C
14:03:58.0390 3204 Initialize success
14:03:58.0390 3204 ============================================================
14:04:50.0468 3444 ============================================================
14:04:50.0468 3444 Scan started
14:04:50.0468 3444 Mode: Manual; TDLFS;
14:04:50.0468 3444 ============================================================
14:04:51.0093 3444 Abiosdsk - ok
14:04:51.0140 3444 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
14:04:51.0140 3444 abp480n5 - ok
14:04:51.0203 3444 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:04:51.0203 3444 ACPI - ok
14:04:51.0234 3444 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
14:04:51.0234 3444 ACPIEC - ok
14:04:51.0265 3444 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
14:04:51.0265 3444 adpu160m - ok
14:04:51.0296 3444 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
14:04:51.0296 3444 aec - ok
14:04:51.0343 3444 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys
14:04:51.0343 3444 Afc - ok
14:04:51.0406 3444 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
14:04:51.0406 3444 AFD - ok
14:04:51.0437 3444 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
14:04:51.0437 3444 agp440 - ok
14:04:51.0500 3444 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
14:04:51.0500 3444 agpCPQ - ok
14:04:51.0515 3444 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
14:04:51.0515 3444 Aha154x - ok
14:04:51.0546 3444 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
14:04:51.0546 3444 aic78u2 - ok
14:04:51.0578 3444 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
14:04:51.0578 3444 aic78xx - ok
14:04:51.0625 3444 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
14:04:51.0625 3444 AliIde - ok
14:04:51.0656 3444 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
14:04:51.0656 3444 alim1541 - ok
14:04:51.0687 3444 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
14:04:51.0687 3444 amdagp - ok
14:04:51.0718 3444 AmdK8 (0a4d13b388c814560bd69c3a496ecfa8) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
14:04:51.0718 3444 AmdK8 - ok
14:04:51.0750 3444 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
14:04:51.0750 3444 amsint - ok
14:04:51.0765 3444 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
14:04:51.0765 3444 asc - ok
14:04:51.0796 3444 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
14:04:51.0796 3444 asc3350p - ok
14:04:51.0812 3444 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
14:04:51.0812 3444 asc3550 - ok
14:04:51.0859 3444 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:04:51.0859 3444 AsyncMac - ok
14:04:51.0906 3444 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
14:04:51.0906 3444 atapi - ok
14:04:51.0921 3444 Atdisk - ok
14:04:51.0968 3444 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:04:51.0968 3444 Atmarpc - ok
14:04:52.0015 3444 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
14:04:52.0015 3444 audstub - ok
14:04:52.0078 3444 AVGIDSDriver (2d18221aab3db2d408d6c55c0f23090a) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
14:04:52.0078 3444 AVGIDSDriver - ok
14:04:52.0109 3444 AVGIDSEH (1af676db3f3d4cc709cfab2571cf5fc3) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
14:04:52.0109 3444 AVGIDSEH - ok
14:04:52.0140 3444 AVGIDSFilter (4c51e233c87f9ec7598551de554bc99d) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
14:04:52.0140 3444 AVGIDSFilter - ok
14:04:52.0187 3444 AVGIDSShim (c3fc426e54f55c1cc3219e415b88e10c) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
14:04:52.0187 3444 AVGIDSShim - ok
14:04:52.0218 3444 Avgldx86 (4e796d3d2c3182b13b3e3b5a2ad4ef0a) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
14:04:52.0218 3444 Avgldx86 - ok
14:04:52.0234 3444 Avgmfx86 (5639de66b37d02bd22df4cf3155fba60) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
14:04:52.0234 3444 Avgmfx86 - ok
14:04:52.0250 3444 Avgrkx86 (d1baf652eda0ae70896276a1fb32c2d4) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
14:04:52.0250 3444 Avgrkx86 - ok
14:04:52.0281 3444 Avgtdix (aaf0ebcad95f2164cffb544e00392498) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
14:04:52.0296 3444 Avgtdix - ok
14:04:52.0312 3444 bcm4sbxp (78e7b52da292fa90bad2f887bbf22159) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
14:04:52.0328 3444 bcm4sbxp - ok
14:04:52.0343 3444 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
14:04:52.0343 3444 Beep - ok
14:04:52.0390 3444 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
14:04:52.0390 3444 cbidf - ok
14:04:52.0406 3444 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
14:04:52.0406 3444 cbidf2k - ok
14:04:52.0437 3444 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
14:04:52.0437 3444 cd20xrnt - ok
14:04:52.0453 3444 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
14:04:52.0453 3444 Cdaudio - ok
14:04:52.0500 3444 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
14:04:52.0500 3444 Cdfs - ok
14:04:52.0515 3444 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:04:52.0515 3444 Cdrom - ok
14:04:52.0531 3444 Changer - ok
14:04:52.0578 3444 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
14:04:52.0578 3444 CmdIde - ok
14:04:52.0625 3444 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
14:04:52.0625 3444 Cpqarray - ok
14:04:52.0656 3444 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
14:04:52.0656 3444 dac2w2k - ok
14:04:52.0671 3444 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
14:04:52.0671 3444 dac960nt - ok
14:04:52.0703 3444 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
14:04:52.0703 3444 Disk - ok
14:04:52.0828 3444 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
14:04:52.0843 3444 dmboot - ok
14:04:52.0921 3444 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
14:04:52.0921 3444 dmio - ok
14:04:52.0953 3444 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
14:04:52.0953 3444 dmload - ok
14:04:53.0000 3444 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
14:04:53.0000 3444 DMusic - ok
14:04:53.0062 3444 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
14:04:53.0062 3444 dpti2o - ok
14:04:53.0093 3444 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
14:04:53.0093 3444 drmkaud - ok
14:04:53.0109 3444 DSproct - ok
14:04:53.0156 3444 DVDAccss (937ac237c80b2f0a1b7f88c40bc30334) C:\WINDOWS\system32\drivers\DVDAccss.sys
14:04:53.0156 3444 DVDAccss - ok
14:04:53.0203 3444 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
14:04:53.0203 3444 E100B - ok
14:04:53.0250 3444 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
14:04:53.0265 3444 Fastfat - ok
14:04:53.0312 3444 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
14:04:53.0312 3444 Fdc - ok
14:04:53.0343 3444 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
14:04:53.0343 3444 Fips - ok
14:04:53.0390 3444 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
14:04:53.0390 3444 Flpydisk - ok
14:04:53.0453 3444 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
14:04:53.0453 3444 FltMgr - ok
14:04:53.0484 3444 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:04:53.0484 3444 Fs_Rec - ok
14:04:53.0500 3444 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:04:53.0500 3444 Ftdisk - ok
14:04:53.0562 3444 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:04:53.0562 3444 Gpc - ok
14:04:53.0625 3444 Hardlock (c1cc0c9742b881c42f1cc628e6f9ebd1) C:\WINDOWS\system32\drivers\hardlock.sys
14:04:53.0640 3444 Hardlock - ok
14:04:53.0671 3444 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
14:04:53.0671 3444 HDAudBus - ok
14:04:53.0703 3444 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:04:53.0703 3444 HidUsb - ok
14:04:53.0734 3444 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
14:04:53.0734 3444 hpn - ok
14:04:53.0812 3444 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
14:04:53.0812 3444 HTTP - ok
14:04:53.0843 3444 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
14:04:53.0843 3444 i2omgmt - ok
14:04:53.0875 3444 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
14:04:53.0875 3444 i2omp - ok
14:04:53.0890 3444 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
14:04:53.0890 3444 i8042prt - ok
14:04:53.0921 3444 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
14:04:53.0921 3444 Imapi - ok
14:04:53.0953 3444 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
14:04:53.0953 3444 ini910u - ok
14:04:53.0984 3444 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
14:04:53.0984 3444 IntelIde - ok
14:04:54.0000 3444 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
14:04:54.0015 3444 intelppm - ok
14:04:54.0031 3444 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
14:04:54.0031 3444 Ip6Fw - ok
14:04:54.0078 3444 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:04:54.0078 3444 IpFilterDriver - ok
14:04:54.0093 3444 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:04:54.0109 3444 IpInIp - ok
14:04:54.0140 3444 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:04:54.0140 3444 IpNat - ok
14:04:54.0156 3444 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:04:54.0156 3444 IPSec - ok
14:04:54.0187 3444 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
14:04:54.0187 3444 IRENUM - ok
14:04:54.0234 3444 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:04:54.0234 3444 isapnp - ok
14:04:54.0296 3444 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:04:54.0296 3444 Kbdclass - ok
14:04:54.0328 3444 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
14:04:54.0328 3444 kbdhid - ok
14:04:54.0359 3444 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
14:04:54.0359 3444 kmixer - ok
14:04:54.0406 3444 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
14:04:54.0406 3444 KSecDD - ok
14:04:54.0515 3444 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
14:04:54.0515 3444 Lavasoft Kernexplorer - ok
14:04:54.0562 3444 Lbd (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys
14:04:54.0562 3444 Lbd - ok
14:04:54.0578 3444 lbrtfdc - ok
14:04:54.0625 3444 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
14:04:54.0625 3444 MBAMProtector - ok
14:04:54.0671 3444 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
14:04:54.0671 3444 mnmdd - ok
14:04:54.0703 3444 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
14:04:54.0703 3444 Modem - ok
14:04:54.0718 3444 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
14:04:54.0718 3444 Mouclass - ok
14:04:54.0765 3444 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
14:04:54.0765 3444 mouhid - ok
14:04:54.0781 3444 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
14:04:54.0781 3444 MountMgr - ok
14:04:54.0812 3444 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
14:04:54.0812 3444 mraid35x - ok
14:04:54.0875 3444 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
14:04:54.0875 3444 MRxDAV - ok
14:04:54.0921 3444 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
14:04:54.0937 3444 MRxSmb - ok
14:04:54.0968 3444 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
14:04:54.0968 3444 Msfs - ok
14:04:55.0015 3444 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
14:04:55.0015 3444 MSKSSRV - ok
14:04:55.0046 3444 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
14:04:55.0046 3444 MSPCLOCK - ok
14:04:55.0078 3444 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
14:04:55.0078 3444 MSPQM - ok
14:04:55.0140 3444 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
14:04:55.0140 3444 mssmbios - ok
14:04:55.0187 3444 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
14:04:55.0187 3444 Mup - ok
14:04:55.0234 3444 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
14:04:55.0234 3444 NDIS - ok
14:04:55.0265 3444 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:04:55.0265 3444 NdisTapi - ok
14:04:55.0281 3444 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:04:55.0296 3444 Ndisuio - ok
14:04:55.0312 3444 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:04:55.0312 3444 NdisWan - ok
14:04:55.0359 3444 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
14:04:55.0359 3444 NDProxy - ok
14:04:55.0375 3444 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
14:04:55.0390 3444 NetBIOS - ok
14:04:55.0406 3444 NetBT (72da0a8ecf38b5949d3dd66a86ba8b1e) C:\WINDOWS\system32\DRIVERS\netbt.sys
14:04:55.0406 3444 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: 72da0a8ecf38b5949d3dd66a86ba8b1e, Fake md5: dee1aeab1acae1dec4ae2d2da40062f2
14:04:55.0406 3444 NetBT ( Virus.Win32.ZAccess.l ) - infected
14:04:55.0406 3444 NetBT - detected Virus.Win32.ZAccess.l (0)
14:04:55.0453 3444 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
14:04:55.0453 3444 Npfs - ok
14:04:55.0484 3444 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
14:04:55.0484 3444 Ntfs - ok
14:04:55.0515 3444 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
14:04:55.0515 3444 Null - ok
14:04:55.0656 3444 nv (15a6306a0b958bf60f09688d0ee70479) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
14:04:55.0687 3444 nv - ok
14:04:55.0718 3444 nvatabus (75562456aa672bb5fe56d3c64c6d1c7d) C:\WINDOWS\system32\drivers\nvatabus.sys
14:04:55.0718 3444 nvatabus - ok
14:04:55.0750 3444 nvraid (1d4781a5957300dc81b91161b45704bb) C:\WINDOWS\system32\drivers\nvraid.sys
14:04:55.0750 3444 nvraid - ok
14:04:55.0781 3444 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:04:55.0781 3444 NwlnkFlt - ok
14:04:55.0812 3444 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:04:55.0812 3444 NwlnkFwd - ok
14:04:55.0890 3444 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
14:04:55.0890 3444 Parport - ok
14:04:55.0921 3444 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
14:04:55.0921 3444 PartMgr - ok
14:04:55.0953 3444 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
14:04:55.0953 3444 ParVdm - ok
14:04:55.0984 3444 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
14:04:55.0984 3444 PCI - ok
14:04:56.0000 3444 PCIDump - ok
14:04:56.0015 3444 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
14:04:56.0015 3444 PCIIde - ok
14:04:56.0093 3444 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
14:04:56.0093 3444 Pcmcia - ok
14:04:56.0109 3444 PDCOMP - ok
14:04:56.0140 3444 PDFRAME - ok
14:04:56.0140 3444 PDRELI - ok
14:04:56.0156 3444 PDRFRAME - ok
14:04:56.0203 3444 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
14:04:56.0203 3444 perc2 - ok
14:04:56.0218 3444 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
14:04:56.0218 3444 perc2hib - ok
14:04:56.0281 3444 pfc (d1779c14abb7992f5c20c262ba5c7af2) C:\WINDOWS\system32\drivers\pfc.sys
14:04:56.0281 3444 pfc - ok
14:04:56.0312 3444 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
14:04:56.0312 3444 PptpMiniport - ok
14:04:56.0343 3444 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
14:04:56.0343 3444 Processor - ok
14:04:56.0359 3444 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
14:04:56.0359 3444 PSched - ok
14:04:56.0375 3444 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
14:04:56.0375 3444 Ptilink - ok
14:04:56.0421 3444 PxHelp20 (db3b30c3a4cdcf07e164c14584d9d0f2) C:\WINDOWS\system32\Drivers\PxHelp20.sys
14:04:56.0421 3444 PxHelp20 - ok
14:04:56.0437 3444 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
14:04:56.0437 3444 ql1080 - ok
14:04:56.0468 3444 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
14:04:56.0468 3444 Ql10wnt - ok
14:04:56.0484 3444 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
14:04:56.0484 3444 ql12160 - ok
14:04:56.0515 3444 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
14:04:56.0515 3444 ql1240 - ok
14:04:56.0546 3444 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
14:04:56.0546 3444 ql1280 - ok
14:04:56.0578 3444 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
14:04:56.0578 3444 RasAcd - ok
14:04:56.0609 3444 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
14:04:56.0609 3444 Rasl2tp - ok
14:04:56.0640 3444 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
14:04:56.0640 3444 RasPppoe - ok
14:04:56.0656 3444 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
14:04:56.0656 3444 Raspti - ok
14:04:56.0687 3444 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
14:04:56.0687 3444 Rdbss - ok
14:04:56.0703 3444 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
14:04:56.0703 3444 RDPCDD - ok
14:04:56.0796 3444 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
14:04:56.0796 3444 rdpdr - ok
14:04:56.0859 3444 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
14:04:56.0875 3444 RDPWD - ok
14:04:56.0921 3444 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
14:04:56.0921 3444 redbook - ok
14:04:56.0968 3444 RsFx0150 (a95840a95a9ff74b0009e5d848cddb39) C:\WINDOWS\system32\DRIVERS\RsFx0150.sys
14:04:56.0984 3444 RsFx0150 - ok
14:04:57.0031 3444 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
14:04:57.0046 3444 Secdrv - ok
14:04:57.0093 3444 Ser2pl (b490ad520257dda26c1d587a71e527b5) C:\WINDOWS\system32\DRIVERS\ser2pl.sys
14:04:57.0093 3444 Ser2pl - ok
14:04:57.0125 3444 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
14:04:57.0140 3444 serenum - ok
14:04:57.0171 3444 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
14:04:57.0171 3444 Serial - ok
14:04:57.0218 3444 sermouse (1f16931c722c69e4a7866244796c66a0) C:\WINDOWS\system32\DRIVERS\sermouse.sys
14:04:57.0218 3444 sermouse - ok
14:04:57.0312 3444 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
14:04:57.0312 3444 Sfloppy - ok
14:04:57.0343 3444 Simbad - ok
14:04:57.0390 3444 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
14:04:57.0390 3444 sisagp - ok
14:04:57.0437 3444 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
14:04:57.0437 3444 Sparrow - ok
14:04:57.0468 3444 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
14:04:57.0468 3444 splitter - ok
14:04:57.0562 3444 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
14:04:57.0562 3444 sr - ok
14:04:57.0625 3444 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
14:04:57.0640 3444 Srv - ok
14:04:57.0718 3444 STHDA (8990440e4b2a7ca5a56a1833b03741fd) C:\WINDOWS\system32\drivers\sthda.sys
14:04:57.0734 3444 STHDA - ok
14:04:57.0765 3444 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
14:04:57.0765 3444 swenum - ok
14:04:57.0796 3444 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
14:04:57.0796 3444 swmidi - ok
14:04:57.0828 3444 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
14:04:57.0828 3444 symc810 - ok
14:04:57.0859 3444 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
14:04:57.0859 3444 symc8xx - ok
14:04:57.0875 3444 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
14:04:57.0875 3444 sym_hi - ok
14:04:57.0890 3444 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
14:04:57.0890 3444 sym_u3 - ok
14:04:57.0921 3444 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
14:04:57.0921 3444 sysaudio - ok
14:04:57.0968 3444 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:04:57.0968 3444 Tcpip - ok
14:04:58.0015 3444 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
14:04:58.0015 3444 TDPIPE - ok
14:04:58.0031 3444 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
14:04:58.0031 3444 TDTCP - ok
14:04:58.0046 3444 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
14:04:58.0046 3444 TermDD - ok
14:04:58.0093 3444 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
14:04:58.0093 3444 TosIde - ok
14:04:58.0156 3444 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
14:04:58.0156 3444 Udfs - ok
14:04:58.0203 3444 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
14:04:58.0203 3444 ultra - ok
14:04:58.0250 3444 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
14:04:58.0265 3444 Update - ok
14:04:58.0296 3444 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
14:04:58.0296 3444 usbehci - ok
14:04:58.0328 3444 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
14:04:58.0328 3444 usbhub - ok
14:04:58.0359 3444 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
14:04:58.0359 3444 usbohci - ok
14:04:58.0390 3444 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
14:04:58.0390 3444 usbprint - ok
14:04:58.0421 3444 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:04:58.0421 3444 USBSTOR - ok
14:04:58.0453 3444 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
14:04:58.0468 3444 usbuhci - ok
14:04:58.0484 3444 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
14:04:58.0484 3444 VgaSave - ok
14:04:58.0546 3444 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
14:04:58.0546 3444 viaagp - ok
14:04:58.0578 3444 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
14:04:58.0578 3444 ViaIde - ok
14:04:58.0609 3444 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
14:04:58.0609 3444 VolSnap - ok
14:04:58.0656 3444 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
14:04:58.0656 3444 Wanarp - ok
14:04:58.0671 3444 wanatw - ok
14:04:58.0687 3444 WDICA - ok
14:04:58.0734 3444 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
14:04:58.0734 3444 wdmaud - ok
14:04:58.0921 3444 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
14:04:58.0921 3444 WudfPf - ok
14:04:58.0937 3444 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
14:04:58.0953 3444 WudfRd - ok
14:04:58.0984 3444 MBR (0x1B8) (5cb90281d1a59b251f6603134774eec3) \Device\Harddisk0\DR0
14:04:59.0093 3444 \Device\Harddisk0\DR0 - ok
14:04:59.0125 3444 Boot (0x1200) (552ce049311db5490b219ddd991a9e1b) \Device\Harddisk0\DR0\Partition0
14:04:59.0125 3444 \Device\Harddisk0\DR0\Partition0 - ok
14:04:59.0125 3444 ============================================================
14:04:59.0125 3444 Scan finished
14:04:59.0125 3444 ============================================================
14:04:59.0140 3440 Detected object count: 1
14:04:59.0140 3440 Actual detected object count: 1
14:05:15.0203 3440 C:\WINDOWS\system32\DRIVERS\netbt.sys - copied to quarantine
14:05:19.0203 3440 Backup copy found, using it..
14:05:19.0218 3440 C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured on reboot
14:05:20.0859 3440 NetBT ( Virus.Win32.ZAccess.l ) - User select action: Cure


***GMER LOG***



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-31 08:02:24
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HD080HJ/P rev.ZH100-34
Running: r7oovk4d[1].exe; Driver: C:\DOCUME~1\DEFAULT\LOCALS~1\Temp\pxtyypow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA0F887E]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xBA411738]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA0F8BFE]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xBA4117DC]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xBA411878]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xBA411914]

---- Kernel code sections - GMER 1.0.15 ----

? 43667122.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB891B360, 0x2456AE, 0xE8000020]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xB4404400, 0x7960C, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB44A6420] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB44A6420]
.protect˙˙˙˙hardlockunknown last code section [0xB44A6200, 0x5049, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xB44A6200, 0x5049, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[3964] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB54224$\134470611 0 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\bckfg.tmp 854 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\cfg.ini 231 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\keywords 91 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\L 0 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\L\odetmngk 162816 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\oemid 329 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\U 0 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\U\80000032.@ 73216 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\version 858 bytes
File C:\WINDOWS\$NtUninstallKB54224$\1566243591 0 bytes

---- EOF - GMER 1.0.15 ----


***aswMBR LOG***




aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-31 08:54:20
-----------------------------
08:54:20.312 OS Version: Windows 5.1.2600 Service Pack 3
08:54:20.312 Number of processors: 1 586 0x4F02
08:54:20.312 ComputerName: RECEIVING UserName: DEFAULT
08:54:21.390 Initialize success
09:01:19.843 AVAST engine defs: 12013100
09:03:40.703 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
09:03:40.703 Disk 0 Vendor: SAMSUNG_HD080HJ/P ZH100-34 Size: 76293MB BusType: 3
09:03:40.765 Disk 0 MBR read successfully
09:03:40.765 Disk 0 MBR scan
09:03:40.812 Disk 0 unknown MBR code
09:03:40.812 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
09:03:40.843 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 73014 MB offset 80325
09:03:40.921 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 3231 MB offset 149613345
09:03:41.109 Disk 0 scanning sectors +156232125
09:03:41.328 Disk 0 scanning C:\WINDOWS\system32\drivers
09:05:00.578 Service scanning
09:05:01.734 Modules scanning
09:05:53.390 Disk 0 trace - called modules:
09:05:53.468 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
09:05:53.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7bdab8]
09:05:53.468 3 CLASSPNP.SYS[ba0c8fd7] -> nt!IofCallDriver -> \Device\0000005e[0x8a7bf2a0]
09:05:53.468 5 ACPI.sys[b9f68620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a8c8940]
09:05:53.937 AVAST engine scan C:\WINDOWS
09:07:05.375 AVAST engine scan C:\WINDOWS\system32
09:15:40.984 AVAST engine scan C:\WINDOWS\system32\drivers
09:16:22.765 AVAST engine scan C:\Documents and Settings\DEFAULT
09:34:18.640 AVAST engine scan C:\Documents and Settings\All Users
09:37:59.843 Scan finished successfully
09:43:54.531 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\DEFAULT\Desktop\MBR.dat"
09:43:54.531 The log file has been saved successfully to "C:\Documents and Settings\DEFAULT\Desktop\aswMBR log.txt"




Thank you for all your help so far, it's GREATLY appreciated!

#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India
  • Local time:04:56 AM

Posted 31 January 2012 - 12:47 PM

Your GMER log indicates that your PC is infected by the ZeroAccess rootkit, which requires advanced tools to remove it.

Read the guide here

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck
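
As an added illustration of how a helper reads logs like the ones posted above (this is example code written for this page, not narenxp's code and not part of GMER, TDSSKiller or any other tool in the thread): a small Python triage script that walks mixed TDSSKiller and GMER output and pulls out the two things visible in the logs above, the TDSSKiller line naming Virus.Win32.ZAccess.l on the NetBT driver (with netbt.sys queued for cure on reboot), and the hidden numeric directory under C:\WINDOWS\$NtUninstallKB54224$ with the "@", U\ and L\ entries that GMER enumerated. The sample input is an excerpt constructed from the logs posted in this thread; the function names (`triage`, `classify_entry`) and the layout rule (all three of "@", U\ and L\ present under one root) are this example's own assumptions, not a signature from any of the tools. Its purpose is the defender's one: confirm that a log you are about to post actually contains the indicators a Malware Removal Team member will look for.

```python
import re

# Sample input: an excerpt constructed from the TDSSKiller and GMER logs posted above.
SAMPLE_LOG = r"""
14:05:19.0218 3440 C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured on reboot
14:05:20.0859 3440 NetBT ( Virus.Win32.ZAccess.l ) - User select action: Cure
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\$NtUninstallKB54224$\134470611 0 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\L\odetmngk 162816 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB54224$\134470611\U\80000032.@ 73216 bytes
File C:\WINDOWS\$NtUninstallKB54224$\1566243591 0 bytes
"""

# GMER "Files" section line: "File <path> <size> bytes"
GMER_FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes$")
# A numeric subdirectory inside a $NtUninstallKB...$ folder, as listed in the GMER log above
HIDDEN_DIR_RE = re.compile(
    r"^(?P<root>[A-Za-z]:\\WINDOWS\\\$NtUninstallKB\d+\$\\\d+)(?P<rest>\\.*)?$", re.IGNORECASE
)
# TDSSKiller detection line: "<time> <pid> <service> ( <name> ) - User select action: <action>"
TDSS_DETECT_RE = re.compile(
    r"^\S+ \d+ (?P<service>\S+) \( (?P<name>\S+) \) - User select action: (?P<action>\w+)$"
)
# TDSSKiller cure line: "<time> <pid> <path> - will be cured on reboot"
TDSS_CURE_RE = re.compile(r"^\S+ \d+ (?P<path>.+?) - will be cured on reboot$")


def classify_entry(rest):
    """Bucket an entry below the hidden directory root by the names seen in the GMER listing."""
    if rest == "":
        return "root"          # the directory itself (listed as "0 bytes")
    if rest == "\\@":
        return "at"            # the "@" file directly under the root
    upper = rest.upper()
    if upper.startswith("\\U\\"):
        return "U"             # entries under the U\ subfolder
    if upper.startswith("\\L\\"):
        return "L"             # entries under the L\ subfolder
    return "other"


def triage(log_text):
    """Collect ZeroAccess-related indicators from mixed TDSSKiller/GMER log lines."""
    report = {"detections": [], "cure_pending": [], "hidden_dirs": {}}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TDSS_DETECT_RE.match(line)
        if m:
            report["detections"].append((m["service"], m["name"], m["action"]))
            continue
        m = TDSS_CURE_RE.match(line)
        if m:
            report["cure_pending"].append(m["path"])
            continue
        m = GMER_FILE_RE.match(line)
        if not m:
            continue
        d = HIDDEN_DIR_RE.match(m["path"])
        if not d:
            continue
        counts = report["hidden_dirs"].setdefault(
            d["root"], {"root": 0, "at": 0, "U": 0, "L": 0, "other": 0, "bytes": 0}
        )
        counts[classify_entry(d["rest"] or "")] += 1
        counts["bytes"] += int(m["size"])

    # Example's own rule (an assumption, not a tool signature): a hidden directory that
    # carries all three of "@", U\ and L\ entries matches the layout GMER enumerated above.
    report["zeroaccess_layout"] = [
        root for root, c in report["hidden_dirs"].items() if c["at"] and c["U"] and c["L"]
    ]
    named = any("zaccess" in name.lower() for _, name, _ in report["detections"])
    report["verdict"] = (
        "rootkit indicators present"
        if named or report["zeroaccess_layout"]
        else "no ZeroAccess indicators in this excerpt"
    )
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("verdict:", result["verdict"])
    for service, name, action in result["detections"]:
        print(f"detection: {service} -> {name} ({action})")
    for path in result["cure_pending"]:
        print("cure pending:", path)
    for root, counts in result["hidden_dirs"].items():
        print("hidden dir:", root, counts)
```

Run it against a saved log with `triage(open("gmer.log").read())`; the script only reads text and changes nothing on the machine, which matches the advice below to make no further changes once a log is posted. The second numeric directory (1566243591) is reported but not flagged by the layout rule, because GMER listed it empty.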

#5 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:07:56 PM

Posted 31 January 2012 - 04:47 PM

Malware topic here: http://www.bleepingcomputer.com/forums/topic440794.html

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work, may assume another MR Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.

Edited by Budapest, 31 January 2012 - 04:47 PM.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw



