
Rootkit Trojan, Redirects Browser


  • This topic is locked
19 replies to this topic

#1 momgeek

momgeek

  • Members
  • 9 posts

Posted 13 March 2012 - 03:31 PM

My husband discovered last night that our browser was redirecting. Through his research, he found out about "HitmanPro", which he ran and discovered we had the following trojan: "mbr.pihar.e". Our concern is whether running "HitmanPro" was sufficient, or if we need to take further action, such as "ComboFix".

We sincerely appreciate your help.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Tyner Family at 13:05:16 on 2012-03-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.58 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Free Firewall *Enabled*
.

 


#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,414 posts
  • Gender:Male
  • Location:California

Posted 13 March 2012 - 05:47 PM

Hi momgeek and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you!


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the [button image] button but use the [button image] button instead.
  • In the upper right hand corner of the topic you will see the [button image] button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started.

===================================================


Please allow me some time to review the information you have provided. I will post back as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,414 posts
  • Gender:Male
  • Location:California

Posted 13 March 2012 - 08:29 PM

Greetings momgeek,


I need to ask you to do a couple of things for me, if you would. This will help us to evaluate the current state of your machine.


===================================================


Run TDSSKiller by Kaspersky on XP

--------------------

  • Please download Kaspersky's TDSSKiller and save it to your Desktop. <-Important!!!
  • If you desire you may print out and follow the instructions for performing a scan.
  • Double-click on TDSSKiller.exe.
  • When the program opens, click the Start Scan button.



  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • Any objects found will show in the Scan results - Select action for found objects and offer three options.
  • If an infected file is detected, the default action will be Cure...do not change it.



  • Click Continue > Reboot now to finish the cleaning process. <- Important!!



  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer or to perform the scan in "safe mode".

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis. Please submit these results with your next reply.


===================================================


aswMBR

--------------------

Please download aswMBR and save it to your desktop.

  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.
  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
  • Please post the contents of the log in your next reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • TDSSKiller log
  • aswMBR log
  • How is your machine running?

Gary
 
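TDSSKiller reads the raw first sector of the disk and logs the MD5 of its first 0x1B8 bytes (the boot code) in its "MBR (0x1B8)" line, next to the partition entries it found; an MBR rootkit lives in exactly that boot-code region, so a hash that no longer matches a known-good image is the signal. As an added example, not part of this thread or of either tool, the Python below parses a 512-byte MBR the same way and diffs it against a baseline image. The partition layout mirrors what TDSSKiller logged for this machine (type 0x7 at LBA 0x3F00, then type 0xC); the boot-code bytes, the extra hidden entry in the third image and all function names are constructed.

```python
"""Parse a 512-byte MBR and diff its boot code and partition table against a known-good image.

Added example, not code from this thread or from TDSSKiller/aswMBR. Function names are
the author's own; the partition layout mirrors the TDSSKiller log for this machine, while
the boot-code bytes are constructed filler.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 0x1B8          # span TDSSKiller hashes in its "MBR (0x1B8)" log line
PART_TABLE_OFF = 0x1BE         # four 16-byte partition entries start here
ENTRY_FMT = "<B3xB3xII"        # status, CHS start (skipped), type, CHS end (skipped), start LBA, sector count
BOOT_SIG = b"\x55\xaa"         # every valid MBR ends with this signature


def parse_mbr(sector: bytes) -> dict:
    """Return the MD5 of the boot code plus every non-empty partition entry."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR image must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        status, ptype, start_lba, blocks = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * slot)
        if ptype == 0:                      # unused slot
            continue
        partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                           "start_lba": start_lba, "blocks": blocks})
    return {"boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Findings a bootkit-style change produces: rewritten boot code shows up as a hash
    mismatch, a re-pointed or added entry as a partition-table difference."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if base["boot_code_md5"] != cur["boot_code_md5"]:
        findings.append("boot code modified (MBR hash mismatch)")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table modified")
    if sum(p["bootable"] for p in cur["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


def read_first_sector(path: str) -> bytes:
    """Read the first sector of a disk image or raw device (e.g. r"\\\\.\\PhysicalDrive0" on
    Windows, which needs an administrator prompt). Not exercised by the fixtures below."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Constructed fixture: assemble an MBR from boot code and (status, type, start_lba, blocks) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for slot, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * slot, *entry)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Layout TDSSKiller logged for this machine: NTFS (0x07) at LBA 0x3F00, FAT32-LBA (0x0C) after it.
DISK_LAYOUT = [(0x80, 0x07, 0x3F00, 0xA91C55F), (0x00, 0x0C, 0xA92045F, 0xF2ED1F)]
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 20, DISK_LAYOUT)  # constructed boot code
TAMPERED_MBR = b"\xeb\x10" + CLEAN_MBR[2:]              # same table, first two boot-code bytes replaced
EXTRA_ENTRY_MBR = build_sample_mbr(                      # same boot code, constructed hidden entry
    CLEAN_MBR[:25], DISK_LAYOUT + [(0x00, 0x17, 0xB84F17E, 0x800)])  # placed in the unpartitioned tail

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("extra entry", EXTRA_ENTRY_MBR)):
        print(name, compare_mbr(CLEAN_MBR, image) or ["no change"])
```

The baseline image is whatever you captured with read_first_sector while the machine was known clean; without one, the hash alone only tells you the boot code changed between two reads, not which of them is good.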

#4 momgeek

momgeek
  • Topic Starter

  • Members
  • 9 posts

Posted 14 March 2012 - 10:30 AM

Oh My,

Thank you for responding so quickly.

The TDSSKiller did not find any problems. The Log is as follows:




Here is the aswMBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-14 08:43:00
-----------------------------
08:43:00.703 OS Version: Windows 5.1.2600 Service Pack 3
08:43:00.703 Number of processors: 1 586 0x2402
08:43:00.703 ComputerName: TYNERBOX UserName:
08:43:03.265 Initialize success
08:48:42.468 AVAST engine defs: 12031400
08:48:48.000 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
08:48:48.000 Disk 0 Vendor: FUJITSU_MHV2100AT_PL 008300A1 Size: 95396MB BusType: 3
08:48:48.062 Disk 0 MBR read successfully
08:48:48.062 Disk 0 MBR scan
08:48:48.140 Disk 0 Windows XP default MBR code
08:48:48.140 Disk 0 Partition - 00 0F Extended LBA 86584 MB offset 16065
08:48:48.187 Disk 0 Partition 1 80 (A) 0C FAT32 LBA RECOVERY 7773 MB offset 177341535
08:48:48.218 Disk 0 Partition 2 00 D7 NTFS 1027 MB offset 193261950
08:48:48.296 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 86584 MB offset 16128
08:48:48.312 Disk 0 scanning sectors +195366465
08:48:48.562 Disk 0 scanning C:\WINDOWS\system32\drivers
08:49:27.140 Service scanning
08:49:48.953 Modules scanning
08:50:49.468 Disk 0 trace - called modules:
08:50:49.500 ntkrnlpa.exe CLASSPNP.SYS disk.sys Amddfltr.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
08:50:49.500 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86736ab8]
08:50:49.500 3 CLASSPNP.SYS[f7672fd7] -> nt!IofCallDriver -> [0x86747a48]
08:50:49.500 5 Amddfltr.sys[f78ab0b6] -> nt!IofCallDriver -> \Device\00000073[0x867cdb40]
08:50:49.500 7 ACPI.sys[f74e9620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86737d98]
08:50:50.828 AVAST engine scan C:\WINDOWS
08:51:22.359 AVAST engine scan C:\WINDOWS\system32
08:57:28.859 AVAST engine scan C:\WINDOWS\system32\drivers
08:58:09.703 AVAST engine scan C:\Documents and Settings\Tyner Family
09:08:23.093 AVAST engine scan C:\Documents and Settings\All Users
09:10:14.125 Scan finished successfully
09:11:22.812 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Tyner Family\Desktop\MBR.dat"
09:11:22.828 The log file has been saved successfully to "C:\Documents and Settings\Tyner Family\Desktop\aswMBR.txt"


As far as the performance of my computer, it has been slow for some time (my husband always complains! :) ). I've wondered what the reasons behind that were, but I couldn't figure it out. It seemed to have plenty of memory and I even tried repartitioning the hard drive to no avail. I was a programmer in a former life (before kids), but I have to admit I never fully understood the workings of the machines themselves. (Thus, my deep appreciation and respect for the System Administrators and people like you that have helped me do my job.) So, I'm not sure how much the things I tried would have actually helped. All of that said, it appears to me that my computer has been especially slow for the last few days. I've also been noticing the little "memory usage" box popping up more as of late. There have been some especially frustrating times, but I think they are website specific, since they always seem to happen on one of my favorite recipe websites (skinnytaste.com). In fact, I often get a pop up while I'm on that website that says that a script is trying to run and asks if I want to kill it.

Hope I've answered your questions. Let me know if you need anything else from my end.

Thanks again!
momgeek
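Both logs above finish with checks of the MBR and the partition table. As an added example, not part of momgeek's post and not code from aswMBR or the first scanner, here is a small Python parser for a raw 512-byte MBR such as the MBR.dat that aswMBR saved to the desktop. It checks the 0x55AA boot signature, hashes the boot-code region, lists the partition entries the way aswMBR prints them, measures the unallocated space after the last partition (the region aswMBR reports as "scanning sectors +N"), and flags what a bootkit or a tampered table would change: more or fewer than one active partition, overlapping entries, an entry that runs past the end of the disk, or a boot-code hash that differs from a known-good value. Assumptions: the "(0x1B8)" in the first log's MBR line is read as the length of the hashed code region (bytes 0..0x1B7, up to the NT disk signature); the sample sector is constructed to mirror the partition layout in the aswMBR log but carries dummy boot code, so its hash is not the one in the log; the disk size of 95396 MB is taken from the log.

```python
"""Parse and sanity-check a raw MBR sector (such as the MBR.dat aswMBR saved).

Added example, not code from the original post or from aswMBR/TDSSKiller.
ASSUMPTIONS: the '(0x1B8)' in the first log's MBR line is the length of the
boot-code region hashed (bytes 0..0x1B7, up to the NT disk signature); the
sample sector below is CONSTRUCTED to mirror the partition layout printed by
aswMBR, with dummy boot code, so its hash will not match the hash in the log.
"""
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR_SIZE = 512
CODE_LEN = 0x1B8              # boot code: bytes 0..0x1B7 (assumption, see docstring)
DISK_SIG_OFFSET = 0x1B8       # 4-byte NT disk signature
PART_TABLE_OFFSET = 0x1BE     # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count
SECTORS_PER_MB = 2048         # 512-byte sectors; matches the MB figures aswMBR prints

# Names follow the labels aswMBR used in the log above.
PART_TYPES = {0x07: "HPFS/NTFS", 0x0C: "FAT32 LBA", 0x0F: "Extended LBA", 0xD7: "0xD7 (vendor)"}


def build_sample_mbr() -> bytes:
    """CONSTRUCTED sector: dummy boot code plus the three primary entries aswMBR listed."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\x33\xC0\x8E"                                # stand-in for real boot code
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0x1234ABCD)  # made-up disk signature
    entries = [                                  # status, type, LBA start, sector count
        (0x00, 0x0F, 16065,     86584 * SECTORS_PER_MB),   # extended container
        (0x80, 0x0C, 177341535,  7773 * SECTORS_PER_MB),   # active FAT32 "RECOVERY"
        (0x00, 0xD7, 193261950,  1027 * SECTORS_PER_MB),   # vendor partition
    ]
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> Dict:
    """Return the boot-code hash, the disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts: List[Dict] = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:          # empty slot
            continue
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "name": PART_TYPES.get(ptype, "unknown"),
                      "lba": lba, "sectors": count, "mb": count // SECTORS_PER_MB})
    return {"code_md5": hashlib.md5(sector[:CODE_LEN]).hexdigest(),
            "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
            "partitions": parts}


def unallocated_tail(info: Dict, disk_sectors: int) -> int:
    """Sectors after the last partition: the slack that aswMBR's 'scanning sectors +N' covers."""
    last_end = max((p["lba"] + p["sectors"] for p in info["partitions"]), default=1)
    return max(0, disk_sectors - last_end)


def triage(info: Dict, disk_sectors: int, known_good_md5: Optional[str] = None) -> List[str]:
    """Flag the things a bootkit or a hand-edited partition table would change."""
    findings: List[str] = []
    if known_good_md5 and info["code_md5"] != known_good_md5:
        findings.append("boot code hash differs from the known-good MBR code")
    active = [p["index"] for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found entries {active}")
    prev_end = 1  # sector 0 holds the MBR itself
    for p in sorted(info["partitions"], key=lambda e: e["lba"]):
        end = p["lba"] + p["sectors"]
        if p["lba"] < prev_end:
            findings.append(f"entry {p['index']} overlaps the entry before it")
        if end > disk_sectors:
            findings.append(f"entry {p['index']} runs past the end of the disk")
        prev_end = max(prev_end, end)
    return findings


if __name__ == "__main__":
    disk = 95396 * SECTORS_PER_MB  # disk size from the aswMBR log
    info = parse_mbr(build_sample_mbr())
    for p in info["partitions"]:
        flag = "(A)" if p["active"] else "   "
        print(f"{p['index']} {flag} {p['type']:02X} {p['name']:<13} {p['mb']:6d} MB offset {p['lba']}")
    print("code md5:", info["code_md5"], "| problems:", triage(info, disk) or "none")
    print("unallocated tail sectors:", unallocated_tail(info, disk))
```

To run it on the saved file, call `parse_mbr(open("MBR.dat", "rb").read())`, provided the file is the single 512-byte sector. Compare `code_md5` with the hash a clean scan of the same machine reported (the first log prints it on its MBR line) rather than with a generic value, since OEM boot code differs from the stock Windows XP MBR.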

#5 Oh My!
Malware Response Instructor

Posted 14 March 2012 - 07:00 PM

Greetings momgeek,


Thank you for the information, both the logs and explanation about what you are experiencing with your computer.

The two logs look clean. Let's do a couple of other things to take a further look into your concerns. In addition, I am going to provide instructions to update Java so we know that is not an issue.


===================================================


Temporary File Cleaner (TFC)

--------------------

  • Download TFC by OldTimer to your desktop.
  • Close any open windows
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run
  • Click the Start button to begin the process
  • Allow TFC to run uninterrupted
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine, if it doesn't, manually reboot to ensure a complete clean
NOTE: It's normal for the computer to boot more slowly the first time after running TFC

TFC will clear out all temporary folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. TFC only cleans temporary folders and will not clean URL history, prefetch, or cookies



===================================================


I would like to take a look at the Processes tab of your Task Manager. Please provide a screen shot of that information and post it as an attachment.


===================================================


I only see Internet Explorer on your computer so I am assuming you are experiencing script errors with that browser alone. If that is not the case please let me know. Either way, please perform the following for me.


Disabling Script Debugging in Internet Explorer

--------------------

  • Launch Internet Explorer
  • Click the Tools button, then click Internet Options
  • Click Advanced
  • Select the Disable script debugging (Internet Explorer) and Disable script debugging (other) boxes.
  • Clear the Display a notification about every script error check box
  • Click OK
  • Try accessing the web site again to see if you still get the script warning

===================================================


Update Java

-------------------

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Please follow these steps to remove older Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs (Programs and Features in Vista/Windows 7) and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.

To disable the JQS service if you don't want to use it:

  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Did TFC and Java run successfully
  • Processes list screen shot
  • Do you still receive script warnings?
  • How is your machine running now?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 momgeek
Topic Starter

Posted 17 March 2012 - 08:56 PM

Oh My suggested that I let the rest of you know that I have been out of pocket and will respond as soon as possible. Thanks!

#7 momgeek
Topic Starter

Posted 18 March 2012 - 08:58 PM

Oh My,
Thank you again for your help and your patience.

1) TFC and Java both ran successfully.

2) I made a couple of screenshots for you (I couldn't fit all of the processes on one), but I couldn't figure out how to paste it onto the blog.

3) The website still hiccups for a couple of seconds when it would give me that message, but it no longer gives me the message and it no longer completely freezes up.

4) Our computer is running MUCH better. In fact better than it has in a long time! Thank you SO much!

momgeek

#8 Oh My!
Malware Response Instructor

Posted 18 March 2012 - 09:14 PM

Greetings momgeek,


Welcome back!


Please go to this web site and scroll down to the last part of step 9. There you will find how you can attach the screen shots to a reply.

If you can, could you describe what the "hiccup" looks like (flickers, stalls, etc.)
Gary
 

#9 momgeek
Topic Starter

Posted 18 March 2012 - 09:59 PM

Oh My,

Sorry! I just assumed that you would want those pasted instead of attached too. I've attached them below.
Edited as requested - m0le

As far as the hiccup is concerned, the page locks up and stalls for a couple of seconds. Annoying, but nowhere near as frustrating as before.

I have a few followup questions for you:
1) How safe do I assume my computer is at this point? Am I ready to begin logging back into sites that involve data that I very much do not want to be compromised?

2) All of the stuff I downloaded during this process. When everything is said and done, how much of it should I get rid of? How much of it should I keep and run periodically for the safety and health of my computer?

3) How much should I worry about all of the stuff about my computer that is now on the internet via the logs I've posted on this site? I used to work with some VERY security conscious guys and they taught me to be pretty paranoid (which is partly why they were so good at their jobs! :) ). I cannot tell you how much my husband and I appreciate all of your help. It has been invaluable. Posting all of this on the internet has just made me a little nervous.

Thanks again!
momgeek

Edited by m0le, 19 March 2012 - 05:51 PM.


#10 Oh My!
Malware Response Instructor

Posted 19 March 2012 - 06:47 PM

Greetings momgeek,


Your processes list shows things that don't need to be run at startup and eat up your memory unnecessarily because they run in the background even though you may not be using them. Please click here to both download Autoruns and read the excellent tutorial about the program and how to best use it.

In addition, BleepingComputer has an excellent database of startup program information you may find useful as well.


----------


Once we are done you may remove the programs that have been used thus far. I will be providing you information about how to greatly minimize the risks of reinfection and they do not involve these programs.


----------


I understand the nervousness of posting information on the internet, especially when you have been tutored by security experts! However, I don't believe there is any information you have posted that would allow someone to specifically target you. Even though that is the case, we have removed the posts so they can no longer be accessed by anyone.


----------


I have no reason to doubt the accuracy of Hitman Pro's detection of the "mbr.pihar.e" virus but it is not something I investigated, determined, and resolved. Your situation involves what is known as a "Backdoor Trojan." If you want absolute peace about the security of your computer and eliminate all possibility of any compromise remaining even after cleaning, a reformat/reinstall is the only certain resolution. It needs to be your decision on how best to define your comfort zone.

Here is some information about Backdoor Trojans and the warning we provide.


One or more of the identified infections (mbr.pihar.e) is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall


----------


I would like to run a couple of scans to check for any remaining remnants. If you would like to at least continue through that step please perform the following for me.


===================================================


Rerun Malwarebytes

--------------------

Temporarily disable your antivirus program.

  • Please locate your Malwarebytes icon and launch the program
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


===================================================


ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.


  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:

    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • MBAM report
  • ESET log
  • Please let me know how your computer is running

And by the way, it is my pleasure to help you and your husband. These are not fun things to deal with.
Gary
 

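Oh My!'s post above points at Autoruns and the BleepingComputer startup database for trimming what runs at boot. As an added example, not from the post and not code from Sysinternals Autoruns, the Python script below triages an Autoruns CSV export the way a responder would: it flags enabled entries whose image file is missing from disk (an orphaned entry, or one a rootkit is hiding), whose binary sits in a user-writable folder, whose publisher signature is not verified, or which are loaded through rundll32/regsvr32; separately, it lists signed, present, non-security Run-key entries that are candidates for disabling to free memory. Assumptions: the column names are an assumption about the CSV layout of the Autoruns version in use (check the header of your own export); the rows, paths and entry names are constructed for this example and are not from the thread.

```python
"""Triage an Autoruns CSV export for a startup clean-up.

Added example, not code from the original post or from Sysinternals Autoruns.
ASSUMPTION: the column names (Entry Location, Entry, Enabled, Description,
Publisher, Image Path, Launch String) are how the Autoruns version in use labels
its CSV export; rename them if your export's header differs. All rows are
CONSTRUCTED for this example; the paths and names are not from the thread.
"""
import csv
import io
import re
from typing import Dict, List

SAMPLE_EXPORT = r"""
Entry Location,Entry,Enabled,Description,Publisher,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,AVG_TRAY,enabled,AVG Tray,(Verified) AVG Technologies,c:\program files\avg\avg2012\avgtray.exe,c:\program files\avg\avg2012\avgtray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ZoneAlarm Client,enabled,ZoneAlarm Client,(Verified) Check Point Software Technologies,c:\program files\checkpoint\zonealarm\zlclient.exe,c:\program files\checkpoint\zonealarm\zlclient.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,QuickTime Task,enabled,QuickTime Task,(Verified) Apple Inc.,c:\program files\quicktime\qttask.exe,c:\program files\quicktime\qttask.exe -atboottime
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe,enabled,CTF Loader,(Verified) Microsoft Windows,c:\windows\system32\ctfmon.exe,c:\windows\system32\ctfmon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,svhost32,enabled,,(Not verified),c:\documents and settings\user\local settings\temp\svhost32.exe,c:\documents and settings\user\local settings\temp\svhost32.exe
HKLM\System\CurrentControlSet\Services,sysdrv,enabled,,,File not found: C:\WINDOWS\system32\drivers\sysdrv.sys,system32\drivers\sysdrv.sys
""".strip()

# Folders a limited user (or a drive-by download running as that user) can write to.
USER_WRITABLE = re.compile(
    r"\\(documents and settings|users|temp|application data|local settings|appdata|recycler)\\",
    re.I)
# Publishers whose Run-key entries should stay: the AV, the firewall and the OS itself.
KEEP_PUBLISHERS = re.compile(r"avg|check point|microsoft", re.I)


def load_export(text: str) -> List[Dict[str, str]]:
    """Read the CSV export into one dict per Autoruns entry."""
    return list(csv.DictReader(io.StringIO(text)))


def suspicious_entries(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map entry name -> reasons for every enabled entry that deserves a closer look."""
    flagged: Dict[str, List[str]] = {}
    for r in rows:
        if r["Enabled"].strip().lower() != "enabled":
            continue
        reasons = []
        path = r["Image Path"].strip()
        publisher = r["Publisher"].strip()
        if not path or path.lower().startswith("file not found"):
            reasons.append("image file missing: orphaned entry, or hidden by a rootkit")
        elif USER_WRITABLE.search(path):
            reasons.append("image lives in a user-writable folder")
        if not publisher or publisher.lower().startswith("(not verified)"):
            reasons.append("no verified publisher signature")
        if re.search(r"\b(rundll32|regsvr32)\b", r["Launch String"], re.I):
            reasons.append("loaded via rundll32/regsvr32: inspect the DLL it names")
        if reasons:
            flagged[r["Entry"]] = reasons
    return flagged


def startup_candidates(rows: List[Dict[str, str]]) -> List[str]:
    """Signed, present, non-security Run-key entries that could be disabled to free memory."""
    names = []
    for r in rows:
        if r["Enabled"].strip().lower() != "enabled":
            continue
        if not re.search(r"\\run(once)?$", r["Entry Location"], re.I):
            continue
        publisher = r["Publisher"].strip()
        if not publisher.lower().startswith("(verified)"):
            continue  # unsigned entries are handled by suspicious_entries instead
        if KEEP_PUBLISHERS.search(publisher):
            continue
        names.append(r["Entry"])
    return names


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    for name, reasons in suspicious_entries(rows).items():
        print(f"SUSPICIOUS {name}: " + "; ".join(reasons))
    print("Candidates to disable:", ", ".join(startup_candidates(rows)) or "none")
```

Run it against your own export with `load_export(open("autoruns.csv", encoding="utf-8-sig").read())`; Autoruns writes its CSV with a byte-order mark, which that encoding strips. Treat a flagged entry as something to investigate, not to delete blindly: a missing image can also be a leftover from an uninstall.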
#11 momgeek
Topic Starter

Posted 20 March 2012 - 06:22 PM

Oh My,
1) Still working on the "Autoruns" thing, because it's a bit time consuming
2) ESET didn't find anything, and in light of that I couldn't see a way to print a log.
3) Malwarebytes didn't find anything either, but just in case you want to see it, the log is below:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.20.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Tyner Family :: TYNERBOX [administrator]

3/20/2012 4:38:26 PM
mbam-log-2012-03-20 (16-38-26).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 178346
Time elapsed: 5 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


4) The computer seems to be running fine. I haven't noticed a significant change in either direction. Of course, I haven't finished my "Autorun" homework either. :)

Thank You!!
momgeek

#12 Oh My!
Malware Response Instructor

Posted 20 March 2012 - 07:48 PM

Greetings momgeek,


That is excellent news! I will await the results of your "homework".
Gary
 

#13 momgeek
Topic Starter

Posted 22 March 2012 - 02:24 PM

Oh My,
After realizing that some compromised financial data of ours might be related to this problem, we have decided that the best course of action is probably to reformat my computer. Can you walk me through the best way to do that? Also, in a panic that our computer was about to shut down, when this first started my husband and I copied some of our more recent photos, videos, and other household files onto our external hard drive (I should have already backed them up, but hadn't). At that point, we would rather have an infected picture of our kids than have no pictures of our kids. Can you give me suggestions about what you would do about those files/that drive?

Thanks again! We are deeply appreciative.

momgeek

#14 Oh My!
Malware Response Instructor

Posted 22 March 2012 - 08:28 PM

Greetings momgeek,


In light of what you have shared I would agree reformatting is the best option to protect yourself, along with changing all of your passwords if you have not done so already.

The best time to back up your data is AFTER your machine has been cleaned as much as possible. We are at that point now. Both the Malwarebytes and ESET logs look good.

If the pictures and videos were ones that you took and were not ones downloaded from the internet, especially from an unknown source, then you need not worry about them. Same thing with your documents.

Here is a tutorial explaining the steps for a clean install of Windows XP.

Finally, I would like to provide some general information for you to consider to keep your computer protected against malware in the future.


===================================================


Please read the following in order to prevent reinfecting your PC:

  • Install and update the following programs regularly:

    • Outbound firewall.
      If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • Anti-Spyware program
      Malwarebytes Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use; the paid versions add a resident scanner and do not nag.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
  • Keep Windows (and your other Microsoft software) up to date!

    • I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    • Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well

    • Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software Inspector occasionally to help you check for out of date software on your machine.
  • Stay up to date!

    • The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:


We will leave this topic open for just a few days in case you have any further issues then it will be closed shortly thereafter.

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.
Gary
 

#15 momgeek
Topic Starter

Posted 23 March 2012 - 08:00 AM

Oh My,

Thanks for all of the great info! Once again, you've been extremely helpful. I'm afraid I may not be able to do all of this till Mon. The whole extended family is going out of town to celebrate a birthday. Do you think the topic could be left open long enough for me to get back and do all of this and see if I need help?

Thanks again!
momgeek



