windows cannot access the specified device, path, or file


31 replies to this topic

#1 mc51

  • Members
  • 20 posts

Posted 10 September 2011 - 04:49 PM

Hi, my computer is acting weird. When I run .exe files, it shows "windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." When I click on any link in Google it will return an invalid url. In the processes tab in windows task manager, I see a process named 174926236:1675006709.exe. Kaspersky shows that file is infected by backdoor.zaccess.ob.

I cannot run gmer.exe because of the virus. Please advise. Thanks.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by Jimmy at 6:11:41 on 2011-09-11
Microsoft Windows XP Professional 5.1.2600.3.950.886.1033.18.2047.1279 [GMT 8:00]
.
AV: Kaspersky Anti-Virus *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\174926236:1675006709.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\xampp\mysql\bin\mysqld.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATITool\ATITool.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\conime.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = local;*.local
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.7.16.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Thunder Browser Helper: {889d2feb-5411-4565-8998-1dd2c5261283} - c:\program files\xunlei\thunder.v5.9.19.1390\comdlls\xunleiBHO_Now.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: FlashGet: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\program files\flashget\fgiebar.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Qsaxalanun] rundll32.exe "c:\windows\mverwiof.dll",Startup
mRun: [JMB36X Configure] c:\windows\system32\JMRaidTool.exe boot
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [PHIMETIPSYNC] c:\program files\common files\microsoft shared\ime\imtc65\phonetic\TINTLCFG.EXE /PHIMETIPSync
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [Dimension4] c:\program files\d4\D4.exe
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe"
mRun: [QuickTime Task] "c:\program files\k-lite codec pack\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATITool] "c:\program files\atitool\ATITool.exe" -s
mRun: [SoundMax] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Foxy ?? - c:\program files\foxy\Foxy.exe/download.htm
IE: Foxy U∏ - c:\program files\foxy\Foxy.exe/download.htm
IE: Foxy ∑jM - c:\program files\foxy\Foxy.exe/search.htm
IE: ≥πpU∏ - c:\program files\xunlei\thunder.v5.9.19.1390\program\geturl.htm
IE: ≥πpU∏˛≥≥s≤ - c:\program files\xunlei\thunder.v5.9.19.1390\program\getallurl.htm
IE: ≥πpU? - c:\documents and settings\jimmy\desktop\th
IE: ≥πpU?˛≥? - c:\documents and settings\jimmy\desktop\thu
IE: ≥πp√?U? - c:\program files\xunlei\thunder.v5.9.19.1390\program\OfflineDownload.htm
IE: ≤K[QQ̱ - c:\program files\tencent\qq\bin\AddEmotion.htm
IE: ≥]∞ messenger live Yπ≥ - \SetMSNDP.htm
IE: {d18a0b52-d63c-4ed0-afc6-c1e3dc1af43a} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.7.16.dll/206
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 7.0\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: afe-solutions.com\g2stock
DPF: {0cca191d-13a6-4e29-b746-314dee697d83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280229273546
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1285927271173
DPF: {82774781-8f4e-11d1-ab1c-0000f8773bf0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8de6ab9c-8c62-486b-8c06-5c9ad6fd06f1} - hxxp://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} - hxxp://www.gogobox.com.tw/neo.fld/GNowStarter.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {d821dc4a-0814-435e-9820-661c543a4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {e2883e8f-472f-4fb0-9522-ac9bf37916a7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
DPF: {ef0d1a14-1033-41a2-a589-240c01edc078} - hxxp://xz1.pplive.com/config/pplite/pluginsetup.cab
DPF: {FB5BAB59-BF6B-4DE9-B790-C2F0CBF6804F} - hxxp://g2stock.afe-solutions.com/i-trade/G2SFiTrade.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F9BFC143-BC81-45C1-9A15-8ABBBAAE5BAD} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jimmy\application data\mozilla\firefox\profiles\kvvp0zxq.default\
FF - component: c:\program files\dap\dapfirefox\components\DAPFireFox.dll
FF - plugin: c:\documents and settings\jimmy\application data\mozilla\firefox\profiles\kvvp0zxq.default\extensions\{4d144bc3-23fb-47de-90c5-63ccb0139ccf}\plugins\npww.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin6.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin7.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npaliedit.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Download Accelerator Plus Integration: {F17C1572-C9EC-4e5c-A542-D05CBB5C5A08} - c:\program files\dap\DAPFireFox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: TradeManager-Plugin: {4D144BC3-23FB-47de-90C5-63CCB0139CCF} - %profile%\extensions\{4D144BC3-23FB-47de-90C5-63CCB0139CCF}
.
============= SERVICES / DRIVERS ===============
.
R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-4-28 110360]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-6-27 186640]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2010-8-26 33824]
R2 AVP;Kaspersky Anti-Virus 7.0;c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe [2007-6-28 212992]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-21 50704]
R3 alidevice;alidevice;c:\windows\system32\drivers\alidevice.sys [2009-12-15 6656]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
R3 eumusdesignvirtualaudiocablewdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2010-3-14 40576]
R3 IPvE;IPvE Adapter Driver;c:\windows\system32\drivers\IPvE.sys [2009-4-27 16160]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-4-4 24344]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2008-1-7 25088]
S1 53aee5f;53aee5f;c:\windows\system32\drivers\53aee5f.sys [2009-7-15 0]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2010-10-18 20480]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-3-18 166912]
S3 arusb(TP-LINK);TP-LINK TL-WN821N 11N Wireless Adapter Service(TP-LINK);c:\windows\system32\drivers\arusb.sys [2008-12-7 418304]
S3 revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-3-11 27064]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2007-12-6 92160]
S3 tccrystalcpuinfo;TCCrystalCpuInfo;\??\c:\docume~1\jimmy\locals~1\temp\tccpuinfo.sys --> c:\docume~1\jimmy\locals~1\temp\TCCpuInfo.sys [?]
S3 WinRing0_1_1_1;WinRing0_1_1_1;c:\documents and settings\jimmy\desktop\oc\realtemp_2.70\WinRing0.sys [2008-10-3 13904]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe XE [?]
S4 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\oracle.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
S4 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\bin\TNSLSNR.EXE [2006-2-2 204800]
.
=============== File Associations ===============
.
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
.
=============== Created Last 30 ================
.
2011-08-19 06:09:19 -------- d-----w- c:\program files\UltraVNC
.
==================== Find3M ====================
.
2011-09-10 20:20:29 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2011-09-10 20:20:29 53248 ----a-w- c:\windows\system32\AstSrv.exe
2011-09-10 20:20:29 466944 ----a-w- c:\windows\system32\acs.exe
2011-09-07 01:32:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-07 15:37:28 53760 ----a-w- c:\windows\system32\OVDecode.dll
2011-07-07 15:37:06 43520 ----a-w- c:\windows\system32\OpenCL.dll
2011-07-07 15:36:46 13904896 ----a-w- c:\windows\system32\amdocl.dll
2011-06-15 19:34:06 79872 ----a-w- c:\windows\system32\SlotMaximizerAg.dll
2011-06-15 19:34:06 2117632 ----a-w- c:\windows\system32\SlotMaximizerBe.dll
.
============= FINISH: 6:13:40.41 ===============

Edited by mc51, 10 September 2011 - 05:22 PM.
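A defender-side check that the DDS log above would trip, added here as an example; it is not part of the original post and is not DDS's own code. It parses the Running Processes and Run sections of a DDS log and flags the two indicators this thread turns on: a process launched from an NTFS alternate data stream (the `C:\WINDOWS\174926236:1675006709.exe` entry) and a rundll32 autostart loading a DLL straight from the Windows root (the `Qsaxalanun` entry). The sample log is a constructed excerpt of the one posted, not the full file.

```python
import re
from typing import List, Tuple

# Constructed excerpt in DDS log format, modelled on the log posted above
# (paths and entry names copied from that log; the file is not included whole).
SAMPLE_DDS = """\
============== Running Processes ===============
C:\\WINDOWS\\system32\\svchost -k DcomLaunch
C:\\WINDOWS\\174926236:1675006709.exe
C:\\WINDOWS\\System32\\svchost.exe -k netsvcs
C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe
C:\\WINDOWS\\Explorer.EXE
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [Qsaxalanun] rundll32.exe "c:\\windows\\mverwiof.dll",Startup
mRun: [AVP] "c:\\program files\\kaspersky lab\\kaspersky anti-virus 7.0\\avp.exe"
"""

# A process path of the form C:\dir\name:stream.exe is a file plus a named
# NTFS alternate data stream; ordinary programs are never launched this way,
# which is why such an entry in the process list is worth a close look.
ADS_PATH = re.compile(r"^([A-Za-z]:\\[^:\s]+):([^\\\s]+)$")

# Autostart entries that load a DLL via rundll32 from %WINDIR% itself (not
# from system32). The thread singles this kind of entry out as suspicious.
RUNDLL_WINROOT = re.compile(
    r'rundll32(?:\.exe)?\s+"?([A-Za-z]:\\windows\\[^\\"]+\.dll)"?',
    re.IGNORECASE,
)


def is_ads_path(path: str) -> bool:
    """True when `path` names a file together with an alternate data stream."""
    return ADS_PATH.match(path.strip()) is not None


def scan_dds(text: str) -> List[Tuple[str, str]]:
    """Walk a DDS log and return (finding, line) pairs for suspicious entries."""
    findings: List[Tuple[str, str]] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        # DDS section headers look like "===== Running Processes =====".
        if line.startswith("=") and line.endswith("="):
            section = line.strip("= ").lower()
            continue
        if not line:
            continue
        if section == "running processes":
            # Process lines may carry service-host arguments ("svchost -k netsvcs").
            exe = line.split(" -k ")[0].strip()
            if is_ads_path(exe):
                findings.append(("process running from NTFS alternate data stream", line))
        elif section == "pseudo hjt report" and re.match(r"^[um]Run:", line):
            if RUNDLL_WINROOT.search(line):
                findings.append(("rundll32 autostart loading DLL from Windows root", line))
    return findings


if __name__ == "__main__":
    for finding, line in scan_dds(SAMPLE_DDS):
        print(f"[{finding}] {line}")
```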




#2 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 10 September 2011 - 10:45 PM

mc51,

The information provided does show the characteristics of the ZeroAccess Rootkit.

First, let's take care of this file:
C:\WINDOWS\1407388332:1408572588.exe

It throws a wrench in the works, and programs will not run successfully...

Please download DummyCreator.zip

Unzip the folder:
Right-click and select: Extract all
Follow the prompts to extract

Open the new folder that appears on the Desktop:
Double-click DummyCreator/DummyMaker to run the tool.

Now, copy/paste the following into the blank area:

C:\WINDOWS\174926236

Press the Create button.

Save the content of the Result.txt to your Desktop, and post it in your reply.

Next, restart the computer!


Please do not run any malware removal programs while we are in the process of making repairs. Doing so may just make matters worse, and that, you do not want!

Thanks!

Old duck...


#3 mc51
  • Topic Starter
  • Members
  • 20 posts

Posted 10 September 2011 - 11:43 PM

Ran DummyCreator, but the result.txt seems to be too short. Thanks for your help.

DummyCreator by Farbar
Ran by Jimmy (administrator) on 11-09-2011 at 12:41:08
**************************************************************

C:\WINDOWS\174926236 [11-09-2011 12:39:39]

== End of log ==

#4 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 11 September 2011 - 12:27 AM

mc51,

That is the result we want. :thumbup2:



Please do the following:

If you have ComboFix (CF) already on your Desktop, please remove it! We'll download an updated version.

Download ComboFix

Save ComboFix.exe to your Desktop!!

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications, usually by right-clicking the System Tray icon. They may interfere with the running of CF.

Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link


Double-click on ComboFix.exe to run the program.

When given the option, DO install the Recovery Console. This program can come in very handy at times.

Click on Yes, to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply.


Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



Signing off for tonight.

Will return Sunday o/a 11:00AM Central Time - USA.

Old duck...


#5 mc51
  • Topic Starter
  • Members
  • 20 posts

Posted 11 September 2011 - 01:16 AM

Hi, I had an old version of ComboFix on my desktop, but I am not able to delete it due to the rootkit. I downloaded the updated version to c:\combofix and ran it. It ran at first and quit before I could perform a scan. Now I cannot run it anymore. Seems the rootkit is still blocking exe files. I ran msconfig and found out that there is a suspicious startup item called mverwiof, rundll.exe "C:\WINDOWS\mverwiof.dll", Startup.

Thanks.

Edited by mc51, 11 September 2011 - 01:17 AM.


#6 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 11 September 2011 - 11:37 AM

That is not unusual with ZeroAccess. We need to scan the system with a special tool that will give us a path to eventually allow access to certain files, like to the previous ComboFix that you cannot use.


Let's scan the system with this special tool: Junction.zip

Save to the Desktop.
Unzip the file and save junction.exe in the Windows directory (C:\Windows). No need to run it.
Now, please run Notepad (start > All Programs > Accessories > Notepad)
Copy/paste the text in the code box to Notepad:

@ECHO OFF
junction -s >log.txt
start log.txt

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: Desktop
  • File name: look.bat
  • Save as type: All file types (*.*)
  • Click: Save.
  • Close Notepad.
  • Locate look.bat on the Desktop.
  • XP - double click the file to run it.
  • The command prompt opens, and then Notepad opens


Please copy/paste the content (log.txt) in your reply.

Edited by Aaflac, 11 September 2011 - 11:39 AM.

Old duck...


#7 mc51
  • Topic Starter
  • Members
  • 20 posts

Posted 11 September 2011 - 01:01 PM

OK, I followed the instructions. Thanks.


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\C:\Documents and Settings\Jimmy\Desktop\ComboFix.exe: Access is denied.
...

...

...

No reparse points found.

#8 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 11 September 2011 - 03:06 PM

mc51, :thumbup2:

Please download GrantPerms.zip:
http://download.bleepingcomputer.com/farbar/GrantPerms.zip

Save it to your Desktop.

Unzip the file, and depending on the system, run GrantPerms.exe or GrantPerms64.exe
(Run GrantPerms64.exe only if you have a 64-bit Operating System!)

Copy and paste the following text inside the code box into the tool's blank area:

C:\Documents and Settings\Jimmy\Desktop\ComboFix.exe

Click: Unlock
When done, click: OK

Click List Permissions and post the result (Perms.txt) in your reply.
(A copy of Perms.txt is saved in the same directory where the tool is run.)


Now, please remove ComboFix, download a fresh version of the program, and follow the instructions in Post #4

Thanks!

Old duck...


#9 mc51
  • Topic Starter
  • Members
  • 20 posts

Posted 11 September 2011 - 10:18 PM

Hi, I am wondering if the new ComboFix will quit by itself as it did last time when I performed step #4. Please advise. Thanks.

#10 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 12 September 2011 - 12:41 PM

mc51,

If you are able to remove the old copy of ComboFix, then go to Post #4, download an updated version of CF, and run it.

If it does not run, we'll try a different approach.

Old duck...


#11 mc51
  • Topic Starter
  • Members
  • 20 posts

Posted 12 September 2011 - 03:14 PM

Hi, I used GrantPerms and got the following reply.

GrantPerms by Farbar
Ran by Jimmy at 2011-09-13 04:08:14

===============================================
\\?\C:\Documents and Settings\Jimmy\Desktop\ComboFix.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Power Users READ ALLOW (NI)
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


I deleted the old ComboFix.exe and ran the new one. It still quit by itself during the loading screen and I was not able to run it again. Please advise. Thanks.

#12 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 12 September 2011 - 04:32 PM

mc51,

"Plan B"...

Please remove any previous download of TDSSKiller (if used) and download the latest version: TDSSKiller.exe

Execute the file:
XP - Double-click tdsskiller.exe

Press the button: Start Scan

The tool scans and detects two object types:
Malicious (where the malware has been identified)
Suspicious (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action (Cure or Delete) for Malicious objects. Leave the setting as it is.

It also prompts the User to select an action to apply to Suspicious objects (Skip, by default). Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.


A Reboot Required prompt may appear after a disinfection. Please reboot.


By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please post the TDSSKiller log in your reply.



Need to see the following in your reply:
**The TDSSKiller log
**Whether TDSSKiller needed a reboot

Old duck...


#13 mc51
  • Topic Starter
  • Members
  • 20 posts

Posted 12 September 2011 - 11:45 PM

TDSSKiller executed successfully. It reported there was a file infected by zaccess, and asked me to reboot the machine so it could clean the rootkit. Here's the log. Thanks.

2011/09/13 12:27:53.0533 2492 TDSS rootkit removing tool 2.5.21.0 Sep 10 2011 21:07:05
2011/09/13 12:27:54.0033 2492 ================================================================================
2011/09/13 12:27:54.0033 2492 SystemInfo:
2011/09/13 12:27:54.0033 2492
2011/09/13 12:27:54.0033 2492 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/13 12:27:54.0033 2492 Product type: Workstation
2011/09/13 12:27:54.0033 2492 ComputerName: JIMMY-130665392
2011/09/13 12:27:54.0033 2492 UserName: Jimmy
2011/09/13 12:27:54.0033 2492 Windows directory: C:\WINDOWS
2011/09/13 12:27:54.0033 2492 System windows directory: C:\WINDOWS
2011/09/13 12:27:54.0033 2492 Processor architecture: Intel x86
2011/09/13 12:27:54.0033 2492 Number of processors: 2
2011/09/13 12:27:54.0033 2492 Page size: 0x1000
2011/09/13 12:27:54.0033 2492 Boot type: Normal boot
2011/09/13 12:27:54.0033 2492 ================================================================================
2011/09/13 12:27:54.0564 2492 Initialize success
2011/09/13 12:28:01.0017 4036 ================================================================================
2011/09/13 12:28:01.0017 4036 Scan started
2011/09/13 12:28:01.0017 4036 Mode: Manual;
2011/09/13 12:28:01.0017 4036 ================================================================================
2011/09/13 12:28:31.0627 4036 DefragFS (0a114c0aaaf023a319333226aae9dfef) C:\WINDOWS\system32\drivers\DefragFS.sys
2011/09/13 12:28:32.0314 4036 dfmirage (d8cd6a2a94f545858eec6117f0d5dff4) C:\WINDOWS\system32\DRIVERS\dfmirage.sys
2011/09/13 12:28:32.0986 4036 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/13 12:28:33.0705 4036 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/13 12:28:34.0408 4036 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/13 12:28:35.0048 4036 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/13 12:28:35.0705 4036 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/13 12:28:37.0064 4036 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/13 12:28:37.0752 4036 ENTECH (fd9fc82f134b1c91004ffc76a5ae494b) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
2011/09/13 12:28:38.0439 4036 eumusdesignvirtualaudiocablewdm (78847678315e7acaee4d08c2f886ed01) C:\WINDOWS\system32\DRIVERS\vrtaucbl.sys
2011/09/13 12:28:39.0158 4036 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/13 12:28:39.0830 4036 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/09/13 12:28:40.0502 4036 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/13 12:28:41.0158 4036 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/09/13 12:28:41.0861 4036 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/09/13 12:28:42.0517 4036 FsVga (455f778ee14368468560bd7cb8c854d0) C:\WINDOWS\system32\DRIVERS\fsvga.sys
2011/09/13 12:28:43.0158 4036 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/13 12:28:43.0814 4036 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/13 12:28:44.0517 4036 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/09/13 12:28:45.0127 4036 giveio (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys
2011/09/13 12:28:45.0892 4036 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/13 12:28:46.0580 4036 Hardlock (d95554949082fd29a04d351b58396718) C:\WINDOWS\system32\drivers\hardlock.sys
2011/09/13 12:28:47.0267 4036 hdaudaddservice (f58d2900c66a1e773e3375098e0e9337) C:\WINDOWS\system32\drivers\HdAudio.sys
2011/09/13 12:28:47.0955 4036 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/09/13 12:28:48.0658 4036 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/13 12:28:49.0986 4036 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/13 12:28:51.0986 4036 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/13 12:28:52.0673 4036 iaStor (e5a0034847537eaee3c00349d5c34c5f) C:\WINDOWS\system32\drivers\iaStor.sys
2011/09/13 12:28:53.0361 4036 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/13 12:28:55.0392 4036 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/13 12:28:56.0064 4036 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/09/13 12:28:56.0752 4036 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/13 12:28:57.0455 4036 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/13 12:28:58.0158 4036 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/13 12:28:58.0845 4036 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/13 12:28:59.0517 4036 IPvE (e1a8f8b1f541ba8ec853e939be97e9c8) C:\WINDOWS\system32\DRIVERS\IPvE.sys
2011/09/13 12:29:00.0252 4036 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/13 12:29:00.0923 4036 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/13 12:29:01.0580 4036 JGOGO (c995c0e8b4503fac38793bb0236ad246) C:\WINDOWS\system32\DRIVERS\JGOGO.sys
2011/09/13 12:29:02.0252 4036 JRAID (6242e8dd2e43e8a0dda517d62c9680e6) C:\WINDOWS\system32\DRIVERS\jraid.sys
2011/09/13 12:29:02.0939 4036 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/13 12:29:03.0611 4036 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/09/13 12:29:04.0345 4036 kl1 (27fa2734cf49da74b2ac9c16dc38dd88) C:\WINDOWS\system32\drivers\kl1.sys
2011/09/13 12:29:05.0080 4036 klif (c6a8ad1c9698e5b7b4dd8c19257456e8) C:\WINDOWS\system32\drivers\klif.sys
2011/09/13 12:29:05.0830 4036 klim5 (967e2224217431b21f1d04fbb4c68a4b) C:\WINDOWS\system32\DRIVERS\klim5.sys
2011/09/13 12:29:06.0502 4036 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/13 12:29:07.0205 4036 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/13 12:29:08.0548 4036 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/13 12:29:09.0252 4036 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/13 12:29:09.0970 4036 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/13 12:29:10.0627 4036 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/13 12:29:11.0330 4036 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/13 12:29:12.0002 4036 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys
2011/09/13 12:29:13.0345 4036 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/13 12:29:14.0017 4036 MRxSmb (116b84fd2e18c16defc50e714b85134f) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/13 12:29:14.0017 4036 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\mrxsmb.sys. Real md5: 116b84fd2e18c16defc50e714b85134f, Fake md5: f3aefb11abc521122b67095044169e98
2011/09/13 12:29:14.0033 4036 MRxSmb - detected Rootkit.Win32.ZAccess.e (0)
2011/09/13 12:29:14.0705 4036 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/13 12:29:15.0392 4036 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/13 12:29:16.0064 4036 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/13 12:29:16.0752 4036 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/13 12:29:17.0439 4036 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/13 12:29:18.0142 4036 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/09/13 12:29:18.0814 4036 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2011/09/13 12:29:19.0486 4036 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/13 12:29:20.0173 4036 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/09/13 12:29:20.0861 4036 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/13 12:29:21.0564 4036 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/09/13 12:29:22.0252 4036 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/13 12:29:22.0923 4036 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/13 12:29:23.0595 4036 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/13 12:29:24.0298 4036 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/13 12:29:24.0970 4036 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/13 12:29:25.0736 4036 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/13 12:29:26.0455 4036 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/09/13 12:29:27.0189 4036 npf (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys
2011/09/13 12:29:27.0861 4036 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/13 12:29:28.0548 4036 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/13 12:29:29.0252 4036 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/13 12:29:29.0908 4036 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/13 12:29:30.0564 4036 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/13 12:29:31.0252 4036 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/09/13 12:29:31.0939 4036 oreans32 (b99575d16f887883b821d372ff292c20) C:\WINDOWS\system32\drivers\oreans32.sys
2011/09/13 12:29:32.0627 4036 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/09/13 12:29:33.0314 4036 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/13 12:29:33.0970 4036 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/13 12:29:34.0658 4036 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/13 12:29:36.0064 4036 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/13 12:29:36.0767 4036 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/13 12:29:41.0345 4036 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/13 12:29:42.0017 4036 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/13 12:29:42.0627 4036 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/13 12:29:46.0611 4036 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/13 12:29:47.0283 4036 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/13 12:29:47.0970 4036 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/13 12:29:48.0642 4036 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/13 12:29:49.0330 4036 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/13 12:29:49.0986 4036 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/13 12:29:50.0783 4036 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/13 12:29:51.0470 4036 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/13 12:29:52.0142 4036 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/13 12:29:52.0845 4036 revoflt (8b5b8a11306190c6963d3473f052d3c8) C:\WINDOWS\system32\DRIVERS\revoflt.sys
2011/09/13 12:29:53.0064 4036 SbieDrv (abdd914c82cc7d6436ef3348b022aba1) C:\Program Files\Sandboxie\SbieDrv.sys
2011/09/13 12:29:53.0767 4036 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/13 12:29:54.0470 4036 senfiltservice (b6a6b409fda9d9ebd3aadb838d3d7173) C:\WINDOWS\system32\drivers\Senfilt.sys
2011/09/13 12:29:55.0158 4036 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/13 12:29:55.0845 4036 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/13 12:29:56.0533 4036 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/13 12:29:57.0877 4036 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/09/13 12:29:59.0205 4036 speedfan (5d6401db90ec81b71f8e2c5c8f0fef23) C:\WINDOWS\system32\speedfan.sys
2011/09/13 12:29:59.0955 4036 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/13 12:30:00.0658 4036 sptd (d390675b8ce45e5fb359338e5e649329) C:\WINDOWS\system32\Drivers\sptd.sys
2011/09/13 12:30:00.0658 4036 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d390675b8ce45e5fb359338e5e649329
2011/09/13 12:30:00.0658 4036 sptd - detected LockedFile.Multi.Generic (1)
2011/09/13 12:30:01.0345 4036 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/13 12:30:02.0017 4036 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/13 12:30:02.0705 4036 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/09/13 12:30:03.0392 4036 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/13 12:30:04.0095 4036 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/13 12:30:07.0439 4036 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/13 12:30:08.0830 4036 Tcpip (418a05ec487d63b84c87be77279834e1) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/13 12:30:09.0533 4036 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/13 12:30:10.0267 4036 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/13 12:30:10.0970 4036 teamviewervpn (9101fffcfccd1a30e870a5b8a9091b10) C:\WINDOWS\system32\DRIVERS\teamviewervpn.sys
2011/09/13 12:30:11.0658 4036 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/13 12:30:13.0017 4036 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/13 12:30:14.0392 4036 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/13 12:30:15.0111 4036 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/09/13 12:30:15.0783 4036 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/13 12:30:16.0486 4036 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/13 12:30:17.0189 4036 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/13 12:30:17.0877 4036 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/13 12:30:18.0564 4036 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/09/13 12:30:19.0252 4036 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/13 12:30:19.0939 4036 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/13 12:30:20.0642 4036 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/13 12:30:22.0002 4036 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/13 12:30:22.0705 4036 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/13 12:30:24.0173 4036 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/13 12:30:24.0423 4036 WinRing0_1_1_1 (57fbced72f6ebee6c5e5776e08768ee8) C:\Documents and Settings\Jimmy\Desktop\oc\RealTemp_2.70\WinRing0.sys
2011/09/13 12:30:25.0127 4036 WmBEnum (38932c4649f8baad6ce1000ac6503d5b) C:\WINDOWS\system32\drivers\WmBEnum.sys
2011/09/13 12:30:25.0798 4036 WmFilter (58b3adab903fa1a78c86e6a42b80fe76) C:\WINDOWS\system32\drivers\WmFilter.sys
2011/09/13 12:30:26.0486 4036 WmHidLo (be1951c6919efb86e95f8ef331e39c50) C:\WINDOWS\system32\drivers\WmHidLo.sys
2011/09/13 12:30:27.0205 4036 WmVirHid (e45f01f4014d7ab13b8a0c41ebf48a3d) C:\WINDOWS\system32\drivers\WmVirHid.sys
2011/09/13 12:30:27.0892 4036 WmXlCore (0398265dd65aae2ece180fa9d1e7b5bb) C:\WINDOWS\system32\drivers\WmXlCore.sys
2011/09/13 12:30:28.0595 4036 WSIMD (913b2b92b8e8ba55d8d27317bd2e81c3) C:\WINDOWS\system32\DRIVERS\wsimd.sys
2011/09/13 12:30:29.0267 4036 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/09/13 12:30:29.0955 4036 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/09/13 12:30:30.0705 4036 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/09/13 12:30:31.0408 4036 yukonwxp (228d0403f0210d6d67a9acf907597efe) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
2011/09/13 12:30:31.0439 4036 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/13 12:30:31.0548 4036 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
2011/09/13 12:30:31.0611 4036 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk2\DR4
2011/09/13 12:30:42.0298 4036 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk3\DR6
2011/09/13 12:30:42.0314 4036 Boot (0x1200) (14b22122a8fc8341d82d705517e449fb) \Device\Harddisk0\DR0\Partition0
2011/09/13 12:30:42.0330 4036 Boot (0x1200) (9a24a4e1c0a8c8a12c75cab127f8a63a) \Device\Harddisk1\DR1\Partition0
2011/09/13 12:30:42.0361 4036 Boot (0x1200) (c0efa25938f1822d17ff3ba3547ad097) \Device\Harddisk2\DR4\Partition0
2011/09/13 12:30:42.0392 4036 Boot (0x1200) (d74e9c92998e499e3497ed4e8f0f1c7c) \Device\Harddisk3\DR6\Partition0
2011/09/13 12:30:42.0392 4036 ================================================================================
2011/09/13 12:30:42.0392 4036 Scan finished
2011/09/13 12:30:42.0392 4036 ================================================================================
2011/09/13 12:30:42.0392 1272 Detected object count: 2
2011/09/13 12:30:42.0392 1272 Actual detected object count: 2
2011/09/13 12:36:18.0377 1272 MRxSmb (116b84fd2e18c16defc50e714b85134f) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/13 12:36:18.0377 1272 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\mrxsmb.sys. Real md5: 116b84fd2e18c16defc50e714b85134f, Fake md5: f3aefb11abc521122b67095044169e98
2011/09/13 12:36:19.0173 1272 Backup copy found, using it..
2011/09/13 12:36:19.0189 1272 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - will be cured after reboot
2011/09/13 12:36:19.0189 1272 Rootkit.Win32.ZAccess.e(MRxSmb) - User select action: Cure
2011/09/13 12:36:19.0189 1272 LockedFile.Multi.Generic(sptd) - User select action: Skip
2011/09/13 12:36:38.0080 4024 Deinitialize success
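As an added example, not part of this thread and not Kaspersky's code: a small Python parser for the TDSSKiller log format shown above, run against an excerpt of that same log. It pulls out the named verdicts, the "Forged" entry where TDSSKiller obtained two different MD5s for one file (that disagreement is the rootkit indicator, independent of the signature name attached to it), the generic LockedFile.Multi.Generic verdict that TDSSKiller reports for any driver it cannot open (sptd.sys here), whether each named detection was actually scheduled for cure, and a cross-check that the number of detections parsed equals the "Detected object count" the tool reports. Only the line shapes that occur in the log above are handled; the regexes and the triage categories are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Line shapes taken from the TDSSKiller log above: "<timestamp> <thread> <message>".
LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+(.*)$")
ENTRY_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
FORGED_RE = re.compile(r"^Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: "
                       r"(?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
NOACCESS_RE = re.compile(r"^Suspicious file \(NoAccess\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})$")
DETECT_RE = re.compile(r"^(?P<name>\S+) - detected (?P<verdict>\S+) \(\d+\)$")
ACTION_RE = re.compile(r"^(?P<verdict>[^(\s]+)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$")
CURE_RE = re.compile(r"^(?P<path>.+) - will be cured after reboot$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class Detection:
    name: str
    verdict: str
    path: Optional[str] = None
    real_md5: Optional[str] = None   # "Real md5" from the Suspicious-file line
    fake_md5: Optional[str] = None   # "Fake md5" (Forged entries only)
    action: Optional[str] = None
    cure_pending: bool = False

    @property
    def forged(self) -> bool:
        # Two different hashes for one file is the indicator itself,
        # whatever signature name TDSSKiller attaches to it.
        return self.fake_md5 is not None and self.fake_md5 != self.real_md5

    @property
    def generic(self) -> bool:
        # LockedFile.Multi.Generic is reported for any driver TDSSKiller cannot open.
        return self.verdict.startswith("LockedFile.")


def parse_tdsskiller(text: str) -> dict:
    drivers: Dict[str, dict] = {}        # service name -> {"md5", "path"}
    name_of: Dict[str, str] = {}         # file path -> service name
    suspicious: Dict[str, tuple] = {}    # file path -> (real md5, fake md5 or None)
    sectors: Dict[str, tuple] = {}       # device -> (sector kind, md5)
    detections: Dict[str, Detection] = {}
    reported: Optional[int] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        msg = m.group(1)
        if (f := FORGED_RE.match(msg)):
            suspicious[f["path"]] = (f["real"], f["fake"])
        elif (n := NOACCESS_RE.match(msg)):
            suspicious[n["path"]] = (n["md5"], None)
        elif (d := DETECT_RE.match(msg)):
            drv = drivers.get(d["name"], {})
            real, fake = suspicious.get(drv.get("path"), (drv.get("md5"), None))
            detections[d["name"]] = Detection(d["name"], d["verdict"], drv.get("path"), real, fake)
        elif (a := ACTION_RE.match(msg)) and a["name"] in detections:
            detections[a["name"]].action = a["action"]
        elif (c := CURE_RE.match(msg)) and name_of.get(c["path"]) in detections:
            detections[name_of[c["path"]]].cure_pending = True
        elif (k := COUNT_RE.match(msg)):
            reported = int(k["n"])
        elif (e := ENTRY_RE.match(msg)):
            if e["name"].split(" ")[0] in ("MBR", "Boot"):
                sectors[e["path"]] = (e["name"], e["md5"])
            else:
                drivers[e["name"]] = {"md5": e["md5"], "path": e["path"]}
                name_of[e["path"]] = e["name"]
    return {"drivers": drivers, "sectors": sectors, "detections": detections, "reported": reported}


def triage(text: str) -> dict:
    p = parse_tdsskiller(text)
    dets: List[Detection] = list(p["detections"].values())
    named = [d for d in dets if not d.generic]
    return {
        "count_matches": p["reported"] == len(dets),   # did we parse everything the tool counted?
        "named": [(d.name, d.verdict, d.action) for d in named],
        "forged": [(d.path, d.real_md5, d.fake_md5) for d in dets if d.forged],
        "generic_skipped": [d.name for d in dets if d.generic and d.action == "Skip"],
        "unresolved": [d.name for d in named if d.action != "Cure" or not d.cure_pending],
        "mbr_hashes": {dev: md5 for dev, (kind, md5) in p["sectors"].items() if kind.startswith("MBR")},
    }


# Excerpt of the log posted above (lines copied verbatim, most driver entries omitted).
SAMPLE_LOG = r"""
2011/09/13 12:27:53.0533 2492 TDSS rootkit removing tool 2.5.21.0 Sep 10 2011 21:07:05
2011/09/13 12:29:14.0017 4036 MRxSmb (116b84fd2e18c16defc50e714b85134f) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/13 12:29:14.0017 4036 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\mrxsmb.sys. Real md5: 116b84fd2e18c16defc50e714b85134f, Fake md5: f3aefb11abc521122b67095044169e98
2011/09/13 12:29:14.0033 4036 MRxSmb - detected Rootkit.Win32.ZAccess.e (0)
2011/09/13 12:30:00.0658 4036 sptd (d390675b8ce45e5fb359338e5e649329) C:\WINDOWS\system32\Drivers\sptd.sys
2011/09/13 12:30:00.0658 4036 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d390675b8ce45e5fb359338e5e649329
2011/09/13 12:30:00.0658 4036 sptd - detected LockedFile.Multi.Generic (1)
2011/09/13 12:30:31.0439 4036 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/13 12:30:42.0298 4036 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk3\DR6
2011/09/13 12:30:42.0314 4036 Boot (0x1200) (14b22122a8fc8341d82d705517e449fb) \Device\Harddisk0\DR0\Partition0
2011/09/13 12:30:42.0392 1272 Detected object count: 2
2011/09/13 12:36:19.0189 1272 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - will be cured after reboot
2011/09/13 12:36:19.0189 1272 Rootkit.Win32.ZAccess.e(MRxSmb) - User select action: Cure
2011/09/13 12:36:19.0189 1272 LockedFile.Multi.Generic(sptd) - User select action: Skip
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the log above the parser reports one named verdict (MRxSmb, Cure scheduled for reboot), one forged file with the two disagreeing hashes, sptd as a generic verdict the user skipped, and nothing unresolved; the MBR hashes are collected per disk so that a disk whose MBR hash differs from the others can be looked at, though on its own a different hash is not a finding, since the disks in the log need not share boot code.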

#14 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:10:15 PM

Posted 13 September 2011 - 10:08 AM

mc51,

:thumbup2:

Now, try to run ComboFix.

Old duck...


#15 mc51
  • Topic Starter
  • Members
  • 20 posts
  • Local time:07:15 PM

Posted 13 September 2011 - 01:06 PM

Hi Aaflac,

This time ComboFix executed without problems. Attached is the report, thanks.

Edited by mc51, 13 September 2011 - 09:33 PM.




