
Thread: in need of help with malware removal

  #1
    Senior Member, joined Jan 2010, 115 posts

    in need of help with malware removal

    I am trying to fix my husband's laptop and I have been lucky enough to have benefitted from wonderful help here in the past for another computer in the house so I am looking forward to delving into another "adventure"!
    I have run Microsoft Security Essentials, Spybot, and Malwarebytes AntiMalware scans and have deleted what I could but I am sure there is something lurking in the deep here so I turn to the experts! I ran ERUNT and am including the DDS log here but I'm not sure if I zipped the "attach.txt" file correctly. Please let me know if I need to fix it. Many thanks in advance for your expertise. Any help would be much appreciated!

    DDS txt
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Home at 14:58:43 on 2012-04-12
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.73 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.comcast.net/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\home\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/insaniquarium/sis/popcaploader_v10.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{6F3861E7-6528-4210-A9A9-EE79613318EF} : DhcpNameServer = 192.168.1.1
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    LSA: Notification Packages = scecli scecli
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    .
    =============== Created Last 30 ================
    .
    2012-04-11 23:55:48 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{38e91212-b480-4e13-9ae4-f7ed7becc7c4}\offreg.dll
    2012-04-11 23:55:47 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{38e91212-b480-4e13-9ae4-f7ed7becc7c4}\MpKsl1d15e7b3.sys
    2012-04-11 21:37:23 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{38e91212-b480-4e13-9ae4-f7ed7becc7c4}\mpengine.dll
    2012-04-10 18:41:25 -------- d-----w- c:\documents and settings\home\application data\Malwarebytes
    2012-04-10 18:38:38 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-04-10 18:38:34 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-10 18:38:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-09 21:44:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-04-09 21:44:02 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
    2012-04-09 21:36:19 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
    .
    ==================== Find3M ====================
    .
    2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST94813AS rev.8.04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8699549F]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8699c740]; MOV EAX, [0x8699c8b4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86D7AAB8]
    3 CLASSPNP[0xF757EFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000074[0x86CEC3B8]
    5 ACPI[0xF7415620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86CEB940]
    \Driver\atapi[0x86BAC518] -> IRP_MJ_CREATE -> 0x8699549F
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x869952C6
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 15:00:59.31 ===============

  #2
    Senior Member, joined Sep 2010, 631 posts

    Hi mla34, welcome to the forum.

    To make cleaning this machine easier
    • Please do not uninstall/install any programs unless asked to
      It is more difficult when files/programs are appearing in/disappearing from the logs.
    • Please do not run any scans other than those requested
    • Please follow all instructions in the order posted
    • All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, and uncheck Word Wrap if it is checked.
    • Do not attach any logs/reports, etc. unless specifically requested to do so.
    • If you have problems with or do not understand the instructions, please ask before continuing.
    • Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

    Download the latest version of TDSSKiller from here and save it to your Desktop.

    • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
    • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
    • Click the Start Scan button.
    • If a suspicious object is detected, the default action will be Skip; click on Continue.
    • If malicious objects are found, they will show in the Scan results and offer three (3) options.
    • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

    A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.
    Member of UNITE and ASAP
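The helper asks for the TDSSKiller log to be pasted back so it can be read by eye. As an added example (not from the thread, the forum, or Kaspersky's tool), the script below parses a log in the layout TDSSKiller 2.7.x writes, one "<time> <pid> <service> (<md5>) <path>" line followed by a "<time> <pid> <service> - ok|warning|detected ..." result line, and separates real detections from the SigCheck heuristic `UnsignedFile.*`, which only means the driver carries no valid Authenticode signature. On Windows XP many legitimate OEM drivers are unsigned, so that warning on its own is not grounds to Delete, which is why the instructions above say to Skip when Cure is not offered. The sample excerpt is constructed for this example from lines of the kind quoted in the thread; the regexes and the severity ordering are this example's own assumptions, not part of TDSSKiller.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the layout TDSSKiller 2.7.x writes. The service names
# and hashes mirror lines quoted in this thread; this is not a complete log.
SAMPLE_LOG = r"""
08:01:22.0843 1624 Abiosdsk - ok
08:01:23.0687 1624 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
08:03:32.0890 1624 ACPI - ok
08:08:07.0421 1624 Apple Mobile Device (20f6f19fe9e753f2780dc2fa083ad597) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
08:08:14.0390 1624 Apple Mobile Device - ok
08:09:01.0281 1624 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
08:09:01.0406 1624 cercsr6 ( UnsignedFile.Multi.Generic ) - warning
08:09:01.0468 1624 cercsr6 - detected UnsignedFile.Multi.Generic (1)
08:25:29.0796 1624 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
08:25:29.0921 1624 OMCI ( UnsignedFile.Multi.Generic ) - warning
08:25:29.0968 1624 OMCI - detected UnsignedFile.Multi.Generic (1)
"""

# "<time> <pid> <service> (<md5>) <path>"  -- file identification line
FILE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<name>.+?)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*?)\s*$"
)
# "<time> <pid> <service> [( <tag> )] - ok|warning|detected [<verdict>] [(n)]"
RESULT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<name>.+?)"
    r"(?:\s+\(\s*(?P<tag>[^)]+?)\s*\))?\s+-\s+"
    r"(?P<status>ok|warning|detected)(?:\s+(?P<verdict>\S+))?(?:\s+\((?P<count>\d+)\))?\s*$"
)

# Assumed ordering so a later "detected" line outranks an earlier "warning".
SEVERITY = {"unknown": 0, "ok": 0, "warning": 1, "detected": 2}


@dataclass
class Entry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    status: str = "unknown"
    verdicts: List[str] = field(default_factory=list)

    @property
    def is_signature_only(self) -> bool:
        # UnsignedFile.* comes from the Verify Driver Digital Signature option:
        # the file has no valid signature. It is not a malware verdict by itself.
        return bool(self.verdicts) and all(v.startswith("UnsignedFile.") for v in self.verdicts)


def parse_tdsskiller_log(text: str) -> Dict[str, Entry]:
    """Merge file and result lines into one Entry per service/driver name."""
    entries: Dict[str, Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            e = entries.setdefault(m["name"], Entry(m["name"]))
            e.md5, e.path = m["md5"].lower(), m["path"]
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue  # banner, SystemInfo and "====" lines carry no verdict
        e = entries.setdefault(m["name"], Entry(m["name"]))
        if SEVERITY[m["status"]] >= SEVERITY[e.status]:
            e.status = m["status"]
        verdict = m["verdict"] or m["tag"]
        if verdict and verdict not in e.verdicts:
            e.verdicts.append(verdict)
    return entries


def triage(entries: Dict[str, Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Return (signature-only warnings, everything else that was flagged)."""
    unsigned: List[Entry] = []
    malicious: List[Entry] = []
    for e in sorted(entries.values(), key=lambda x: x.name.lower()):
        if e.status in ("ok", "unknown"):
            continue
        (unsigned if e.is_signature_only else malicious).append(e)
    return unsigned, malicious


def report(text: str) -> str:
    unsigned, malicious = triage(parse_tdsskiller_log(text))
    lines = [f"{len(malicious)} detection(s), {len(unsigned)} unsigned-driver warning(s)"]
    for e in malicious:
        lines.append(f"  DETECTED {e.name}: {', '.join(e.verdicts)}  {e.path}  md5={e.md5}")
    for e in unsigned:
        lines.append(f"  unsigned {e.name}: {e.path}  md5={e.md5}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a full log and only the entries in the first group need further checking; for the second group the MD5 is what to look up, since the driver name alone tells you nothing about whether the file on disk is the vendor's.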

  #3
    Senior Member, joined Jan 2010, 115 posts

    Thanks so much for your help. Here is the log from the scan. I also want to mention that after the scan was completed, Microsoft Security Essentials popped up saying it had found 6 threats, all of which were trojans, and wanted to clean them. I did not do that since I want to check with you first to see what I should do next. Please let me know if I should ignore the request to clean for now. Thanks again. Maureen

    07:57:34.0453 0860 TDSS rootkit removing tool 2.7.28.0 Apr 10 2012 16:54:05
    07:57:44.0812 0860 ============================================================
    07:57:44.0812 0860 Current date / time: 2012/04/13 07:57:44.0812
    07:57:44.0812 0860 SystemInfo:
    07:57:44.0812 0860
    07:57:44.0812 0860 OS Version: 5.1.2600 ServicePack: 3.0
    07:57:44.0812 0860 Product type: Workstation
    07:57:44.0906 0860 ComputerName: 8G77SC1
    07:57:44.0968 0860 UserName: Home
    07:57:44.0968 0860 Windows directory: C:\WINDOWS
    07:57:44.0968 0860 System windows directory: C:\WINDOWS
    07:57:44.0968 0860 Processor architecture: Intel x86
    07:57:44.0968 0860 Number of processors: 2
    07:57:44.0968 0860 Page size: 0x1000
    07:57:44.0968 0860 Boot type: Normal boot
    07:57:44.0968 0860 ============================================================
    07:58:59.0375 0860 Drive \Device\Harddisk0\DR0 - Size: 0x950A60000 (37.26 Gb), SectorSize: 0x200, Cylinders: 0x1300, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    07:58:59.0828 0860 \Device\Harddisk0\DR0:
    07:59:00.0078 0860 MBR used
    07:59:00.0078 0860 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4A852C1
    07:59:00.0671 0860 Initialize success
    07:59:00.0671 0860 ============================================================
    08:00:59.0843 1624 ============================================================
    08:00:59.0968 1624 Scan started
    08:00:59.0968 1624 Mode: Manual; SigCheck; TDLFS;
    08:00:59.0968 1624 ============================================================
    08:01:22.0843 1624 Abiosdsk - ok
    08:01:23.0375 1624 abp480n5 - ok
    08:01:23.0687 1624 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    08:03:32.0890 1624 ACPI - ok
    08:03:34.0343 1624 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    08:05:33.0015 1624 ACPIEC - ok
    08:05:37.0203 1624 adpu160m - ok
    08:05:37.0828 1624 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    08:06:38.0203 1624 aec - ok
    08:06:41.0781 1624 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
    08:06:52.0984 1624 AFD - ok
    08:06:56.0718 1624 Aha154x - ok
    08:07:00.0234 1624 aic78u2 - ok
    08:07:01.0765 1624 aic78xx - ok
    08:07:04.0750 1624 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
    08:07:37.0968 1624 Alerter - ok
    08:07:38.0968 1624 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
    08:08:06.0015 1624 ALG - ok
    08:08:06.0640 1624 AliIde - ok
    08:08:07.0031 1624 amsint - ok
    08:08:07.0421 1624 Apple Mobile Device (20f6f19fe9e753f2780dc2fa083ad597) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    08:08:14.0390 1624 Apple Mobile Device - ok
    08:08:17.0000 1624 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
    08:08:19.0484 1624 AppMgmt - ok
    08:08:19.0875 1624 asc - ok
    08:08:20.0078 1624 asc3350p - ok
    08:08:21.0093 1624 asc3550 - ok
    08:08:21.0890 1624 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    08:08:23.0078 1624 AsyncMac - ok
    08:08:24.0156 1624 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    08:08:25.0343 1624 atapi - ok
    08:08:26.0093 1624 Atdisk - ok
    08:08:26.0406 1624 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    08:08:26.0828 1624 Atmarpc - ok
    08:08:27.0421 1624 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
    08:08:28.0734 1624 AudioSrv - ok
    08:08:29.0406 1624 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    08:08:29.0625 1624 audstub - ok
    08:08:31.0265 1624 b57w2k (c0acd392ece55784884cc208aafa06ce) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
    08:08:33.0234 1624 b57w2k - ok
    08:08:35.0109 1624 BCM43XX (30d20fc98bcfd52e1da778cf19b223d4) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
    08:08:37.0468 1624 BCM43XX - ok
    08:08:39.0671 1624 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    08:08:40.0421 1624 Beep - ok
    08:08:40.0890 1624 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
    08:08:43.0906 1624 BITS - ok
    08:08:46.0890 1624 Bonjour Service (1c87705ccb2f60172b0fc86b5d82f00d) C:\Program Files\Bonjour\mDNSResponder.exe
    08:08:54.0343 1624 Bonjour Service - ok
    08:08:54.0796 1624 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
    08:08:56.0187 1624 Browser - ok
    08:08:57.0328 1624 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    08:08:57.0671 1624 cbidf2k - ok
    08:08:58.0921 1624 cd20xrnt - ok
    08:08:59.0046 1624 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    08:08:59.0312 1624 Cdaudio - ok
    08:08:59.0421 1624 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    08:09:00.0000 1624 Cdfs - ok
    08:09:00.0187 1624 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    08:09:00.0453 1624 Cdrom - ok
    08:09:01.0281 1624 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
    08:09:01.0406 1624 cercsr6 ( UnsignedFile.Multi.Generic ) - warning
    08:09:01.0468 1624 cercsr6 - detected UnsignedFile.Multi.Generic (1)
    08:09:02.0156 1624 Changer - ok
    08:09:02.0984 1624 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
    08:09:21.0046 1624 CiSvc - ok
    08:09:22.0234 1624 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
    08:13:42.0937 1624 ClipSrv - ok
    08:14:41.0890 1624 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    08:14:54.0421 1624 CmBatt - ok
    08:14:56.0281 1624 CmdIde - ok
    08:14:58.0531 1624 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    08:14:59.0078 1624 Compbatt - ok
    08:15:01.0843 1624 COMSysApp - ok
    08:15:02.0109 1624 Cpqarray - ok
    08:15:02.0437 1624 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
    08:15:04.0656 1624 CryptSvc - ok
    08:15:04.0812 1624 dac2w2k - ok
    08:15:04.0984 1624 dac960nt - ok
    08:15:05.0375 1624 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
    08:15:07.0312 1624 DcomLaunch - ok
    08:15:07.0968 1624 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
    08:15:08.0937 1624 Dhcp - ok
    08:15:09.0500 1624 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    08:15:09.0843 1624 Disk - ok
    08:15:10.0031 1624 dmadmin - ok
    08:15:34.0343 1624 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    08:18:09.0953 1624 dmboot - ok
    08:18:29.0750 1624 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    08:20:54.0031 1624 dmio - ok
    08:21:03.0921 1624 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    08:21:27.0828 1624 dmload - ok
    08:21:33.0093 1624 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
    08:21:35.0203 1624 dmserver - ok
    08:21:59.0437 1624 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    08:21:59.0750 1624 DMusic - ok
    08:22:00.0531 1624 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
    08:22:02.0546 1624 Dnscache - ok
    08:22:03.0171 1624 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
    08:22:05.0265 1624 Dot3svc - ok
    08:22:05.0843 1624 dpti2o - ok
    08:22:06.0171 1624 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    08:22:06.0468 1624 drmkaud - ok
    08:22:06.0890 1624 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
    08:22:07.0890 1624 EapHost - ok
    08:22:08.0765 1624 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
    08:22:09.0187 1624 ERSvc - ok
    08:22:10.0984 1624 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
    08:22:12.0656 1624 Eventlog - ok
    08:22:12.0984 1624 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
    08:22:14.0234 1624 EventSystem - ok
    08:22:16.0218 1624 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    08:22:16.0609 1624 Fastfat - ok
    08:22:17.0093 1624 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
    08:22:17.0562 1624 FastUserSwitchingCompatibility - ok
    08:22:18.0218 1624 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    08:22:18.0687 1624 Fdc - ok
    08:22:20.0031 1624 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    08:22:20.0296 1624 Fips - ok
    08:22:20.0984 1624 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    08:22:21.0343 1624 Flpydisk - ok
    08:22:22.0656 1624 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    08:22:22.0937 1624 FltMgr - ok
    08:22:23.0812 1624 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    08:22:24.0031 1624 Fs_Rec - ok
    08:22:24.0984 1624 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    08:22:25.0421 1624 Ftdisk - ok
    08:22:26.0328 1624 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    08:22:26.0656 1624 GEARAspiWDM - ok
    08:22:27.0156 1624 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    08:22:27.0671 1624 Gpc - ok
    08:22:28.0453 1624 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    08:22:28.0796 1624 HDAudBus - ok
    08:22:29.0203 1624 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
    08:22:29.0609 1624 helpsvc - ok
    08:22:29.0984 1624 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
    08:22:30.0296 1624 HidServ - ok
    08:22:30.0953 1624 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    08:22:31.0218 1624 HidUsb - ok
    08:22:33.0578 1624 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
    08:22:34.0125 1624 hkmsvc - ok
    08:22:35.0781 1624 hpn - ok
    08:22:36.0750 1624 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
    08:22:38.0171 1624 HSF_DPV - ok
    08:22:39.0531 1624 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
    08:22:40.0062 1624 HSXHWAZL - ok
    08:22:42.0046 1624 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    08:22:42.0750 1624 HTTP - ok
    08:22:43.0734 1624 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
    08:22:44.0015 1624 HTTPFilter - ok
    08:22:44.0750 1624 i2omgmt - ok
    08:22:45.0781 1624 i2omp - ok
    08:22:46.0171 1624 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    08:22:46.0671 1624 i8042prt - ok
    08:22:48.0171 1624 ialm (cc449157474d5e43daea7e20f52c635a) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    08:22:50.0015 1624 ialm - ok
    08:22:51.0906 1624 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    08:22:52.0125 1624 Imapi - ok
    08:22:52.0812 1624 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
    08:22:53.0421 1624 ImapiService - ok
    08:22:54.0203 1624 ini910u - ok
    08:22:54.0984 1624 IntelIde - ok
    08:22:56.0515 1624 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    08:22:56.0750 1624 intelppm - ok
    08:22:58.0328 1624 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    08:22:58.0578 1624 Ip6Fw - ok
    08:22:59.0125 1624 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    08:22:59.0484 1624 IpFilterDriver - ok
    08:23:00.0500 1624 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    08:23:00.0843 1624 IpInIp - ok
    08:23:01.0156 1624 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    08:23:01.0328 1624 IpNat - ok
    08:23:02.0781 1624 iPod Service (f62c69376a95795fe7cdb1c778edaca4) C:\Program Files\iPod\bin\iPodService.exe
    08:23:06.0000 1624 iPod Service - ok
    08:23:06.0734 1624 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    08:23:07.0140 1624 IPSec - ok
    08:23:08.0890 1624 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    08:23:09.0093 1624 IRENUM - ok
    08:23:10.0578 1624 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    08:23:10.0921 1624 isapnp - ok
    08:23:17.0640 1624 JavaQuickStarterService (9aa67569d5257462e230767510b0c815) C:\Program Files\Java\jre6\bin\jqs.exe
    08:23:20.0359 1624 JavaQuickStarterService - ok
    08:23:21.0281 1624 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    08:23:21.0484 1624 Kbdclass - ok
    08:23:25.0484 1624 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    08:23:25.0953 1624 kmixer - ok
    08:23:33.0625 1624 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    08:23:34.0093 1624 KSecDD - ok
    08:23:35.0343 1624 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
    08:23:35.0765 1624 lanmanserver - ok
    08:23:37.0250 1624 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
    08:23:37.0656 1624 lanmanworkstation - ok
    08:23:38.0703 1624 lbrtfdc - ok
    08:23:40.0484 1624 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
    08:23:54.0187 1624 LmHosts - ok
    08:23:55.0671 1624 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    08:23:55.0843 1624 mdmxsdk - ok
    08:23:55.0937 1624 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
    08:23:56.0125 1624 Messenger - ok
    08:23:56.0171 1624 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    08:23:56.0390 1624 mnmdd - ok
    08:23:56.0437 1624 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
    08:23:57.0078 1624 mnmsrvc - ok
    08:23:57.0203 1624 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    08:23:57.0453 1624 Modem - ok
    08:23:57.0515 1624 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    08:23:57.0718 1624 Mouclass - ok
    08:23:58.0000 1624 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    08:23:58.0171 1624 mouhid - ok
    08:23:58.0296 1624 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    08:23:58.0468 1624 MountMgr - ok
    08:23:58.0593 1624 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
    08:23:58.0875 1624 MpFilter - ok
    08:23:59.0109 1624 MpKslfe37dca4 (a69630d039c38018689190234f866d77) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{563D876A-1A9B-458C-8DC3-1C982277ED9D}\MpKslfe37dca4.sys
    08:23:59.0406 1624 MpKslfe37dca4 - ok
    08:23:59.0500 1624 mraid35x - ok
    08:23:59.0640 1624 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    08:23:59.0828 1624 MRxDAV - ok
    08:24:00.0015 1624 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    08:24:00.0359 1624 MRxSmb - ok
    08:24:00.0718 1624 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
    08:24:01.0812 1624 MSDTC - ok
    08:24:02.0890 1624 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    08:24:03.0062 1624 Msfs - ok
    08:24:03.0625 1624 MSIServer - ok
    08:24:04.0062 1624 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    08:24:04.0328 1624 MSKSSRV - ok
    08:24:05.0250 1624 MsMpSvc (cfce43b70ca0cc4dcc8adb62b792b173) c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    08:24:05.0500 1624 MsMpSvc - ok
    08:24:06.0687 1624 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    08:24:07.0265 1624 MSPCLOCK - ok
    08:24:09.0375 1624 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    08:24:09.0687 1624 MSPQM - ok
    08:24:10.0500 1624 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    08:24:10.0687 1624 mssmbios - ok
    08:24:10.0968 1624 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
    08:24:11.0390 1624 Mup - ok
    08:24:12.0046 1624 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
    08:24:13.0796 1624 napagent - ok
    08:24:14.0187 1624 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    08:24:15.0390 1624 NDIS - ok
    08:24:17.0187 1624 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    08:24:17.0343 1624 NdisTapi - ok
    08:24:18.0984 1624 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    08:24:29.0187 1624 Ndisuio - ok
    08:24:30.0593 1624 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    08:24:36.0390 1624 NdisWan - ok
    08:24:40.0250 1624 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    08:24:44.0328 1624 NDProxy - ok
    08:24:53.0734 1624 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    08:25:11.0265 1624 NetBIOS - ok
    08:25:14.0265 1624 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    08:25:15.0984 1624 NetBT - ok
    08:25:16.0218 1624 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
    08:25:23.0546 1624 NetDDE - ok
    08:25:23.0609 1624 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
    08:25:23.0843 1624 NetDDEdsdm - ok
    08:25:23.0937 1624 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
    08:25:24.0140 1624 Netlogon - ok
    08:25:24.0250 1624 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
    08:25:25.0046 1624 Netman - ok
    08:25:25.0171 1624 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
    08:25:25.0578 1624 Nla - ok
    08:25:25.0781 1624 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    08:25:25.0984 1624 Npfs - ok
    08:25:26.0171 1624 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    08:25:26.0406 1624 Ntfs - ok
    08:25:26.0515 1624 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
    08:25:26.0656 1624 NtLmSsp - ok
    08:25:26.0890 1624 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
    08:25:27.0796 1624 NtmsSvc - ok
    08:25:27.0906 1624 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    08:25:28.0140 1624 Null - ok
    08:25:28.0250 1624 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    08:25:28.0453 1624 NwlnkFlt - ok
    08:25:28.0531 1624 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    08:25:28.0781 1624 NwlnkFwd - ok
    08:25:28.0968 1624 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
    08:25:29.0609 1624 odserv - ok
    08:25:29.0796 1624 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
    08:25:29.0921 1624 OMCI ( UnsignedFile.Multi.Generic ) - warning
    08:25:29.0968 1624 OMCI - detected UnsignedFile.Multi.Generic (1)
    08:25:30.0109 1624 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    08:25:30.0453 1624 ose - ok
    08:25:30.0578 1624 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    08:25:30.0828 1624 Parport - ok
    08:25:30.0859 1624 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    08:25:31.0015 1624 PartMgr - ok
    08:25:31.0156 1624 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    08:25:31.0312 1624 ParVdm - ok
    08:25:31.0359 1624 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    08:25:31.0546 1624 PCI - ok
    08:25:31.0562 1624 PCIDump - ok
    08:25:31.0593 1624 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    08:25:31.0765 1624 PCIIde - ok
    08:25:31.0921 1624 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    08:25:32.0156 1624 Pcmcia - ok
    08:25:32.0218 1624 PDCOMP - ok
    08:25:32.0234 1624 PDFRAME - ok
    08:25:32.0250 1624 PDRELI - ok
    08:25:32.0265 1624 PDRFRAME - ok
    08:25:32.0281 1624 perc2 - ok
    08:25:32.0296 1624 perc2hib - ok
    08:25:32.0359 1624 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
    08:25:32.0656 1624 PlugPlay - ok
    08:25:32.0750 1624 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
    08:25:32.0968 1624 PolicyAgent - ok
    08:25:33.0078 1624 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    08:25:33.0218 1624 PptpMiniport - ok
    08:25:33.0421 1624 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
    08:25:33.0546 1624 ProtectedStorage - ok
    08:25:33.0750 1624 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    08:25:34.0000 1624 PSched - ok
    08:25:34.0140 1624 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    08:25:34.0343 1624 Ptilink - ok
    08:25:34.0375 1624 ql1080 - ok
    08:25:34.0437 1624 Ql10wnt - ok
    08:25:34.0453 1624 ql12160 - ok
    08:25:34.0515 1624 ql1240 - ok
    08:25:34.0531 1624 ql1280 - ok
    08:25:34.0578 1624 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    08:25:34.0859 1624 RasAcd - ok
    08:25:34.0921 1624 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
    08:25:35.0750 1624 RasAuto - ok
    08:25:36.0265 1624 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    08:25:36.0546 1624 Rasl2tp - ok
    08:25:37.0093 1624 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
    08:25:37.0515 1624 RasMan - ok
    08:25:37.0640 1624 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    08:25:37.0921 1624 RasPppoe - ok
    08:25:39.0312 1624 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    08:25:39.0500 1624 Raspti - ok
    08:25:40.0203 1624 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    08:25:40.0906 1624 Rdbss - ok
    08:25:41.0687 1624 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    08:25:41.0859 1624 RDPCDD - ok
    08:25:41.0953 1624 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    08:25:42.0156 1624 rdpdr - ok
    08:25:42.0218 1624 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
    08:25:42.0390 1624 RDPWD - ok
    08:25:42.0640 1624 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
    08:25:43.0531 1624 RDSessMgr - ok
    08:25:43.0953 1624 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    08:25:44.0218 1624 redbook - ok
    08:25:44.0296 1624 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
    08:25:44.0515 1624 RemoteAccess - ok
    08:25:44.0640 1624 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
    08:25:44.0812 1624 RemoteRegistry - ok
    08:25:44.0843 1624 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
    08:25:45.0109 1624 RpcLocator - ok
    08:25:45.0265 1624 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
    08:25:45.0421 1624 RpcSs - ok
    08:25:45.0484 1624 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
    08:25:45.0734 1624 RSVP - ok
    08:25:45.0765 1624 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
    08:25:45.0906 1624 SamSs - ok
    08:25:46.0093 1624 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
    08:25:46.0343 1624 SCardSvr - ok
    08:25:46.0453 1624 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
    08:25:46.0718 1624 Schedule - ok
    08:25:46.0843 1624 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    08:25:47.0015 1624 Secdrv - ok
    08:25:47.0406 1624 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
    08:25:48.0265 1624 seclogon - ok
    08:25:48.0453 1624 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
    08:25:48.0640 1624 SENS - ok
    08:25:48.0796 1624 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    08:25:48.0937 1624 serenum - ok
    08:25:49.0390 1624 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    08:25:49.0593 1624 Serial - ok
    08:25:49.0718 1624 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    08:25:49.0921 1624 Sfloppy - ok
    08:25:50.0328 1624 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
    08:25:52.0125 1624 SharedAccess - ok
    08:25:52.0953 1624 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
    08:25:53.0156 1624 ShellHWDetection - ok
    08:25:55.0156 1624 Simbad - ok
    08:25:56.0296 1624 Sparrow - ok
    08:25:57.0687 1624 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    08:25:57.0937 1624 splitter - ok
    08:25:58.0250 1624 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
    08:25:58.0453 1624 Spooler - ok
    08:25:59.0140 1624 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    08:25:59.0500 1624 sr - ok
    08:26:00.0093 1624 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
    08:26:00.0656 1624 srservice - ok
    08:26:01.0218 1624 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    08:26:01.0968 1624 Srv - ok
    08:26:02.0171 1624 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
    08:26:02.0562 1624 SSDPSRV - ok
    08:26:03.0093 1624 STHDA (3ad78e22210d3fbd9f76de84a8df19b5) C:\WINDOWS\system32\drivers\sthda.sys
    08:26:03.0390 1624 STHDA - ok
    08:26:03.0875 1624 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
    08:26:04.0593 1624 stisvc - ok
    08:26:04.0718 1624 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    08:26:05.0687 1624 swenum - ok
    08:26:06.0156 1624 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    08:26:06.0328 1624 swmidi - ok
    08:26:06.0546 1624 SwPrv - ok
    08:26:06.0718 1624 symc810 - ok
    08:26:06.0765 1624 symc8xx - ok
    08:26:06.0781 1624 sym_hi - ok
    08:26:06.0906 1624 sym_u3 - ok
    08:26:07.0031 1624 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    08:26:07.0250 1624 sysaudio - ok
    08:26:07.0281 1624 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
    08:26:07.0671 1624 SysmonLog - ok
    08:26:07.0859 1624 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
    08:26:08.0156 1624 TapiSrv - ok
    08:26:08.0625 1624 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    08:26:08.0859 1624 Tcpip - ok
    08:26:08.0953 1624 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    08:26:09.0125 1624 TDPIPE - ok
    08:26:09.0203 1624 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    08:26:09.0437 1624 TDTCP - ok
    08:26:09.0515 1624 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    08:26:09.0687 1624 TermDD - ok
    08:26:09.0796 1624 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
    08:26:10.0046 1624 TermService - ok
    08:26:10.0140 1624 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
    08:26:10.0234 1624 Themes - ok
    08:26:10.0281 1624 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
    08:26:10.0609 1624 TlntSvr - ok
    08:26:10.0625 1624 TosIde - ok
    08:26:10.0703 1624 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
    08:26:10.0843 1624 TrkWks - ok
    08:26:10.0890 1624 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    08:26:11.0093 1624 Udfs - ok
    08:26:11.0125 1624 UIUSys - ok
    08:26:11.0140 1624 ultra - ok
    08:26:11.0218 1624 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    08:26:11.0421 1624 Update - ok
    08:26:11.0531 1624 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
    08:26:11.0750 1624 upnphost - ok
    08:26:11.0843 1624 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
    08:26:12.0093 1624 UPS - ok
    08:26:12.0250 1624 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
    08:26:12.0375 1624 USBAAPL - ok
    08:26:12.0453 1624 USBCCID (6b5e4d5e6e5ecd6acd14aed59768ce5c) C:\WINDOWS\system32\DRIVERS\usbccid.sys
    08:26:12.0546 1624 USBCCID - ok
    08:26:12.0593 1624 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    08:26:12.0765 1624 usbehci - ok
    08:26:12.0812 1624 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    08:26:13.0000 1624 usbhub - ok
    08:26:13.0078 1624 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    08:26:13.0234 1624 usbscan - ok
    08:26:13.0296 1624 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    08:26:13.0453 1624 USBSTOR - ok
    08:26:13.0546 1624 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    08:26:13.0718 1624 usbuhci - ok
    08:26:14.0468 1624 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    08:26:14.0640 1624 VgaSave - ok
    08:26:14.0703 1624 ViaIde - ok
    08:26:14.0781 1624 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    08:26:15.0062 1624 VolSnap - ok
    08:26:15.0265 1624 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
    08:26:16.0468 1624 VSS - ok
    08:26:17.0031 1624 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
    08:26:17.0375 1624 W32Time - ok
    08:26:20.0484 1624 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    08:26:20.0687 1624 Wanarp - ok
    08:26:21.0140 1624 WDICA - ok
    08:26:21.0390 1624 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    08:26:21.0640 1624 wdmaud - ok
    08:26:21.0828 1624 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
    08:26:22.0093 1624 WebClient - ok
    08:26:22.0671 1624 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
    08:26:22.0843 1624 winachsf - ok
    08:26:23.0000 1624 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
    08:26:23.0296 1624 winmgmt - ok
    08:26:23.0406 1624 wltrysvc - ok
    08:26:23.0468 1624 WmdmPmSN (c7e39ea41233e9f5b86c8da3a9f1e4a8) C:\WINDOWS\system32\mspmsnsv.dll
    08:26:23.0671 1624 WmdmPmSN - ok
    08:26:23.0765 1624 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
    08:26:24.0234 1624 Wmi - ok
    08:26:24.0359 1624 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    08:26:24.0500 1624 WmiAcpi - ok
    08:26:24.0609 1624 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
    08:26:24.0906 1624 WmiApSrv - ok
    08:26:25.0031 1624 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
    08:26:25.0281 1624 wscsvc - ok
    08:26:25.0343 1624 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
    08:26:25.0500 1624 wuauserv - ok
    08:26:25.0593 1624 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    08:26:25.0796 1624 WudfPf - ok
    08:26:25.0875 1624 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    08:26:26.0000 1624 WudfRd - ok
    08:26:26.0078 1624 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
    08:26:26.0218 1624 WudfSvc - ok
    08:26:26.0296 1624 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
    08:26:26.0656 1624 WZCSVC - ok
    08:26:26.0984 1624 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
    08:26:27.0156 1624 xmlprov - ok
    08:26:27.0218 1624 MBR (0x1B8) (faee7e40dfb0440ad2cfc39befa1f4c2) \Device\Harddisk0\DR0
    08:26:27.0265 1624 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
    08:26:27.0281 1624 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
    08:26:27.0375 1624 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
    08:26:27.0375 1624 \Device\Harddisk0\DR0 - detected TDSS File System (1)
    08:26:27.0375 1624 Boot (0x1200) (c54b50610ab89d8fbf934a77ccb25f96) \Device\Harddisk0\DR0\Partition0
    08:26:27.0390 1624 \Device\Harddisk0\DR0\Partition0 - ok
    08:26:27.0390 1624 ============================================================
    08:26:27.0390 1624 Scan finished
    08:26:27.0390 1624 ============================================================
    08:26:28.0953 3044 Detected object count: 4
    08:26:28.0968 3044 Actual detected object count: 4
    08:35:06.0890 3044 cercsr6 ( UnsignedFile.Multi.Generic ) - skipped by user
    08:35:07.0062 3044 cercsr6 ( UnsignedFile.Multi.Generic ) - User select action: Skip
    08:35:07.0062 3044 OMCI ( UnsignedFile.Multi.Generic ) - skipped by user
    08:35:07.0062 3044 OMCI ( UnsignedFile.Multi.Generic ) - User select action: Skip
    08:35:35.0296 3044 \Device\Harddisk0\DR0\# - copied to quarantine
    08:35:41.0234 3044 \Device\Harddisk0\DR0 - copied to quarantine
    08:36:06.0015 3044 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
    08:36:07.0140 3044 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
    08:36:24.0750 3044 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
    08:36:26.0937 3044 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
    08:36:27.0250 3044 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
    08:36:28.0234 3044 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
    08:36:31.0484 3044 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
    08:36:32.0109 3044 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
    08:36:32.0187 3044 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
    08:36:32.0218 3044 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
    08:36:32.0593 3044 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
    08:36:33.0156 3044 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
    08:36:33.0406 3044 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
    08:36:33.0406 3044 \Device\Harddisk0\DR0 - ok
    08:36:33.0515 3044 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
    08:36:33.0515 3044 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
    08:36:33.0515 3044 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
    08:40:21.0843 3212 Deinitialize success

  4. #4
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi mla34,


    AVs are notorious for detecting things after the fact.

    Please rerun TDSSKiller. This time, when presented with these lines

    08:26:27.0375 1624 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
    08:26:27.0375 1624 \Device\Harddisk0\DR0 - detected TDSS File System (1)
    use the dropdown menu and select delete.

    MSE still detecting anything?


    Next


    Download aswMBR.exe to your desktop.

    Double click the aswMBR.exe to run it. If asked to download Avast's database please do so.

    Click the "Scan" button to start the scan.


    On completion of the scan, click "Save log", save it to your desktop and post it in your next reply.


    There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.


    Please post back with
    • TDSK log
    • aswMBR log
    • MBR.zip (attached)
    How's the computer?
    Member of UNITE and ASAP
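Added example, not part of this thread or of TDSSKiller itself: a small Python triage script that parses log lines in the format posted above and lists only the objects that received a non-ok result, so the two lines this reply points at can be located without reading the whole log. The sample is constructed from lines of the log above; the regexes are an assumption based on the layout shown here, not a documented TDSSKiller grammar, and the trailing "(0)"/"(1)" flag is captured but not interpreted, since the thread does not say what it means.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the TDSSKiller log above.
# Layout assumed here: "<time> <thread id> <object> ..." followed by a hash+path,
# a "( detection ) - verdict", a "- detected X (n)" or a "- ok" tail.
SAMPLE_LOG = r"""
08:25:29.0796 1624 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
08:25:29.0921 1624 OMCI ( UnsignedFile.Multi.Generic ) - warning
08:25:29.0968 1624 OMCI - detected UnsignedFile.Multi.Generic (1)
08:25:30.0578 1624 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
08:25:30.0828 1624 Parport - ok
08:26:27.0218 1624 MBR (0x1B8) (faee7e40dfb0440ad2cfc39befa1f4c2) \Device\Harddisk0\DR0
08:26:27.0265 1624 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
08:26:27.0281 1624 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
08:26:27.0375 1624 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
08:26:27.0375 1624 \Device\Harddisk0\DR0 - detected TDSS File System (1)
08:26:27.0390 1624 \Device\Harddisk0\DR0\Partition0 - ok
08:26:27.0390 1624 Scan finished
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<tid>\d+)\s+(?P<rest>.+)$")
SCANNED_RE = re.compile(r"^(?P<obj>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
VERDICT_RE = re.compile(r"^(?P<obj>.+?) \( (?P<det>.+?) \) - (?P<verdict>.+)$")
DETECTED_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<det>.+?) \((?P<flag>\d+)\)$")
OK_RE = re.compile(r"^(?P<obj>.+?) - ok$")


def parse_line(line):
    """Classify one log line; None for lines without the time/thread prefix."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    for kind, rx in (("scanned", SCANNED_RE), ("verdict", VERDICT_RE),
                     ("detected", DETECTED_RE), ("ok", OK_RE)):
        r = rx.match(rest)
        if r:
            return {"kind": kind, "time": m.group("ts"), **r.groupdict()}
    return {"kind": "other", "time": m.group("ts"), "text": rest}


def triage(log_text):
    """Return {object: {md5, path, detections, actions}} for non-ok objects only."""
    known = {}  # service name and device path -> (md5, path) from the scan line
    findings = defaultdict(lambda: {"detections": [], "actions": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["kind"] in ("ok", "other"):
            continue
        if rec["kind"] == "scanned":
            known[rec["obj"]] = known[rec["path"]] = (rec["md5"], rec["path"])
        elif rec["kind"] == "verdict":
            findings[rec["obj"]]["actions"].append((rec["det"], rec["verdict"]))
        else:
            findings[rec["obj"]]["detections"].append((rec["det"], rec["flag"]))
    for obj, f in findings.items():
        f["md5"], f["path"] = known.get(obj, (None, obj))  # MBR keys by device path
    return dict(findings)


def worst_verdict(finding):
    """Rank: 'infected' (2) outranks 'warning' (1); user actions count as 0."""
    order = {"infected": 2, "warning": 1}
    return max((order.get(v, 0) for _, v in finding["actions"]), default=0)


if __name__ == "__main__":
    for obj, f in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -worst_verdict(kv[1])):
        print(worst_verdict(f), obj, f["path"], f["md5"], f["actions"])
```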

  5. #5
    Senior Member
    Join Date
    Jan 2010
    Posts
    115

    Default

    Should I change the parameters this time, like I did the last time, before I run the scan?

  6. #6
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi mla34,

    Yes, set it up like you did before.
    Member of UNITE and ASAP
