
Computer Virus'?


14 replies to this topic

#1 Acadian

Acadian

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:15 PM

Posted 19 July 2011 - 03:22 PM

I am working on fixing a Dell Inspiron Laptop with Windows 7 Home Premium x64. The user clicked on an e-mail that looked valid but was not. I ran Malwarebytes and it found nothing. I ran System Analyzer and it found a hefty amount of items where it said Deletion Failed. For example, it has lines like this: Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\en-US\fsquirt.exe.mui, and I noticed a large amount of files with a .mui extension listed on them. I have the text file report and can paste all of the information if needed. I can't find much on whether the detected files are bad, but you never know, so I am asking for help. Any responses would be fantastic.

thank you so much for your time!

Edited by hamluis, 19 July 2011 - 03:49 PM.
Moved to AII from XP.



#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:08:15 PM

Posted 19 July 2011 - 03:26 PM

Can you post the logs from Malwarebytes?

#3 Allan

Allan

  • BC Advisor
  • 8,644 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:03:15 PM

Posted 19 July 2011 - 03:27 PM

I've asked a mod to move this to the appropriate forum. Please wait for a malware specialist to respond.

#4 Acadian

Acadian
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:15 PM

Posted 19 July 2011 - 04:20 PM

Malwarebytes did not find any infections, but I will paste the log in here for you. It was Norton System Analyzer that found the multitudes of detected files. Let me know if you want me to paste the analyzer log:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7204

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

7/19/2011 1:11:09 PM
mbam-log-2011-07-19 (13-11-09).txt

Scan type: Full scan (C:\|)
Objects scanned: 289690
Time elapsed: 32 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:08:15 PM

Posted 19 July 2011 - 04:24 PM

SUPERAntiSpyware:

Please download and scan with SUPERAntiSpyware Free

  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
  • Scan with SUPERAntiSpyware as follows:
    • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Instructions:

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now GMER

GMER does not work in 64bit Mode!!!!!!

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.


All scans above should be performed in regular boot mode, and if that is not possible then I will post instructions in a follow up reply on how to get into Safe Mode to perform the scans. Also all scans should be COMPLETE and not quick unless specifically instructed to do so.

#6 Acadian

Acadian
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:15 PM

Posted 20 July 2011 - 09:21 AM

Both SUPERAntiSpyware and GMER found no infected files.

#7 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:08:15 PM

Posted 20 July 2011 - 10:57 AM

Post the logs anyways.

#8 Acadian

Acadian
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:15 PM

Posted 20 July 2011 - 11:19 AM

There were no logs that it gave me to copy and paste, unless they are saved in a specific folder somewhere. Here is part of the one from Norton System Analyzer. Going over it, it looks like every file in the system32 directory:

Webroot System Analyzer Command Line Interface
Copyright © 1997-2008 Webroot Software inc. All rights Reserved.

System Analyzer Version : 5.6.0.122
Spyware Definition Version : 1991 (7/19/2011)
Antivirus Definition Version: 3.19.1 (7/19/2011)
Security Product Definitions: 111 (9/27/2008)

CLI Switches used: /deepmem /rootkit /removal /output /all
FileName/Path to scan: C:\

Loading Spy definitions...
Searching For Security Software...
Gathering System Information...
Gathering memory information...
Gathering hard drives information...
Gathering system details...
Searching startup applications...

Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\config\RegBack\SOFTWARE.LOG2
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\wbem\ntfs.mof
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\wbem\ntfs.mof
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\wbem\Wdf01000Uninstall.mof
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\wbem\Wdf01000Uninstall.mof
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\wbem\Win32_EncryptableVolumeUninstall.mof
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\wbem\Win32_EncryptableVolumeUninstall.mof
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\wbem\en-US\subscrpt.mfl
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\config\COMPONENTS.LOG2
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\config\DEFAULT.LOG2
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\config\SAM.LOG2
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\config\SECURITY.LOG2
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\config\SOFTWARE.LOG2
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\config\SYSTEM.LOG2
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\config\systemprofile\ntuser.dat.LOG2
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT.LOG2
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\oobe\info\oobe.xml
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\config\RegBack\SYSTEM.LOG1
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\config\RegBack\SYSTEM.LOG2
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\Microsoft\Protect\S-1-5-18\83fe2ee9-52f5-4257-9b67-04a35eabaf4d
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\config\RegBack\DEFAULT.LOG1
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\chklogo6_faileddrivers.txt
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\restore\MachineGuid.txt
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\b86ce1ef-3049-4d0e-8529-d8fbf22dcf1f
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_E980C1BCB6BDE88F60C90A9C017422D9
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_E980C1BCB6BDE88F60C90A9C017422D9
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\7b821131-b367-431b-9355-aade75b1f2ad
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Portable Devices\wpdlog00.sqm
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\config\RegBack\DEFAULT.LOG2
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\config\RegBack\SAM.LOG1
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\config\RegBack\SAM.LOG2
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\04774331-45f5-4f50-925c-34184a5ca330
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\GfxUI.exe.config
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\drivers\Msft_Kernel_SynTP_01009.Wdf
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\4cc02fb5-f3b4-412f-a1de-b95d928b9643
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\sysprep\Panther\IE\setuperr.log
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\wbem\Logs\wmiprov.log
Found(Removed) Adware [rogue security products] in HKLM\software\microsoft\windows nt\currentversion\winlogon\shell

Scan Summary of: C:\
Items Scanned : 342765
Items Infected : 2589
Items Removed : 3

Scan Time: 00:45:26
C:\SystemAnalyzer>

#9 cryptodan

Posted 20 July 2011 - 11:29 AM

That looks like a bunch of false positives.

Please try a free Online Scan from ESET and then post the log.
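
Added example, not part of the thread or of the System Analyzer tool: a small triage script for a log in the format posted above. It separates what the scanner actually changed ("Removed") from what it only flagged ("Deletion failed"), and sorts the flagged targets into executable content (drivers, EXEs, the EFI loader), non-code System32 artefacts that a "rootkit-masked files" heuristic tends to sweep up wholesale (registry transaction logs, ETW traces, WMI schema files, DPAPI master keys, setup logs), and registry values that Windows reads at logon. The noise categories are my own assumption of what a first pass can deprioritise, not a verdict that those files are clean. The sample log is a constructed subset of the lines in the thread.

```python
"""Triage a System Analyzer-style scan log by what was changed and
what kind of target was flagged.  Added example for the thread above;
the sample lines are constructed from the format the user posted."""
import re
from collections import Counter

# One scanner line as posted in the thread:
#   Found(<status>) <detection name> [<note>] in <file path or registry key>
LINE_RE = re.compile(
    r"^Found\((?P<status>[^)]+)\)\s+"
    r"(?P<name>[^\[]+?)\s*\[(?P<note>[^\]]*)\]\s+in\s+"
    r"(?P<target>.+?)\s*$"
)

# Assumption: non-code artefacts under System32 that a "rootkit-masked files"
# heuristic tends to flag wholesale.  Deprioritised for triage, not cleared.
NOISE_SUFFIXES = (".log1", ".log2", ".etl", ".mof", ".mfl", ".log", ".txt",
                  ".xml", ".tag", ".bin", ".sqm", ".wdf", ".config", ".mui",
                  ".dat")
NOISE_DIRS = ("\\config\\", "\\wdi\\", "\\microsoft\\protect\\",
              "\\cryptneturlcache\\", "\\sysprep\\")

# Executable content: a hit here deserves an Authenticode check before it is
# written off as a false positive.
CODE_SUFFIXES = (".sys", ".exe", ".dll", ".efi")

# Registry values Windows reads at logon; a change here is persistence.
PERSISTENCE_KEYS = ("\\winlogon\\shell", "\\winlogon\\userinit",
                    "\\currentversion\\run")

# Constructed sample: a subset of the posted log, including the one
# registry hit the scanner actually removed.
SAMPLE_LOG = r"""
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\winload.efi
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\drivers\tcpip.sys
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\config\RegBack\SYSTEM.LOG1
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\wbem\ntfs.mof
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\drivers\tcpip.sys
Found(Deletion failed) System Monitor [potentially rootkit-masked files] in C:\Windows\System32\MRT.exe
Found(Removed) Adware [rogue security products] in HKLM\software\microsoft\windows nt\currentversion\winlogon\shell
"""


def parse(log_text):
    """Return one dict (status, name, note, target) per recognised line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def classify(hit):
    """Bucket a hit by what kind of target was flagged."""
    t = hit["target"].lower()
    if t.startswith("hklm\\") or t.startswith("hkcu\\"):
        if any(k in t for k in PERSISTENCE_KEYS):
            return "registry-persistence"
        return "registry"
    if t.endswith(CODE_SUFFIXES):
        return "code"
    if t.endswith(NOISE_SUFFIXES) or any(d in t for d in NOISE_DIRS):
        return "noise"
    return "other"


def triage(log_text):
    """Summarise a log: counts by status and class, the unique executable
    paths to signature-check, and any logon-persistence registry hits."""
    hits = parse(log_text)
    return {
        "hits": hits,
        "by_status": dict(Counter(h["status"] for h in hits)),
        "by_class": dict(Counter(classify(h) for h in hits)),
        "code": sorted({h["target"] for h in hits if classify(h) == "code"}),
        "persistence": [h for h in hits
                        if classify(h) == "registry-persistence"],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("by status:", result["by_status"])
    print("by class: ", result["by_class"])
    print("verify signatures on:")
    for path in result["code"]:
        print("  ", path)
    for h in result["persistence"]:
        print("persistence hit:", h["status"], h["target"])
```

On a real log, the `code` list is what you would feed to `Get-AuthenticodeSignature` or Sysinternals `sigcheck` on the affected machine: a Microsoft-signed `tcpip.sys` or `winload.efi` with an intact signature is a false positive, an unsigned one is not. The one line the scanner did change is the Winlogon `Shell` value, which normally reads `explorer.exe`; whatever had been written there is the detail worth recording, since nothing in the System32 file list tells you how the machine was persisted.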

#10 Acadian

Posted 20 July 2011 - 03:53 PM

Scan Results

No threats found.
Scanned Files: 138655
Infected Files: 0
Cleaned files: 0
Total scan time: 00:27:43
Scan status: finished

#11 Acadian

Posted 21 July 2011 - 12:40 PM

I have run into some other issues and am going to restore the machine to factory defaults. If three different programs didn't find anything and one did, I will go with their being false positives. Thank you for the help and ideas of what to try next time. You can mark this as closed if need be.

thank you very much!

#12 cryptodan

Posted 21 July 2011 - 12:54 PM

Let us know how that goes.

#13 Acadian

Posted 22 July 2011 - 01:15 PM

The reload of the OS fixed my issues, and no scans found any infections or false positives. Thanks again for your assistance and ideas to try next time.

#14 cryptodan

Posted 22 July 2011 - 01:31 PM

I got a feeling that they were not false positives.

#15 Acadian

Posted 22 July 2011 - 04:08 PM

As do I :) Just shocking that only one program out of four different ones finds the issues.