
1CBD1A13 / Crypt.AQLW / HAPPILI / possible SystemCheck


  • This topic is locked
8 replies to this topic

#1 wayche

wayche

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:50 AM

Posted 02 May 2012 - 03:22 PM

Hi guys! Have I had a fun day!

The affected PC is in my office, runs XP and requires the use of a networked drive for writing data entry to a local database (hence the account being named Data Entry). I received a complaint on Monday that AVG was popping up trojan warnings which couldn't be closed or moved to Virus Vault (AVG identified these as 1CBD1A13, but instead of removing the threat it would pop up an unrelated warning "Please save all opened files prior to continuation" and then fail to remove the threat.)

I also updated MBAM's database and ran an MBAM scan, which came up with more results that also could not be removed or quarantined. Webpages that I'd try to load in Chrome/FF/IE would randomly redirect the first time I'd try them, but when I'd go back and try them again I was successful. One of the re-direct pages landed me at HAPPILI, too.

So today I decided to pop in a thread here, attempted to create all the logs requested (GMER locked up right after it completed a 5 hour scan, so unfortunately no log there), and I was just about to create this thread when AVG started to overload with warnings and finally surrendered to a mass of about 200 pop-up windows telling me all about my "possible HDD corruption". I knew I'd recognized that from somewhere, so I followed BC's instructions re: removing SystemCheck, managed to extract the DDS log files from where they were hiding to a jump drive, and so here we are.

Let me know what y'all need. I'm totally prepared to format the HDD and start over with a fresh XP install if this doesn't work.

EDIT: one thing I forgot to mention, the PC refuses to restart properly; it hangs during shutdown, and must be turned off and hard booted.

EDIT 2: re-started to see if I could get in there to do a hardware audit (in prep for possibly reseating Windows) and the malware did identify itself as S.M.A.R.T. Repair. Just wanted to give a heads-up.

Good luck:


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Data Entry at 9:00:28 on 2012-05-02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2494.1941 [GMT -5:00]
.
AV: *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\VTech\DownloadManager\System\AgentMonitor.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Documents and Settings\Data Entry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uWindow Title = Internet Explorer, optimized for Bing and MSN
uSearch Bar =
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ccleaner] "c:\program files\ccleaner\ccleaner.exe" /AUTO
uRun: [Google Update] "c:\documents and settings\data entry\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [AgentMonitor] c:\program files\vtech\downloadmanager\system\AgentMonitor.exe
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\documents and settings\data entry\start menu\programs\startup\logon.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: crcla.com\mail
Trusted Zone: statres.com\lscis
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1335889822275
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.50.2 192.168.50.1
TCP: Interfaces\{A8A076BF-030F-460F-BA20-28FA33AA03FA} : DhcpNameServer = 192.168.50.2 192.168.50.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.2.0\ViProtocol.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\data entry\application data\mozilla\firefox\profiles\ld47q9mc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20110805163244937&tb_oid=05-08-2011&tb_mrud=05-08-2011
FF - prefs.js: browser.search.selectedEngine - My Web Search
FF - prefs.js: browser.startup.homepage - hxxp://us.lrd.yahoo.com/_ylt=AnNbLwF1MHSsMeTVP7ASp92xulI6/SIG=119ceate2/EXP=1331128605/**http%3A//www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?st=kwd&ptb=E26084C9-A638-46A5-A00F-2719A771E622&n=77ed55d6&ind=2012042710&id=CDxdm243YYus&ptnrS=CDxdm243YYus&si=31m-2&searchfor=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\data entry\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\free ride games\npExentCtl.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-2 24652]
R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\10.2.0\ToolbarUpdater.exe [2012-3-12 918880]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-3-30 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 16720]
S2 avp;Adobeactivefilemonitor4.0;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S2 ZumieSearch Service;ZumieSearch Service;"c:\documents and settings\all users\application data\zumiesearch\zumie175.exe" "c:\program files\zumiesearch\zumie.dll" service --> c:\documents and settings\all users\application data\zumiesearch\zumie175.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-30 253088]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-1 129976]
.
=============== Created Last 30 ================
.
2012-05-02 13:48:40 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2012-05-02 13:48:27 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2012-05-02 13:48:27 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2012-05-02 13:48:27 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2012-05-02 13:48:27 575488 ------w- c:\windows\system32\xpsshhdr.dll
2012-05-02 13:48:27 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2012-05-02 13:48:27 1676288 ------w- c:\windows\system32\xpssvcs.dll
2012-05-02 13:48:27 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2012-05-02 13:48:27 117760 ------w- c:\windows\system32\prntvpt.dll
2012-05-02 13:48:26 -------- d-----w- C:\355e87b98bed2b41f1a88c6162f9
2012-05-02 13:44:35 -------- d-----w- C:\dc9e8ab36092d51e5644fc7e0c
2012-05-02 13:44:32 -------- d-----w- C:\ebf5e058585bbdbebac3b13b
2012-05-02 13:32:06 -------- d-----w- c:\windows\SxsCaPendDel
2012-05-02 13:13:59 274288 ----a-w- c:\windows\system32\mucltui.dll
2012-05-02 13:13:59 215920 ----a-w- c:\windows\system32\muweb.dll
2012-05-02 13:13:59 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-01 19:30:24 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-01 19:30:08 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-05-01 19:30:08 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
2012-05-01 15:17:29 -------- d-----w- c:\program files\ESET
2012-04-30 21:46:26 -------- d-----w- c:\documents and settings\data entry\application data\Malwarebytes
2012-04-30 21:46:20 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-30 21:46:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-30 21:46:20 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-04-30 14:53:14 -------- d-----w- c:\documents and settings\data entry\local settings\application data\PCHealth
2012-04-30 14:51:29 -------- dc-h--w- c:\windows\ie8
2012-04-30 13:57:32 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-30 13:14:18 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
.
==================== Find3M ====================
.
2012-04-30 14:25:12 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3808110AS rev.3.ADJ -> Harddisk0\DR0 -> \Device\00000032
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A31EFD0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A87DAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A3D0F08]
\Driver\00000791[0x8A3CAF38] -> IRP_MJ_CREATE -> 0x8A31EFD0
error: Read Incorrect function.
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\0000005f -> \??\IDE#DiskST3808110AS_____________________________3.ADJ___#2020202020202020202020204C3544534A305443#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 9:02:16.18 ===============

Edited by wayche, 02 May 2012 - 06:00 PM.
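A note on reading the DDS log above, with an added example that is not part of the original post and not a BleepingComputer tool. The entries a responder pulls out of a DDS report first are: the "AV: *Disabled" line, browser add-on CLSIDs registered with "No File", a batch file sitting in the per-user Startup folder, Firefox search preferences pointing at a third-party host, user.js lines that silence security warnings, services whose image path lives under a user-writable profile directory or whose file size prints as "[?]", services hosted by svchost.exe (DDS prints the host process, not the ServiceDll that actually holds the code), and the GMER "possible TDL3 rootkit" warning. The script below encodes those checks as simple rules and runs them over a handful of lines copied from the log above. The allow-list of search hosts, the list of "user-writable" path fragments and the severity labels are assumptions of the example, not anything the log or the forum defines.

```python
import re

# Excerpt copied from the DDS log in the post above, embedded here as a
# constructed inline sample so the script runs offline.
SAMPLE_LOG = r"""
AV: *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
StartupFolder: c:\documents and settings\data entry\start menu\programs\startup\logon.bat
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?st=kwd
FF - user.js: security.warn_submit_insecure - false
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
S2 avp;Adobeactivefilemonitor4.0;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S2 ZumieSearch Service;ZumieSearch Service;"c:\documents and settings\all users\application data\zumiesearch\zumie175.exe" "c:\program files\zumiesearch\zumie.dll" service --> c:\documents and settings\all users\application data\zumiesearch\zumie175.exe [?]
Warning: possible TDL3 rootkit infection !
"""

# Assumption: path fragments a limited user can write to on XP. A service
# image under one of these is suspicious regardless of its name.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\")
# Assumption: search hosts this machine is expected to use (its start page
# is yahoo.com in the log); anything else in a search pref is a hijack flag.
SEARCH_ALLOW = {"www.yahoo.com", "search.yahoo.com", "www.google.com", "www.bing.com"}

# DDS service line: "<R|S><start> name;display;image path [date size]"
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
# DDS Firefox line: "FF - prefs.js: <pref> - <value>" / "FF - user.js: ..."
FF_PREF_RE = re.compile(r"^FF - (prefs|user)\.js: (\S+) - (.*)$")
# DDS defangs URLs as hxxp://; pull the host out of one.
HOST_RE = re.compile(r"hxxps?://([^/\s]+)", re.I)


def triage(log_text):
    """Return a list of {severity, line, why} findings for a DDS-style log."""
    findings = []

    def flag(severity, line, why):
        findings.append({"severity": severity, "line": line, "why": why})

    for raw in log_text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if s.startswith("AV:") and "*Disabled" in s:
            flag("high", s, "resident antivirus reported disabled")
            continue
        if s.startswith(("BHO:", "TB:")) and s.endswith("- No File"):
            flag("low", s, "orphaned browser add-on registration (CLSID with no file)")
            continue
        if s.startswith("StartupFolder:") and s.lower().endswith((".bat", ".cmd", ".vbs", ".js")):
            flag("medium", s, "script in a Startup folder runs at every logon")
            continue
        m = SERVICE_RE.match(s)
        if m:
            _state, _start, name, _display, rest = m.groups()
            path = rest.lower()
            if "svchost.exe" in path:
                flag("medium", s, f"service '{name}' hosted by svchost.exe: real code is its ServiceDll, not shown here")
            if any(frag in path for frag in USER_WRITABLE):
                flag("high", s, f"service '{name}' runs from a user-writable profile path")
            if path.rstrip().endswith("[?]"):
                flag("high", s, f"service '{name}' image size unknown: file missing or hidden")
            continue
        m = FF_PREF_RE.match(s)
        if m:
            kind, pref, value = m.groups()
            if kind == "user" and pref.startswith("security.warn_") and value.strip() == "false":
                flag("medium", s, f"user.js disables Firefox warning {pref}")
            elif pref in ("keyword.URL", "browser.search.defaulturl"):
                h = HOST_RE.search(value)
                host = h.group(1).lower() if h else ""
                if host and host not in SEARCH_ALLOW:
                    flag("high", s, f"search preference {pref} points at {host}")
            continue
        if s.lower().startswith("warning:") and "rootkit" in s.lower():
            flag("high", s, "anti-rootkit scanner reports a possible rootkit")
    return findings


def summarize(findings):
    """Count findings per severity; a quick 'how bad is this box' number."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']:6}] {f['why']}\n         {f['line'][:100]}")
    print(summarize(results))
```

On the sample above the rules produce five high, three medium and two low findings; the legitimate AVG watchdog service line produces none, which is the point of keying on the image path and the "[?]" marker rather than on the service name. The svchost rule is deliberately a "go look" flag rather than a verdict: the only way to know what "avp" actually loads is to read its Parameters\ServiceDll value, which a DDS report does not include.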


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:50 AM

Posted 03 May 2012 - 12:48 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 wayche

wayche
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:50 AM

Posted 03 May 2012 - 10:50 AM

Hi Gringo! Thanks for taking up my request!

So I had to start the process in Windows Safe Mode with Networking in order to comply with your requests, since the malware in Normal Mode wouldn't allow me to even see my way into the jump drive where I'd downloaded Security Check and Combofix. AVG runs command-line-only in Safe Mode, so there was not really a way to temporarily disable it from there.

First let's talk about how Security Check went. I successfully ran SC with one slight hitch: an error dialog popped up stating "netsh.exe - Entry Point Not Found // The procedure entry point Migrate Winsock Configuration could not be located in the dynamic link library MSWSOCK.dll". I clicked OK and Security Check went on its merry way, eventually producing this log (which you requested):

------------------------

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
AVG 2012
ESET Online Scanner v3
```````````````````````````````
Anti-malware/Other Utilities Check:

Out of date HijackThis installed!
HijackThis 1.99.1
CCleaner (remove only)
Java™ 6 Update 26
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 3
Java™ 6 Update 7
Java version out of date!
Adobe Flash Player 11.2.202.233
Mozilla Firefox (12.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

----------------------

While still in Safe Mode w/ Networking, I then ran Combofix as requested, again with only a couple slight hiccups:

1.) Around the time it picked up its malware, this PC seems to have developed an issue whereby it will not restart on its own; it hangs either at the blue Windows "logging off" screen, or it goes to a black screen with only the mouse pointer present. In both of the instances where Combofix attempted to restart on its own, I let it sit for an hour in that state before holding down the power button and killing the power. In both instances Combofix picked right up where it would have left off in a "normal" restart, and the process appears to have completed normally.

2.) During its 2nd and final restart under Combofix, Windows booted into Normal mode, and AVG popped up a dialog box indicating that it found a problem right after Combofix's blue command prompt window came up. I had to temporarily disable AVG while it was sitting there; thankfully Combofix seemed to pick up where it left off and completed successfully. Here's the requested log file:

--------------------


ComboFix 12-05-03.01 - Data Entry 05/03/2012 8:51.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2494.2024 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\NYvWyUU0RE175n
c:\documents and settings\Data Entry\Application Data\Zaix
c:\documents and settings\Data Entry\Application Data\Zaix\jaav.xay
c:\documents and settings\Data Entry\Local Settings\Application Data\assembly\tmp
c:\documents and settings\Data Entry\WINDOWS
c:\windows\$NtUninstallKB37552$
c:\windows\$NtUninstallKB37552$\1414141467
c:\windows\$NtUninstallKB37552$\1924194304\@
c:\windows\$NtUninstallKB37552$\1924194304\cfg.ini
c:\windows\$NtUninstallKB37552$\1924194304\Desktop.ini
c:\windows\$NtUninstallKB37552$\1924194304\L\odetmngk
c:\windows\$NtUninstallKB37552$\1924194304\oemid
c:\windows\$NtUninstallKB37552$\1924194304\U\00000001.@
c:\windows\$NtUninstallKB37552$\1924194304\U\00000002.@
c:\windows\$NtUninstallKB37552$\1924194304\U\00000004.@
c:\windows\$NtUninstallKB37552$\1924194304\U\80000000.@
c:\windows\$NtUninstallKB37552$\1924194304\U\80000004.@
c:\windows\$NtUninstallKB37552$\1924194304\U\80000032.@
c:\windows\$NtUninstallKB37552$\1924194304\version
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\9b32c5a5d738a7c5.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\d966440e47b13785.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\Cache\ea9471b5bb8fedea.fb
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\SET34.tmp
c:\windows\system32\SET36.tmp
c:\windows\system32\SET3B.tmp
c:\windows\system32\SET42.tmp
c:\windows\system32\SET4B.tmp
c:\windows\system32\SET4D.tmp
c:\windows\system32\SET50.tmp
c:\windows\TEMP\jzqezsxjblenqkpxgs.exe
.
Infected copy of c:\windows\system32\drivers\mrxsmb.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_RADIOSVR
-------\Legacy_ZUMIESEARCH_SERVICE
-------\Service_radiosvr
-------\Service_ZumieSearch Service
.
.
((((((((((((((((((((((((( Files Created from 2012-04-03 to 2012-05-03 )))))))))))))))))))))))))))))))
.
.
2012-05-03 13:21 . 2011-07-15 13:29 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-05-02 23:30 . 2012-05-02 23:31 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-05-02 22:40 . 2012-05-02 22:40 244224 ---ha-w- c:\documents and settings\All Users\Application Data\NYvWyUU0RE175n.exe
2012-05-02 19:46 . 2012-05-02 19:46 -------- d--h--w- c:\windows\PIF
2012-05-02 16:13 . 2012-05-02 16:45 -------- d-----w- c:\documents and settings\Administrator
2012-05-02 13:48 . 2012-05-02 13:48 -------- d-----w- c:\program files\Reference Assemblies
2012-05-02 13:48 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2012-05-02 13:48 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2012-05-02 13:48 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2012-05-02 13:48 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2012-05-02 13:48 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2012-05-02 13:48 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2012-05-02 13:48 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2012-05-02 13:48 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2012-05-02 13:48 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2012-05-02 13:48 . 2012-05-02 13:48 -------- d-----w- C:\355e87b98bed2b41f1a88c6162f9
2012-05-02 13:44 . 2012-05-02 13:44 -------- d-----w- C:\dc9e8ab36092d51e5644fc7e0c
2012-05-02 13:44 . 2012-05-02 13:44 -------- d-----w- C:\ebf5e058585bbdbebac3b13b
2012-05-02 13:32 . 2012-05-02 13:42 -------- d-----w- c:\windows\SxsCaPendDel
2012-05-02 13:13 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2012-05-02 13:13 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2012-05-01 19:30 . 2012-05-01 19:30 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-01 19:30 . 2012-05-01 19:30 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-01 19:30 . 2012-05-01 19:30 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-01 15:17 . 2012-05-01 15:17 -------- d-----w- c:\program files\ESET
2012-04-30 21:46 . 2012-04-30 21:46 -------- d--h--w- c:\documents and settings\Data Entry\Application Data\Malwarebytes
2012-04-30 21:46 . 2012-05-03 15:15 -------- d--h--w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-30 21:46 . 2012-05-02 23:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-30 21:46 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-30 14:53 . 2012-04-30 14:53 -------- d--h--w- c:\documents and settings\Data Entry\Local Settings\Application Data\PCHealth
2012-04-30 14:51 . 2012-04-30 14:51 -------- dc-h--w- c:\windows\ie8
2012-04-30 13:57 . 2012-04-30 14:25 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-30 14:25 . 2011-05-25 17:27 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-01 19:30 . 2011-05-04 13:03 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-03-12 13:02 1869152 ----a-w- c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll" [2012-03-12 1869152]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2007-04-13 598920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"AgentMonitor"="c:\program files\VTech\DownloadManager\System\AgentMonitor.exe" [2011-12-13 357800]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-03-12 982880]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\Data Entry\Start Menu\Programs\Startup\
logon.bat [2011-2-10 74]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Data Entry\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\VTech\\DownloadManager\\System\\AgentMonitor.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26360:UDP"= 26360:UDP:UDP 26360
"13622:TCP"= 13622:TCP:TCP 13622
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 8:13 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [1/19/2011 4:32 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 6:41 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2/10/2011 7:54 AM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/2/2008 11:07 AM 24652]
R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe [3/12/2012 8:02 AM 918880]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [3/30/2011 5:17 PM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 7:53 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 7:53 AM 16720]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/30/2012 8:57 AM 253088]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/2/2012 6:30 PM 40776]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/1/2012 2:30 PM 129976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
MSMQ
s125mdfl
a8djusb
qserver
rtl8187Se
websenseuserservice
ADIDTSFiltService
UPATC
pensup
sfdrv01
steamdvr
tmmbd
CnxTrLan
QPSched
CSRBC
pgfilter
dot4
MTC0001_ESB
rvsinst
nhcDriverDevice
CTEXFIFX.DLL
djsnetcn
caili
lbtserv
deckzpsx
NtMtlFax
winsshd
rspndr
ZSMC303
JGOGO
fasttx2k
mpservice
SI3112
pxfhmdm
regdefend
se2Bnd5
sandboxu
ifxtcs
IWCA
ovsecurityserver
cmigameport
lexbces
dsunidrv
nmwcdcj
pavagente
mcredirector
alcaudsl
pae_1394
p17
WNIPROT5
CX23880
bt3cser
lemsgt
SSHDRV61
NTACCESS
ZDPSp50
maya70docserver
dvd-ram_service
PCDCODEC
se45mdm
se45bus
ufdsvc
NuidFltr
w550mgmt
sfhlp01
avp
Ndisipo
cacheserver
MQAC
tmcomm
oracle%oracle_home_service%clientcache80
UWProSys
CTAudSvcService
pcandis5
s217bus
ps2
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc
WmdmPmSN
napagent
hkmsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-30 14:25]
.
2012-05-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3630478224-2016927212-2031060891-1006Core.job
- c:\documents and settings\Data Entry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-19 13:39]
.
2012-05-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3630478224-2016927212-2031060891-1006UA.job
- c:\documents and settings\Data Entry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-19 13:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
Trusted Zone: crcla.com\mail
Trusted Zone: statres.com\lscis
TCP: DhcpNameServer = 192.168.50.2 192.168.50.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\Data Entry\Application Data\Mozilla\Firefox\Profiles\ld47q9mc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20110805163244937&tb_oid=05-08-2011&tb_mrud=05-08-2011
FF - prefs.js: browser.search.selectedEngine - My Web Search
FF - prefs.js: browser.startup.homepage - hxxp://us.lrd.yahoo.com/_ylt=AnNbLwF1MHSsMeTVP7ASp92xulI6/SIG=119ceate2/EXP=1331128605/**http%3A//www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?st=kwd&ptb=E26084C9-A638-46A5-A00F-2719A771E622&n=77ed55d6&ind=2012042710&id=CDxdm243YYus&ptnrS=CDxdm243YYus&si=31m-2&searchfor=
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKLM-Run-dplaysvr - c:\documents and settings\Administrator\Application Data\dplaysvr.exe
HKU-Default-Run-dplaysvr - c:\documents and settings\Administrator\Application Data\dplaysvr.exe
AddRemove-ESET Online Scanner - c:\program files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
AddRemove-HijackThis - d:\spyware removal\HijackThis.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-03 10:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3808110AS rev.3.ADJ -> Harddisk0\DR0 -> \Device\00000032
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
error: Read Incorrect function.
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\00000063 -> \??\IDE#DiskST3808110AS_____________________________3.ADJ___#2020202020202020202020204C3544534A305443#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3508)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\MI6841~1\MSSQL\binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\stsystra.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-05-03 10:23:32 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-03 15:23
.
Pre-Run: 52,674,322,432 bytes free
Post-Run: 53,955,997,696 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 21D054B8071F9247E63CA1747D5210DE

--------------------

Right now the PC seems to be somewhat back to its old self again, although the Desktop Wallpaper is flat gray and the files and shortcuts that were saved to the Desktop are now visible but are not in their usual places. (Not a big deal if we can't fix that, I'm just reporting it.) The file structure seems to be in order, and the PC also remembers the network drive (Z:) that I mentioned in my first post.

Let me know where we go from here.

EDIT: Now that AVG Resident Shield is back on, it's popping up warnings for IDP.Trojan.60C35EFF (not sure if that's related to ComboFix), and appears to be unable to move them to Virus Vault as before (with the same error message "Please save all opened files prior to continuation").

Edited by wayche, 03 May 2012 - 11:04 AM.
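
The ComboFix log in the post above prints the svchost netsvcs group verbatim under "NETSVCS REQUIRES REPAIRS" and leaves the reader to pick out which names do not belong. The Python script below is an added example for this thread; it is not code from ComboFix, TDSSKiller, BleepingComputer or the poster. It diffs that block against a stock Windows XP SP3 netsvcs list and reports the foreign names in log order, so a long contiguous run wedged between stock entries (in this log, between Rasauto and Rasman) stands out as one insertion rather than scattered noise. Two assumptions: BASELINE is the XP SP3 default group as I recall it and should be confirmed against a known-clean XP SP3 machine before it is trusted, and SAMPLE_LOG is a trimmed excerpt of the log posted above with most of the middle run cut for length. A name outside the baseline is a lead, not a verdict: legitimate third-party software can register its own svchost group entries, so each hit still needs its ImagePath and ServiceDll checked.

```python
"""Triage the 'NETSVCS REQUIRES REPAIRS' block of a ComboFix log.

Added example for this thread; not code from ComboFix, TDSSKiller or
BleepingComputer.  BASELINE is the stock Windows XP SP3 netsvcs group as
recalled by the author of this example (an assumption: confirm it against
a known-clean XP SP3 machine before relying on it).
"""

BASELINE = frozenset({
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP",
    "ERSvc", "EventSystem", "FastUserSwitchingCompatibility", "HidServ",
    "Ias", "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation",
    "Messenger", "Netman", "Nla", "Ntmssvc", "NWCWorkstation", "Nwsapagent",
    "Rasauto", "Rasman", "Remoteaccess", "Schedule", "Seclogon", "SENS",
    "Sharedaccess", "SRService", "Tapisrv", "Themes", "TrkWks", "W32Time",
    "WZCSVC", "Wmi", "WmdmPmSp", "winmgmt", "wscsvc", "xmlprov", "BITS",
    "wuauserv", "ShellHWDetection", "helpsvc", "WmdmPmSN", "napagent",
    "hkmsvc",
})
_BASELINE_LOWER = frozenset(n.lower() for n in BASELINE)

HEADER = "NETSVCS REQUIRES REPAIRS"

# Trimmed excerpt of the ComboFix log posted in this thread.  The real
# block carries roughly 75 unfamiliar names between Rasauto and Rasman;
# only nine of them are kept here so the sample stays short.
_SAMPLE_NAMES = (
    "6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem "
    "FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer "
    "LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent "
    "Rasauto "
    "MSMQ s125mdfl a8djusb qserver dot4 winsshd avp MQAC ps2 "  # the wedge
    "Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv "
    "Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov BITS "
    "wuauserv ShellHWDetection helpsvc WmdmPmSN napagent hkmsvc"
).split()
SAMPLE_LOG = ("NETSVCS REQUIRES REPAIRS - current entries shown\n"
              + "\n".join(_SAMPLE_NAMES) + "\n.\n")


def parse_netsvcs(log_text):
    """Return the netsvcs names under the ComboFix header, in log order.

    ComboFix closes the block with a line holding a lone '.', so parsing
    stops at the first '.' or empty line.  No header -> empty list.
    """
    lines = log_text.splitlines()
    for idx, line in enumerate(lines):
        if line.startswith(HEADER):
            break
    else:
        return []
    names = []
    for line in lines[idx + 1:]:
        name = line.strip()
        if name in ("", "."):
            break
        names.append(name)
    return names


def _is_foreign(name):
    # Service names are case-insensitive in the registry, so compare lowered.
    return name.lower() not in _BASELINE_LOWER


def foreign_entries(names):
    """Names present in the log but absent from the XP SP3 baseline."""
    return [n for n in names if _is_foreign(n)]


def missing_entries(names):
    """Baseline names absent from the log (an attacker may also remove
    entries, e.g. to keep wuauserv or wscsvc from starting)."""
    present = {n.lower() for n in names}
    return sorted(n for n in BASELINE if n.lower() not in present)


def foreign_runs(names):
    """Group foreign names into contiguous runs as (start_index, [names]).

    One long run sandwiched between stock entries, as in this thread's
    log, points at a single bulk insertion into the group.
    """
    runs, current, start = [], [], 0
    for i, name in enumerate(names):
        if _is_foreign(name):
            if not current:
                start = i
            current.append(name)
        elif current:
            runs.append((start, current))
            current = []
    if current:
        runs.append((start, current))
    return runs


def triage(log_text):
    """Summary dict for one ComboFix log: counts, foreign names, gaps."""
    names = parse_netsvcs(log_text)
    return {
        "total": len(names),
        "foreign": foreign_entries(names),
        "missing": missing_entries(names),
        "runs": [(start, len(run)) for start, run in foreign_runs(names)],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['total']} entries, {len(result['foreign'])} not in XP SP3 baseline")
    for start, run in foreign_runs(parse_netsvcs(SAMPLE_LOG)):
        print(f"  run of {len(run)} foreign names at position {start}: {', '.join(run)}")
    if result["missing"]:
        print("  stock entries missing:", ", ".join(result["missing"]))
```

On a live XP machine the same list can be pulled without ComboFix with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v netsvcs` and pasted into `parse_netsvcs` after the header line. The start index of each run is worth keeping: a run that begins right after a stock entry and ends right before the next one, as here, tells you the group was edited in place rather than replaced, which is a different cleanup job from a rewritten key.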


#4 gringo_pr (Bleepin Gringo), Malware Response Team

Posted 03 May 2012 - 12:16 PM

Greetings

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#5 wayche, Topic Starter

Posted 03 May 2012 - 01:26 PM

Thanks again for your help, Gringo! Here's where we're at:

I ran TDSSKiller as you asked, and as part of the process it rebooted itself, but this time the PC did NOT hang and I did NOT need to kill the power and restart it myself, which is a good thing. This is the first successful reboot I've seen on this machine since all this came about. Here's the TDSSKiller log:

-----------------


12:58:11.0031 5960 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18
12:58:12.0875 5960 ============================================================
12:58:12.0875 5960 Current date / time: 2012/05/03 12:58:12.0875
12:58:12.0875 5960 SystemInfo:
12:58:12.0875 5960
12:58:12.0875 5960 OS Version: 5.1.2600 ServicePack: 3.0
12:58:12.0875 5960 Product type: Workstation
12:58:12.0875 5960 ComputerName: DATAENTRY0407
12:58:12.0875 5960 UserName: Data Entry
12:58:12.0875 5960 Windows directory: C:\WINDOWS
12:58:12.0875 5960 System windows directory: C:\WINDOWS
12:58:12.0875 5960 Processor architecture: Intel x86
12:58:12.0875 5960 Number of processors: 2
12:58:12.0875 5960 Page size: 0x1000
12:58:12.0875 5960 Boot type: Normal boot
12:58:12.0875 5960 ============================================================
12:58:14.0281 5960 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
12:58:14.0281 5960 Drive \Device\Harddisk1\DR6 - Size: 0x77800000 (1.87 Gb), SectorSize: 0x200, Cylinders: 0xF3, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
12:58:14.0281 5960 ============================================================
12:58:14.0281 5960 \Device\Harddisk0\DR0:
12:58:14.0281 5960 MBR partitions:
12:58:14.0281 5960 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x8EE9870
12:58:14.0281 5960 \Device\Harddisk1\DR6:
12:58:14.0281 5960 MBR partitions:
12:58:14.0281 5960 \Device\Harddisk1\DR6\Partition0: MBR, Type 0x6, StartLBA 0x20, BlocksNum 0x3BBFE0
12:58:14.0281 5960 ============================================================
12:58:14.0390 5960 C: <-> \Device\Harddisk0\DR0\Partition0
12:58:14.0390 5960 ============================================================
12:58:14.0390 5960 Initialize success
12:58:14.0390 5960 ============================================================
12:58:21.0078 5332 ============================================================
12:58:21.0078 5332 Scan started
12:58:21.0078 5332 Mode: Manual;
12:58:21.0078 5332 ============================================================
12:58:21.0250 5332 a8djusb - ok
12:58:21.0296 5332 Abiosdsk - ok
12:58:21.0328 5332 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
12:58:21.0328 5332 abp480n5 - ok
12:58:21.0359 5332 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
12:58:21.0375 5332 ACPI - ok
12:58:21.0390 5332 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
12:58:21.0406 5332 ACPIEC - ok
12:58:21.0406 5332 ADIDTSFiltService - ok
12:58:21.0453 5332 AdobeFlashPlayerUpdateSvc (459ac130c6ab892b1cd5d7544626efc5) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
12:58:21.0484 5332 AdobeFlashPlayerUpdateSvc - ok
12:58:21.0640 5332 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
12:58:21.0687 5332 adpu160m - ok
12:58:21.0812 5332 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
12:58:21.0828 5332 aec - ok
12:58:21.0859 5332 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
12:58:21.0875 5332 AFD - ok
12:58:21.0906 5332 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
12:58:21.0906 5332 agp440 - ok
12:58:21.0921 5332 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
12:58:21.0921 5332 agpCPQ - ok
12:58:21.0953 5332 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
12:58:21.0953 5332 Aha154x - ok
12:58:21.0953 5332 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
12:58:21.0968 5332 aic78u2 - ok
12:58:21.0968 5332 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
12:58:21.0968 5332 aic78xx - ok
12:58:22.0000 5332 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
12:58:22.0093 5332 Alerter - ok
12:58:22.0156 5332 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
12:58:22.0171 5332 ALG - ok
12:58:22.0203 5332 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
12:58:22.0203 5332 AliIde - ok
12:58:22.0203 5332 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
12:58:22.0203 5332 alim1541 - ok
12:58:22.0218 5332 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
12:58:22.0218 5332 amdagp - ok
12:58:22.0234 5332 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
12:58:22.0234 5332 amsint - ok
12:58:22.0234 5332 AppMgmt - ok
12:58:22.0250 5332 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
12:58:22.0250 5332 asc - ok
12:58:22.0250 5332 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
12:58:22.0250 5332 asc3350p - ok
12:58:22.0250 5332 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
12:58:22.0265 5332 asc3550 - ok
12:58:22.0546 5332 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
12:58:22.0546 5332 aspnet_state - ok
12:58:22.0562 5332 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
12:58:22.0578 5332 AsyncMac - ok
12:58:22.0593 5332 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
12:58:22.0593 5332 atapi - ok
12:58:22.0593 5332 Atdisk - ok
12:58:22.0734 5332 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
12:58:22.0750 5332 Atmarpc - ok
12:58:22.0796 5332 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
12:58:22.0796 5332 AudioSrv - ok
12:58:22.0828 5332 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
12:58:22.0828 5332 audstub - ok
12:58:23.0140 5332 AVGIDSAgent (6d440ff3f44ca72edfd6176c6d6a89c0) C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
12:58:23.0265 5332 AVGIDSAgent - ok
12:58:23.0640 5332 AVGIDSDriver (4fa401b33c1b50c816486f6951244a14) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
12:58:23.0656 5332 AVGIDSDriver - ok
12:58:23.0687 5332 AVGIDSEH (69578bc9d43d614c6b3455db4af19762) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
12:58:23.0687 5332 AVGIDSEH - ok
12:58:23.0703 5332 AVGIDSFilter (6df528406aa22201f392b9b19121cd6f) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
12:58:23.0703 5332 AVGIDSFilter - ok
12:58:23.0734 5332 AVGIDSShim (1e01c2166b5599802bcd61b9691f7476) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
12:58:23.0734 5332 AVGIDSShim - ok
12:58:23.0750 5332 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
12:58:23.0750 5332 Avgldx86 - ok
12:58:23.0765 5332 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
12:58:23.0765 5332 Avgmfx86 - ok
12:58:23.0765 5332 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
12:58:23.0781 5332 Avgrkx86 - ok
12:58:23.0953 5332 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
12:58:23.0953 5332 Avgtdix - ok
12:58:24.0078 5332 avgwd (6699ece24fe4b3f752a66c66a602ee86) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
12:58:24.0078 5332 avgwd - ok
12:58:24.0078 5332 avp - ok
12:58:24.0125 5332 bcm4sbxp (78e7b52da292fa90bad2f887bbf22159) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
12:58:24.0125 5332 bcm4sbxp - ok
12:58:24.0171 5332 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
12:58:24.0171 5332 Beep - ok
12:58:24.0281 5332 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
12:58:24.0328 5332 BITS - ok
12:58:24.0375 5332 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
12:58:24.0375 5332 Browser - ok
12:58:24.0390 5332 bt3cser - ok
12:58:24.0390 5332 cacheserver - ok
12:58:24.0406 5332 caili - ok
12:58:24.0406 5332 catchme - ok
12:58:24.0421 5332 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
12:58:24.0421 5332 cbidf - ok
12:58:24.0421 5332 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
12:58:24.0437 5332 cbidf2k - ok
12:58:24.0453 5332 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
12:58:24.0453 5332 cd20xrnt - ok
12:58:24.0468 5332 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
12:58:24.0468 5332 Cdaudio - ok
12:58:24.0578 5332 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
12:58:24.0578 5332 Cdfs - ok
12:58:24.0609 5332 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
12:58:24.0609 5332 Cdrom - ok
12:58:24.0625 5332 Changer - ok
12:58:24.0656 5332 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
12:58:24.0656 5332 CiSvc - ok
12:58:24.0671 5332 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
12:58:24.0671 5332 ClipSrv - ok
12:58:25.0078 5332 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
12:58:25.0078 5332 clr_optimization_v2.0.50727_32 - ok
12:58:25.0109 5332 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
12:58:25.0109 5332 CmdIde - ok
12:58:25.0109 5332 CnxTrLan - ok
12:58:25.0109 5332 COMSysApp - ok
12:58:25.0125 5332 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
12:58:25.0125 5332 Cpqarray - ok
12:58:25.0171 5332 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
12:58:25.0171 5332 CryptSvc - ok
12:58:25.0171 5332 CSRBC - ok
12:58:25.0171 5332 CTAudSvcService - ok
12:58:25.0187 5332 CTEXFIFX.DLL - ok
12:58:25.0187 5332 CX23880 - ok
12:58:25.0218 5332 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
12:58:25.0234 5332 dac2w2k - ok
12:58:25.0234 5332 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
12:58:25.0234 5332 dac960nt - ok
12:58:25.0609 5332 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
12:58:25.0656 5332 DcomLaunch - ok
12:58:25.0656 5332 deckzpsx - ok
12:58:25.0687 5332 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
12:58:25.0687 5332 Dhcp - ok
12:58:25.0750 5332 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
12:58:25.0765 5332 Disk - ok
12:58:25.0781 5332 djsnetcn - ok
12:58:25.0781 5332 dmadmin - ok
12:58:25.0828 5332 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
12:58:25.0843 5332 dmboot - ok
12:58:25.0875 5332 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
12:58:25.0875 5332 dmio - ok
12:58:25.0906 5332 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
12:58:25.0906 5332 dmload - ok
12:58:25.0937 5332 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
12:58:25.0937 5332 dmserver - ok
12:58:25.0968 5332 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
12:58:25.0968 5332 DMusic - ok
12:58:26.0046 5332 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
12:58:26.0046 5332 Dnscache - ok
12:58:26.0078 5332 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
12:58:26.0125 5332 Dot3svc - ok
12:58:26.0156 5332 dot4 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\nwdls.dll
12:58:26.0578 5332 Suspicious file (NoAccess): C:\WINDOWS\system32\nwdls.dll. md5: 11028c6a84a967070cb1286550f2058f
12:58:26.0578 5332 dot4 ( Backdoor.Multi.ZAccess.gen ) - infected
12:58:26.0578 5332 dot4 - detected Backdoor.Multi.ZAccess.gen (0)
12:58:26.0671 5332 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
12:58:26.0687 5332 dpti2o - ok
12:58:26.0703 5332 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
12:58:26.0703 5332 drmkaud - ok
12:58:26.0828 5332 DSproct - ok
12:58:26.0843 5332 dvd-ram_service - ok
12:58:27.0531 5332 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
12:58:27.0531 5332 E100B - ok
12:58:27.0796 5332 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
12:58:27.0843 5332 EapHost - ok
12:58:27.0968 5332 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
12:58:27.0968 5332 ERSvc - ok
12:58:28.0359 5332 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
12:58:28.0359 5332 Eventlog - ok
12:58:28.0671 5332 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
12:58:28.0687 5332 EventSystem - ok
12:58:28.0703 5332 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
12:58:28.0703 5332 Fastfat - ok
12:58:28.0750 5332 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
12:58:28.0750 5332 FastUserSwitchingCompatibility - ok
12:58:28.0781 5332 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
12:58:28.0781 5332 Fdc - ok
12:58:28.0843 5332 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
12:58:28.0859 5332 Fips - ok
12:58:28.0921 5332 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
12:58:28.0937 5332 Flpydisk - ok
12:58:28.0968 5332 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
12:58:28.0968 5332 FltMgr - ok
12:58:29.0000 5332 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
12:58:29.0015 5332 Fs_Rec - ok
12:58:29.0031 5332 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
12:58:29.0046 5332 Ftdisk - ok
12:58:29.0125 5332 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
12:58:29.0140 5332 Gpc - ok
12:58:29.0265 5332 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
12:58:29.0312 5332 HDAudBus - ok
12:58:29.0406 5332 helpsvc - ok
12:58:29.0468 5332 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
12:58:29.0484 5332 HidServ - ok
12:58:29.0531 5332 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
12:58:29.0531 5332 HidUsb - ok
12:58:29.0671 5332 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
12:58:29.0765 5332 hkmsvc - ok
12:58:29.0812 5332 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
12:58:29.0843 5332 hpn - ok
12:58:29.0937 5332 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
12:58:30.0000 5332 HTTP - ok
12:58:30.0015 5332 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
12:58:30.0015 5332 HTTPFilter - ok
12:58:30.0046 5332 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
12:58:30.0046 5332 i2omgmt - ok
12:58:30.0093 5332 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
12:58:30.0093 5332 i2omp - ok
12:58:30.0296 5332 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
12:58:30.0312 5332 i8042prt - ok
12:58:30.0328 5332 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
12:58:30.0343 5332 Imapi - ok
12:58:30.0375 5332 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
12:58:30.0375 5332 ImapiService - ok
12:58:30.0453 5332 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
12:58:30.0468 5332 ini910u - ok
12:58:30.0546 5332 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
12:58:30.0562 5332 IntelIde - ok
12:58:30.0609 5332 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
12:58:30.0609 5332 intelppm - ok
12:59:00.0468 5332 MBR (0x1B8) (4bc21aabb8ea83c34000756722b7398b) \Device\Harddisk0\DR0
12:59:00.0500 5332 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
12:59:00.0500 5332 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
12:59:00.0500 5332 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR6
12:59:04.0031 5332 \Device\Harddisk1\DR6 - ok
12:59:04.0046 5332 Boot (0x1200) (80b4371372e00bedc936df0af710589c) \Device\Harddisk0\DR0\Partition0
12:59:04.0046 5332 \Device\Harddisk0\DR0\Partition0 - ok
12:59:04.0062 5332 Boot (0x1200) (06dc5f741ce9e63fd8c1f20da8e3e16a) \Device\Harddisk1\DR6\Partition0
12:59:04.0062 5332 \Device\Harddisk1\DR6\Partition0 - ok
12:59:04.0062 5332 ============================================================
12:59:04.0062 5332 Scan finished
12:59:04.0062 5332 ============================================================
12:59:04.0078 4732 Detected object count: 2
12:59:04.0078 4732 Actual detected object count: 2
12:59:52.0062 4732 HKLM\SYSTEM\ControlSet001\services\dot4 - will be deleted on reboot
12:59:52.0109 4732 HKLM\SYSTEM\ControlSet002\services\dot4 - will be deleted on reboot
12:59:52.0187 4732 C:\WINDOWS\system32\nwdls.dll - will be deleted on reboot
12:59:52.0187 4732 dot4 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
12:59:52.0234 4732 \Device\Harddisk0\DR0\# - copied to quarantine
12:59:52.0234 4732 \Device\Harddisk0\DR0 - copied to quarantine
12:59:52.0265 4732 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
12:59:52.0265 4732 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
12:59:52.0296 4732 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
12:59:52.0296 4732 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
12:59:52.0296 4732 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
12:59:52.0296 4732 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
12:59:52.0328 4732 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
12:59:52.0328 4732 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
12:59:52.0328 4732 \Device\Harddisk0\DR0 - ok
12:59:52.0328 4732 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
12:59:55.0296 6084 Deinitialize success

----------------

I then ran aswMBR as you asked. While it was running, AVG Resident Shield seemed to pick up a couple of instances of what it identified as Crypt.AQLW. This didn't seem to affect aswMBR's process at all, and it appeared to complete successfully. Here's the log from that:

----------------


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-03 13:03:10
-----------------------------
13:03:10.000 OS Version: Windows 5.1.2600 Service Pack 3
13:03:10.000 Number of processors: 2 586 0x6B01
13:03:10.000 ComputerName: DATAENTRY0407 UserName: Data Entry
13:03:10.656 Initialize success
13:04:27.062 AVAST engine defs: 12050300
13:06:10.046 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000061
13:06:10.046 Disk 0 Vendor: ST3808110AS 3.ADJ Size: 76293MB BusType: 3
13:06:10.062 Disk 0 MBR read successfully
13:06:10.062 Disk 0 MBR scan
13:06:10.109 Disk 0 unknown MBR code
13:06:10.109 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
13:06:10.125 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 73171 MB offset 80325
13:06:10.140 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 3074 MB offset 149934645
13:06:10.140 Disk 0 scanning sectors +156232125
13:06:10.218 Disk 0 scanning C:\WINDOWS\system32\drivers
13:06:20.703 Service scanning
13:06:35.953 Modules scanning
13:06:54.203 Disk 0 trace - called modules:
13:06:54.218 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
13:06:54.234 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7ec030]
13:06:54.234 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000063[0x8a7d3848]
13:06:54.234 5 ACPI.sys[b9f68620] -> nt!IofCallDriver -> \Device\00000061[0x8a87a030]
13:06:54.515 AVAST engine scan C:\WINDOWS
13:06:59.531 AVAST engine scan C:\WINDOWS\system32
13:07:01.109 File: C:\WINDOWS\system32\armoucfltr.dll **INFECTED** Win32:Sirefef-SM [Trj]
13:07:48.812 File: C:\WINDOWS\system32\LMIRfsDriver.dll **INFECTED** Win32:Sirefef-SM [Trj]
13:08:02.093 File: C:\WINDOWS\system32\mskservice.dll **INFECTED** Win32:Sirefef-SM [Trj]
13:08:32.281 File: C:\WINDOWS\system32\roxliveshare.dll **INFECTED** Win32:Sirefef-SM [Trj]
13:09:45.718 AVAST engine scan C:\WINDOWS\system32\drivers
13:10:01.125 AVAST engine scan C:\Documents and Settings\Data Entry
13:13:26.687 AVAST engine scan C:\Documents and Settings\All Users
13:14:58.234 File: C:\Documents and Settings\All Users\Application Data\NYvWyUU0RE175n.exe **INFECTED** Win32:FakeSysdef-LR [Trj]
13:15:09.312 Scan finished successfully
13:15:49.656 Disk 0 MBR has been saved successfully to "E:\Katinas Computer\MBR.dat"
13:15:49.671 The log file has been saved successfully to "E:\Katinas Computer\aswMBR.txt"

-------------------

That's it so far. The PC seems to be acting somewhat normally right now, though I've basically cordoned off the machine and made sure no one is using it; nothing extravagant seems to be popping up.

Let me know where to go from here! Thanks again!

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico
  • Local time: 02:50 AM

Posted 03 May 2012 - 01:46 PM

Greetings


I have attached a file to this post. I want you to download it and double-click it to run; when asked to merge it into the registry, please allow it.




:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
C:\WINDOWS\system32\armoucfltr.dll
C:\WINDOWS\system32\LMIRfsDriver.dll
C:\WINDOWS\system32\mskservice.dll
C:\WINDOWS\system32\roxliveshare.dll
C:\Documents and Settings\All Users\Application Data\NYvWyUU0RE175n.exe

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

Attached Files


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 wayche

  • Topic Starter
  • Members
  • 4 posts
  • Local time: 01:50 AM

Posted 03 May 2012 - 02:45 PM

Hi Gringo! Just giving you a heads-up that I have run into a bit of a snag with your latest requests.

I went back to the affected PC with jump drive and instructions in hand, when I noticed the PC was completely hung up, black screen, no HDD light. I made a few key-presses, hit Ctrl-Alt-Del a few times, and after I got no response for about 10 mins I decided to hold down the power button and cold-boot the machine.

Unfortunately, the PC will no longer boot up. It gets good power, the fans come on, it appears to make an attempt to read from the CD-ROM drive, but the HDD light does not come on and no signal goes to the screen. I cannot hear any HDD seeking sounds inside the machine. The CPU fan eventually spools up to max speed and stays there.

I am going to work on figuring out a way to get it to boot, and if I can then I will implement the latest fixes you requested and deliver some logs to you. I have three potential outcomes here:

a.) I can see if it will boot from a Windows XP install disk, in which case I may need to format the drive and remount the OS (which was Plan B anyway), in which case I'll let you know and we can close the thread.

b.) If it will not, I will need to start yanking hardware inside the machine and see if it may be a wonky modem or video card. It MAY boot correctly in that case, and I'll go ahead with your proposed fixes and let you know the outcome.

c.) If that doesn't work, then I suppose we'll need to scrap the machine and replace it with something else, in which case I'll let you know and we can close the thread.

Thanks again for your help. Hang tight and I'll give you a response as soon as I can.

EDIT: I was not able to revive the PC in question, so I've been forced to put together another PC to take its place. I will use that box for parts, and when I pull the HDD from that unit I will take care to format it before using it in another machine.

So I guess that means we can close this thread. I appreciate the help you've given me up to this point Gringo! Thanks so much!

Edited by wayche, 03 May 2012 - 05:01 PM.


#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico
  • Local time: 02:50 AM

Posted 03 May 2012 - 05:42 PM

Wow, bad timing. Do you know what it was anyway?


gringo

#9 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico
  • Local time: 02:50 AM

Posted 06 May 2012 - 03:51 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.