
Infected with max++x86.dll rootkit


  • This topic is locked
44 replies to this topic

#1 mzd

mzd

  • Members
  • 24 posts
  • OFFLINE

Posted 05 February 2010 - 03:43 PM

Hello. First off, let me thank you all in advance.
OK. Windows XP SP3.
On 1/20/2010 I was infected with IS2010.exe, installed without my knowledge. I was able to regain access to regedit and I removed it. Ran Malwarebytes and it found a persistent key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\{F9197A7E-CE10-458e-85F8-5B0CE6DF2BBE} (Trojan.Agent).
Every time I delete it, it comes back.
Current symptoms are occasional Google search redirects, and system freezes around 11:30-Noon each day.
With more research, I suspected some sort of rootkit.
GMER found \\74.117.114.86\max++.86.dll in most of the system files running (svchosts, winlogon, inetinfo, VPTray, etc).
I won't run anything else until instructed to do so.
Thanks again!

- DDS, RootRepeal logs attached -

DDS (Ver_09-12-01.01) - NTFSx86
Run by mgsherry at 14:10:43.76 on Fri 02/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1134 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\mgsherry\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://seconline.org/
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4080616
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer provided by WCER
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: MaxRecentDocs = 15 (0xf)
uPolicies-system: ConnectHomeDirToRoot = 0 (0x0)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232988150837
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232988089614
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://ccsso.webex.com/client/T26L/event/ieatgpc.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mgsherry\applic~1\mozilla\firefox\profiles\evf59t1d.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-21 64288]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-10-7 1822648]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100205.002\naveng.sys [2010-2-5 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100205.002\navex15.sys [2010-2-5 1324720]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-11 14336]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2010-02-02 20:32:48 0 d-----w- C:\VundoFix Backups
2010-01-26 17:53:37 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-25 18:11:49 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-25 18:11:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-22 15:48:28 0 d-----w- c:\program files\CCleaner
2010-01-21 22:55:42 0 d-----w- c:\docume~1\mgsherry\applic~1\Malwarebytes
2010-01-21 22:55:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-21 22:55:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-21 22:55:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-21 22:55:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-21 17:22:36 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-21 17:12:47 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-21 17:11:06 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-21 17:10:52 0 d-----w- c:\program files\Lavasoft
2010-01-21 15:10:17 2206 ----a-w- c:\windows\system32\wpa.dbl
2010-01-21 15:10:13 0 ----a-w- c:\windows\system32\ativvaxx.cap

==================== Find3M ====================

2009-12-23 18:12:55 81800 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-17 23:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-11 08:38:55 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-11-21 15:51:04 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

============= FINISH: 14:10:55.02 ===============


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  • Gender:Male
  • Location:The Netherlands

Posted 06 February 2010 - 11:17 AM

Hi mzd,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Please post the GMER log to your reply.

Tell me also if the Windows Recovery Console is installed on your computer or if you have the Windows installation CD.

#3 mzd

mzd
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE

Posted 07 February 2010 - 05:08 PM

Hello farbar,
Sorry for not getting back to you sooner, for some reason I am not getting thread notifications.
I agree to not making any system changes unless instructed to do so. I have the Windows XP installation discs (but they are not SP2) and it does not look like Windows Recovery Console is installed on my computer.
My previous GMER scan crashed so I am running one now and will post results when it is finished. It does take a while on this computer though.
Thanks for your help!

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  • Gender:Male
  • Location:The Netherlands

Posted 07 February 2010 - 05:22 PM

In order to be notified via email when your topic has a reply you need to enable topic notifications. To enable topic notifications you should do the following:
  • Click on the My Controls link at the top of the page to enter your control panel.
  • Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  • Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  • Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.


#5 mzd

mzd
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE

Posted 07 February 2010 - 09:51 PM

Here is the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-07 20:28:45
Windows 5.1.2600 Service Pack 3
Running: fz0kujy9.exe; Driver: C:\DOCUME~1\mgsherry\LOCALS~1\Temp\kxddqfob.sys


---- System - GMER 1.0.15 ----

SSDT 8935D218 ZwAlertResumeThread
SSDT 89256EA8 ZwAlertThread
SSDT 890E1418 ZwAllocateVirtualMemory
SSDT 8906E218 ZwConnectPort
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA0F887E]
SSDT 89E090D0 ZwCreateMutant
SSDT 891B8D38 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0x9D587350]
SSDT 891CE6F0 ZwFreeVirtualMemory
SSDT 893626C8 ZwImpersonateAnonymousToken
SSDT 89389960 ZwImpersonateThread
SSDT 89034150 ZwMapViewOfSection
SSDT 89145008 ZwOpenEvent
SSDT 891CA670 ZwOpenProcessToken
SSDT 891C5618 ZwOpenThreadToken
SSDT 890AE0C0 ZwQueryValueKey
SSDT 88D56E00 ZwResumeThread
SSDT 891F4DC0 ZwSetContextThread
SSDT 89DAB0E8 ZwSetInformationProcess
SSDT 89098038 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0x9D587580]
SSDT 89094068 ZwSuspendProcess
SSDT 891BD888 ZwSuspendThread
SSDT 891C6B60 ZwTerminateProcess
SSDT 89D72E50 ZwTerminateThread
SSDT 893DBE58 ZwUnmapViewOfSection
SSDT 893DEEA0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2F54 805047F0 8 Bytes CALL B8DA22A5 \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.)
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8BF4000, 0x1A3F84, 0xE8000020]
.text usbhub.sys B4589000 25 Bytes [06, 18, 00, 66, C7, 46, 02, ...]
.text usbhub.sys B458901A 43 Bytes [00, 56, 8B, D8, FF, 15, 1C, ...]
.text usbhub.sys B4589046 65 Bytes [EC, 83, EC, 18, 53, 56, 57, ...]
.text usbhub.sys B4589088 143 Bytes [EB, 2F, 8B, 48, 60, 89, 79, ...]
.text usbhub.sys B4589118 22 Bytes [75, 11, 56, 56, 56, 6A, 05, ...]
.text ...
init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0x9D645A00]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2464] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\inetsrv\inetinfo.exe[216] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\inetsrv\inetinfo.exe[216] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Java\jre6\bin\jqs.exe[340] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Java\jre6\bin\jqs.exe[340] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[744] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[744] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\winlogon.exe[788] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\winlogon.exe[788] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\lsass.exe[844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\lsass.exe[844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1136] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1136] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1244] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1244] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Symantec AntiVirus\SavRoam.exe[1300] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Symantec AntiVirus\SavRoam.exe[1300] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Bonjour\mDNSResponder.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Bonjour\mDNSResponder.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1332] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1332] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1448] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1448] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1848] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1848] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1988] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1988] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2108] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2108] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2228] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2228] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\iTunes\iTunesHelper.exe[2708] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\iTunes\iTunesHelper.exe[2708] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3048] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3048] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\PROGRA~1\SYMANT~1\VPTray.exe[3212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\PROGRA~1\SYMANT~1\VPTray.exe[3212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\System32\alg.exe[3280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\System32\alg.exe[3280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE[3788] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE[3788] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[5572] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[5572] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)
Device 98F6BD20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\Disk \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074 BA422BDE
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Threads - GMER 1.0.15 ----

Thread System [4:200] BA42393A
---- Processes - GMER 1.0.15 ----

Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\inetsrv\inetinfo.exe [216] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [340] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [744] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [788] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [844] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1136] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1212] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1244] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Symantec AntiVirus\SavRoam.exe [1300] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1324] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1332] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1448] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [1848] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1988] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2108] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2228] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [2708] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccApp.exe [3048] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\PROGRA~1\SYMANT~1\VPTray.exe [3212] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [3280] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE [3788] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [5572] 0x35670000

---- EOF - GMER 1.0.15 ----

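Every IAT and Processes entry in the GMER log above points at one module with a UNC path, reported hidden in each hooked process and hooking the same two imports. The triage script below is an added example, not part of the thread or of GMER's own code; it parses those two GMER 1.0.15 sections and flags a module when it is hidden or loaded from a UNC path. It assumes the line formats shown above and adds one constructed benign line (the ExampleVendor paths are made up) for contrast.

```python
"""Triage a GMER rootkit-scan log for injected or hooking modules.

Added example, not GMER's code. It groups "User IAT/EAT" hooks and
"Processes" library entries by module and flags a module as suspicious
when GMER marks it hidden or when it is loaded from a UNC path
(\\host\share\file), which is how max++.x86.dll appears in the log above.
"""
import re
from collections import defaultdict

# IAT <process>[<pid>] @ <import owner> [<hooked import>] [<addr>] <hook module>
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<owner>\S.*?)\s+"
    r"\[(?P<import>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S.*)$"
)
# Library <module> (<flags>) @ <process> [<pid>] <base>
LIB_RE = re.compile(
    r"^Library\s+(?P<module>.+?)\s+\((?P<flags>[^)]*)\)\s+@\s+"
    r"(?P<proc>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)$"
)
UNC_RE = re.compile(r"^\\\\[^\\]+\\")  # \\server\...: not a local file


def parse_gmer(text):
    """Return {module: evidence} collected from the IAT and Processes sections."""
    reports = {}

    def entry(module):
        return reports.setdefault(module, {
            "module": module,
            "unc_path": bool(UNC_RE.match(module)),
            "hooks": defaultdict(set),  # pid -> imports hooked by this module
            "hidden_in": set(),         # pids where GMER reports it "hidden"
            "procs": {},                # pid -> process image path
        })

    for raw in text.splitlines():
        line = raw.strip()
        m = IAT_RE.match(line)
        if m:
            info, pid = entry(m["module"]), int(m["pid"])
            info["hooks"][pid].add(m["import"])
            info["procs"][pid] = m["proc"]
            continue
        m = LIB_RE.match(line)
        if m:
            info, pid = entry(m["module"]), int(m["pid"])
            info["procs"][pid] = m["proc"]
            if "hidden" in m["flags"]:
                info["hidden_in"].add(pid)
    return reports


def summarize(reports):
    """One finding per module, suspicious modules first."""
    findings = []
    for info in reports.values():
        hooked = set(info["hooks"])
        reasons = [name for name, hit in (("unc path", info["unc_path"]),
                                          ("hidden library", info["hidden_in"])) if hit]
        findings.append({
            "module": info["module"],
            "suspicious": bool(reasons),
            "reasons": reasons,
            "pids": sorted(hooked | info["hidden_in"]),
            "imports": sorted(set().union(*info["hooks"].values())),
            # hooked processes in which GMER did NOT also list the module as hidden
            "hooked_not_hidden": sorted(hooked - info["hidden_in"]),
        })
    findings.sort(key=lambda f: (not f["suspicious"], f["module"].lower()))
    return findings


# Sample input: lines excerpted from the GMER log in the post above (inetinfo and
# winlogon) plus ONE constructed benign line; the ExampleVendor paths are made up.
SAMPLE_LOG = r"""
---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\inetsrv\inetinfo.exe[216] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\inetsrv\inetinfo.exe[216] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\winlogon.exe[788] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\winlogon.exe[788] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\ExampleVendor\Agent.exe[1500] @ C:\WINDOWS\system32\USER32.dll [kernel32.dll!GetProcAddress] [10001000] C:\Program Files\ExampleVendor\ExampleHook.dll

---- Processes - GMER 1.0.15 ----

Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\inetsrv\inetinfo.exe [216] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [788] 0x35670000
"""

if __name__ == "__main__":
    for f in summarize(parse_gmer(SAMPLE_LOG)):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"{flag:10} {f['module']}  pids={f['pids']}  reasons={f['reasons']}")
        print(f"           hooks={f['imports']}  hooked_not_hidden={f['hooked_not_hidden']}")
```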

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  • Gender:Male
  • Location:The Netherlands

Posted 08 February 2010 - 02:24 AM

  1. Please download maxlook and save the file to your desktop.
    • Double click maxlook.exe to run it. Note - you must run it only once!
    • As instructed when the tool runs, restart the computer and log on to the Recovery Console.

  2. Start the Recovery Console directly from the Windows XP CD by doing the following:
    • Insert the Windows XP cd in your computer.
    • Restart your computer so you are booting off of the CD.
    • When the Welcome to Setup screen appears, press the R button on your keyboard to start the Recovery Console.
    • The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.
    • It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter. If you do not know your password then see this.
    • If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console.

  3. Type the following bolded command at the C:\windows> prompt and press Enter:
      batch look.bat
    • You will see "1 file(s) copied" many times then return to the c:\windows> prompt.
    • Type Exit and press Enter to restart your computer, then log on in normal mode.

  4. Please run maxlook.exe again now. Note - you must run it only once!
    • It will produce looklog.txt on the desktop.
    • Please post the results here.


#7 mzd

mzd
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE

Posted 08 February 2010 - 10:56 AM

I downloaded maxlook and ran it, but I get a Stop error when I try to boot off the CD. The initial drivers load, but once the screen says "Starting Windows..." it blue screens.

STOP: 0x000007B (0xF78DA63C, 0xC0000034, 0x00000000, 0x00000000)

(assuming the Recovery Console is on XP disk 1 and not disk 2 (Diagnostic)?)

Edited by mzd, 08 February 2010 - 10:57 AM.


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  • Gender:Male
  • Location:The Netherlands

Posted 08 February 2010 - 12:20 PM

Let's see if we can run ComboFix; it will install the Recovery Console on the computer.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#9 mzd
  • Topic Starter

Posted 08 February 2010 - 01:00 PM

ComboFix 10-02-07.08 - mgsherry 02/08/2010 11:42:15.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1356 [GMT -6:00]
Running from: c:\documents and settings\mgsherry\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\S-1-5-21-100250181-3737726536-2642719548-500
c:\recycler\S-1-5-21-254694263-1723142912-105296233-500
c:\windows\look.bat
c:\windows\system32\Cache
c:\windows\system32\config\nyddaneq.sav
c:\windows\system32\twain_32.dll

----- BITS: Possible infected sites -----

hxxp://soe-wsus.ad.education.wisc.edu:8530
hxxp://soe-b9:8530
Infected copy of c:\windows\system32\DRIVERS\usbhub.sys was found and disinfected
Restored copy from - The cat ate it :P
.
((((((((((((((((((((((((( Files Created from 2010-01-08 to 2010-02-08 )))))))))))))))))))))))))))))))
.

2010-02-08 17:14 . 2010-02-08 17:19 -------- d-----w- c:\windows\system32\NtmsData
2010-02-08 15:32 . 2010-02-08 15:32 -------- d-----w- c:\windows\maxdriver
2010-02-02 20:32 . 2010-02-02 20:32 -------- d-----w- C:\VundoFix Backups
2010-01-27 17:12 . 2010-01-27 17:12 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-01-27 17:12 . 2010-01-27 17:12 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-01-27 17:12 . 2010-01-27 17:12 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-01-27 17:12 . 2010-01-27 17:12 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-01-26 17:53 . 2010-01-26 17:53 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-25 18:11 . 2010-01-25 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-25 18:11 . 2010-01-25 18:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-25 17:44 . 2010-01-25 17:44 61440 ----a-w- c:\documents and settings\mgsherry\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-49d6d8f6-n\decora-sse.dll
2010-01-25 17:44 . 2010-01-25 17:44 503808 ----a-w- c:\documents and settings\mgsherry\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-49564e23-n\msvcp71.dll
2010-01-25 17:44 . 2010-01-25 17:44 499712 ----a-w- c:\documents and settings\mgsherry\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-49564e23-n\jmc.dll
2010-01-25 17:44 . 2010-01-25 17:44 348160 ----a-w- c:\documents and settings\mgsherry\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-49564e23-n\msvcr71.dll
2010-01-25 17:44 . 2010-01-25 17:44 12800 ----a-w- c:\documents and settings\mgsherry\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-49d6d8f6-n\decora-d3d.dll
2010-01-22 15:48 . 2010-01-22 15:48 -------- d-----w- c:\program files\CCleaner
2010-01-21 22:55 . 2010-01-21 22:55 -------- d-----w- c:\documents and settings\mgsherry\Application Data\Malwarebytes
2010-01-21 22:55 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-21 22:55 . 2010-01-21 22:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-21 22:55 . 2010-01-21 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-21 22:55 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-21 19:29 . 2010-01-21 19:30 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-21 17:22 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-21 17:12 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-21 17:12 . 2010-01-27 17:12 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-21 17:12 . 2010-01-27 17:12 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-21 17:12 . 2010-01-27 17:12 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-21 17:12 . 2010-01-27 17:12 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-21 17:12 . 2010-02-04 17:12 389784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-21 17:12 . 2010-01-27 17:12 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-21 17:12 . 2010-01-27 17:12 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-21 17:11 . 2010-01-27 17:12 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-21 17:11 . 2010-02-04 17:12 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-21 17:11 . 2010-01-27 17:12 816784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-21 17:11 . 2010-02-04 17:12 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-21 17:11 . 2010-01-27 17:12 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-21 17:11 . 2010-01-27 17:12 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-21 17:11 . 2010-02-04 17:12 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-21 17:11 . 2010-01-21 17:11 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-21 17:11 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-01-21 17:10 . 2010-01-21 17:10 -------- d-----w- c:\program files\Lavasoft
2010-01-21 17:10 . 2010-01-21 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-21 15:30 . 2010-01-21 16:42 -------- d-----w- c:\documents and settings\mgsherry\Application Data\Lavasoft
2010-01-20 22:43 . 2010-01-20 22:43 503808 ----a-w- c:\documents and settings\mgsherry\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-3d64fa88-n\msvcp71.dll
2010-01-20 22:43 . 2010-01-20 22:43 348160 ----a-w- c:\documents and settings\mgsherry\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-3d64fa88-n\msvcr71.dll
2010-01-20 22:43 . 2010-01-20 22:43 499712 ----a-w- c:\documents and settings\mgsherry\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-3d64fa88-n\jmc.dll
2010-01-20 22:43 . 2010-01-20 22:43 61440 ----a-w- c:\documents and settings\mgsherry\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-3d64fa88-n\decora-sse.dll
2010-01-20 22:43 . 2010-01-20 22:43 315392 ----a-w- c:\documents and settings\mgsherry\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-1db72b24-n\jogl.dll
2010-01-20 22:43 . 2010-01-20 22:43 20480 ----a-w- c:\documents and settings\mgsherry\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-1db72b24-n\jogl_awt.dll
2010-01-20 22:43 . 2010-01-20 22:43 20480 ----a-w- c:\documents and settings\mgsherry\Application Data\Sun\Java\Deployment\SystemCache\6.0\45\4f710eed-55970a74-n\gluegen-rt.dll
2010-01-20 22:43 . 2010-01-20 22:43 12800 ----a-w- c:\documents and settings\mgsherry\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-3d64fa88-n\decora-d3d.dll
2010-01-20 22:43 . 2010-01-20 22:43 114688 ----a-w- c:\documents and settings\mgsherry\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-1db72b24-n\jogl_cg.dll
2010-01-20 22:34 . 2010-01-20 22:34 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2010-01-20 16:51 . 2010-01-20 16:51 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-01-20 16:51 . 2010-01-20 16:51 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2010-01-11 21:48 . 2010-01-11 21:48 -------- d-----w- c:\documents and settings\mgsherry\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-08 17:43 . 2008-07-30 19:18 -------- d-----w- c:\program files\Symantec AntiVirus
2010-02-08 16:06 . 2008-07-31 14:50 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-02-05 19:19 . 2008-07-30 19:18 -------- d-----w- c:\program files\Symantec
2010-01-29 18:33 . 2008-07-30 21:41 -------- d-----w- c:\program files\Windows Media Connect 2
2010-01-25 19:43 . 2009-07-31 14:18 -------- d-----w- c:\program files\Safari
2010-01-22 16:11 . 2009-09-25 15:59 -------- d-----w- c:\documents and settings\mgsherry\Application Data\WebEx
2010-01-21 17:26 . 2009-11-12 18:23 -------- d-----w- c:\program files\Coupons
2010-01-20 22:43 . 2008-06-16 14:37 -------- d-----w- c:\program files\Common Files\Java
2010-01-20 22:43 . 2008-06-16 14:37 -------- d-----w- c:\program files\Java
2010-01-20 22:25 . 2009-11-09 15:16 79488 ----a-w- c:\documents and settings\mgsherry\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-19 23:00 . 2008-07-30 22:00 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-14 15:14 . 2008-08-25 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-23 18:12 . 2009-07-31 14:30 81800 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-21 19:14 . 2004-08-11 21:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 23:14 . 2008-12-02 14:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-17 22:45 . 2008-06-16 14:42 103224 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 15:51 . 2004-08-11 21:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-15 09:00 . 2009-11-16 15:26 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ede02.vdb\ECMSVR32.DLL
2009-11-10 22:48 . 2009-11-16 15:26 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ede02.vdb\NAVEX32A.DLL
2009-11-10 22:48 . 2009-11-16 15:26 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ede02.vdb\NAVENG.SYS
2009-11-10 22:48 . 2009-11-16 15:26 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ede02.vdb\NAVENG32.DLL
2009-11-10 22:48 . 2009-11-16 15:26 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ede02.vdb\NAVEX15.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 1036288]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ConnectHomeDirToRoot"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"MaxRecentDocs"= 15 (0xf)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-796845957-1390067357-1644491937-11484\Scripts\Logon\0\0]
"Script"=mapdrive.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-796845957-1390067357-1644491937-11484\Scripts\Logon\1\0]
"Script"=AddAdmin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-796845957-1390067357-1644491937-16217\Scripts\Logon\0\0]
"Script"=mapdrive.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-796845957-1390067357-1644491937-16217\Scripts\Logon\1\0]
"Script"=AddAdmin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-796845957-1390067357-1644491937-9157\Scripts\Logon\0\0]
"Script"=ChangeVLKeySP1.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-796845957-1390067357-1644491937-9157\Scripts\Logon\1\0]
"Script"=mapdrive.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/21/2010 11:12 AM 64288]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 1:58 AM 133968]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 7:48 PM 116664]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/5/2010 11:47 AM 102448]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 7:19 AM 1181328]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/11/2004 3:00 PM 14336]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 5:17 AM 2805000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-02-08 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:12]

2010-02-08 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:12]

2010-02-08 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:12]

2010-02-08 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:12]

2010-02-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:12]

2010-02-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-01-05 c:\windows\Tasks\Remove Chart FX Temp files daily.job
- c:\program files\Chart FX Internet 6.2\Util\SfxRemove.exe [1998-11-06 17:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://seconline.org/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\mgsherry\Application Data\Mozilla\Firefox\Profiles\evf59t1d.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-08 11:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\mgsherry\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0xBA452BDE]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f11852
\Driver\iaStor -> iaStor.sys @ 0xb9e7e002
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® 82566DM-2 Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9d3ebb0
PacketIndicateHandler -> NDIS.sys @ 0xb9d4ba21
SendHandler -> NDIS.sys @ 0xb9d2987b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll
max++.00.x86 35670000 49152 \\74.117.114.86\max++.x86.dll
c:\windows\system32\jscript.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'lsass.exe'(848)
max++.00.x86 35670000 49152 \\74.117.114.86\max++.x86.dll
c:\windows\system32\jscript.dll
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2010-02-08 11:49:33
ComboFix-quarantined-files.txt 2010-02-08 17:49

Pre-Run: 14,619,308,032 bytes free
Post-Run: 16,359,882,752 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - BC997029FCFBBF6344BFD046E71A652F
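The two max++ entries in the "DLLs Loaded Under Running Processes" section above are the rootkit's visible trace in this log: a module mapped into winlogon.exe and lsass.exe from a UNC path on 74.117.114.86 instead of a local drive. As an added example (not from the thread and not part of ComboFix), this Python parser reads that section and reports every module whose path is not under a local drive letter, together with the processes hosting it; the sample input is the section from the log above, unchanged.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Sample input: the "DLLs Loaded Under Running Processes" section of the
# ComboFix log posted above, unchanged.
SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll
max++.00.x86 35670000 49152 \\74.117.114.86\max++.x86.dll
c:\windows\system32\jscript.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'lsass.exe'(848)
max++.00.x86 35670000 49152 \\74.117.114.86\max++.x86.dll
c:\windows\system32\jscript.dll
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2010-02-08 11:49:33
"""


class Module(NamedTuple):
    process: str
    pid: int
    path: str
    base: Optional[int]   # load address; ComboFix prints it only for injected modules
    size: Optional[int]   # image size in bytes; likewise


# "- - - - - - - > 'winlogon.exe'(792)" opens a process block.
PROCESS_RE = re.compile(r"^(?:- )+> '(?P<name>[^']+)'\((?P<pid>\d+)\)$")
# Injected modules are listed as "<name> <8-digit hex base> <size> <path>";
# ordinary modules are a bare path.
MODULE_RE = re.compile(
    r"^(?P<mod>\S+)\s+(?P<base>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+(?P<path>.+)$"
)


def parse_dll_section(text: str) -> List[Module]:
    """Return every module in the section, tagged with its host process."""
    modules: List[Module] = []
    current = None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if "DLLs Loaded Under Running Processes" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line == ".":          # ComboFix closes a section with a lone dot
            break
        m = PROCESS_RE.match(line)
        if m:
            current = (m.group("name"), int(m.group("pid")))
            continue
        if not line or current is None:
            continue
        m = MODULE_RE.match(line)
        if m:
            modules.append(Module(current[0], current[1], m.group("path"),
                                  int(m.group("base"), 16), int(m.group("size"))))
        else:
            modules.append(Module(current[0], current[1], line, None, None))
    return modules


def is_suspicious(path: str) -> bool:
    """A module in a system process should live under a local drive letter;
    a UNC path pointing at another host, or anything else, is flagged."""
    return re.match(r"^[A-Za-z]:\\", path) is None


def find_injected_modules(text: str) -> List[Module]:
    return [m for m in parse_dll_section(text) if is_suspicious(m.path)]


def summarize(text: str) -> Dict[str, List[str]]:
    """Map each suspicious module path to the processes hosting it."""
    hosts: Dict[str, List[str]] = {}
    for m in find_injected_modules(text):
        hosts.setdefault(m.path, []).append(f"{m.process}({m.pid})")
    return hosts


if __name__ == "__main__":
    for path, procs in summarize(SAMPLE_LOG).items():
        print(f"{path} loaded in: {', '.join(procs)}")
```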


#10 Farbar
  • Security Developer

Posted 08 February 2010 - 02:27 PM

ComboFix removed some and disinfected a rootkit, but it also removed look.bat, which is part of Maxtool. We will restore it while doing the other fixes.

It seems the computer is infected with multiple rootkits.
  1. Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • If DeFogger asks to reboot the machine, click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.

  2. We are going to run this special tool.
    • Please download TDSSKiller.zip and save it to your desktop.
    • Extract the zip file to your desktop.
    • Double-Click TDSSKiller.exe to run it.
    • When it has finished, press any key to continue.
    • Let it reboot if needed and tell me how it went.


  3. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    CODE
    @ECHO OFF
    REM Run GMER's mbr.exe; it writes its findings to mbr.log in the current directory
    mbr.exe -t
    REM List the SCSI Miniport driver services (e.g. atapi, iaStor) into Log.txt, then append the MBR report
    sc query type= driver group= "SCSI Miniport" > Log.txt
    type mbr.log >>log.txt
    REM Restore look.bat (part of Maxtool) from the ComboFix quarantine
    copy c:\qoobox\quarantine\c\windows\look.bat.vir c:\windows\look.bat >> log.txt
    Start Log.txt

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: dirlook.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate dirlook.bat on the desktop. It should look like this:
    • In Windows XP double-click to run it. In Windows Vista right-click to run it as administrator.
    • Notepad opens; copy and paste its content (log.txt) into your reply.


#11 mzd
  • Topic Starter

Posted 08 February 2010 - 02:46 PM

I have run DeFogger; it didn't require a reboot? But it ran with no errors. The Disable window is still open on my screen, though.
TDSSKiller ran fine as well.
Here is the log from dirlook.bat

SERVICE_NAME: atapi
DISPLAY_NAME: Standard IDE/ESDI Hard Disk Controller
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: iaStor
DISPLAY_NAME: Intel AHCI Controller
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0xBA452BDE]<<
kernel: MBR read successfully
user & kernel MBR OK
1 file(s) copied.

#12 Farbar
  • Security Developer

Posted 08 February 2010 - 03:18 PM

You may close the open DeFogger window.

Go to start > Run copy/paste the following line in the run box and click OK.

cmd /c (dir /oe /a /s "C:\atapi.*" & dir /a /s /oe "C:\iastor.*") >log.txt&log.txt

Wait until a text file (log.txt) opens. Please post its content in your reply.

Edited by farbar, 08 February 2010 - 03:21 PM.


#13 mzd
  • Topic Starter

Posted 08 February 2010 - 03:21 PM

Volume in drive C has no label.
Volume Serial Number is E8EA-C851

Directory of C:\cmdcons

08/03/2004 10:59 PM 49,558 ATAPI.SY_
1 File(s) 49,558 bytes

Directory of C:\dell

05/26/2004 11:23 PM 28,672 ATAPI.EXE
1 File(s) 28,672 bytes

Directory of C:\i386

08/28/2006 12:02 AM 95,872 atapi.sys
1 File(s) 95,872 bytes

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/27/2006 07:02 PM 95,872 atapi.sys.000
08/27/2006 07:02 PM 95,872 atapi.sys
2 File(s) 191,744 bytes

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 12:40 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 12:40 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Directory of C:\WINDOWS\system32\drivers

04/13/2008 12:40 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Total Files Listed:
8 File(s) 655,382 bytes
0 Dir(s) 16,388,198,400 bytes free
Volume in drive C has no label.
Volume Serial Number is E8EA-C851

Directory of C:\drivers\storage\R173412

12/03/2007 07:11 PM 11,694 iastor.cat
12/03/2007 07:11 PM 7,676 iastor.inf
06/16/2008 08:28 AM 13,084 iastor.PNF
12/03/2007 07:11 PM 308,248 IaStor.sys
4 File(s) 340,702 bytes

Directory of C:\i386

12/03/2007 07:11 PM 308,248 iaStor.sys
1 File(s) 308,248 bytes

Directory of C:\Program Files\Intel\Intel Matrix Storage Manager\Driver

10/17/2007 07:32 PM 11,694 iastor.cat
09/29/2007 07:38 PM 7,676 iastor.inf
09/29/2007 09:03 PM 308,248 IaStor.sys
3 File(s) 327,618 bytes

Directory of C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64

10/17/2007 07:32 PM 11,694 iastor.cat
09/29/2007 07:38 PM 7,676 iastor.inf
09/29/2007 09:03 PM 384,024 IaStor.sys
3 File(s) 403,394 bytes

Directory of C:\WINDOWS\system32\drivers

12/03/2007 07:11 PM 308,248 iaStor.sys
1 File(s) 308,248 bytes

Total Files Listed:
12 File(s) 1,688,210 bytes
0 Dir(s) 16,388,198,400 bytes free
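The comparison being made by eye here, each copy of atapi.sys and iaStor.sys on the disk set against the others, can be automated. As an added example (not from the thread), this Python script parses the dir output, treats the copy under system32\drivers as the live driver and the copies under ServicePackFiles\i386 and ERDNT\cache as known-good references, and flags any live driver whose size or timestamp matches none of them; the atapi.sys lines in the sample are taken from the listing above, while the usbhub.sys lines (sizes and dates) are constructed to show what a flagged copy looks like.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample: the atapi.sys lines are copied from the dir output in
# the post above; the usbhub.sys lines (sizes and dates) are made up to show
# a flagged copy.
SAMPLE_DIR_OUTPUT = r"""
 Volume in drive C has no label.
 Volume Serial Number is E8EA-C851

 Directory of C:\i386

08/28/2006 12:02 AM 95,872 atapi.sys
1 File(s) 95,872 bytes

 Directory of C:\WINDOWS\$NtServicePackUninstall$

08/27/2006 07:02 PM 95,872 atapi.sys
1 File(s) 95,872 bytes

 Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 12:40 PM 96,512 atapi.sys
04/13/2008 12:40 PM 59,520 usbhub.sys
2 File(s) 156,032 bytes

 Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 12:40 PM 96,512 atapi.sys
04/13/2008 12:40 PM 59,520 usbhub.sys
2 File(s) 156,032 bytes

 Directory of C:\WINDOWS\system32\drivers

04/13/2008 12:40 PM 96,512 atapi.sys
01/20/2010 10:51 AM 59,520 usbhub.sys
2 File(s) 156,032 bytes
"""


class Entry(NamedTuple):
    directory: str
    name: str
    size: int
    stamp: str        # "MM/DD/YYYY hh:mm AM" exactly as dir prints it


DIR_RE = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
# A file row: date, time, comma-grouped size, name. "<DIR>" rows and the
# "n File(s)" summary rows do not match and are skipped.
FILE_RE = re.compile(
    r"^\s*(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)"
    r"\s+(?P<size>[\d,]+)\s+(?P<name>\S.*?)\s*$"
)


def parse_dir_output(text: str) -> List[Entry]:
    """Flatten `dir /s` output into (directory, name, size, stamp) rows."""
    entries: List[Entry] = []
    current = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group("dir")
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            entries.append(Entry(current, m.group("name"),
                                 int(m.group("size").replace(",", "")),
                                 f"{m.group('date')} {m.group('time')}"))
    return entries


# The driver Windows actually loads, and the stores XP keeps pristine copies
# in. C:\i386 and $NtServicePackUninstall$ hold the pre-service-pack build,
# which legitimately differs, so they are not used as references.
LIVE_DIR = r"\system32\drivers"
REFERENCE_DIRS = (r"\ServicePackFiles\i386", r"\ERDNT\cache")


def _under(entry: Entry, suffix: str) -> bool:
    return entry.directory.lower().endswith(suffix.lower())


def compare_driver_copies(text: str) -> Dict[str, List[str]]:
    """Return {driver name: reasons} for live drivers whose size or timestamp
    matches none of the known-good reference copies."""
    by_name: Dict[str, List[Entry]] = defaultdict(list)
    for e in parse_dir_output(text):
        by_name[e.name.lower()].append(e)
    findings: Dict[str, List[str]] = {}
    for name, copies in by_name.items():
        live = [e for e in copies if _under(e, LIVE_DIR)]
        refs = [e for e in copies if any(_under(e, r) for r in REFERENCE_DIRS)]
        if not live or not refs:
            continue                      # nothing to compare against
        reasons = []
        for cur in live:
            if all(cur.size != r.size for r in refs):
                reasons.append("size mismatch")
            if all(cur.stamp != r.stamp for r in refs):
                reasons.append("timestamp mismatch")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in compare_driver_copies(SAMPLE_DIR_OUTPUT).items():
        print(f"{name}: {', '.join(reasons)}")
```

A driver patched in place keeps its size and can keep its timestamp, so a clean result here is only a lead; comparing a hash of the live file against the ServicePackFiles copy is the real check.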


#14 Farbar
  • Security Developer

Posted 08 February 2010 - 04:10 PM

Let's see if you can get to the Recovery Console. If you can enter it, wait, as we have more to do than step 2 outlined before. Let me know if you are there.

Start the Recovery Console by doing the following:
  • Reboot your computer and as Windows starts it will present you with your startup options: 1. Microsoft Windows Professional 2. Microsoft Recovery Console.
  • With the arrows keys on your keyboard select the option listed as Microsoft Windows Recovery Console and press the enter key on your keyboard.
  • The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press Enter.
  • It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.
  • If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console.


#15 mzd
  • Topic Starter

Posted 08 February 2010 - 04:20 PM

I'm still getting the stop error when starting the Recovery Console. But now I also get a blue screen when booting Windows normally, too.

usbhub.sys
driver_unloaded_without_cancelling_pending_operations




