
redirect virus/cannot run anti Malware (2)


This topic is locked
12 replies to this topic

#1 camperguy

camperguy

  • Members
  • 10 posts

Posted 10 November 2011 - 05:09 PM

EDIT: Other topic here http://www.bleepingcomputer.com/forums/topic427283.html ~Budapest

Sorry, I am trying to do this right but I have not done it before. I was asked to link to an earlier post (same topic title) but I can't figure out how to do that, sorry.


Thanks, below is the DDS report. I cannot run GMER; I tried twice and the scan runs for about 90 seconds and then the program closes.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by counter at 15:35:59 on 2011-11-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.427 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\4148091121:237486344.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Cherry\CDI\CDI.exe
C:\Program Files\EPSON\EPSON Advanced Printer Driver 4\EpsonPHLog.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Cherry\KeyMan\KeyMan.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
"C:\WINDOWS\system32\svchost.exe"
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell.com
uWinlogon: Shell=c:\documents and settings\counter\local settings\application data\f1d83ef7\X
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CherryKeyMan] "c:\program files\cherry\keyman\KeyMan.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Iratub] rundll32.exe "c:\windows\ohowupomu.dll",Startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [<NO NAME>]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\forget~1.lnk - c:\program files\broderbund\ag creatacard\AGRemind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 10.1.1.2 8.8.8.8
TCP: Interfaces\{74C09F85-3EDE-4921-A09E-14B1C29D6CA1} : DhcpNameServer = 10.1.1.2 8.8.8.8
Notify: igfxcui - igfxdev.dll
Notify: TPSvc - TPSvc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\counter\application data\mozilla\firefox\profiles\06nvgmk0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {44C2EF29-A429-430B-B9B5-8174DB0EB8FB} - c:\documents and settings\mdoughty\local settings\application data\{44C2EF29-A429-430B-B9B5-8174DB0EB8FB}
FF - Ext: XULRunner: {1DFD32A0-3D86-4600-9D4A-B271ADCF82E0} - c:\documents and settings\administrator.dicksrv.000\local settings\application data\{1DFD32A0-3D86-4600-9D4A-B271ADCF82E0}
FF - Ext: XULRunner: {51DD8DFB-BC75-47C1-AC0C-FBCE637411A5} - c:\documents and settings\administrator\local settings\application data\{51DD8DFB-BC75-47C1-AC0C-FBCE637411A5}
FF - Ext: XULRunner: {E4BD6C2C-78CB-4F84-B52C-3900033D9C8F} - c:\documents and settings\counter\local settings\application data\{E4BD6C2C-78CB-4F84-B52C-3900033D9C8F}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-5-24 214664]
R2 Cherry Device Interface;Cherry Device Interface;c:\program files\cherry\cdi\CDI.exe [2004-9-16 516096]
R2 EpsonPOSLog;Epson Point of Service Log Service;c:\program files\epson\epson advanced printer driver 4\EpsonPHLog.exe [2009-3-28 294912]
R3 Ch2kPS2;Cherry PS/2 Keyboard Driver (CDI);c:\windows\system32\drivers\Ch2kPS2.sys [2004-4-22 121870]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
S2 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\printer\center\KodakSvc.exe [2007-12-13 20480]
S3 Ch2kHUB;Cherry USB Hub Driver for CDI;c:\windows\system32\drivers\Ch2kHUB.sys [2003-7-15 82048]
S3 Ch2kUSB;Cherry USB Driver for CDI;c:\windows\system32\drivers\Ch2kUSB.sys [2004-10-26 90702]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2006-5-24 79816]
S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2006-5-24 35272]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2010-8-31 34248]
.
=============== Created Last 30 ================
.
2011-11-10 17:58:07 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-11-10 17:53:20 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-10 17:53:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-10 17:37:44 -------- d-----w- c:\documents and settings\counter\local settings\application data\Help
2011-11-10 17:37:34 -------- d-----w- c:\program files\common files\iS3
2011-11-10 17:08:35 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-11-10 17:03:54 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-11-10 16:41:41 2 --shatr- c:\windows\winstart.bat
2011-11-10 16:41:35 -------- d-----w- c:\program files\UnHackMe
2011-11-10 16:40:52 -------- d-----w- c:\program files\StartNow Toolbar
2011-11-09 23:23:12 48016 --sha-w- c:\windows\system32\c_56714.nl_
2011-11-09 17:53:38 -------- d-----w- c:\documents and settings\counter\application data\Malwarebytes
2011-11-09 17:00:55 -------- d-sh--w- c:\documents and settings\counter\local settings\application data\f1d83ef7
2011-10-19 18:12:01 -------- d-----w- c:\documents and settings\all users\application data\Epson
2011-10-19 18:12:00 -------- d-----w- c:\program files\EPSON
2011-10-19 17:52:17 -------- d-----w- c:\documents and settings\counter\application data\RVLogic
2011-10-19 17:52:10 -------- d-----w- c:\documents and settings\counter\application data\RV Logic, Inc
2011-10-17 14:04:11 -------- d-----w- c:\documents and settings\counter\application data\HpUpdate
2011-10-14 19:33:25 -------- d-----w- c:\documents and settings\counter\local settings\application data\Google
2011-10-13 19:49:53 -------- d-----w- c:\documents and settings\counter\local settings\application data\Adobe
2011-10-13 18:33:42 -------- d-----w- c:\documents and settings\counter\local settings\application data\Mozilla
2011-10-13 17:17:29 -------- d-----w- c:\documents and settings\counter\application data\DealerLogicDMS
2011-10-13 17:07:32 -------- d-----w- C:\Temp
2011-10-13 17:07:02 -------- d-----w- c:\documents and settings\counter\local settings\application data\{E4BD6C2C-78CB-4F84-B52C-3900033D9C8F}
2011-10-13 17:07:01 -------- d-----w- c:\documents and settings\counter\application data\Cherry
.
==================== Find3M ====================
.
2011-11-10 18:38:22 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys
2011-11-10 18:28:19 44544 ----a-w- c:\windows\system32\drivers\fips.sys
2011-11-10 14:39:40 0 ----a-w- c:\windows\Pjajaliroquqof.bin
2011-11-10 00:01:11 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-11-09 23:37:35 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-11-09 23:22:38 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-21 13:18:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-17 21:32:17 832512 ----a-w- c:\windows\system32\wininet.dll
2011-08-17 21:32:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-08-17 21:32:16 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-08-17 21:32:15 17408 ------w- c:\windows\system32\corpol.dll
2011-08-17 12:22:23 389120 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 15:37:07.19 ===============

Edited by Budapest, 10 November 2011 - 05:30 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~Budapest



#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 10 November 2011 - 10:29 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Post that log, please.
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • TDSSKiller log
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


#3 camperguy

camperguy
  • Topic Starter

  • Members
  • 10 posts

Posted 11 November 2011 - 01:22 PM

Below are the logs you asked for. Thanks

ComboFix 11-11-11.04 - counter 11/11/2011 11:48:36.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.996 [GMT -6:00]
Running from: c:\documents and settings\counter\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\administrator.DICKSRV.000\Local Settings\Application Data\{1DFD32A0-3D86-4600-9D4A-B271ADCF82E0}
c:\documents and settings\administrator.DICKSRV.000\Local Settings\Application Data\{1DFD32A0-3D86-4600-9D4A-B271ADCF82E0}\chrome.manifest
c:\documents and settings\administrator.DICKSRV.000\Local Settings\Application Data\{1DFD32A0-3D86-4600-9D4A-B271ADCF82E0}\chrome\content\_cfg.js
c:\documents and settings\administrator.DICKSRV.000\Local Settings\Application Data\{1DFD32A0-3D86-4600-9D4A-B271ADCF82E0}\chrome\content\overlay.xul
c:\documents and settings\administrator.DICKSRV.000\Local Settings\Application Data\{1DFD32A0-3D86-4600-9D4A-B271ADCF82E0}\install.rdf
c:\documents and settings\Administrator\Local Settings\Application Data\{51DD8DFB-BC75-47C1-AC0C-FBCE637411A5}
c:\documents and settings\Administrator\Local Settings\Application Data\{51DD8DFB-BC75-47C1-AC0C-FBCE637411A5}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{51DD8DFB-BC75-47C1-AC0C-FBCE637411A5}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{51DD8DFB-BC75-47C1-AC0C-FBCE637411A5}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{51DD8DFB-BC75-47C1-AC0C-FBCE637411A5}\install.rdf
c:\documents and settings\counter\Local Settings\Application Data\f1d83ef7\U
c:\documents and settings\counter\Local Settings\Application Data\f1d83ef7\U\80000000.@
c:\documents and settings\counter\Local Settings\Application Data\f1d83ef7\U\800000cb.@
c:\documents and settings\counter\Local Settings\Application Data\f1d83ef7\U\800000cf.@
c:\documents and settings\counter\Local Settings\Application Data\f1d83ef7\X
c:\documents and settings\mdoughty\Application Data\447A.E92
c:\documents and settings\mdoughty\g2mdlhlpx.exe
c:\program files\StartNow Toolbar
c:\windows\$NtUninstallKB12496$
c:\windows\$NtUninstallKB12496$\3604715448
c:\windows\$NtUninstallKB12496$\4057480951\@
c:\windows\$NtUninstallKB12496$\4057480951\L\iahonoel
c:\windows\$NtUninstallKB12496$\4057480951\loader.tlb
c:\windows\$NtUninstallKB12496$\4057480951\U\@00000001
c:\windows\$NtUninstallKB12496$\4057480951\U\@000000c0
c:\windows\$NtUninstallKB12496$\4057480951\U\@000000cb
c:\windows\$NtUninstallKB12496$\4057480951\U\@000000cf
c:\windows\$NtUninstallKB12496$\4057480951\U\@80000000
c:\windows\$NtUninstallKB12496$\4057480951\U\@800000c0
c:\windows\$NtUninstallKB12496$\4057480951\U\@800000cb
c:\windows\$NtUninstallKB12496$\4057480951\U\@800000cf
c:\windows\4148091121
c:\windows\ohowupomu.dll
c:\windows\system32\
.
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\wuauclt.exe
.
Infected copy of c:\program files\Cherry\CDI\CDI.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1797\A0073734.exe
.
Infected copy of c:\program files\EPSON\EPSON Advanced Printer Driver 4\EpsonPHLog.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1797\A0073735.exe
.
Infected copy of c:\program files\Java\jre6\bin\jqs.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1797\A0073736.exe
.
Infected copy of c:\program files\Kodak\printer\center\KodakSvc.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1797\A0073737.exe
.
Infected copy of c:\windows\system32\HPZipm12.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1797\A0073738.exe
.
Infected copy of c:\program files\Cherry\CDI\CDI.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1797\A0073734.exe
Infected copy of c:\program files\EPSON\EPSON Advanced Printer Driver 4\EpsonPHLog.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1797\A0073735.exe
Infected copy of c:\program files\Kodak\printer\center\KodakSvc.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1797\A0073737.exe
Infected copy of c:\windows\system32\HPZipm12.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1797\A0073738.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_f1d83ef7
.
.
((((((((((((((((((((((((( Files Created from 2011-10-11 to 2011-11-11 )))))))))))))))))))))))))))))))
.
.
2011-11-10 17:58 . 2011-11-10 17:58 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-11-10 17:53 . 2011-11-10 19:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-10 17:53 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-10 17:37 . 2011-11-10 17:37 -------- d-----w- c:\program files\Common Files\iS3
2011-11-10 17:08 . 2011-11-10 17:08 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-11-10 17:03 . 2011-11-10 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-11-10 16:41 . 2011-11-10 16:41 2 --shatr- c:\windows\winstart.bat
2011-11-10 16:41 . 2011-11-10 17:35 -------- d-----w- c:\program files\UnHackMe
2011-11-09 17:57 . 2011-11-09 17:57 -------- d-sh--w- c:\documents and settings\LocalService\UserData
2011-10-19 18:12 . 2011-10-19 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Epson
2011-10-19 18:12 . 2011-10-19 18:12 -------- d-----w- c:\program files\EPSON
2011-10-13 17:07 . 2011-11-11 18:11 -------- d-----w- C:\Temp
2011-10-13 17:06 . 2011-11-10 21:33 -------- d-----w- c:\documents and settings\counter
2011-10-13 17:01 . 2011-10-13 17:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\HP
2011-10-13 17:00 . 2011-10-13 17:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2011-10-13 17:00 . 2011-10-13 17:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Cherry
2011-10-13 16:55 . 2011-10-13 16:55 -------- d-----w- c:\documents and settings\administrator.DICKSRV.000
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-11 16:53 . 2005-09-08 17:56 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-11-10 18:38 . 2004-08-04 03:59 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys
2011-11-10 18:28 . 2004-08-11 22:00 44544 ----a-w- c:\windows\system32\drivers\fips.sys
2011-11-10 00:01 . 2004-08-04 04:15 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-11-09 23:37 . 2004-08-04 03:59 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-11-09 23:22 . 2004-08-11 22:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-21 13:18 . 2011-07-01 13:08 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2004-08-11 22:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2004-08-11 22:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2004-08-11 22:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2004-08-11 22:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-11 22:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-17 21:32 . 2004-08-11 22:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-08-17 21:32 . 2004-08-11 22:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-08-17 21:32 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-08-17 21:32 . 2004-08-11 22:00 17408 ------w- c:\windows\system32\corpol.dll
2011-08-17 12:22 . 2004-08-11 22:00 389120 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-12 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-19 149280]
"CherryKeyMan"="c:\program files\Cherry\KeyMan\KeyMan.exe" [2004-05-07 176180]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Forget Me Not.lnk - c:\program files\Broderbund\AG CreataCard\AGRemind.exe [2006-1-18 323584]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59152:UDP"= 59152:UDP:SonicWALL Compliance 59152
"59153:UDP"= 59153:UDP:SonicWALL Compliance 59153
.
R2 Cherry Device Interface;Cherry Device Interface;c:\program files\Cherry\CDI\CDI.exe [11/11/2011 11:57 AM 512046]
R2 EpsonPOSLog;Epson Point of Service Log Service;c:\program files\EPSON\EPSON Advanced Printer Driver 4\EpsonPHLog.exe [3/28/2009 6:33 AM 290816]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [12/13/2007 10:07 AM 18944]
R3 Ch2kPS2;Cherry PS/2 Keyboard Driver (CDI);c:\windows\system32\drivers\Ch2kPS2.sys [4/22/2004 3:28 PM 121870]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 12:01 PM 135664]
S3 Ch2kHUB;Cherry USB Hub Driver for CDI;c:\windows\system32\drivers\Ch2kHUB.sys [7/15/2003 4:35 PM 82048]
S3 Ch2kUSB;Cherry USB Driver for CDI;c:\windows\system32\drivers\Ch2kUSB.sys [10/26/2004 2:03 PM 90702]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 12:01 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 18:01]
.
2011-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 18:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
TCP: DhcpNameServer = 10.1.1.2 8.8.8.8
FF - ProfilePath - c:\documents and settings\counter\Application Data\Mozilla\Firefox\Profiles\06nvgmk0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {44C2EF29-A429-430B-B9B5-8174DB0EB8FB} - c:\documents and settings\mdoughty\Local Settings\Application Data\{44C2EF29-A429-430B-B9B5-8174DB0EB8FB}
FF - Ext: XULRunner: {E4BD6C2C-78CB-4F84-B52C-3900033D9C8F} - c:\documents and settings\counter\Local Settings\Application Data\{E4BD6C2C-78CB-4F84-B52C-3900033D9C8F}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Iratub - c:\windows\ohowupomu.dll
Notify-TPSvc - TPSvc.dll
SafeBoot-04256208.sys
SafeBoot-06730724.sys
SafeBoot-14851897.sys
SafeBoot-41899470.sys
SafeBoot-45744374.sys
SafeBoot-60181284.sys
SafeBoot-68275283.sys
SafeBoot-76417887.sys
SafeBoot-86680460.sys
SafeBoot-93992492.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-11 12:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion*Ijiqeja]
"Lrovonox"=hex:38,01,32,03,41,05,3f,07,4d,09,48,0b,3d,0d,37,0f,54,11,25,13,2d,
15,57,17,2c,19,22,1b,59,1d,5b,1f,62,21,64,23,11,25,1f,27,6a,29,68,2b,6e,2d,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(636)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2011-11-11 12:16:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-11 18:16
.
Pre-Run: 60,894,613,504 bytes free
Post-Run: 63,044,616,192 bytes free
.
- - End Of File - - E0CEF8D5558A67B04228FD16D7769F62







10:51:43.0196 3392 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15
10:51:43.0399 3392 ============================================================
10:51:43.0399 3392 Current date / time: 2011/11/11 10:51:43.0399
10:51:43.0399 3392 SystemInfo:
10:51:43.0399 3392
10:51:43.0399 3392 OS Version: 5.1.2600 ServicePack: 3.0
10:51:43.0399 3392 Product type: Workstation
10:51:43.0399 3392 ComputerName: RECEPTION
10:51:43.0399 3392 UserName: counter
10:51:43.0399 3392 Windows directory: C:\WINDOWS
10:51:43.0399 3392 System windows directory: C:\WINDOWS
10:51:43.0399 3392 Processor architecture: Intel x86
10:51:43.0399 3392 Number of processors: 2
10:51:43.0399 3392 Page size: 0x1000
10:51:43.0399 3392 Boot type: Normal boot
10:51:43.0399 3392 ============================================================
10:51:44.0836 3392 Initialize success
10:51:49.0445 0548 ============================================================
10:51:49.0445 0548 Scan started
10:51:49.0445 0548 Mode: Manual;
10:51:49.0445 0548 ============================================================
10:51:52.0539 0548 Abiosdsk - ok
10:51:52.0601 0548 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
10:51:52.0617 0548 abp480n5 - ok
10:51:52.0711 0548 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:51:52.0726 0548 ACPI - ok
10:51:52.0805 0548 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
10:51:52.0805 0548 ACPIEC - ok
10:51:52.0883 0548 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
10:51:52.0883 0548 adpu160m - ok
10:51:52.0992 0548 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
10:51:52.0992 0548 aeaudio - ok
10:51:53.0070 0548 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
10:51:53.0086 0548 aec - ok
10:51:53.0211 0548 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
10:51:53.0211 0548 AFD - ok
10:51:53.0336 0548 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
10:51:53.0336 0548 agp440 - ok
10:51:53.0414 0548 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
10:51:53.0414 0548 agpCPQ - ok
10:51:53.0508 0548 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
10:51:53.0508 0548 Aha154x - ok
10:51:53.0586 0548 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
10:51:53.0601 0548 aic78u2 - ok
10:51:53.0664 0548 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
10:51:53.0664 0548 aic78xx - ok
10:51:53.0773 0548 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
10:51:53.0773 0548 AliIde - ok
10:51:53.0867 0548 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
10:51:53.0867 0548 alim1541 - ok
10:51:54.0008 0548 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
10:51:54.0008 0548 amdagp - ok
10:51:54.0164 0548 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
10:51:54.0164 0548 amsint - ok
10:51:54.0273 0548 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
10:51:54.0273 0548 asc - ok
10:51:54.0414 0548 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
10:51:54.0414 0548 asc3350p - ok
10:51:54.0476 0548 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
10:51:54.0492 0548 asc3550 - ok
10:51:54.0601 0548 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
10:51:54.0601 0548 AsyncMac - ok
10:51:54.0695 0548 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
10:51:54.0695 0548 atapi - ok
10:51:54.0726 0548 Atdisk - ok
10:51:54.0836 0548 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
10:51:54.0836 0548 Atmarpc - ok
10:51:55.0008 0548 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
10:51:55.0008 0548 audstub - ok
10:51:55.0195 0548 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
10:51:55.0195 0548 Beep - ok
10:51:55.0305 0548 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
10:51:55.0320 0548 cbidf - ok
10:51:55.0398 0548 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
10:51:55.0398 0548 cbidf2k - ok
10:51:55.0492 0548 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
10:51:55.0492 0548 cd20xrnt - ok
10:51:55.0648 0548 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
10:51:55.0648 0548 Cdaudio - ok
10:51:55.0726 0548 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
10:51:55.0726 0548 Cdfs - ok
10:51:55.0820 0548 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
10:51:55.0820 0548 Cdrom - ok
10:51:55.0992 0548 Ch2kHUB (e7c9c3f001ebafeee3ba932e93c93fa5) C:\WINDOWS\system32\drivers\Ch2kHUB.sys
10:51:55.0992 0548 Ch2kHUB - ok
10:51:56.0086 0548 Ch2kPS2 (dc4016baae9c1a27bb45a0d080e8af6a) C:\WINDOWS\system32\DRIVERS\Ch2kPS2.sys
10:51:56.0101 0548 Ch2kPS2 - ok
10:51:56.0179 0548 Ch2kUSB (9cab6645ee3907c7af15f55671b178e5) C:\WINDOWS\system32\drivers\Ch2kUSB.sys
10:51:56.0179 0548 Ch2kUSB - ok
10:51:56.0304 0548 Changer - ok
10:51:56.0414 0548 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
10:51:56.0414 0548 CmdIde - ok
10:51:56.0539 0548 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
10:51:56.0539 0548 Cpqarray - ok
10:51:56.0633 0548 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
10:51:56.0633 0548 dac2w2k - ok
10:51:56.0711 0548 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
10:51:56.0711 0548 dac960nt - ok
10:51:56.0820 0548 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
10:51:56.0820 0548 Disk - ok
10:51:56.0914 0548 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
10:51:56.0945 0548 dmboot - ok
10:51:57.0117 0548 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
10:51:57.0117 0548 dmio - ok
10:51:57.0164 0548 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
10:51:57.0164 0548 dmload - ok
10:51:57.0242 0548 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
10:51:57.0258 0548 DMusic - ok
10:51:57.0367 0548 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
10:51:57.0367 0548 dpti2o - ok
10:51:57.0461 0548 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
10:51:57.0461 0548 drmkaud - ok
10:51:57.0633 0548 E100B (95974e66d3de4951d29e28e8bc0b644c) C:\WINDOWS\system32\DRIVERS\e100b325.sys
10:51:57.0633 0548 E100B - ok
10:51:57.0726 0548 f1d83ef7 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\4148091121:237486344.exe
10:51:57.0742 0548 Suspicious file (Hidden): C:\WINDOWS\4148091121:237486344.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
10:51:57.0742 0548 f1d83ef7 ( Rootkit.Win32.PMax.gen ) - infected
10:51:57.0742 0548 f1d83ef7 - detected Rootkit.Win32.PMax.gen (0)
10:51:57.0836 0548 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
10:51:57.0851 0548 Fastfat - ok
10:51:57.0929 0548 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
10:51:57.0945 0548 Fdc - ok
10:51:58.0008 0548 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
10:51:58.0008 0548 Fips - ok
10:51:58.0117 0548 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
10:51:58.0117 0548 Flpydisk - ok
10:51:58.0211 0548 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
10:51:58.0211 0548 FltMgr - ok
10:51:58.0289 0548 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
10:51:58.0289 0548 Fs_Rec - ok
10:51:58.0383 0548 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
10:51:58.0383 0548 Ftdisk - ok
10:51:58.0461 0548 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
10:51:58.0461 0548 Gpc - ok
10:51:58.0570 0548 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
10:51:58.0570 0548 HidUsb - ok
10:51:58.0648 0548 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
10:51:58.0648 0548 hpn - ok
10:51:58.0758 0548 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
10:51:58.0758 0548 HPZid412 - ok
10:51:58.0851 0548 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
10:51:58.0851 0548 HPZipr12 - ok
10:51:58.0929 0548 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
10:51:58.0929 0548 HPZius12 - ok
10:51:59.0023 0548 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
10:51:59.0039 0548 HTTP - ok
10:51:59.0226 0548 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
10:51:59.0226 0548 i2omgmt - ok
10:51:59.0304 0548 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
10:51:59.0304 0548 i2omp - ok
10:51:59.0367 0548 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
10:51:59.0367 0548 i8042prt - ok
10:51:59.0508 0548 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
10:51:59.0601 0548 ialm - ok
10:51:59.0773 0548 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
10:51:59.0773 0548 Imapi - ok
10:51:59.0882 0548 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
10:51:59.0882 0548 ini910u - ok
10:51:59.0976 0548 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
10:51:59.0976 0548 IntelIde - ok
10:52:00.0054 0548 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
10:52:00.0054 0548 intelppm - ok
10:52:00.0148 0548 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
10:52:00.0148 0548 Ip6Fw - ok
10:52:00.0320 0548 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
10:52:00.0320 0548 IpFilterDriver - ok
10:52:00.0398 0548 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
10:52:00.0398 0548 IpInIp - ok
10:52:00.0523 0548 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
10:52:00.0523 0548 IpNat - ok
10:52:00.0617 0548 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
10:52:00.0617 0548 IPSec - ok
10:52:00.0773 0548 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
10:52:00.0773 0548 IRENUM - ok
10:52:00.0836 0548 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
10:52:00.0836 0548 isapnp - ok
10:52:00.0961 0548 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
10:52:00.0961 0548 Kbdclass - ok
10:52:01.0039 0548 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
10:52:01.0039 0548 kbdhid - ok
10:52:01.0101 0548 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
10:52:01.0101 0548 kmixer - ok
10:52:01.0211 0548 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
10:52:01.0211 0548 KSecDD - ok
10:52:01.0289 0548 lbrtfdc - ok
10:52:01.0382 0548 MfeAVFK (32bcd2aec12cee766b2488731a78127c) C:\WINDOWS\system32\drivers\MfeAVFK.sys
10:52:01.0382 0548 MfeAVFK - ok
10:52:01.0476 0548 MfeBOPK (963abf1a4d3a19206f7b059e5a1a190b) C:\WINDOWS\system32\drivers\MfeBOPK.sys
10:52:01.0492 0548 MfeBOPK - ok
10:52:01.0648 0548 mfehidk (586a07b1fa933c340d990419d6894d7a) C:\WINDOWS\system32\drivers\mfehidk.sys
10:52:01.0664 0548 mfehidk - ok
10:52:01.0742 0548 MfeRKDK (820d6aa3f7f0cfa8a1fa8f63d3f1df04) C:\WINDOWS\system32\drivers\MfeRKDK.sys
10:52:01.0742 0548 MfeRKDK - ok
10:52:01.0851 0548 mfetdik (3812e49fa67a3f604895f0d0c2e1ef90) C:\WINDOWS\system32\drivers\mfetdik.sys
10:52:01.0851 0548 mfetdik - ok
10:52:01.0976 0548 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
10:52:01.0976 0548 mnmdd - ok
10:52:02.0086 0548 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
10:52:02.0086 0548 Modem - ok
10:52:02.0179 0548 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
10:52:02.0179 0548 Mouclass - ok
10:52:02.0257 0548 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
10:52:02.0257 0548 mouhid - ok
10:52:02.0351 0548 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
10:52:02.0351 0548 MountMgr - ok
10:52:02.0523 0548 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
10:52:02.0523 0548 mraid35x - ok
10:52:02.0679 0548 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
10:52:02.0695 0548 MRxDAV - ok
10:52:02.0882 0548 MRxSmb (31f81b9da501be5596042df6c0ffdb2d) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
10:52:02.0898 0548 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\mrxsmb.sys. Real md5: 31f81b9da501be5596042df6c0ffdb2d, Fake md5: 9933eb123d280c1ef3188a7fba320355
10:52:02.0898 0548 MRxSmb ( Rootkit.Win32.ZAccess.e ) - infected
10:52:02.0898 0548 MRxSmb - detected Rootkit.Win32.ZAccess.e (0)
10:52:03.0070 0548 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
10:52:03.0070 0548 Msfs - ok
10:52:03.0195 0548 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
10:52:03.0195 0548 MSKSSRV - ok
10:52:03.0351 0548 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
10:52:03.0351 0548 MSPCLOCK - ok
10:52:03.0429 0548 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
10:52:03.0429 0548 MSPQM - ok
10:52:03.0523 0548 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
10:52:03.0539 0548 mssmbios - ok
10:52:03.0617 0548 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
10:52:03.0617 0548 Mup - ok
10:52:03.0757 0548 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
10:52:03.0757 0548 NDIS - ok
10:52:03.0867 0548 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
10:52:03.0867 0548 NdisTapi - ok
10:52:03.0961 0548 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
10:52:03.0961 0548 Ndisuio - ok
10:52:04.0039 0548 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
10:52:04.0054 0548 NdisWan - ok
10:52:04.0132 0548 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
10:52:04.0132 0548 NDProxy - ok
10:52:04.0210 0548 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
10:52:04.0210 0548 NetBIOS - ok
10:52:04.0398 0548 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
10:52:04.0398 0548 NetBT - ok
10:52:04.0523 0548 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
10:52:04.0523 0548 Npfs - ok
10:52:04.0617 0548 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
10:52:04.0648 0548 Ntfs - ok
10:52:04.0789 0548 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
10:52:04.0789 0548 Null - ok
10:52:04.0976 0548 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
10:52:05.0023 0548 nv - ok
10:52:05.0195 0548 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
10:52:05.0195 0548 NwlnkFlt - ok
10:52:05.0289 0548 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
10:52:05.0289 0548 NwlnkFwd - ok
10:52:05.0414 0548 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
10:52:05.0414 0548 Parport - ok
10:52:05.0492 0548 Partizan - ok
10:52:05.0585 0548 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
10:52:05.0585 0548 PartMgr - ok
10:52:05.0664 0548 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
10:52:05.0664 0548 ParVdm - ok
10:52:05.0757 0548 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
10:52:05.0757 0548 PCI - ok
10:52:05.0789 0548 PCIDump - ok
10:52:05.0882 0548 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
10:52:05.0882 0548 PCIIde - ok
10:52:05.0960 0548 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
10:52:05.0960 0548 Pcmcia - ok
10:52:06.0007 0548 PDCOMP - ok
10:52:06.0070 0548 PDFRAME - ok
10:52:06.0117 0548 PDRELI - ok
10:52:06.0148 0548 PDRFRAME - ok
10:52:06.0226 0548 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
10:52:06.0226 0548 perc2 - ok
10:52:06.0304 0548 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
10:52:06.0304 0548 perc2hib - ok
10:52:06.0445 0548 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
10:52:06.0445 0548 PptpMiniport - ok
10:52:06.0539 0548 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
10:52:06.0539 0548 PSched - ok
10:52:06.0570 0548 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
10:52:06.0570 0548 Ptilink - ok
10:52:06.0632 0548 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
10:52:06.0632 0548 ql1080 - ok
10:52:06.0726 0548 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
10:52:06.0726 0548 Ql10wnt - ok
10:52:06.0820 0548 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
10:52:06.0820 0548 ql12160 - ok
10:52:06.0898 0548 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
10:52:06.0898 0548 ql1240 - ok
10:52:06.0992 0548 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
10:52:06.0992 0548 ql1280 - ok
10:52:07.0054 0548 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
10:52:07.0054 0548 RasAcd - ok
10:52:07.0179 0548 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
10:52:07.0195 0548 Rasl2tp - ok
10:52:07.0304 0548 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
10:52:07.0320 0548 RasPppoe - ok
10:52:07.0351 0548 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
10:52:07.0367 0548 Raspti - ok
10:52:07.0460 0548 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
10:52:07.0460 0548 Rdbss - ok
10:52:07.0632 0548 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
10:52:07.0632 0548 RDPCDD - ok
10:52:07.0726 0548 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
10:52:07.0726 0548 rdpdr - ok
10:52:07.0835 0548 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
10:52:07.0851 0548 RDPWD - ok
10:52:07.0960 0548 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
10:52:07.0960 0548 redbook - ok
10:52:08.0101 0548 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
10:52:08.0101 0548 Secdrv - ok
10:52:08.0273 0548 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
10:52:08.0273 0548 serenum - ok
10:52:08.0351 0548 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
10:52:08.0367 0548 Serial - ok
10:52:08.0523 0548 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
10:52:08.0523 0548 Sfloppy - ok
10:52:08.0632 0548 Simbad - ok
10:52:08.0695 0548 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
10:52:08.0710 0548 sisagp - ok
10:52:08.0882 0548 smwdm (5018a9db5eb62e3edb3110f82f556285) C:\WINDOWS\system32\drivers\smwdm.sys
10:52:08.0914 0548 smwdm - ok
10:52:09.0085 0548 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
10:52:09.0101 0548 Sparrow - ok
10:52:09.0242 0548 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
10:52:09.0242 0548 splitter - ok
10:52:09.0398 0548 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
10:52:09.0398 0548 sr - ok
10:52:09.0539 0548 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
10:52:09.0554 0548 Srv - ok
10:52:09.0757 0548 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
10:52:09.0757 0548 swenum - ok
10:52:09.0882 0548 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
10:52:09.0882 0548 swmidi - ok
10:52:10.0023 0548 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
10:52:10.0023 0548 symc810 - ok
10:52:10.0164 0548 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
10:52:10.0164 0548 symc8xx - ok
10:52:10.0367 0548 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
10:52:10.0367 0548 sym_hi - ok
10:52:10.0507 0548 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
10:52:10.0523 0548 sym_u3 - ok
10:52:10.0664 0548 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
10:52:10.0664 0548 sysaudio - ok
10:52:10.0835 0548 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
10:52:10.0851 0548 Tcpip - ok
10:52:11.0023 0548 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
10:52:11.0023 0548 TDPIPE - ok
10:52:11.0117 0548 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
10:52:11.0117 0548 TDTCP - ok
10:52:11.0273 0548 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
10:52:11.0273 0548 TermDD - ok
10:52:11.0445 0548 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
10:52:11.0445 0548 TosIde - ok
10:52:11.0554 0548 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
10:52:11.0554 0548 Udfs - ok
10:52:11.0648 0548 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
10:52:11.0648 0548 ultra - ok
10:52:11.0835 0548 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
10:52:11.0851 0548 Update - ok
10:52:12.0039 0548 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
10:52:12.0039 0548 usbccgp - ok
10:52:12.0117 0548 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
10:52:12.0117 0548 usbehci - ok
10:52:12.0195 0548 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
10:52:12.0195 0548 usbhub - ok
10:52:12.0320 0548 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
10:52:12.0320 0548 usbprint - ok
10:52:12.0367 0548 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
10:52:12.0367 0548 usbscan - ok
10:52:12.0476 0548 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
10:52:12.0476 0548 USBSTOR - ok
10:52:12.0570 0548 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
10:52:12.0570 0548 usbuhci - ok
10:52:12.0648 0548 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
10:52:12.0648 0548 VgaSave - ok
10:52:12.0726 0548 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
10:52:12.0726 0548 viaagp - ok
10:52:12.0820 0548 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
10:52:12.0820 0548 ViaIde - ok
10:52:12.0882 0548 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
10:52:12.0882 0548 VolSnap - ok
10:52:13.0023 0548 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
10:52:13.0023 0548 Wanarp - ok
10:52:13.0054 0548 WDICA - ok
10:52:13.0179 0548 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
10:52:13.0195 0548 wdmaud - ok
10:52:13.0304 0548 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
10:52:13.0429 0548 \Device\Harddisk0\DR0 - ok
10:52:13.0445 0548 MBR (0x1B8) (65e858a8a0293be11a920b0bc99d695e) \Device\Harddisk1\DR7
10:52:13.0617 0548 \Device\Harddisk1\DR7 - ok
10:52:13.0617 0548 Boot (0x1200) (d32d363f131c251bc03027ab1f0f7406) \Device\Harddisk0\DR0\Partition0
10:52:13.0617 0548 \Device\Harddisk0\DR0\Partition0 - ok
10:52:13.0632 0548 Boot (0x1200) (efbe142ad7c69a890c3ff782b7372503) \Device\Harddisk1\DR7\Partition0
10:52:13.0632 0548 \Device\Harddisk1\DR7\Partition0 - ok
10:52:13.0632 0548 ============================================================
10:52:13.0632 0548 Scan finished
10:52:13.0632 0548 ============================================================
10:52:13.0648 3356 Detected object count: 2
10:52:13.0664 3356 Actual detected object count: 2
10:52:27.0398 3356 f1d83ef7 ( Rootkit.Win32.PMax.gen ) - skipped by user
10:52:27.0398 3356 f1d83ef7 ( Rootkit.Win32.PMax.gen ) - User select action: Skip
10:52:28.0335 3356 Backup copy found, using it..
10:52:28.0351 3356 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - will be cured on reboot
10:52:32.0148 3356 C:\WINDOWS\system32\c_56714.nls - will be deleted on reboot
10:52:32.0273 3356 C:\WINDOWS\system32\c_56714.nl_ - will be deleted on reboot
10:52:35.0757 3356 MRxSmb ( Rootkit.Win32.ZAccess.e ) - User select action: Cure
10:52:40.0944 1668 Deinitialize success

#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:06 PM

Posted 11 November 2011 - 07:23 PM

camperguy:

Please do this next:

Click Start > Run or press the Windows Key + R. Copy and paste the following text into the run box that opens and press OK:
C:\Qoobox\Add-Remove Programs.txt

Post the contents of the text file that opens in your next reply.

Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start > Run or press the Windows key + R. Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
  • A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.
Please include the following in your next post:
  • Add/Remove Program list
  • junction log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#5 camperguy

camperguy
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:06 PM

Posted 14 November 2011 - 12:17 PM

Add/Remove program list:

Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8.3.1
AiO_Scan_CDA
aiofw
aioocr
aioscnnr
AiOSoftwareNPI
American Greetings CreataCard Gold 6
BufferChm
C3100
c3100_Help
center
Cherry JPOS Support (local edition) V2.1 Rev.2 Build 2
Cherry Tools V4.1 Rev.6 Build 2
DealerLogic
Destinations
DeviceManagementQFolder
DocProc
DocProcQFolder
EPSON APD4 Point and Print Support
eSupportQFolder
Fax_CDA
Google Toolbar for Internet Explorer
Google Update Helper
Help_CTR
helptut
helpug
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0.A
HP Photosmart Essential
HP Precisionscan Pro 3.1
HP Product Assistant
HP Share-to-Web
HP Solution Center 7.0
HP Update
HPPhotoSmartExpress
HPProductAssistant
InstantShareAlert
InstantShareDevicesMFC
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Connections Drivers
Intel® PROSet
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 17
Java™ 6 Update 5
ksdip
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In
Microsoft Office Standard Edition 2003
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Web Publishing Wizard 1.52
Mozilla Firefox (3.6.24)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
netbrdg
NewCopy_CDA
OCR Software by I.R.I.S 7.0
OGA Notifier 2.0.0048.0
PanoStandAlone
QFolder
Readme
RV Logic
Scan
ScannerCopy
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB2559049)
Security Update for Windows Internet Explorer 7 (KB2586448)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SFR
SolutionCenter
Status
Toolbox
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3


junction log:


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\System Volume Information: Access is denied.


Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\11651bba8618e9a6cc19e2b8b1eac2f0_50e417e0-e461-474b-96e2-077b80325612: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_50e417e0-e461-474b-96e2-077b80325612: Access is denied.

Failed to open \\?\c:\\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

Failed to open \\?\c:\\WINDOWS\assembly\GAC_MSIL\Desktop.ini: Access is denied.

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

Failed to open \\?\c:\\WINDOWS\system32\MRT.exe: Access is denied.


#6 RPMcMurphy (Malware Response Team)

Posted 14 November 2011 - 09:42 PM

camperguy:

Please do this next:

Please download GrantPerms.zip and save it to your desktop.
  • Unzip the file and depending on the system run GrantPerms.exe or GrantPerms64.exe
  • Copy and paste the following in the edit box:

    c:\\System Volume Information
    c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\11651bba8618e9a6cc19e2b8b1eac2f0_50e417e0-e461-474b-96e2-077b80325612
    c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_50e417e0-e461-474b-96e2-077b80325612
    c:\\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
    c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    c:\\WINDOWS\assembly\GAC_MSIL\Desktop.ini
    c:\\WINDOWS\system32\MRT.exe
  • Click Unlock. When it is done click "OK".
  • Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run from.
You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • GrantPerms log
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.
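The Junction and GrantPerms steps above can be checked mechanically. The Python below is an added example, not part of this thread nor of the Sysinternals or Farbar tools: it pulls the "Access is denied" paths out of a Junction log (the list pasted into GrantPerms in post #6) and then reads the Perms.txt that GrantPerms produces to confirm that Administrators and SYSTEM have full control and no DENY entry remains. The sample text is constructed from the logs above plus one made-up, still-locked MRT.exe section.

```python
"""Triage helpers for the Junction and GrantPerms output posted in this thread.

Added example, not part of the thread nor of the Sysinternals/Farbar tools.
Junction lines look like "Failed to open <long path>: <reason>"; Perms.txt has a
long-path header, "Owner:", a "DACL..." line, then one "<principal> <rights> ALLOW|DENY" per line.
"""
import re

LONG_PATH_PREFIX = "\\\\?\\"          # the literal \\?\ that both tools print
ACCESS_DENIED = "Access is denied."
IN_USE = ("The process cannot access the file because it is being used "
          "by another process.")
# Principals that must keep full control on scanner binaries; stripping them
# (as happened to mbam.exe and MRT.exe above) is what kept MBAM from running.
REQUIRED_FULL = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}
_ACE = re.compile(r"^(?P<who>.+?) (?P<rights>\S+) (?P<kind>ALLOW|DENY)(?: .*)?$")


def _strip_prefix(path):
    return path[len(LONG_PATH_PREFIX):] if path.startswith(LONG_PATH_PREFIX) else path


def triage_junction(log_text):
    """Sort Junction's 'Failed to open' lines into denied / in-use / other paths.
    'denied' is the list to paste into GrantPerms; pagefile.sys and hiberfil.sys
    only report 'in use', which is normal, so they stay out (as in post #6)."""
    result = {"denied": [], "in_use": [], "other": []}
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("Failed to open "):
            continue                      # progress dots, JUNCTION entries, blanks
        path, _, reason = line[len("Failed to open "):].rpartition(": ")
        path = _strip_prefix(path)
        if reason == ACCESS_DENIED:
            result["denied"].append(path)
        elif reason == IN_USE:
            result["in_use"].append(path)
        else:
            result["other"].append((path, reason))
    return result


def parse_perms(perms_text):
    """Parse GrantPerms' 'List Permissions' output into {path: {owner, aces}}."""
    entries, current = {}, None
    for line in perms_text.splitlines():
        line = line.strip()
        if line.startswith(LONG_PATH_PREFIX):       # a new file section begins
            current = _strip_prefix(line)
            entries[current] = {"owner": None, "aces": []}
        elif current is None or not line or line.startswith("DACL"):
            continue
        elif line.startswith("Owner:"):
            entries[current]["owner"] = line.split(":", 1)[1].strip()
        else:
            m = _ACE.match(line)
            if m:
                entries[current]["aces"].append((m["who"], m["rights"], m["kind"]))
    return entries


def check_perms(entries):
    """Return {path: [problems]} for files on which a scanner could still be blocked."""
    problems = {}
    for path, entry in entries.items():
        full_allow = {who for who, rights, kind in entry["aces"]
                      if rights == "FULL" and kind == "ALLOW"}
        found = [f"{who} lacks FULL ALLOW" for who in sorted(REQUIRED_FULL - full_allow)]
        found += [f"DENY ace for {who} ({rights})"
                  for who, rights, kind in entry["aces"] if kind == "DENY"]
        if found:
            problems[path] = found
    return problems


# Constructed samples: the Junction lines are the ones from the log above; the
# MRT.exe Perms.txt section is made up to show what a still-locked file looks like.
SAMPLE_JUNCTION = r"""Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
...
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\MRT.exe: Access is denied.
"""
SAMPLE_PERMS = r"""\\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Owner: BUILTIN\Administrators
DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\\WINDOWS\system32\MRT.exe
Owner: BUILTIN\Administrators
DACL(P)(AI):
Everyone FULL DENY (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
"""
```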


#7 camperguy (Topic Starter)

Posted 15 November 2011 - 11:48 AM

Below are the logs you requested. Thanks


GrantPerms by Farbar
Ran by counter (administrator) at 2011-11-15 09:37:12

===============================================
\\?\c:\\System Volume Information

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


\\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\11651bba8618e9a6cc19e2b8b1eac2f0_50e417e0-e461-474b-96e2-077b80325612

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_50e417e0-e461-474b-96e2-077b80325612

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\WINDOWS\assembly\GAC_MSIL\Desktop.ini

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\WINDOWS\system32\MRT.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)



Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8166

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

11/15/2011 10:43:21 AM
mbam-log-2011-11-15 (10-43-21).txt

Scan type: Full scan (C:\|)
Objects scanned: 338244
Time elapsed: 59 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\documents and settings\counter\local settings\application data\f1d83ef7\U\80000000.@.vir (Trojan.Agent) -> Not selected for removal.
c:\Qoobox\quarantine\C\documents and settings\counter\local settings\application data\f1d83ef7\U\800000cb.@.vir (Backdoor.0Access) -> Not selected for removal.
c:\Qoobox\quarantine\C\documents and settings\counter\local settings\application data\f1d83ef7\U\800000cf.@.vir (Rootkit.Agent) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1798\A0075811.ini (Trojan.Agent) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1800\A0077855.ini (Trojan.Agent) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1803\A0078217.ini (Trojan.Agent) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1803\A0080230.ini (Trojan.Agent) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1803\A0080235.ini (Trojan.Agent) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1803\A0080246.ini (Trojan.Agent) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1803\A0080267.ini (Trojan.Agent) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1803\A0080295.ini (Trojan.Agent) -> Not selected for removal.
c:\WINDOWS\assembly\GAC_MSIL\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.

#8 RPMcMurphy (Malware Response Team)

Posted 15 November 2011 - 04:00 PM

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Go to this page to download the latest version
  • Run the installer you just downloaded
Please go here to run an online scan with ESET.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
    • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file.
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log



#9 camperguy (Topic Starter)

Posted 15 November 2011 - 06:31 PM

The computer is running very slow, but I went to 6-7 web sites and was directed to the site I clicked on, so it is not redirecting me anymore.... Thank you. Below is the log of the ESET scan. Can that scan (ESET) be run on any computer at any time?

C:\Qoobox\Quarantine\C\Documents and Settings\counter\Local Settings\Application Data\f1d83ef7\X.vir Win32/Sirefef.DD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\counter\Local Settings\Application Data\f1d83ef7\U\800000cb.@.vir a variant of Win32/Agent.TEO trojan
C:\Qoobox\Quarantine\C\Documents and Settings\counter\Local Settings\Application Data\f1d83ef7\U\800000cf.@.vir probably a variant of Win32/Kryptik.JDI trojan
C:\Qoobox\Quarantine\C\Program Files\Cherry\CDI\CDI.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Program Files\EPSON\EPSON Advanced Printer Driver 4\EpsonPHLog.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jqs.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Program Files\Kodak\Printer\Center\KodakSvc.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\WINDOWS\4148091121.vir:237486344.exe Win32/Sirefef.CT trojan
C:\Qoobox\Quarantine\C\WINDOWS\ohowupomu.dll.vir a variant of Win32/Kryptik.MHG trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\HPZipm12.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\wuauclt.exe.vir Win32/Patched.HN trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1797\A0073773.sys Win32/Sirefef.DM trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1798\A0075810.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1798\A0075811.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1800\A0077852.exe a variant of Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1800\A0077854.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1800\A0077855.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1802\A0077966.dll a variant of Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1802\A0077967.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1803\A0078065.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1803\A0078216.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1803\A0078217.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1803\A0080229.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1803\A0080230.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1803\A0080234.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1803\A0080235.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1803\A0080245.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1803\A0080246.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1803\A0080266.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1803\A0080267.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1803\A0080294.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1803\A0080295.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1804\A0080461.dll a variant of Win32/Kryptik.MHG trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1804\A0080462.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1804\A0080463.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1804\A0080464.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1804\A0080465.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1804\A0080466.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1804\A0080467.exe Win32/Patched.HN trojan

Edited by camperguy, 15 November 2011 - 06:32 PM.


#10 RPMcMurphy (Malware Response Team)

Posted 16 November 2011 - 10:38 PM

camperguy:

Your logs look good - all those ESET detections are either already in quarantine or in your system restore cache. All of them will be removed when we uninstall ComboFix. All I have left for you is another update and some very important cleanup:

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
  • TDSSKiller
  • Junction
  • GrantPerms
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean
Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

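The triage in post #10 (hits inside ComboFix's quarantine or a System Restore point are inert copies; only a live file still needs attention) can be applied to the MBAM and ESET lines directly. The Python below is an added example, not the thread's code nor either vendor's tool; the sample lines are taken from the logs above plus one constructed live path (C:\WINDOWS\constructed_sample.dll) so the "still to deal with" case shows.

```python
"""Classify ESET / MBAM detection lines by where the flagged file lives.

Added example, not part of the thread nor of either vendor's tools. It applies the
reasoning of post #10: hits under C:\\Qoobox\\Quarantine (ComboFix's quarantine) or
under System Volume Information\\_restore{...} (System Restore points) are inert
copies that go away when ComboFix is uninstalled; anything else is a live file.
"""
import re

# MBAM log line:  <path> (<threat>) -> <action>.
_MBAM = re.compile(r"^(?P<path>.+?) \((?P<threat>[^)]+)\) -> (?P<action>.+?)\.?$")
# ESET export line: <path> <threat>, where the threat starts with an optional
# "probably" / "a variant of" and then a family name such as Win32/...
_ESET = re.compile(r"^(?P<path>.+?)\s+(?P<threat>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/.+)$")


def location(path):
    """Where the file sits: 'quarantine', 'restore_point' or 'live'."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    return "live"


def parse_detections(text):
    """Turn raw MBAM or ESET lines into records; lines in neither format are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = _MBAM.match(line)
        if m:
            records.append({"source": "MBAM", "path": m["path"], "threat": m["threat"],
                            "action": m["action"], "location": location(m["path"])})
            continue
        m = _ESET.match(line)
        if m:
            records.append({"source": "ESET", "path": m["path"], "threat": m["threat"],
                            "action": None, "location": location(m["path"])})
    return records


def needs_attention(rec):
    """True for a live file that the scanner did not already remove."""
    if rec["location"] != "live":
        return False
    return not (rec["action"] or "").startswith("Quarantined and deleted")


def summarize(records):
    """Counts per location plus the live paths still to deal with."""
    counts = {"quarantine": 0, "restore_point": 0, "live": 0}
    for rec in records:
        counts[rec["location"]] += 1
    return counts, [r["path"] for r in records if needs_attention(r)]


# Constructed sample: five lines taken from the logs above plus one made-up live
# path (C:\WINDOWS\constructed_sample.dll) so the 'still to deal with' case shows.
SAMPLE = r"""
c:\Qoobox\quarantine\C\documents and settings\counter\local settings\application data\f1d83ef7\U\800000cb.@.vir (Backdoor.0Access) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1798\A0075811.ini (Trojan.Agent) -> Not selected for removal.
c:\WINDOWS\assembly\GAC_MSIL\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\4148091121.vir:237486344.exe Win32/Sirefef.CT trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1798\A0075810.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\WINDOWS\constructed_sample.dll probably a variant of Win32/Kryptik.JDI trojan
"""
```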


#11 camperguy (Topic Starter)

Posted 17 November 2011 - 09:36 AM

Everything seems to be working as it should. Thank you for your help. :thumbsup:

#12 RPMcMurphy (Malware Response Team)

Posted 17 November 2011 - 06:23 PM

You're welcome, camperguy. Take care.



#13 RPMcMurphy (Malware Response Team)

Posted 18 November 2011 - 05:17 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
