

ComboFix log report


25 replies to this topic

#1 karen_needs_help
  • Members
  • 15 posts

Posted 12 July 2013 - 04:42 PM

Hi,
 
I restarted my computer after installing some software and received the following 2 errors;
 
Error message #1 - ATI graphics
You do not have permission to change Catalyst Control settings.  Please contact your system administrator.
 
Error message #2 -
Generic host processes for Win32 Services has encountered an error and needs to close.
All icons on my desktop do absolutely nothing.
 
I am able to run Windows Explorer and try to double-click on Malwarebytes. Nothing happens. There is a command line application that I can click, and it successfully opens a command window and I can see that updates are trying to be loaded, but nothing happens. I end up getting a vbAccelerator SGrid II Control "Runtime error 0", then Runtime error 440. I visited the following site: http://forums.malwarebytes.org/index.php?showtopic=11413 and followed the instructions located at: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
I have successfully followed the instructions by downloading combofix.exe from a working laptop, then copying it to a USB stick, then copying the combofix.exe from the stick to the desktop of the infected computer. (Note: I cannot download any files from the internet as none of the desktop icons work.) Anyway, I double-clicked on the desktop .exe and successfully ran ComboFix. There was a log file generated that I do not know how to read. As per the above website, it had said:
"We strongly suggest that you still post your log into the topic that you are receiving help as you most likely will have infections left over that your helper will need to analyze further"
 
When I ran ComboFix I was in safe mode; after running, ComboFix restarted my computer and I still ended up with the same errors as stated above! I still have a problem and I am hoping someone can please look at the attached log file and tell me what to do next...
 
Any help will be greatly appreciated!

*Moderator Edit: Moved topic from XP to the appropriate forum. Combofix logs are allowed only in Malware Removal Logs ~ Queen-Evie*

Attached Files

  • Attached File  log.txt   19.97KB   6 downloads

Edited by Queen-Evie, 12 July 2013 - 04:56 PM.




#2 karen_needs_help
  • Topic Starter
  • Members
  • 15 posts

Posted 13 July 2013 - 01:34 PM

Hi,

I noticed that this topic was moved as I did not post in the correct forum. Can you please tell me where it has been moved to and how I get there? I looked for a forum called Malware Removal Logs and could not find it?

If you could provide the URL to where the responses to this posting would be, that would be very helpful.

Thanks so much!



#3 karen_needs_help
  • Topic Starter
  • Members
  • 15 posts

Posted 13 July 2013 - 02:03 PM

Never mind, I found the posting. Thanks! I will monitor for any responses...

#4 nasdaq
  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 July 2013 - 08:44 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Let's start with this.

Read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
    [image: tdss1.png]
  • Click Change parameters
    [image: settings20121003115955.png]
  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
    [image: tdss3.png]
  • Click on the Start Scan button to begin the scan and wait for it to finish.
    NOTE: Do not use the computer during the scan!
  • During the scan it will look similar to the image below:
    [image: tdss4.jpg]
  • When it finishes, you will either see a report that no threats were found like below:
    [image: tdss5.jpg]
    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up which you can just close since the report file is already saved.
  • If any infection or suspected items are found, you will see a window similar to below:
    [image: tdss7.jpg]
    • If you have files that are shown to fail signature check, do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects.
    • Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. A window like the below will appear:
    [image: tdss6.jpg]
    Reboot immediately if TDSSKiller states that one is needed.
  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder, named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt, which is based on the program version number and the date and time run.
  • Paste the log to your next reply, DO NOT ATTACH IT.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double-click the aswMBR.exe to run it.
  • Click the "Scan" button to start the scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right-click that file and select Send To > Compressed (zipped) folder. Please attach that zipped file in your next reply.
===
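The instructions above distinguish three outcomes in a TDSSKiller scan result (objects reported ok, files that fail the signature check and get a warning, and objects reported infected) and prescribe Skip or Cure for each. The script below is an added example, not code from this thread or from Kaspersky's TDSSKiller: it parses the per-object result lines TDSSKiller writes and attaches the action the instructions prescribe to every finding, so a log can be read before it is posted. SAMPLE_LOG is constructed in TDSSKiller's log layout (its entries mirror the log posted later in this thread); the regular expressions, the Finding class and the ACTIONS table are the example's own assumptions about that layout.

```python
"""Triage helper for TDSSKiller scan logs (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Every TDSSKiller log line: "HH:MM:SS.mmmm  <pid>  <message>"
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+(?P<msg>.*)$")
# "[ <md5> ] <object name> <path>": the name may contain spaces, the path starts with a drive letter
FILE_RE = re.compile(r"^\[ (?P<md5>[0-9A-Fa-f]{32}) \] (?P<name>.+?)\s+(?P<path>[A-Za-z]:\\.*)$")
# "<object name> ( <verdict> ) - <status>", e.g. "isapnp ( Rootkit.Win32.TDSS.tdl3 ) - infected"
VERDICT_RE = re.compile(r"^(?P<name>.+?) \( (?P<verdict>[^)]+) \) - (?P<status>[a-z]+)$")
# "<object name> - ok"
OK_RE = re.compile(r"^(?P<name>.+?) - ok$")
# Notice written before an infected verdict when the on-disk hash was being masked from the OS
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9A-Fa-f]{32}), Fake md5: (?P<fake>[0-9A-Fa-f]{32})$"
)

# Action the helper's instructions prescribe per status (the example's own table);
# anything else, e.g. suspicious objects, keeps the default action, which is Skip.
ACTIONS = {
    "ok": "no action",
    "warning": "Skip: unsigned file, leave it for the helper to review",
    "infected": "Cure (Skip if Cure is unavailable; never Delete unless instructed)",
}


@dataclass
class Finding:
    name: str
    status: str = ""
    verdict: str = ""
    md5: str = ""
    path: str = ""
    fake_md5: str = ""   # hash presented in place of the real one, when the file was forged

    @property
    def action(self) -> str:
        return ACTIONS.get(self.status, "Skip: leave the default action selected")


def triage(log_text: str) -> Dict[str, List[Finding]]:
    """Group every scanned object by its final status ("ok", "warning", "infected", ...)."""
    groups: Dict[str, List[Finding]] = {}
    pending: Dict[str, Finding] = {}   # "[ md5 ] name path" lines awaiting their verdict line
    forged: Dict[str, str] = {}        # path -> fake md5 from "Suspicious file (Forged)" notices
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue                   # separators, banner and SystemInfo lines
        msg = line["msg"].strip()
        if fm := FILE_RE.match(msg):
            pending[fm["name"]] = Finding(fm["name"], md5=fm["md5"].upper(), path=fm["path"])
            continue
        if gm := FORGED_RE.match(msg):
            forged[gm["path"]] = gm["fake"].upper()
            continue
        vm = VERDICT_RE.match(msg)
        hit = vm or OK_RE.match(msg)
        if not hit:
            continue                   # "<name> - detected ..." only repeats the verdict line
        finding = pending.pop(hit["name"], Finding(hit["name"]))  # registry-only entries have no file line
        finding.status = vm["status"] if vm else "ok"
        finding.verdict = vm["verdict"] if vm else ""
        finding.fake_md5 = forged.get(finding.path, "")
        groups.setdefault(finding.status, []).append(finding)
    return groups


def summarize(groups: Dict[str, List[Finding]]) -> List[str]:
    """One line per non-clean finding, most serious first, then a count of clean objects."""
    order = ["infected", "suspicious", "warning"]
    lines = []
    for status in order + sorted(s for s in groups if s not in order and s != "ok"):
        for f in groups.get(status, []):
            extra = f" (forged, presented md5 {f.fake_md5})" if f.fake_md5 else ""
            lines.append(f"{status:<9} {f.name}: {f.verdict} {f.path}{extra} -> {f.action}")
    lines.append(f"ok        {len(groups.get('ok', []))} objects with no detection")
    return lines


# Constructed sample in TDSSKiller's layout (entries mirror the log posted in this thread).
SAMPLE_LOG = r"""
19:31:50.0493 3340  Scan started
19:31:50.0493 3340  Mode: Manual; SigCheck; TDLFS;
19:31:51.0696 3340  Abiosdsk - ok
19:31:51.0759 3340  [ 8FD99680A539792A30E97944FDAECF17 ] ACPI            C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:31:53.0321 3340  ACPI - ok
19:31:54.0681 3340  [ D8E18021F91AD79CA8491CB5A5DA22D4 ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
19:31:54.0696 3340  Apple Mobile Device - ok
19:31:54.0884 3340  [ 54AB078660E536DA72B21A27F56B035B ] ASPI            C:\WINDOWS\System32\DRIVERS\ASPI32.sys
19:31:54.0899 3340  ASPI ( UnsignedFile.Multi.Generic ) - warning
19:31:54.0899 3340  ASPI - detected UnsignedFile.Multi.Generic (1)
19:31:55.0790 3340  [ D79AC81BDEC6FA6CD9B94D28238E7608 ] ATI Smart       C:\WINDOWS\system32\ati2sgag.exe
19:31:55.0853 3340  ATI Smart ( UnsignedFile.Multi.Generic ) - warning
19:32:07.0540 3340  [ 75224E7C875BECA1AB1DBCB7FA42F746 ] isapnp          C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:32:07.0540 3340  Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\isapnp.sys. Real md5: 75224E7C875BECA1AB1DBCB7FA42F746, Fake md5: 05A299EC56E52649B1CF2FC52D20F2D7
19:32:07.0540 3340  isapnp ( Rootkit.Win32.TDSS.tdl3 ) - infected
19:32:07.0540 3340  isapnp - detected Rootkit.Win32.TDSS.tdl3 (0)
"""

if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```

Point triage() at the contents of a saved TDSSKiller log and the summary lists the infected objects first, with both hashes when the file was forged, followed by the unsigned-file warnings that the instructions say to leave alone. The script is a reading aid for the helper's review, not a replacement for it: it never proposes Delete and treats any status it does not recognise as Skip.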

#5 karen_needs_help
  • Topic Starter
  • Members
  • 15 posts

Posted 18 July 2013 - 08:14 PM

Hi Nasdaq,
 
I executed TDSSKiller.exe and the results of the scan were logged in 2 separate log files on my C: drive as follows:
 
contents pasted from the first log file:
19:31:01.0774 3220  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
19:31:02.0353 3220  ============================================================
19:31:02.0353 3220  Current date / time: 2013/07/18 19:31:02.0353
19:31:02.0353 3220  SystemInfo:
19:31:02.0353 3220  
19:31:02.0353 3220  OS Version: 5.1.2600 ServicePack: 3.0
19:31:02.0353 3220  Product type: Workstation
19:31:02.0353 3220  ComputerName: KAREN
19:31:02.0353 3220  UserName: KarenK
19:31:02.0353 3220  Windows directory: C:\WINDOWS
19:31:02.0353 3220  System windows directory: C:\WINDOWS
19:31:02.0353 3220  Processor architecture: Intel x86
19:31:02.0353 3220  Number of processors: 1
19:31:02.0353 3220  Page size: 0x1000
19:31:02.0353 3220  Boot type: Normal boot
19:31:02.0353 3220  ============================================================
19:31:02.0962 3220  Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2DC00 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
19:31:02.0978 3220  Drive \Device\Harddisk5\DR11 - Size: 0xEF000000 (3.73 Gb), SectorSize: 0x200, Cylinders: 0x1E7, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
19:31:02.0978 3220  ============================================================
19:31:02.0978 3220  \Device\Harddisk0\DR0:
19:31:02.0978 3220  MBR partitions:
19:31:02.0978 3220  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x4B02B2, BlocksNum 0x1CD142CF
19:31:02.0978 3220  \Device\Harddisk5\DR11:
19:31:02.0978 3220  MBR partitions:
19:31:02.0978 3220  \Device\Harddisk5\DR11\Partition1: MBR, Type 0xC, StartLBA 0x8, BlocksNum 0x777FF8
19:31:02.0978 3220  ============================================================
19:31:03.0024 3220  C: <-> \Device\Harddisk0\DR0\Partition1
19:31:03.0024 3220  ============================================================
19:31:03.0024 3220  Initialize success
19:31:03.0024 3220  ============================================================
19:31:50.0493 3340  ============================================================
19:31:50.0493 3340  Scan started
19:31:50.0493 3340  Mode: Manual; SigCheck; TDLFS;
19:31:50.0493 3340  ============================================================
19:31:51.0478 3340  ================ Scan system memory ========================
19:31:51.0478 3340  System memory - ok
19:31:51.0493 3340  ================ Scan services =============================
19:31:51.0696 3340  Abiosdsk - ok
19:31:51.0712 3340  abp480n5 - ok
19:31:51.0759 3340  [ 8FD99680A539792A30E97944FDAECF17 ] ACPI            C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:31:53.0321 3340  ACPI - ok
19:31:53.0368 3340  [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC          C:\WINDOWS\system32\drivers\ACPIEC.sys
19:31:53.0524 3340  ACPIEC - ok
19:31:53.0759 3340  [ 9915504F602D277EE47FD843A677FD15 ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
19:31:53.0790 3340  AdobeFlashPlayerUpdateSvc - ok
19:31:53.0806 3340  adpu160m - ok
19:31:53.0837 3340  [ 8BED39E3C35D6A489438B8141717A557 ] aec             C:\WINDOWS\system32\drivers\aec.sys
19:31:53.0962 3340  aec - ok
19:31:54.0009 3340  [ 7E775010EF291DA96AD17CA4B17137D7 ] AFD             C:\WINDOWS\System32\drivers\afd.sys
19:31:54.0071 3340  AFD - ok
19:31:54.0087 3340  Aha154x - ok
19:31:54.0087 3340  aic78u2 - ok
19:31:54.0103 3340  aic78xx - ok
19:31:54.0149 3340  [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter         C:\WINDOWS\system32\alrsvc.dll
19:31:54.0290 3340  Alerter - ok
19:31:54.0306 3340  [ 8C515081584A38AA007909CD02020B3D ] ALG             C:\WINDOWS\System32\alg.exe
19:31:54.0384 3340  ALG - ok
19:31:54.0415 3340  [ 1140AB9938809700B46BB88E46D72A96 ] AliIde          C:\WINDOWS\system32\DRIVERS\aliide.sys
19:31:54.0540 3340  AliIde - ok
19:31:54.0571 3340  amsint - ok
19:31:54.0681 3340  [ D8E18021F91AD79CA8491CB5A5DA22D4 ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
19:31:54.0696 3340  Apple Mobile Device - ok
19:31:54.0743 3340  [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt         C:\WINDOWS\System32\appmgmts.dll
19:31:54.0806 3340  AppMgmt - ok
19:31:54.0806 3340  asc - ok
19:31:54.0821 3340  asc3350p - ok
19:31:54.0821 3340  asc3550 - ok
19:31:54.0884 3340  [ 54AB078660E536DA72B21A27F56B035B ] ASPI            C:\WINDOWS\System32\DRIVERS\ASPI32.sys
19:31:54.0899 3340  ASPI ( UnsignedFile.Multi.Generic ) - warning
19:31:54.0899 3340  ASPI - detected UnsignedFile.Multi.Generic (1)
19:31:55.0009 3340  [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
19:31:55.0056 3340  aspnet_state - ok
19:31:55.0103 3340  [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac        C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:31:55.0228 3340  AsyncMac - ok
19:31:55.0259 3340  [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi           C:\WINDOWS\system32\DRIVERS\atapi.sys
19:31:55.0415 3340  atapi - ok
19:31:55.0415 3340  Atdisk - ok
19:31:55.0618 3340  [ BBA22521D24625C7A7B8D57FB20A812E ] Ati HotKey Poller C:\WINDOWS\system32\Ati2evxx.exe
19:31:55.0728 3340  Ati HotKey Poller - ok
19:31:55.0790 3340  [ D79AC81BDEC6FA6CD9B94D28238E7608 ] ATI Smart       C:\WINDOWS\system32\ati2sgag.exe
19:31:55.0853 3340  ATI Smart ( UnsignedFile.Multi.Generic ) - warning
19:31:55.0853 3340  ATI Smart - detected UnsignedFile.Multi.Generic (1)
19:31:55.0931 3340  [ 07AC9A98EA70B5A6655A5797174BD282 ] ati2mtag        C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
19:31:56.0103 3340  ati2mtag - ok
19:31:56.0196 3340  [ 9916C1225104BA14794209CFA8012159 ] Atmarpc         C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:31:56.0306 3340  Atmarpc - ok
19:31:56.0353 3340  [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv        C:\WINDOWS\System32\audiosrv.dll
19:31:56.0462 3340  AudioSrv - ok
19:31:56.0493 3340  [ D9F724AA26C010A217C97606B160ED68 ] audstub         C:\WINDOWS\system32\DRIVERS\audstub.sys
19:31:56.0618 3340  audstub - ok
19:31:56.0681 3340  [ 4BEFF67C1775D353A16A62347E727874 ] BBSvc           C:\Program Files\Microsoft\BingBar\7.1.355.0\BBSvc.exe
19:31:56.0696 3340  BBSvc - ok
19:31:56.0728 3340  [ A6DAAD3EA93DBDBD07FA821BCED133F6 ] BBUpdate        C:\Program Files\Microsoft\BingBar\7.1.355.0\SeaPort.exe
19:31:56.0759 3340  BBUpdate - ok
19:31:56.0790 3340  [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep            C:\WINDOWS\system32\drivers\Beep.sys
19:31:56.0931 3340  Beep - ok
19:31:56.0978 3340  [ 574738F61FCA2935F5265DC4E5691314 ] BITS            C:\WINDOWS\system32\qmgr.dll
19:31:57.0243 3340  BITS - ok
19:31:57.0337 3340  [ DB5BEA73EDAF19AC68B2C0FAD0F92B1A ] Bonjour Service C:\Program Files\Bonjour\mDNSResponder.exe
19:31:57.0368 3340  Bonjour Service - ok
19:31:57.0415 3340  [ A06CE3399D16DB864F55FAEB1F1927A9 ] Browser         C:\WINDOWS\System32\browser.dll
19:31:57.0556 3340  Browser - ok
19:31:57.0571 3340  catchme - ok
19:31:57.0603 3340  [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k         C:\WINDOWS\system32\drivers\cbidf2k.sys
19:31:57.0743 3340  cbidf2k - ok
19:31:57.0743 3340  cd20xrnt - ok
19:31:57.0774 3340  [ C1B486A7658353D33A10CC15211A873B ] Cdaudio         C:\WINDOWS\system32\drivers\Cdaudio.sys
19:31:57.0899 3340  Cdaudio - ok
19:31:57.0931 3340  [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs            C:\WINDOWS\system32\drivers\Cdfs.sys
19:31:58.0056 3340  Cdfs - ok
19:31:58.0071 3340  [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom           C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:31:58.0212 3340  Cdrom - ok
19:31:58.0228 3340  Changer - ok
19:31:58.0274 3340  [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc           C:\WINDOWS\system32\cisvc.exe
19:31:58.0399 3340  CiSvc - ok
19:31:58.0446 3340  [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv         C:\WINDOWS\system32\clipsrv.exe
19:31:58.0571 3340  ClipSrv - ok
19:31:58.0603 3340  [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
19:31:58.0728 3340  clr_optimization_v2.0.50727_32 - ok
19:31:58.0806 3340  [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
19:31:58.0837 3340  clr_optimization_v4.0.30319_32 - ok
19:31:58.0837 3340  CmdIde - ok
19:31:58.0853 3340  COMSysApp - ok
19:31:58.0868 3340  Cpqarray - ok
19:31:58.0915 3340  [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc        C:\WINDOWS\System32\cryptsvc.dll
19:31:59.0040 3340  CryptSvc - ok
19:31:59.0056 3340  dac2w2k - ok
19:31:59.0071 3340  dac960nt - ok
19:31:59.0118 3340  [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch      C:\WINDOWS\system32\rpcss.dll
19:31:59.0196 3340  DcomLaunch - ok
19:31:59.0228 3340  [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp            C:\WINDOWS\System32\dhcpcsvc.dll
19:31:59.0368 3340  Dhcp - ok
19:31:59.0399 3340  [ 044452051F3E02E7963599FC8F4F3E25 ] Disk            C:\WINDOWS\system32\DRIVERS\disk.sys
19:31:59.0509 3340  Disk - ok
19:31:59.0524 3340  dmadmin - ok
19:31:59.0571 3340  [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot          C:\WINDOWS\system32\drivers\dmboot.sys
19:31:59.0743 3340  dmboot - ok
19:31:59.0759 3340  [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio            C:\WINDOWS\system32\drivers\dmio.sys
19:31:59.0899 3340  dmio - ok
19:31:59.0931 3340  [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload          C:\WINDOWS\system32\drivers\dmload.sys
19:32:00.0056 3340  dmload - ok
19:32:00.0087 3340  [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver        C:\WINDOWS\System32\dmserver.dll
19:32:00.0228 3340  dmserver - ok
19:32:00.0259 3340  [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic          C:\WINDOWS\system32\drivers\DMusic.sys
19:32:00.0399 3340  DMusic - ok
19:32:00.0431 3340  [ 474B4DC3983173E4B4C9740B0DAC98A6 ] Dnscache        C:\WINDOWS\System32\dnsrslvr.dll
19:32:00.0556 3340  Dnscache - ok
19:32:00.0649 3340  [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc         C:\WINDOWS\System32\dot3svc.dll
19:32:00.0774 3340  Dot3svc - ok
19:32:00.0790 3340  dpti2o - ok
19:32:00.0821 3340  [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud         C:\WINDOWS\system32\drivers\drmkaud.sys
19:32:00.0931 3340  drmkaud - ok
19:32:00.0946 3340  [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost         C:\WINDOWS\System32\eapsvc.dll
19:32:01.0071 3340  EapHost - ok
19:32:01.0149 3340  [ 27434C42A13C11F92CA45840B720D671 ] ehRecvr         C:\WINDOWS\eHome\ehRecvr.exe
19:32:01.0181 3340  ehRecvr ( UnsignedFile.Multi.Generic ) - warning
19:32:01.0181 3340  ehRecvr - detected UnsignedFile.Multi.Generic (1)
19:32:01.0181 3340  [ 16910F8B482919BB6035ED053B691692 ] ehSched         C:\WINDOWS\eHome\ehSched.exe
19:32:01.0243 3340  ehSched - ok
19:32:01.0274 3340  [ BC93B4A066477954555966D77FEC9ECB ] ERSvc           C:\WINDOWS\System32\ersvc.dll
19:32:01.0399 3340  ERSvc - ok
19:32:01.0431 3340  [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog        C:\WINDOWS\system32\services.exe
19:32:01.0462 3340  Eventlog - ok
19:32:01.0509 3340  [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem     C:\WINDOWS\system32\es.dll
19:32:01.0556 3340  EventSystem - ok
19:32:01.0587 3340  [ 38D332A6D56AF32635675F132548343E ] Fastfat         C:\WINDOWS\system32\drivers\Fastfat.sys
19:32:01.0728 3340  Fastfat - ok
19:32:01.0759 3340  [ 1926899BF9FFE2602B63074971700412 ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
19:32:01.0915 3340  FastUserSwitchingCompatibility - ok
19:32:01.0931 3340  [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc             C:\WINDOWS\system32\DRIVERS\fdc.sys
19:32:02.0056 3340  Fdc - ok
19:32:02.0103 3340  [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips            C:\WINDOWS\system32\drivers\Fips.sys
19:32:02.0228 3340  Fips - ok
19:32:02.0259 3340  [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk        C:\WINDOWS\system32\DRIVERS\flpydisk.sys
19:32:02.0384 3340  Flpydisk - ok
19:32:02.0431 3340  [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr          C:\WINDOWS\system32\drivers\fltmgr.sys
19:32:02.0540 3340  FltMgr - ok
19:32:02.0618 3340  [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
19:32:02.0634 3340  FontCache3.0.0.0 - ok
19:32:02.0665 3340  [ C6EE3A87FE609D3E1DB9DBD072A248DE ] fssfltr         C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
19:32:02.0696 3340  fssfltr - ok
19:32:02.0774 3340  [ 206AD9A89BF05DFA1621F1FC7B82592D ] fsssvc          C:\Program Files\Windows Live\Family Safety\fsssvc.exe
19:32:02.0837 3340  fsssvc - ok
19:32:02.0884 3340  [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec          C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:32:03.0009 3340  Fs_Rec - ok
19:32:03.0040 3340  [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk          C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:32:03.0165 3340  Ftdisk - ok
19:32:03.0196 3340  [ 8182FF89C65E4D38B2DE4BB0FB18564E ] GEARAspiWDM     C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
19:32:03.0196 3340  GEARAspiWDM - ok
19:32:03.0212 3340  getPlusHelper - ok
19:32:03.0228 3340  [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc             C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:32:03.0353 3340  Gpc - ok
19:32:03.0415 3340  [ 751C1D2CA2ABF4A9F5A6B8D7D45B907C ] gusvc           C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
19:32:03.0446 3340  gusvc - ok
19:32:03.0493 3340  [ 2A013E7530BEAB6E569FAA83F517E836 ] HdAudAddService C:\WINDOWS\system32\drivers\HdAudio.sys
19:32:03.0556 3340  HdAudAddService - ok
19:32:03.0587 3340  [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus        C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
19:32:03.0712 3340  HDAudBus - ok
19:32:03.0806 3340  [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc         C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
19:32:03.0931 3340  helpsvc - ok
19:32:03.0946 3340  HidServ - ok
19:32:03.0978 3340  [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb          C:\WINDOWS\system32\DRIVERS\hidusb.sys
19:32:04.0118 3340  HidUsb - ok
19:32:04.0149 3340  [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc          C:\WINDOWS\System32\kmsvc.dll
19:32:04.0274 3340  hkmsvc - ok
19:32:04.0290 3340  hpn - ok
19:32:04.0321 3340  [ 881D1C3A64904F4B6068013A99A5855B ] HSFHWBS2        C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
19:32:04.0399 3340  HSFHWBS2 - ok
19:32:04.0446 3340  [ 8ED6714C8E754520DD8A939F91383EA0 ] HSF_DP          C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
19:32:04.0556 3340  HSF_DP - ok
19:32:04.0618 3340  [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP            C:\WINDOWS\system32\Drivers\HTTP.sys
19:32:04.0681 3340  HTTP - ok
19:32:04.0712 3340  [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter      C:\WINDOWS\System32\w3ssl.dll
19:32:04.0837 3340  HTTPFilter - ok
19:32:04.0837 3340  i2omgmt - ok
19:32:04.0853 3340  i2omp - ok
19:32:04.0899 3340  [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt        C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:32:05.0024 3340  i8042prt - ok
19:32:05.0118 3340  [ 66793A4CBE9B5AA07882E3F3622F4FFE ] icsak           C:\Program Files\CheckPoint\ZAForceField\AK\icsak.sys
19:32:05.0571 3340  icsak - ok
19:32:05.0649 3340  [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc           c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
19:32:05.0712 3340  idsvc - ok
19:32:05.0743 3340  [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi           C:\WINDOWS\system32\DRIVERS\imapi.sys
19:32:05.0884 3340  Imapi - ok
19:32:05.0931 3340  [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService    C:\WINDOWS\system32\imapi.exe
19:32:06.0040 3340  ImapiService - ok
19:32:06.0056 3340  ini910u - ok
19:32:06.0228 3340  [ A30685283F90AE02F1CD50972C6065E3 ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys
19:32:06.0571 3340  IntcAzAudAddService - ok
19:32:06.0571 3340  IntelIde - ok
19:32:06.0618 3340  [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw           C:\WINDOWS\system32\drivers\ip6fw.sys
19:32:06.0728 3340  Ip6Fw - ok
19:32:06.0774 3340  [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver  C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:32:06.0884 3340  IpFilterDriver - ok
19:32:06.0899 3340  [ B87AB476DCF76E72010632B5550955F5 ] IpInIp          C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:32:07.0024 3340  IpInIp - ok
19:32:07.0056 3340  [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat           C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:32:07.0165 3340  IpNat - ok
19:32:07.0228 3340  [ 33642C17C232AA272C68E446A2619899 ] iPod Service    C:\Program Files\iPod\bin\iPodService.exe
19:32:07.0274 3340  iPod Service - ok
19:32:07.0321 3340  [ 23C74D75E36E7158768DD63D92789A91 ] IPSec           C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:32:07.0431 3340  IPSec - ok
19:32:07.0462 3340  [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM          C:\WINDOWS\system32\DRIVERS\irenum.sys
19:32:07.0509 3340  IRENUM - ok
19:32:07.0540 3340  [ 75224E7C875BECA1AB1DBCB7FA42F746 ] isapnp          C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:32:07.0540 3340  Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\isapnp.sys. Real md5: 75224E7C875BECA1AB1DBCB7FA42F746, Fake md5: 05A299EC56E52649B1CF2FC52D20F2D7
19:32:07.0540 3340  isapnp ( Rootkit.Win32.TDSS.tdl3 ) - infected
19:32:07.0540 3340  isapnp - detected Rootkit.Win32.TDSS.tdl3 (0)
19:32:07.0571 3340  [ F0DEC1FDC2E67AEDD8CC00B48EEE0D43 ] ISWKL           C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
19:32:07.0587 3340  ISWKL - ok
19:32:07.0618 3340  [ 0D50F54856B569302006F590F56109FA ] IswSvc          C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
19:32:07.0665 3340  IswSvc - ok
19:32:07.0712 3340  [ 691B9B7C0CC1653732717D292D6B305D ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
19:32:07.0728 3340  JavaQuickStarterService - ok
19:32:07.0774 3340  [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass        C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:32:07.0884 3340  Kbdclass - ok
19:32:07.0946 3340  [ 7DD41B7AC1FBB1DBF20BB1F4E4FBE58C ] kl1             C:\WINDOWS\system32\DRIVERS\kl1.sys
19:32:07.0946 3340  kl1 - ok
19:32:07.0978 3340  [ 692BCF44383D056AED41B045A323D378 ] kmixer          C:\WINDOWS\system32\drivers\kmixer.sys
19:32:08.0118 3340  kmixer - ok
19:32:08.0149 3340  [ B467646C54CC746128904E1654C750C1 ] KSecDD          C:\WINDOWS\system32\drivers\KSecDD.sys
19:32:08.0243 3340  KSecDD - ok
19:32:08.0290 3340  [ F385F4B02C535BFFE1D70CAB80838123 ] lanmanserver    C:\WINDOWS\System32\srvsvc.dll
19:32:08.0415 3340  lanmanserver - ok
19:32:08.0462 3340  [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
19:32:08.0556 3340  lanmanworkstation - ok
19:32:08.0556 3340  lbrtfdc - ok
19:32:08.0603 3340  [ A7DB739AE99A796D91580147E919CC59 ] LmHosts         C:\WINDOWS\System32\lmhsvc.dll
19:32:08.0728 3340  LmHosts - ok
19:32:08.0774 3340  [ FC969E4E53C602884958A5FDFFC53526 ] m5287           C:\WINDOWS\system32\drivers\m5287.sys
19:32:08.0821 3340  m5287 - ok
19:32:08.0868 3340  [ 0DB7527DB188C7D967A37BB51BBF3963 ] MBAMSwissArmy   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
19:32:08.0868 3340  MBAMSwissArmy - ok
19:32:08.0899 3340  [ 3C318B9CD391371BED62126581EE9961 ] mdmxsdk         C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
19:32:08.0931 3340  mdmxsdk - ok
19:32:08.0978 3340  [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger       C:\WINDOWS\System32\msgsvc.dll
19:32:09.0103 3340  Messenger - ok
19:32:09.0134 3340  [ B7521F69C0A9B29D356157229376FB21 ] MHN             C:\WINDOWS\System32\mhn.dll
19:32:09.0165 3340  MHN ( UnsignedFile.Multi.Generic ) - warning
19:32:09.0165 3340  MHN - detected UnsignedFile.Multi.Generic (1)
19:32:09.0196 3340  [ 7F2F1D2815A6449D346FCCCBC569FBD6 ] MHNDRV          C:\WINDOWS\system32\DRIVERS\mhndrv.sys
19:32:09.0196 3340  MHNDRV ( UnsignedFile.Multi.Generic ) - warning
19:32:09.0196 3340  MHNDRV - detected UnsignedFile.Multi.Generic (1)
19:32:09.0274 3340  [ 7C4C76B39D5525C4A465E0BE32528E19 ] Microsoft Office Groove Audit Service C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe
19:32:09.0274 3340  Microsoft Office Groove Audit Service - ok
19:32:09.0306 3340  [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd           C:\WINDOWS\system32\drivers\mnmdd.sys
19:32:09.0431 3340  mnmdd - ok
19:32:09.0478 3340  [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc         C:\WINDOWS\system32\mnmsrvc.exe
19:32:09.0587 3340  mnmsrvc - ok
19:32:09.0618 3340  [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem           C:\WINDOWS\system32\drivers\Modem.sys
19:32:09.0728 3340  Modem - ok
19:32:09.0759 3340  [ 1992E0D143B09653AB0F9C5E04B0FD65 ] MODEMCSA        C:\WINDOWS\system32\drivers\MODEMCSA.sys
19:32:09.0884 3340  MODEMCSA - ok
19:32:09.0884 3340  [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass        C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:32:10.0009 3340  Mouclass - ok
19:32:10.0056 3340  [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid          C:\WINDOWS\system32\DRIVERS\mouhid.sys
19:32:10.0181 3340  mouhid - ok
19:32:10.0212 3340  [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr        C:\WINDOWS\system32\drivers\MountMgr.sys
19:32:10.0321 3340  MountMgr - ok
19:32:10.0337 3340  mraid35x - ok
19:32:10.0337 3340  [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV          C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:32:10.0446 3340  MRxDAV - ok
19:32:10.0493 3340  [ F3AEFB11ABC521122B67095044169E98 ] MRxSmb          C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:32:10.0571 3340  MRxSmb - ok
19:32:10.0618 3340  [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC           C:\WINDOWS\system32\msdtc.exe
19:32:10.0712 3340  MSDTC - ok
19:32:10.0743 3340  [ C941EA2454BA8350021D774DAF0F1027 ] Msfs            C:\WINDOWS\system32\drivers\Msfs.sys
19:32:10.0853 3340  Msfs - ok
19:32:10.0868 3340  MSIServer - ok
19:32:10.0915 3340  [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV         C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:32:11.0024 3340  MSKSSRV - ok
19:32:11.0040 3340  [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK        C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:32:11.0165 3340  MSPCLOCK - ok
19:32:11.0181 3340  [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM           C:\WINDOWS\system32\drivers\MSPQM.sys
19:32:11.0274 3340  MSPQM - ok
19:32:11.0321 3340  [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios        C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:32:11.0415 3340  mssmbios - ok
19:32:11.0462 3340  [ D48659BB24C48345D926ECB45C1EBDF5 ] MTsensor        C:\WINDOWS\system32\DRIVERS\ASACPI.sys
19:32:11.0493 3340  MTsensor - ok
19:32:11.0524 3340  [ 2F625D11385B1A94360BFC70AAEFDEE1 ] Mup             C:\WINDOWS\system32\drivers\Mup.sys
19:32:11.0618 3340  Mup - ok
19:32:11.0681 3340  [ 0102140028FAD045756796E1C685D695 ] napagent        C:\WINDOWS\System32\qagentrt.dll
19:32:11.0806 3340  napagent - ok
19:32:11.0853 3340  [ 1DF7F42665C94B825322FAE71721130D ] NDIS            C:\WINDOWS\system32\drivers\NDIS.sys
19:32:11.0962 3340  NDIS - ok
19:32:11.0993 3340  [ 1AB3D00C991AB086E69DB84B6C0ED78F ] NdisTapi        C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:32:12.0118 3340  NdisTapi - ok
19:32:12.0134 3340  [ F927A4434C5028758A842943EF1A3849 ] Ndisuio         C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:32:12.0243 3340  Ndisuio - ok
19:32:12.0243 3340  [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan         C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:32:12.0368 3340  NdisWan - ok
19:32:12.0384 3340  [ 6215023940CFD3702B46ABC304E1D45A ] NDProxy         C:\WINDOWS\system32\drivers\NDProxy.sys
19:32:12.0509 3340  NDProxy - ok
19:32:12.0540 3340  [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS         C:\WINDOWS\system32\DRIVERS\netbios.sys
19:32:12.0634 3340  NetBIOS - ok
19:32:12.0649 3340  [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT           C:\WINDOWS\system32\DRIVERS\netbt.sys
19:32:12.0774 3340  NetBT - ok
19:32:12.0806 3340  [ B857BA82860D7FF85AE29B095645563B ] NetDDE          C:\WINDOWS\system32\netdde.exe
19:32:12.0931 3340  NetDDE - ok
19:32:12.0931 3340  [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm      C:\WINDOWS\system32\netdde.exe
19:32:13.0040 3340  NetDDEdsdm - ok
19:32:13.0087 3340  [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon        C:\WINDOWS\system32\lsass.exe
19:32:13.0196 3340  Netlogon - ok
19:32:13.0243 3340  [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman          C:\WINDOWS\System32\netman.dll
19:32:13.0384 3340  Netman - ok
19:32:13.0431 3340  [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
19:32:13.0446 3340  NetTcpPortSharing - ok
19:32:13.0493 3340  [ 832E4DD8964AB7ACC880B2837CB1ED20 ] Nla             C:\WINDOWS\System32\mswsock.dll
19:32:13.0540 3340  Nla - ok
19:32:13.0571 3340  [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs            C:\WINDOWS\system32\drivers\Npfs.sys
19:32:13.0696 3340  Npfs - ok
19:32:13.0743 3340  [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs            C:\WINDOWS\system32\drivers\Ntfs.sys
19:32:13.0915 3340  Ntfs - ok
19:32:13.0946 3340  [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp         C:\WINDOWS\system32\lsass.exe
19:32:14.0040 3340  NtLmSsp - ok
19:32:14.0087 3340  [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc         C:\WINDOWS\system32\ntmssvc.dll
19:32:14.0196 3340  NtmsSvc - ok
19:32:14.0228 3340  [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null            C:\WINDOWS\system32\drivers\Null.sys
19:32:14.0337 3340  Null - ok
19:32:14.0368 3340  [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt        C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:32:14.0462 3340  NwlnkFlt - ok
19:32:14.0493 3340  [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd        C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:32:14.0603 3340  NwlnkFwd - ok
19:32:14.0696 3340  [ 1F0E05DFF4F5A833168E49BE1256F002 ] odserv          C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
19:32:14.0728 3340  odserv - ok
19:32:14.0774 3340  [ 5A432A042DAE460ABE7199B758E8606C ] ose             C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
19:32:14.0790 3340  ose - ok
19:32:14.0837 3340  [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport         C:\WINDOWS\system32\DRIVERS\parport.sys
19:32:14.0962 3340  Parport - ok
19:32:14.0993 3340  [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr         C:\WINDOWS\system32\drivers\PartMgr.sys
19:32:15.0087 3340  PartMgr - ok
19:32:15.0118 3340  [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm          C:\WINDOWS\system32\drivers\ParVdm.sys
19:32:15.0243 3340  ParVdm - ok
19:32:15.0259 3340  [ A219903CCF74233761D92BEF471A07B1 ] PCI             C:\WINDOWS\system32\DRIVERS\pci.sys
19:32:15.0353 3340  PCI - ok
19:32:15.0384 3340  PCIDump - ok
19:32:15.0399 3340  PCIIde - ok
19:32:15.0431 3340  [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia          C:\WINDOWS\system32\drivers\Pcmcia.sys
19:32:15.0540 3340  Pcmcia - ok
19:32:15.0556 3340  PDCOMP - ok
19:32:15.0556 3340  PDFRAME - ok
19:32:15.0571 3340  PDRELI - ok
19:32:15.0587 3340  PDRFRAME - ok
19:32:15.0603 3340  perc2 - ok
19:32:15.0603 3340  perc2hib - ok
19:32:15.0649 3340  [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay        C:\WINDOWS\system32\services.exe
19:32:15.0681 3340  PlugPlay - ok
19:32:15.0774 3340  [ B597C2C966B447E011B4AE1B4D053677 ] PMBDeviceInfoProvider C:\Program Files\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe
19:32:15.0806 3340  PMBDeviceInfoProvider - ok
19:32:15.0821 3340  [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent     C:\WINDOWS\system32\lsass.exe
19:32:15.0931 3340  PolicyAgent - ok
19:32:15.0962 3340  [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport    C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:32:16.0071 3340  PptpMiniport - ok
19:32:16.0103 3340  [ A32BEBAF723557681BFC6BD93E98BD26 ] Processor       C:\WINDOWS\system32\DRIVERS\processr.sys
19:32:16.0212 3340  Processor - ok
19:32:16.0228 3340  [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
19:32:16.0321 3340  ProtectedStorage - ok
19:32:16.0353 3340  [ 09298EC810B07E5D582CB3A3F9255424 ] PSched          C:\WINDOWS\system32\DRIVERS\psched.sys
19:32:16.0478 3340  PSched - ok
19:32:16.0493 3340  [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink         C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:32:16.0587 3340  Ptilink - ok
19:32:16.0618 3340  [ 40F2031BD9148D3194353EA7DEC97A07 ] PxHelp20        C:\WINDOWS\system32\Drivers\PxHelp20.sys
19:32:16.0649 3340  PxHelp20 - ok
19:32:16.0665 3340  ql1080 - ok
19:32:16.0681 3340  Ql10wnt - ok
19:32:16.0681 3340  ql12160 - ok
19:32:16.0696 3340  ql1240 - ok
19:32:16.0696 3340  ql1280 - ok
19:32:16.0728 3340  [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd          C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:32:16.0837 3340  RasAcd - ok
19:32:16.0899 3340  [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto         C:\WINDOWS\System32\rasauto.dll
19:32:17.0040 3340  RasAuto - ok
19:32:17.0087 3340  [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp         C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:32:17.0228 3340  Rasl2tp - ok
19:32:17.0306 3340  [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan          C:\WINDOWS\System32\rasmans.dll
19:32:17.0446 3340  RasMan - ok
19:32:17.0478 3340  [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe        C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:32:17.0618 3340  RasPppoe - ok
19:32:17.0728 3340  [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti          C:\WINDOWS\system32\DRIVERS\raspti.sys
19:32:17.0868 3340  Raspti - ok
19:32:17.0946 3340  [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss           C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:32:18.0118 3340  Rdbss - ok
19:32:18.0165 3340  [ 4912D5B403614CE99C28420F75353332 ] RDPCDD          C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:32:18.0274 3340  RDPCDD - ok
19:32:18.0306 3340  [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr           C:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:32:18.0431 3340  rdpdr - ok
19:32:18.0462 3340  [ 6728E45B66F93C08F11DE2E316FC70DD ] RDPWD           C:\WINDOWS\system32\drivers\RDPWD.sys
19:32:18.0571 3340  RDPWD - ok
19:32:18.0618 3340  [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr       C:\WINDOWS\system32\sessmgr.exe
19:32:18.0759 3340  RDSessMgr - ok
19:32:18.0774 3340  [ F828DD7E1419B6653894A8F97A0094C5 ] redbook         C:\WINDOWS\system32\DRIVERS\redbook.sys
19:32:18.0884 3340  redbook - ok
19:32:18.0946 3340  [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess    C:\WINDOWS\System32\mprdim.dll
19:32:19.0071 3340  RemoteAccess - ok
19:32:19.0103 3340  [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry  C:\WINDOWS\system32\regsvc.dll
19:32:19.0228 3340  RemoteRegistry - ok
19:32:19.0290 3340  [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator      C:\WINDOWS\system32\locator.exe
19:32:19.0399 3340  RpcLocator - ok
19:32:19.0509 3340  [ 6B27A5C03DFB94B4245739065431322C ] RpcSs           C:\WINDOWS\System32\rpcss.dll
19:32:19.0556 3340  RpcSs - ok
19:32:19.0603 3340  [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP            C:\WINDOWS\system32\rsvp.exe
19:32:19.0759 3340  RSVP - ok
19:32:19.0790 3340  [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs           C:\WINDOWS\system32\lsass.exe
19:32:19.0884 3340  SamSs - ok
19:32:19.0931 3340  [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr        C:\WINDOWS\System32\SCardSvr.exe
19:32:20.0056 3340  SCardSvr - ok
19:32:20.0134 3340  [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule        C:\WINDOWS\system32\schedsvc.dll
19:32:20.0274 3340  Schedule - ok
19:32:20.0321 3340  [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv          C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:32:20.0368 3340  Secdrv - ok
19:32:20.0384 3340  [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon        C:\WINDOWS\System32\seclogon.dll
19:32:20.0509 3340  seclogon - ok
19:32:20.0524 3340  [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS            C:\WINDOWS\system32\sens.dll
19:32:20.0649 3340  SENS - ok
19:32:20.0696 3340  [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum         C:\WINDOWS\system32\DRIVERS\serenum.sys
19:32:20.0853 3340  serenum - ok
19:32:20.0853 3340  [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial          C:\WINDOWS\system32\DRIVERS\serial.sys
19:32:20.0993 3340  Serial - ok
19:32:21.0040 3340  [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy         C:\WINDOWS\system32\drivers\Sfloppy.sys
19:32:21.0196 3340  Sfloppy - ok
19:32:21.0243 3340  [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess    C:\WINDOWS\System32\ipnathlp.dll
19:32:21.0415 3340  SharedAccess - ok
19:32:21.0446 3340  [ 1926899BF9FFE2602B63074971700412 ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
19:32:21.0587 3340  ShellHWDetection - ok
19:32:21.0603 3340  Simbad - ok
19:32:21.0681 3340  [ 726530D3A8BA37DCEF26C545AB62EF51 ] SkyhawkeUSBLan  C:\WINDOWS\system32\DRIVERS\btblan.sys
19:32:21.0681 3340  SkyhawkeUSBLan - ok
19:32:21.0696 3340  Sparrow - ok
19:32:21.0743 3340  [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter        C:\WINDOWS\system32\drivers\splitter.sys
19:32:21.0868 3340  splitter - ok
19:32:21.0915 3340  [ D8E14A61ACC1D4A6CD0D38AEBAC7FA3B ] Spooler         C:\WINDOWS\system32\spoolsv.exe
19:32:22.0024 3340  Spooler - ok
19:32:22.0056 3340  [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr              C:\WINDOWS\system32\DRIVERS\sr.sys
19:32:22.0149 3340  sr - ok
19:32:22.0181 3340  srescan - ok
19:32:22.0228 3340  [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice       C:\WINDOWS\system32\srsvc.dll
19:32:22.0306 3340  srservice - ok
19:32:22.0337 3340  [ 89220B427890AA1DFFD1A02648AE51C3 ] Srv             C:\WINDOWS\system32\DRIVERS\srv.sys
19:32:22.0415 3340  Srv - ok
19:32:22.0446 3340  [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV         C:\WINDOWS\System32\ssdpsrv.dll
19:32:22.0493 3340  SSDPSRV - ok
19:32:22.0540 3340  [ A9573045BAA16EAB9B1085205B82F1ED ] StillCam        C:\WINDOWS\system32\DRIVERS\serscan.sys
19:32:22.0634 3340  StillCam - ok
19:32:22.0681 3340  [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc          C:\WINDOWS\system32\wiaservc.dll
19:32:22.0821 3340  stisvc - ok
19:32:22.0853 3340  [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum          C:\WINDOWS\system32\DRIVERS\swenum.sys
19:32:22.0962 3340  swenum - ok
19:32:22.0993 3340  [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi          C:\WINDOWS\system32\drivers\swmidi.sys
19:32:23.0087 3340  swmidi - ok
19:32:23.0103 3340  SwPrv - ok
19:32:23.0118 3340  symc810 - ok
19:32:23.0134 3340  symc8xx - ok
19:32:23.0149 3340  sym_hi - ok
19:32:23.0149 3340  sym_u3 - ok
19:32:23.0181 3340  [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio        C:\WINDOWS\system32\drivers\sysaudio.sys
19:32:23.0290 3340  sysaudio - ok
19:32:23.0337 3340  [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog       C:\WINDOWS\system32\smlogsvc.exe
19:32:23.0446 3340  SysmonLog - ok
19:32:23.0478 3340  [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv         C:\WINDOWS\System32\tapisrv.dll
19:32:23.0571 3340  TapiSrv - ok
19:32:23.0603 3340  [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip           C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:32:23.0665 3340  Tcpip - ok
19:32:23.0712 3340  [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE          C:\WINDOWS\system32\drivers\TDPIPE.sys
19:32:23.0821 3340  TDPIPE - ok
19:32:23.0853 3340  [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP           C:\WINDOWS\system32\drivers\TDTCP.sys
19:32:23.0962 3340  TDTCP - ok
19:32:23.0993 3340  [ 88155247177638048422893737429D9E ] TermDD          C:\WINDOWS\system32\DRIVERS\termdd.sys
19:32:24.0103 3340  TermDD - ok
19:32:24.0165 3340  [ FF3477C03BE7201C294C35F684B3479F ] TermService     C:\WINDOWS\System32\termsrv.dll
19:32:24.0290 3340  TermService - ok
19:32:24.0321 3340  [ 1926899BF9FFE2602B63074971700412 ] Themes          C:\WINDOWS\System32\shsvcs.dll
19:32:24.0415 3340  Themes - ok
19:32:24.0446 3340  [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr         C:\WINDOWS\system32\tlntsvr.exe
19:32:24.0509 3340  TlntSvr - ok
19:32:24.0524 3340  TosIde - ok
19:32:24.0571 3340  [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks          C:\WINDOWS\system32\trkwks.dll
19:32:24.0681 3340  TrkWks - ok
19:32:24.0712 3340  [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs            C:\WINDOWS\system32\drivers\Udfs.sys
19:32:24.0806 3340  Udfs - ok
19:32:24.0853 3340  [ CE2DD5EFB0F773382376FAAF9F506542 ] ULI5261XP       C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS
19:32:24.0884 3340  ULI5261XP - ok
19:32:24.0899 3340  ultra - ok
19:32:24.0915 3340  [ AB0A7CA90D9E3D6A193905DC1715DED0 ] UMWdf           C:\WINDOWS\system32\wdfmgr.exe
19:32:24.0978 3340  UMWdf - ok
19:32:25.0024 3340  [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update          C:\WINDOWS\system32\DRIVERS\update.sys
19:32:25.0165 3340  Update - ok
19:32:25.0212 3340  [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost        C:\WINDOWS\System32\upnphost.dll
19:32:25.0274 3340  upnphost - ok
19:32:25.0306 3340  [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS             C:\WINDOWS\System32\ups.exe
19:32:25.0415 3340  UPS - ok
19:32:25.0509 3340  [ 83CAFCB53201BBAC04D822F32438E244 ] USBAAPL         C:\WINDOWS\system32\Drivers\usbaapl.sys
19:32:25.0587 3340  USBAAPL - ok
19:32:25.0634 3340  [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp         C:\WINDOWS\system32\DRIVERS\usbccgp.sys
19:32:25.0790 3340  usbccgp - ok
19:32:25.0806 3340  [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci         C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:32:25.0931 3340  usbehci - ok
19:32:26.0009 3340  [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub          C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:32:26.0165 3340  usbhub - ok
19:32:26.0228 3340  [ 0DAECCE65366EA32B162F85F07C6753B ] usbohci         C:\WINDOWS\system32\DRIVERS\usbohci.sys
19:32:26.0368 3340  usbohci - ok
19:32:26.0415 3340  [ A717C8721046828520C9EDF31288FC00 ] usbprint        C:\WINDOWS\system32\DRIVERS\usbprint.sys
19:32:26.0556 3340  usbprint - ok
19:32:26.0603 3340  [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan         C:\WINDOWS\system32\DRIVERS\usbscan.sys
19:32:26.0743 3340  usbscan - ok
19:32:26.0821 3340  [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR         C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:32:26.0931 3340  USBSTOR - ok
19:32:27.0056 3340  [ 622FCF264119F7DF127BE353F796B319 ] UtilityChest_49Service C:\PROGRA~1\UTILIT~2\bar\1.bin\49barsvc.exe
19:32:27.0087 3340  UtilityChest_49Service - ok
19:32:27.0134 3340  [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave         C:\WINDOWS\System32\drivers\vga.sys
19:32:27.0259 3340  VgaSave - ok
19:32:27.0274 3340  ViaIde - ok
19:32:27.0290 3340  [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap         C:\WINDOWS\system32\drivers\VolSnap.sys
19:32:27.0415 3340  VolSnap - ok
19:32:27.0743 3340  [ 7F10C6C385A03F40B07D682BFAA07E2F ] vsdatant        C:\WINDOWS\system32\vsdatant.sys
19:32:27.0899 3340  vsdatant - ok
19:32:27.0915 3340  vsmon - ok
19:32:27.0962 3340  [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS             C:\WINDOWS\System32\vssvc.exe
19:32:28.0040 3340  VSS - ok
19:32:28.0118 3340  [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time         C:\WINDOWS\system32\w32time.dll
19:32:28.0337 3340  W32Time - ok
19:32:28.0353 3340  WajamUpdater - ok
19:32:28.0368 3340  [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp          C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:32:28.0478 3340  Wanarp - ok
19:32:28.0493 3340  WDICA - ok
19:32:28.0556 3340  [ 6768ACF64B18196494413695F0C3A00F ] wdmaud          C:\WINDOWS\system32\drivers\wdmaud.sys
19:32:28.0681 3340  wdmaud - ok
19:32:28.0728 3340  [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient       C:\WINDOWS\System32\webclnt.dll
19:32:28.0853 3340  WebClient - ok
19:32:29.0009 3340  [ 7DD2EC1EFD9F48843FFC5815AEBF1068 ] winachsf        C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
19:32:29.0165 3340  winachsf - ok
19:32:29.0353 3340  [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt         C:\WINDOWS\system32\wbem\WMIsvc.dll
19:32:29.0556 3340  winmgmt - ok
19:32:29.0618 3340  [ 140EF97B64F560FD78643CAE2CDAD838 ] WmdmPmSN        C:\WINDOWS\system32\MsPMSNSv.dll
19:32:29.0665 3340  WmdmPmSN - ok
19:32:29.0728 3340  [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi             C:\WINDOWS\System32\advapi32.dll
19:32:29.0790 3340  Wmi - ok
19:32:29.0853 3340  [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv        C:\WINDOWS\system32\wbem\wmiapsrv.exe
19:32:29.0962 3340  WmiApSrv - ok
19:32:30.0024 3340  [ 1385E5AA9C9821790D33A9563B8D2DD0 ] WpdUsb          C:\WINDOWS\system32\Drivers\wpdusb.sys
19:32:30.0040 3340  WpdUsb - ok
19:32:30.0149 3340  [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
19:32:30.0274 3340  WPFFontCache_v0400 - ok
19:32:30.0321 3340  [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL         C:\WINDOWS\System32\drivers\ws2ifsl.sys
19:32:30.0399 3340  WS2IFSL - ok
19:32:30.0478 3340  [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc          C:\WINDOWS\system32\wscsvc.dll
19:32:30.0587 3340  wscsvc - ok
19:32:30.0618 3340  [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv        C:\WINDOWS\system32\wuauserv.dll
19:32:30.0728 3340  wuauserv - ok
19:32:30.0993 3340  [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC          C:\WINDOWS\System32\wzcsvc.dll
19:32:31.0509 3340  WZCSVC - ok
19:32:31.0540 3340  [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov         C:\WINDOWS\System32\xmlprov.dll
19:32:31.0712 3340  xmlprov - ok
19:32:31.0712 3340  ================ Scan global ===============================
19:32:31.0759 3340  [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
19:32:31.0790 3340  [ 1618F36D4F7F6CCCEB3EE44BA95BE85C ] C:\WINDOWS\system32\winsrv.dll
19:32:31.0821 3340  [ 1618F36D4F7F6CCCEB3EE44BA95BE85C ] C:\WINDOWS\system32\winsrv.dll
19:32:31.0853 3340  [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
19:32:31.0853 3340  [Global] - ok
19:32:31.0853 3340  ================ Scan MBR ==================================
19:32:31.0884 3340  [ 923A599A126887912E20C0D762FB67BC ] \Device\Harddisk0\DR0
19:32:32.0040 3340  \Device\Harddisk0\DR0 ( TDSS File System ) - warning
19:32:32.0040 3340  \Device\Harddisk0\DR0 - detected TDSS File System (1)
19:32:32.0056 3340  [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk5\DR11
19:32:35.0196 3340  \Device\Harddisk5\DR11 - ok
19:32:35.0212 3340  ================ Scan VBR ==================================
19:32:35.0212 3340  [ F0CD32CD320998ACE2F89DD21420E52D ] \Device\Harddisk0\DR0\Partition1
19:32:35.0228 3340  \Device\Harddisk0\DR0\Partition1 - ok
19:32:35.0228 3340  [ 6D74C1E1C9E39320409F63F2C01A357A ] \Device\Harddisk5\DR11\Partition1
19:32:35.0228 3340  \Device\Harddisk5\DR11\Partition1 - ok
19:32:35.0243 3340  ============================================================
19:32:35.0243 3340  Scan finished
19:32:35.0243 3340  ============================================================
19:32:35.0368 3332  Detected object count: 7
19:32:35.0368 3332  Actual detected object count: 7
19:37:23.0962 3332  ASPI ( UnsignedFile.Multi.Generic ) - skipped by user
19:37:23.0962 3332  ASPI ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:37:23.0962 3332  ATI Smart ( UnsignedFile.Multi.Generic ) - skipped by user
19:37:23.0962 3332  ATI Smart ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:37:23.0962 3332  ehRecvr ( UnsignedFile.Multi.Generic ) - skipped by user
19:37:23.0962 3332  ehRecvr ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:37:24.0009 3332  C:\WINDOWS\system32\DRIVERS\isapnp.sys - copied to quarantine
19:37:24.0024 3332  \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
19:37:24.0040 3332  \Device\Harddisk0\DR0\TDLFS\tdl - copied to quarantine
19:37:24.0056 3332  \Device\Harddisk0\DR0\TDLFS\rsrc.dat - copied to quarantine
19:37:24.0056 3332  \Device\Harddisk0\DR0\TDLFS\bckfg.tmp - copied to quarantine
19:37:24.0056 3332  \Device\Harddisk0\DR0\TDLFS\tdlcmd.dll - copied to quarantine
19:37:24.0056 3332  \Device\Harddisk0\DR0\TDLFS\keywords - copied to quarantine
19:37:24.0071 3332  \Device\Harddisk0\DR0\TDLFS\jxxb.tmp - copied to quarantine
19:37:24.0071 3332  \Device\Harddisk0\DR0\TDLFS\glht.tmp - copied to quarantine
19:37:24.0071 3332  \Device\Harddisk0\DR0\TDLFS\fdex.tmp - copied to quarantine
19:37:25.0696 3332  Backup copy not found, trying to cure infected file..
19:37:25.0696 3332  Cure success, using it..
19:37:25.0712 3332  C:\WINDOWS\system32\DRIVERS\isapnp.sys - will be cured on reboot
19:37:25.0712 3332  isapnp ( Rootkit.Win32.TDSS.tdl3 ) - User select action: Cure
19:37:25.0728 3332  MHN ( UnsignedFile.Multi.Generic ) - skipped by user
19:37:25.0728 3332  MHN ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:37:25.0728 3332  MHNDRV ( UnsignedFile.Multi.Generic ) - skipped by user
19:37:25.0728 3332  MHNDRV ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:37:25.0728 3332  \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
19:37:25.0728 3332  \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
19:37:41.0712 0620  Deinitialize success
 
Contents within the 2nd log file generated are as follows:
19:39:53.0750 1748  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
19:39:54.0312 1748  ============================================================
19:39:54.0312 1748  Current date / time: 2013/07/18 19:39:54.0312
19:39:54.0312 1748  SystemInfo:
19:39:54.0312 1748  
19:39:54.0312 1748  OS Version: 5.1.2600 ServicePack: 3.0
19:39:54.0312 1748  Product type: Workstation
19:39:54.0312 1748  ComputerName: KAREN
19:39:54.0312 1748  UserName: KarenK
19:39:54.0312 1748  Windows directory: C:\WINDOWS
19:39:54.0312 1748  System windows directory: C:\WINDOWS
19:39:54.0312 1748  Processor architecture: Intel x86
19:39:54.0312 1748  Number of processors: 1
19:39:54.0312 1748  Page size: 0x1000
19:39:54.0312 1748  Boot type: Normal boot
19:39:54.0312 1748  ============================================================
19:39:55.0734 1748  BG loaded
19:39:56.0156 1748  Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2DC00 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
19:39:56.0171 1748  ============================================================
19:39:56.0171 1748  \Device\Harddisk0\DR0:
19:39:56.0171 1748  MBR partitions:
19:39:56.0171 1748  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x4B02B2, BlocksNum 0x1CD142CF
19:39:56.0171 1748  ============================================================
19:39:56.0218 1748  C: <-> \Device\Harddisk0\DR0\Partition1
19:39:56.0281 1748  ============================================================
19:39:56.0281 1748  Initialize success
19:39:56.0281 1748  ============================================================
 
I then ran the aswMBR.exe file.  I saved the contents to my desktop.  The contents of that log file are pasted below:
aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-07-18 19:50:02
-----------------------------
19:50:02.234    OS Version: Windows 5.1.2600 Service Pack 3
19:50:02.234    Number of processors: 1 586 0x2701
19:50:02.250    ComputerName: KAREN  UserName:
19:50:03.906    Initialize success
19:50:24.968    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\m52871Port2Path0Target0Lun0
19:50:24.968    Disk 0 Vendor: ST325082 3.AA Size: 238475MB BusType: 1
19:50:25.078    Disk 0 MBR read successfully
19:50:25.078    Disk 0 MBR scan
19:50:25.078    Disk 0 unknown MBR code
19:50:25.093    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       236072 MB offset 4915890
19:50:25.093    Disk 0 Partition 2 00     12  Compaq diag RECOVERY     2400 MB offset 63
19:50:25.093    Disk 0 scanning sectors +488392065
19:50:25.156    Disk 0 scanning C:\WINDOWS\system32\drivers
19:50:30.937    Service scanning
19:50:39.625    Service vsdatant C:\WINDOWS\System32\vsdatant.sys **LOCKED** 32
19:50:40.875    Modules scanning
19:50:45.296    Disk 0 trace - called modules:
19:50:45.312    ntkrnlpa.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll m5287.sys
19:50:45.671    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84f61ab8]
19:50:45.671    3 CLASSPNP.SYS[f76b6fd7] -> nt!IofCallDriver -> \Device\Scsi\m52871Port2Path0Target0Lun0[0x84f61030]
19:50:45.671    Scan finished successfully
19:51:16.296    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\KarenK\Desktop\MBR.dat"
19:51:16.312    The log file has been saved successfully to "C:\Documents and Settings\KarenK\Desktop\aswMBR.txt"

 
I have zipped and attached the MBR file that was created on my desktop.

 

Note: after rebooting my computer all my desktop icons still do not work? I suppose I still have an issue....

 

Thanks very much for your help, I am looking forward to your reply.

 

Karen

Attached File: MBR.zip (554 bytes)
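The TDSSKiller log posted above runs to hundreds of lines, and the ones that matter are the few that do not end in "- ok". The Python script below is an added example for this thread (it is neither the forum's code nor Kaspersky's tooling): it parses the line shape seen in the posted log and summarises what was flagged, what was copied to quarantine or scheduled for cure, and which detections were answered with Skip. The regular expressions are assumptions about the format derived only from the posted lines, and the sample input is a handful of lines taken from the log above.

```python
"""Triage summary for a TDSSKiller text log.

Added example for this thread (not Kaspersky's tooling and not the
forum's own code). The regular expressions are assumptions about the
log format, derived only from the lines posted in the thread.
"""
import re

# Every log line: "<hh:mm:ss.ffff> <thread-id>  <message>"
LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d+)\s+(?P<msg>.*)$")

# Inventory lines: "[ <MD5> ] <service-or-driver> <path>" or "[ <MD5> ] <device>"
HASH_RE = re.compile(r"^\[ (?P<md5>[0-9A-Fa-f]{32}) \] (?P<rest>.+)$")

# Verdict lines: "<object>[ ( <detection> )] - <verdict>"; only the verdict
# wordings present in the posted log are recognised.
VERDICT_RE = re.compile(
    r"^(?P<obj>.+?)(?: \( (?P<det>[^()]+) \))? - "
    r"(?P<verdict>ok|warning|detected .+|copied to quarantine|"
    r"will be cured on reboot|skipped by user|User select action: \S+)$"
)
DETECTED_RE = re.compile(r"^detected (?P<name>.+) \(\d+\)$")


def parse_tdsskiller_log(text):
    """Return (hashes, verdicts, other): MD5 per object, verdict lines per
    object in log order, and the remaining (time, message) pairs."""
    hashes, verdicts, other = {}, {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # blank line or non-log text
        msg = m.group("msg")
        h = HASH_RE.match(msg)
        if h:
            rest = h.group("rest")
            # Service/driver lines are "<name> <path>"; device lines are a
            # bare "\Device\..." path with no separate name.
            obj = rest if rest.startswith("\\") else rest.split(None, 1)[0]
            hashes[obj] = h.group("md5").upper()
            continue
        v = VERDICT_RE.match(msg)
        if v:
            verdicts.setdefault(v.group("obj"), []).append((v.group("det"), v.group("verdict")))
            continue
        other.append((m.group("time"), msg))
    return hashes, verdicts, other


def triage(text):
    """Summarise a log: detections with the user's chosen action, objects
    copied to quarantine, objects scheduled for cure, and skipped detections
    other than the generic unsigned-file notice."""
    hashes, verdicts, _ = parse_tdsskiller_log(text)
    detections, quarantined, cured = [], [], []
    for obj, entries in verdicts.items():
        names, action = [], None
        for det, verdict in entries:
            d = DETECTED_RE.match(verdict)
            name = det or (d.group("name") if d else None)
            if name and name not in names:
                names.append(name)
            if verdict.startswith("User select action: "):
                action = verdict.split(": ", 1)[1]
            elif verdict == "copied to quarantine":
                quarantined.append(obj)
            elif verdict == "will be cured on reboot":
                cured.append(obj)
        detections.extend((obj, name, action) for name in names)
    # UnsignedFile.Multi.Generic marks an unsigned driver or service rather
    # than a named malware family, so skipping it is the usual choice;
    # anything else that was skipped is still on the machine.
    unresolved = [d for d in detections
                  if d[2] == "Skip" and not d[1].startswith("UnsignedFile.")]
    return {"hashes": hashes, "detections": detections,
            "quarantined": quarantined, "cured": cured, "unresolved": unresolved}


# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
19:32:13.0743 3340  [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs            C:\WINDOWS\system32\drivers\Ntfs.sys
19:32:13.0915 3340  Ntfs - ok
19:32:31.0712 3340  ================ Scan MBR ==================================
19:32:31.0884 3340  [ 923A599A126887912E20C0D762FB67BC ] \Device\Harddisk0\DR0
19:32:32.0040 3340  \Device\Harddisk0\DR0 ( TDSS File System ) - warning
19:32:32.0040 3340  \Device\Harddisk0\DR0 - detected TDSS File System (1)
19:32:35.0368 3332  Detected object count: 7
19:37:23.0962 3332  ATI Smart ( UnsignedFile.Multi.Generic ) - skipped by user
19:37:23.0962 3332  ATI Smart ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:37:24.0009 3332  C:\WINDOWS\system32\DRIVERS\isapnp.sys - copied to quarantine
19:37:24.0040 3332  \Device\Harddisk0\DR0\TDLFS\tdl - copied to quarantine
19:37:25.0696 3332  Backup copy not found, trying to cure infected file..
19:37:25.0712 3332  C:\WINDOWS\system32\DRIVERS\isapnp.sys - will be cured on reboot
19:37:25.0712 3332  isapnp ( Rootkit.Win32.TDSS.tdl3 ) - User select action: Cure
19:37:25.0728 3332  \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
19:37:25.0728 3332  \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
19:37:41.0712 0620  Deinitialize success
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for obj, name, action in report["detections"]:
        print(f"{obj}: {name} -> {action}")
    print("quarantined:", report["quarantined"])
    print("cured:", report["cured"])
    print("skipped non-generic detections:", report["unresolved"])
```

On the sample, the summary shows the isapnp.sys driver quarantined and scheduled for cure as Rootkit.Win32.TDSS.tdl3, while the TDSS File System on \Device\Harddisk0\DR0 was answered with Skip and is listed as unresolved; the unsigned-file notices are reported but not flagged.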



#6 nasdaq
  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 July 2013 - 06:07 AM

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS by sUBs from one of the following links, if you no longer have it available. Save it to your desktop.

1: DDS.scr (Not recommended if you use Chrome to download this .scr file. Use the other options.)
2: DDS.pif
3: DDS.COM

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===

If you have an internet connection on this computer run ComboFix.
You may be asked to update the program, please do.

Please paste the logs in your next reply, DO NOT ATTACH THEM
Let me know what problem persists.

#7 nasdaq
  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 July 2013 - 07:38 AM

Are you still with me?

#8 karen_needs_help
  • Topic Starter
  • Members
  • 15 posts

Posted 26 July 2013 - 07:29 PM

Yes, I am trying to post a reply. I keep trying to post and I get the error that I do not have permission to perform that function. I will try "breaking it up" into 2 posts because it is quite long.



#9 karen_needs_help
  • Topic Starter
  • Members
  • 15 posts

Posted 26 July 2013 - 07:37 PM

part 1:

I downloaded the DDS file onto a USB from a good laptop, then transferred it to my infected machine's desktop, double-clicked it and executed the scan. I try to paste the results of the dds.txt file and I get an error??

 

Should I send it in an attachment?



#10 karen_needs_help
  • Topic Starter
  • Members
  • 15 posts

Posted 26 July 2013 - 07:42 PM

There was another file that was created called the "attach.txt" file and I have zipped this file up but have not attached it to the posting as per your request. I tried posting the pasted contents of this file and got an error stating that I do not have permission to perform the function?? Anyway I have the log files created, I can attach them if you want me to as it appears I cannot successfully post the pasted contents??

 

 

I tried running ComboFix but got an error connecting to the internet?? Not too sure why this happened as I was able to successfully do this before? I think when I ran it before, I executed the program through the command line. I must have followed online instructions to do so. It really is a bit of a fog on what I did when??
 
All of my desktop icons do not work and the "All Programs" listing in my start menu is not visible. I also cannot get a command prompt without pressing the Windows key and the "r" key simultaneously.
 
I am not too sure what to do next??  When I reboot I am still getting the following error:
Error message #1 - ATI graphics
You do not have permission to change Catalyst Control settings.  Please contact your system administrator.
 
When I restart my computer, prior to shutdown, I get the following error:
 
"End Program - Microsoft Visual C++ Runtime Library"
This program is not responding
If you choose to end the program immediately, you will lose any unsaved data.  To end the program now click End Now"
 
If I click cancel - nothing happens and my computer will not shutdown
 
I go to start, turn off computer, turn off
same error as above, then
If I click end now - the computer will shut down
 
But when I start the computer again, I still get the error about the "catalyst converter" and most of my icons are not clickable, and I do not have a "run" in my start menu and I cannot launch a browser. Also, I get a balloon popping up about my computer being at risk because there is no virus scan software installed.
 
I have a desktop icon for Zone Alarm Security Suite, so I tried clicking on that icon and it worked, saying that I was downloading "Zone Alarm Security Suite". It appeared to be successfully installing the program, but I then got an error stating "The installer cannot shutdown your current version of Zone Alarm. To resolve this, please restart your computer and then restart your upgrade". I click OK then receive the following error: "The file C:\Documents and Settings\KarenK\LocalSettings\temp\072313185925\glf7.tmp could not be opened". I then click OK.
Then I receive the following: "the system must be restarted to complete the installation". I click OK, my computer restarts (I still get the Visual C++ error on shutdown - click End Now). My computer restarts and I still appear to have NOT installed Zone Alarm.
 
I still do not have an Internet Explorer icon on my desktop, so I am not too sure how to get to the internet. The icon in my start menu says "Internet Explorer (No Add-ons)". The Malwarebytes icon on my desktop does not work either.
 
I am able to view personal files through Windows Explorer though.
 
If you could please help me I would appreciate it! I can attach the .txt files in an attachment in another posting, please let me know if you would like me to do so. I am hoping the contents in the log files might mean something to you and you are able to give me some more ideas, as I am still dead in the water! I am using my daughter's laptop to post this reply.
 
Thank you, I look forward to hearing from you.


#11 karen_needs_help
  • Topic Starter
  • Members
  • 15 posts

Posted 26 July 2013 - 07:46 PM

I have attached the contents of my original posting in a .txt file

Attached Files



#12 nasdaq
  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 July 2013 - 07:51 AM

Run this and post or attach the log if you can.

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller


#13 karen_needs_help
  • Topic Starter
  • Members
  • 15 posts

Posted 28 July 2013 - 05:02 PM

Hi Nasdaq,

 

I downloaded and ran "RogueKiller for 32 bit". After following the steps you had posted, I shut down my computer. Note: when I shut down I still see the

"End Program - Microsoft Visual C++ Runtime Library"
This program is not responding
If you choose to end the program immediately, you will lose any unsaved data.  To end the program now click End Now", I click end now - the computer will shut down.
 
When I restarted my computer I still do not see any programs listed from my start menu and I do not have an IE explorer icon on my desktop that I can click??
 
Looks like the same symptoms as before. I still get the ATI Graphics error "you do not have permission to change CATALYST Control Centre settings. Please contact your administrator for further help." (I then just click OK).
 
I have attached the two text files created after running the scan.  I seem to have an issue posting when I paste the contents of these logs.  I hope that is OK?
 
Please let me know "next steps".
 
Thanks again, I look forward to your response.
 

 

Attached Files



#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 July 2013 - 07:27 AM


Reinstall the Microsoft Visual C++.
Follow the installation instructions on this page.

http://www.microsoft.com/en-us/download/details.aspx?id=29
===

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:

  • List last 10 Event Viewer log
  • List installed programs

Click Go and copy/paste the log (Result.txt) into your next post.
===

You will normally find iexplore.exe in this folder:
C:\Program Files\Internet Explorer\iexplore.exe

Right-click on the .exe file and drag it to your desktop.
This should give you an icon that you can use.
===

To make your files visible again, please download the following program to your desktop: Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

This may take some time; please let it finish.
=====

Start menu problem.

Variants of the FakeHDD rogue programs are now deleting the following folders and storing them in a numbered folder under %Temp%\smtmp\:

%Temp%\smtmp\1\ => %AllUsersProfile%\Start Menu
%Temp%\smtmp\2\ => %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch
%Temp%\smtmp\3\ => %AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
%Temp%\smtmp\4\ => %AllUsersProfile%\Desktop

It goes without saying that running a %Temp% cleaner ahead of restoration would result in loss of these folders.

Do you see any such folder \Temp\smtmp\?

If not, try this:

Download this .exe file to your desktop and run it.
Windows XP Pro 32-bit US English - This should also work in other 32-bit versions of Windows XP
http://download.bleepingcomputer.com/grinler/fakehdd/winxp-pro-32bit-sm-reset.exe

===

Will try to solve your ATI Graphics error later.

Let me know what problem persists.
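
The %Temp%\smtmp mechanism nasdaq describes above, as an added example that is not part of this thread and is not one of the BleepingComputer tools: a PowerShell script that checks for %Temp%\smtmp\1 to \4, moves their contents back to the locations listed in the post without overwriting anything already there, and clears the Hidden attribute on the restored folders (the job Unhide.exe does for the whole drive). Assumptions: the numbering matches the post; folder 3 is taken to be the Windows 7 "User Pinned\TaskBar" folder under %AppData%; $env:APPDATA is used for folders 2 and 3 because it already resolves to "...\Application Data" on XP and "...\AppData\Roaming" on Vista and later; PowerShell 2.0 or later is installed (it is not on Windows XP by default); and the script is run from an elevated prompt. Run it with -WhatIf first to see what it would move.

```powershell
# Added example (not from the thread or any BleepingComputer tool): put back
# the Start Menu / Quick Launch / Desktop folders that a FakeHDD-style rogue
# moved into %TEMP%\smtmp\<n>, and clear the Hidden attribute on them.
# Nothing already present at the destination is overwritten, and the smtmp
# folder is left in place afterwards as a backup. Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: the rogue used %TEMP%\smtmp as described in the post.
    [string]$SmtmpRoot = (Join-Path $env:TEMP 'smtmp')
)

# Assumed mapping of numbered folder -> original location (from the post).
$Map = @{
    '1' = Join-Path $env:ALLUSERSPROFILE 'Start Menu'
    '2' = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
    '3' = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'
    '4' = Join-Path $env:ALLUSERSPROFILE 'Desktop'
}

# Recursively move files from $Source to $Destination, recreating folders and
# skipping any file that already exists at the destination. Relative paths are
# built from item names so 8.3 short names in %TEMP% (DOCUME~1) do not matter.
function Restore-Tree {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Source, [string]$Destination)
    foreach ($item in Get-ChildItem -LiteralPath $Source -Force) {
        $target = Join-Path $Destination $item.Name
        if ($item.PSIsContainer) {
            if (-not (Test-Path -LiteralPath $target)) {
                New-Item -ItemType Directory -Path $target | Out-Null
            }
            Restore-Tree -Source $item.FullName -Destination $target
        }
        elseif (Test-Path -LiteralPath $target) {
            Write-Host "  skip (already present): $target"
        }
        elseif ($PSCmdlet.ShouldProcess($target, "Move from $($item.FullName)")) {
            Move-Item -LiteralPath $item.FullName -Destination $target
        }
    }
}

# Clear +H on a folder and everything under it (the rogue hides what it leaves
# behind). This only touches the restored locations, not the whole drive.
function Clear-HiddenAttribute {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path)
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Force -Recurse)
    foreach ($item in $items) {
        if (($item.Attributes -band [IO.FileAttributes]::Hidden) -and
            $PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden attribute')) {
            $item.Attributes = $item.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
        }
    }
}

if (-not (Test-Path -LiteralPath $SmtmpRoot)) {
    Write-Warning "No $SmtmpRoot folder found; nothing to restore from here."
    return
}

foreach ($n in ($Map.Keys | Sort-Object)) {
    $src = Join-Path $SmtmpRoot $n
    if (-not (Test-Path -LiteralPath $src)) { continue }
    $dst = $Map[$n]
    Write-Host "smtmp\$n -> $dst"
    if (-not (Test-Path -LiteralPath $dst)) {
        New-Item -ItemType Directory -Path $dst -Force | Out-Null
    }
    Restore-Tree -Source $src -Destination $dst
    if (Test-Path -LiteralPath $dst) { Clear-HiddenAttribute -Path $dst }
}

Write-Host "Done. $SmtmpRoot was left in place; delete it only after checking the Start menu."
```

The script deliberately moves rather than copies, so a second run is a no-op, and it never deletes the smtmp folder: as the post says, a %Temp% cleaner run before the check would destroy the only copy of the Start menu. If no smtmp folder exists at all, the rogue has not just hidden the shortcuts but removed them, and the sm-reset tool linked in the post (which rebuilds a default Start menu) is the fallback.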


#15 karen_needs_help

karen_needs_help
  • Topic Starter

  • Members
  • 15 posts

Posted 29 July 2013 - 07:39 PM

Hi Nasdaq,

I went to re-install Microsoft Visual C++ but the instructions on the page said:

"IMPORTANT: If you have installed previous pre-release versions of Visual C++ 2008 or Visual Studio 2008, such as Beta 1, Beta 2 or Community Technical Preview (CTP) builds, then you must uninstall these versions via Add/Remove Programs in Control Panel before installing the final released version." NOTE: I was reading these instructions from a good laptop and not my infected machine.

When I went to Add/Remove Programs in my Control Panel to see if I have these versions installed, the list of programs was not populated, so I executed "unhide.exe" first.

Once unhide.exe finished running successfully, I rebooted my computer. My program files are still not visible in my Start menu. I went to Control Panel > Add/Remove Programs to see if I had any of the previously mentioned versions of C++ installed on my computer; the program listing in Add/Remove Programs was also not visible.

So I carried on with the instructions as listed above, starting from the top as you have suggested.

When I double-click the vcredist_86.exe file to re-install Visual C++, I get the following error:

"An error has occurred during setup.
The following error has occurred during setup: The Windows Installer service could not be accessed. Contact your support personnel to verify that the Windows Installer service is properly registered. For more information, visit the following web site: Product Support Centre (link)."

When I clicked on the link an IE browser briefly appeared with the word "connecting", then the window closed automatically.

I tried clicking on the link again and I get a browser opened with "http://go.microsoft.com/fwlink/?Linkld=45396 - Windows Internet Explorer" in the title bar of the browser; the word "connecting......." appears in the title of the browser tab and nothing happens.

I got another window pop up with setup.exe in the title bar of the error window:

"Microsoft Visual C++ 2008 Redistributable Package has encountered a problem during setup. Setup did not complete correctly."

When I click on "What does this report contain", I see the following:

\WLF2.tmp
C:\DOCUME~1\KarenK\LOCALS~1\Temp\SDB3.tmp
C:\DOCUME~1\KarenK\LOCALS~1\Temp\VSW0\VSSWMSISummary.txt
C:\DOCUME~1\KarenK\LOCALS~1\Temp\VSW0\VSSWMSInstallTime.txt
C:\DOCUME~1\KarenK\LOCALS~1\Temp\VSW0\VSSWMSIFailInfotxt
<no files>

When I tried to navigate through Windows Explorer to this location, I did not see a LOCALS~ folder under the KarenK directory.

I then proceeded with the 2nd step as you have outlined above, running MiniToolBox, and have attached the Result.txt log file created. Please keep in mind that I have been downloading these .exe files on my daughter's laptop, then copying them to a stick, then transferring them to my infected computer's desktop and running them from there. I hope this does not cause any issues. The reason I am telling you this is because I noticed something about "mallory's-PC" in the log file. That is my daughter's laptop where I downloaded the .exe files prior to copying to the infected computer's desktop via USB stick. I cannot download anything on my computer as I am unable to open a browser.

As per your instructions I dragged the Internet Explorer icon to my desktop from my Program Files. I double-clicked the icon and got the following error:

"Your last browser session closed unexpectedly. Would you like to restore your last session or go to your homepage?"

When I click on "go to home page", the browser session freezes with a "connecting...." message on the title of the browser tab. When I click the "X" to close, I receive the following error:

"The program is not responding" End now etc.

I click "end now" and the browser window closes.

I get an error report message saying I have attempted to close a non-responsive program. When I view the details of the report I see:

C:\DOCUME~1\KarenK\LOCALS~1\Temp\WERd6e6.dir00\iexplore.exe.mdmp
C:\DOCUME~1\KarenK\LOCALS~1\TempWERd6e6.dir00\appcompat.txt

I do not see any files called smtmp on my C: drive and my "Search" capability seems to be disabled. So I downloaded the reset .exe onto the good laptop and transferred it to the infected desktop via a USB stick. I ran the reset .exe and received a message that I will now have to restart the computer to restore the Start menu.

I still got the C++ error, clicked End Now and my computer restarted. I still see the error:

"Your computer might be at risk
No firewall is turned on
Antivirus software might not be installed
Click this balloon to solve the problem"

and get the Catalyst Converter error (as usual).

I still do not have the "Run" option in my Start menu.

I am sorry Nasdaq, but it appears that I was not able to do anything you have suggested successfully, except run the MiniToolBox .exe, of which I have attached the log file generated.

Once again any help you can give me would be greatly appreciated. Thank you so much for your patience, I look forward to hearing from you.

Attached File: Result.txt (13.22 KB)