-
Hi,
Run aswMBR again just to scan and post a new log, please.
-
aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-15 13:03:42
-----------------------------
13:03:42.709 OS Version: Windows x64 6.1.7601 Service Pack 1
13:03:42.709 Number of processors: 1 586 0x170A
13:03:42.709 ComputerName: MELISSA-PC UserName: melissa
13:03:43.723 Initialize success
13:04:59.021 AVAST engine defs: 12021500
13:05:00.503 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
13:05:00.503 Disk 0 Vendor: TOSHIBA_MK2556GSY LH003C Size: 238475MB BusType: 11
13:05:00.518 Disk 0 MBR read successfully
13:05:00.518 Disk 0 MBR scan
13:05:00.534 Disk 0 unknown MBR code
13:05:00.534 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
13:05:00.550 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 225481 MB offset 409600
13:05:00.581 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12793 MB offset 462194688
13:05:00.581 Service scanning
13:05:01.829 Modules scanning
13:05:01.829 Disk 0 trace - called modules:
13:05:01.860 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
13:05:01.860 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8002718600]
13:05:01.938 3 CLASSPNP.SYS[fffff880010b143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800226d060]
13:05:03.638 AVAST engine scan C:\Windows
13:05:05.042 AVAST engine scan C:\Windows\system32
13:29:22.462 AVAST engine scan C:\Windows\system32\drivers
13:29:40.230 AVAST engine scan C:\Users\melissa
13:32:29.288 AVAST engine scan C:\ProgramData
13:34:37.865 Scan finished successfully
14:25:42.352 Disk 0 MBR has been saved successfully to "C:\Users\melissa\Desktop\MBR.dat"
14:25:42.383 The log file has been saved successfully to "C:\Users\melissa\Desktop\aswMBR.txt"
14:25:56.951 Disk 0 MBR has been saved successfully to "C:\Users\melissa\Desktop\MBR.dat"
14:25:56.951 The log file has been saved successfully to "C:\Users\melissa\Desktop\aswMBR.txt"
-
Hi,
Outside of losing all your pictures, how are things running in general? When we're done I can link you to a Windows forum that may be able to help you get some of your files back.
-
Everything looks great. I tried show hidden files again after the last scan and they are all there except the ones labeled java files. I greatly appreciate all the time you have taken helping someone you do not know. I would love to learn how to help people like this one day.
-
FYI
C:\Windows\svchost.exe: this file is legit if it was in the system32 folder, but where it is in the Windows folder it's a virus.
You were infected with a TDL4, which is a variant of the TDSS Rootkit, not nice.
I would at this point advise you to change all your passwords for sites that you frequent, especially sites that you may shop at or do any online banking.
Post back in a few days and let me know how it's going.
Another FYI
http://forums.whatthetech.com/index.php?showtopic=80368
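
The location check described in the post above, written out as an added example (it is not part of the original thread or any poster's tooling). It flags image paths named svchost.exe that resolve outside System32/SysWOW64; the Windows directory, the watch list and the sample paths are assumptions constructed for the illustration.

```python
import ntpath

# Assumption for this example: Windows is installed in C:\Windows.
SYSTEM_ROOT = r"C:\Windows"
# Directories a genuine svchost.exe process image runs from on 64-bit Windows.
TRUSTED_DIRS = {
    ntpath.normcase(ntpath.join(SYSTEM_ROOT, "System32")),
    ntpath.normcase(ntpath.join(SYSTEM_ROOT, "SysWOW64")),
}
# Hypothetical watch list; extend with other system binary names as needed.
GUARDED_NAMES = {"svchost.exe"}


def canonical(path):
    """Normalise the path forms Windows tools print for a process image."""
    p = path.strip().strip('"')
    for prefix in ("\\??\\", "\\\\?\\"):        # NT / Win32 long-path prefixes
        if p.startswith(prefix):
            p = p[len(prefix):]
    if p.lower().startswith("\\systemroot\\"):   # form used in service entries
        p = SYSTEM_ROOT + p[len("\\SystemRoot"):]
    # normpath collapses "..", normcase lowercases and unifies separators
    return ntpath.normcase(ntpath.normpath(p))


def misplaced(image_paths):
    """Return the paths whose file name is guarded but whose folder is not trusted."""
    flagged = []
    for raw in image_paths:
        directory, name = ntpath.split(canonical(raw))
        if name in GUARDED_NAMES and directory not in TRUSTED_DIRS:
            flagged.append(raw)
    return flagged


# Constructed sample input, e.g. the image-path column of a process listing.
SAMPLE = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\svchost.exe",
    r"\SystemRoot\System32\svchost.exe",
    r"\??\C:\WINDOWS\system32\..\svchost.exe",
    r"C:\Windows\SysWOW64\svchost.exe",
    r"C:\Users\melissa\AppData\Local\Temp\SVCHOST.EXE",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for path in misplaced(SAMPLE):
        print("review:", path)
```

A hit is a reason to inspect the file, not proof of infection; the name alone says nothing about a file that sits in the trusted folder.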
-
Already changed them when I saw she had a problem. So am I clean then sir?
-
-
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip Win32/Bagle.gen.zip worm
C:\TDSSKiller_Quarantine\14.02.2012_20.45.38\mbr0000\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\14.02.2012_20.45.38\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.X trojan
C:\TDSSKiller_Quarantine\14.02.2012_20.45.38\mbr0000\tdlfs0000\tsk0005.dta a variant of Win32/Rootkit.Kryptik.ID trojan
C:\TDSSKiller_Quarantine\14.02.2012_20.45.38\mbr0000\tdlfs0000\tsk0006.dta Win64/Olmarik.AC trojan
C:\TDSSKiller_Quarantine\14.02.2012_20.45.38\mbr0000\tdlfs0000\tsk0007.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\14.02.2012_20.45.38\mbr0000\tdlfs0000\tsk0008.dta Win64/Olmarik.Z trojan
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip Win32/Bagle.gen.zip worm
C:\Users\melissa\AppData\Local\Temp\ICReinstall\cnet_PandoraRecovery2_1_1Setup_exe.exe a variant of Win32/InstallCore.D application
-
All those files are in Quarantine from the programs we have run and are harmless where they're at.
Open up Spybot and go to the recovery folder and delete it all.
Any other problems ?