

Do I have a rootkit?


This topic is locked
38 replies to this topic

#1 Wolverine 7 (Members, 746 posts, Bournemouth, UK)

Posted 08 February 2012 - 08:16 AM

Hi,
I have been cleaning and setting up my system (Windows XP SP3). Can you look at the GMER log for me and check for rootkit presence? I can't analyse it effectively yet.
Thanks in advance for any help.
The GMER log follows:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-08 12:04:39
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 IC25N020ATMR04-0 rev.MO1OAD0A
Running: HDL0lSga.com; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\awacakog.sys


---- System - GMER 1.0.15 ----

SSDT 829FD6A0 ZwCreateKey
SSDT 829F7420 ZwCreateMutant
SSDT 829FC4A0 ZwCreateProcess
SSDT 829FC7A0 ZwCreateProcessEx
SSDT 829F77E0 ZwCreateSymbolicLinkObject
SSDT 829FEF40 ZwCreateThread
SSDT 829FDCA0 ZwDeleteKey
SSDT 829FE5A0 ZwDeleteValueKey
SSDT 829F79C0 ZwDuplicateObject
SSDT 829F7120 ZwLoadDriver
SSDT 829FCAA0 ZwOpenProcess
SSDT 829FEB80 ZwOpenSection
SSDT 829FCDA0 ZwOpenThread
SSDT 829FDFA0 ZwRenameKey
SSDT 829FE2A0 ZwRestoreKey
SSDT 829F7600 ZwSetSystemInformation
SSDT 829FD9A0 ZwSetValueKey
SSDT 829FD0A0 ZwTerminateProcess
SSDT 829FD3A0 ZwTerminateThread
SSDT 829FED60 ZwWriteVirtualMemory

---- User code sections - GMER 1.0.15 ----

.text F:\Pale Moon\Bin\Palemoon\plugin-container.exe[1480] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 1051CB76 F:\Pale Moon\Bin\Palemoon\xul.dll (Mozilla Foundation)
.text F:\Pale Moon\Bin\Palemoon\plugin-container.exe[1480] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1051CF85 F:\Pale Moon\Bin\Palemoon\xul.dll (Mozilla Foundation)
.text F:\Pale Moon\Bin\Palemoon\Palemoon.exe[4012] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 011C6D90 F:\Pale Moon\Bin\Palemoon\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
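A way to pull the three sections of a GMER log like the one above into a triage summary, as an added example (Python written for this page, not GMER's code and not something run in the thread). SAMPLE_LOG is a constructed excerpt of the posted log. The 64 KiB "single owner" threshold is an assumption of the example: a rough check that every SSDT hook target sits inside one driver's code (what a single security product's hooking looks like) rather than in several unrelated places. AttachedDevice entries GMER printed without a vendor string (here mdvrmng.sys) are listed separately so the file can be hashed and looked up; the parser does not claim they are malicious.

```python
"""Triage helper for a GMER 1.0.15 text log. Added example for this thread, not
GMER's code; SAMPLE_LOG is a constructed excerpt of the log posted above."""
import re
from collections import defaultdict

SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\w+)")
USER_RE = re.compile(
    r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+)!(\w+)\s+([0-9A-Fa-f]{8})\s+\d+ Bytes\s+"
    r"JMP\s+([0-9A-Fa-f]{8})\s+(.+?)(?:\s+\((.+)\))?$"
)
DEV_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\((.+)\))?$")

# Assumption of this example: hook targets within 64 KiB of each other are taken
# to be one driver's code (a single hooking product, not unrelated hooks).
ONE_OWNER_SPAN = 0x10000

SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 829FD6A0 ZwCreateKey
SSDT 829FEF40 ZwCreateThread
SSDT 829F7120 ZwLoadDriver
SSDT 829FCAA0 ZwOpenProcess

---- User code sections - GMER 1.0.15 ----

.text F:\Pale Moon\Bin\Palemoon\plugin-container.exe[1480] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 1051CB76 F:\Pale Moon\Bin\Palemoon\xul.dll (Mozilla Foundation)
.text F:\Pale Moon\Bin\Palemoon\Palemoon.exe[4012] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 011C6D90 F:\Pale Moon\Bin\Palemoon\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
"""


def parse_gmer(text):
    """Collect SSDT hooks, user-mode inline hooks and AttachedDevice filters."""
    found = {"ssdt": [], "user_hooks": [], "devices": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            found["ssdt"].append((int(m.group(1), 16), m.group(2)))
        elif m := USER_RE.match(line):
            found["user_hooks"].append({
                "process": m.group(1), "pid": int(m.group(2)),
                "hooked": f"{m.group(3)}!{m.group(4)}",
                "target": m.group(7), "vendor": m.group(8)})
        elif m := DEV_RE.match(line):
            found["devices"].append({"stack": m.group(1), "device": m.group(2),
                                     "filter": m.group(3), "vendor": m.group(4)})
    return found


def ssdt_summary(ssdt):
    """Hooked SSDT entries and whether one driver plausibly owns all the hooks."""
    if not ssdt:
        return {"count": 0, "span": 0, "single_owner": True, "functions": []}
    addrs = [a for a, _ in ssdt]
    span = max(addrs) - min(addrs)
    return {"count": len(ssdt), "span": span, "single_owner": span < ONE_OWNER_SPAN,
            "functions": sorted(f for _, f in ssdt)}


def user_hook_owners(hooks):
    """Group inline hooks by the module the JMP lands in (path lower-cased)."""
    owners = defaultdict(set)
    for h in hooks:
        owners[h["target"].lower()].add(h["hooked"])
    return {mod: sorted(funcs) for mod, funcs in owners.items()}


def device_filters(devices):
    """Group AttachedDevice lines by filter driver, keeping any vendor GMER printed."""
    by_driver = defaultdict(lambda: {"vendor": None, "devices": []})
    for d in devices:
        entry = by_driver[d["filter"].lower()]
        entry["devices"].append(d["device"])
        entry["vendor"] = entry["vendor"] or d["vendor"]
    return dict(by_driver)


def unattributed_filters(devices):
    """Filter drivers GMER listed with no vendor string: hash the file and look it up."""
    return sorted(n for n, e in device_filters(devices).items() if e["vendor"] is None)


def triage(text):
    found = parse_gmer(text)
    return {"ssdt": ssdt_summary(found["ssdt"]),
            "user_hooks": user_hook_owners(found["user_hooks"]),
            "filters": device_filters(found["devices"]),
            "unattributed": unattributed_filters(found["devices"])}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it directly to print the summary as JSON. On the full log above the same checks give twenty SSDT hooks inside a range of under 32 KiB, both user-mode hooks landing in Pale Moon's own xul.dll, and mdvrmng.sys as the only filter driver GMER did not attribute to a vendor: consistent with the "clean" reading given later in the thread, with that one driver as the item still worth a hash lookup.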


#2 nasdaq (Malware Response Team, 39,528 posts, Montreal, QC, Canada)

Posted 11 February 2012 - 09:29 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Your log is clean.

Why are you asking if you have a rootkit infection?

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===

Third-party programs, if not up to date, can be the cause of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know of any issues with this computer.

#3 Wolverine 7 (Topic Starter; Members, 746 posts, Bournemouth, UK)

Posted 12 February 2012 - 09:32 PM

Hi nasdaq,
Thanks for your assistance.
Good to know the GMER log is clean. I'm asking because I don't find it easy to analyse yet; I've had my own computer a year now: a Dell Latitude D505, XP SP3, with an external drive.
The system is fully updated (regularly) etc. I recently caught a virus so wondered about rootkits (prevention is better than cure sometimes; I'm getting better at file and system analysis but it takes time).
DDS froze my system twice? (No script blocking; I use simple scripts for cleaning.)
Kaspersky antivirus with SAS, Hitman, GMER, MWBytes and other scanners in portable form.
Here is the Security Check log.
Thanks again for your help.

Results of screen317's Security Check version 0.99.31
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Kaspersky Internet Security 2012
Trend Micro™ Titanium™
```````````````````````````````
Anti-malware/Other Utilities Check:

Free Internet Window Washer
Java™ 6 Update 30
Adobe Flash Player 11.1.102.55
````````````````````````````````
Process Check:
objlist.exe by Laurent

Kaspersky Lab Kaspersky Internet Security 2012 avp.exe
``````````End of Log````````````

#4 nasdaq (Malware Response Team, 39,528 posts, Montreal, QC, Canada)

Posted 13 February 2012 - 10:46 AM

Please download TDSSKiller.zip.

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Note: You may be asked if you want to download Avast Free Antivirus I suggest you deny this download unless you do not have any Antivirus protection on the computer.
===

Quoted from the Security check

Antivirus/Firewall Check:
Kaspersky Internet Security 2012
Trend Micro™ Titanium™


Are both Kaspersky and Trend Micro enabled?
It's not recommended to have two virus protection programs running simultaneously.
It will slow down your system.

#5 Wolverine 7 (Topic Starter; Members, 746 posts, Bournemouth, UK)

Posted 14 February 2012 - 02:45 PM

Hi nasdaq,
Thanks again for your assistance.
Here are the TDSSKiller and aswMBR logs, and the aswMBR zip is attached as requested (attached file: MBR.zip, 499 bytes).
(Only Kaspersky AV is installed; Trend Micro shows up from rolling back the registry, I think.)
Kind regards
W7

19:31:44.0590 1732 TDSS rootkit removing tool 2.7.12.0 Feb 11 2012 16:58:52
19:31:45.0221 1732 ============================================================
19:31:45.0221 1732 Current date / time: 2012/02/14 19:31:45.0221
19:31:45.0221 1732 SystemInfo:
19:31:45.0221 1732
19:31:45.0221 1732 OS Version: 5.1.2600 ServicePack: 3.0
19:31:45.0221 1732 Product type: Workstation
19:31:45.0221 1732 ComputerName: OWNER-EEC90E075
19:31:45.0221 1732 UserName: Owner
19:31:45.0221 1732 Windows directory: C:\WINDOWS
19:31:45.0221 1732 System windows directory: C:\WINDOWS
19:31:45.0221 1732 Processor architecture: Intel x86
19:31:45.0221 1732 Number of processors: 1
19:31:45.0221 1732 Page size: 0x1000
19:31:45.0221 1732 Boot type: Normal boot
19:31:45.0221 1732 ============================================================
19:31:49.0067 1732 Drive \Device\Harddisk0\DR0 - Size: 0x4A8530000 (18.63 Gb), SectorSize: 0x200, Cylinders: 0x980, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
19:31:49.0077 1732 Drive \Device\Harddisk1\DR2 - Size: 0x1DD738000 (7.46 Gb), SectorSize: 0x200, Cylinders: 0x3CD, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
19:31:49.0097 1732 \Device\Harddisk0\DR0:
19:31:49.0097 1732 MBR used
19:31:49.0097 1732 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x2542902
19:31:49.0097 1732 \Device\Harddisk1\DR2:
19:31:49.0097 1732 MBR used
19:31:49.0097 1732 \Device\Harddisk1\DR2\Partition0: MBR, Type 0xB, StartLBA 0x1F80, BlocksNum 0xEE9A40
19:31:49.0127 1732 Initialize success
19:31:49.0127 1732 ============================================================
19:31:51.0290 1100 ============================================================
19:31:51.0290 1100 Scan started
19:31:51.0290 1100 Mode: Manual;
19:31:51.0290 1100 ============================================================
19:31:52.0482 1100 Abiosdsk - ok
19:31:52.0502 1100 abp480n5 - ok
19:31:52.0562 1100 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:31:52.0602 1100 ACPI - ok
19:31:52.0732 1100 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
19:31:52.0742 1100 ACPIEC - ok
19:31:52.0862 1100 adpu160m - ok
19:31:52.0932 1100 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
19:31:53.0032 1100 aec - ok
19:31:53.0173 1100 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
19:31:53.0193 1100 AFD - ok
19:31:53.0303 1100 Aha154x - ok
19:31:53.0353 1100 aic78u2 - ok
19:31:53.0373 1100 aic78xx - ok
19:31:53.0413 1100 AliIde - ok
19:31:53.0433 1100 amsint - ok
19:31:53.0523 1100 AR5523 (5af581bb431fb7a952216ad01795ef4e) C:\WINDOWS\system32\DRIVERS\ar5523.sys
19:31:53.0543 1100 AR5523 - ok
19:31:53.0643 1100 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
19:31:53.0663 1100 Arp1394 - ok
19:31:53.0743 1100 asc - ok
19:31:53.0774 1100 asc3350p - ok
19:31:53.0794 1100 asc3550 - ok
19:31:53.0904 1100 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:31:53.0904 1100 AsyncMac - ok
19:31:54.0024 1100 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:31:54.0024 1100 atapi - ok
19:31:54.0114 1100 Atdisk - ok
19:31:54.0174 1100 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:31:54.0184 1100 Atmarpc - ok
19:31:54.0314 1100 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
19:31:54.0314 1100 audstub - ok
19:31:54.0535 1100 BCM43XX (69f940672be0ecee5bd1e905706ba8ce) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
19:31:54.0555 1100 BCM43XX - ok
19:31:54.0695 1100 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:31:54.0695 1100 Beep - ok
19:31:54.0855 1100 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:31:54.0865 1100 cbidf2k - ok
19:31:54.0955 1100 cd20xrnt - ok
19:31:55.0015 1100 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:31:55.0015 1100 Cdaudio - ok
19:31:55.0125 1100 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:31:55.0135 1100 Cdfs - ok
19:31:55.0246 1100 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:31:55.0256 1100 Cdrom - ok
19:31:55.0336 1100 Changer - ok
19:31:55.0416 1100 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
19:31:55.0426 1100 CmBatt - ok
19:31:55.0496 1100 CmdIde - ok
19:31:55.0556 1100 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
19:31:55.0556 1100 Compbatt - ok
19:31:55.0656 1100 Cpqarray - ok
19:31:55.0696 1100 cpuz134 - ok
19:31:55.0826 1100 dac2w2k - ok
19:31:55.0907 1100 dac960nt - ok
19:31:56.0017 1100 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:31:56.0027 1100 Disk - ok
19:31:56.0187 1100 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
19:31:56.0217 1100 dmboot - ok
19:31:56.0327 1100 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
19:31:56.0337 1100 dmio - ok
19:31:56.0487 1100 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:31:56.0487 1100 dmload - ok
19:31:56.0558 1100 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:31:56.0558 1100 DMusic - ok
19:31:56.0658 1100 dpti2o - ok
19:31:56.0728 1100 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:31:56.0728 1100 drmkaud - ok
19:31:56.0948 1100 E100B (ac9cf17ee2ae003c98eb4f5336c38058) C:\WINDOWS\system32\DRIVERS\e100b325.sys
19:31:56.0968 1100 E100B - ok
19:31:57.0098 1100 EUBAKUP (40f272bc66a4692c4e5a07008b3c428d) C:\WINDOWS\system32\drivers\eubakup.sys
19:31:57.0108 1100 EUBAKUP - ok
19:31:57.0218 1100 EUBKMON (d6dd9e76f2d084292d3a032aa7ce9aec) C:\WINDOWS\system32\drivers\EUBKMON.sys
19:31:57.0229 1100 EUBKMON - ok
19:31:57.0329 1100 EUDSKACS (b5a6d8ffb1be1ea333c96f8788c6a909) C:\WINDOWS\system32\drivers\eudskacs.sys
19:31:57.0329 1100 EUDSKACS - ok
19:31:57.0389 1100 EUFDDISK (a67bf5bb59c6c15fab47c771dbe00c20) C:\WINDOWS\system32\drivers\EuFdDisk.sys
19:31:57.0389 1100 EUFDDISK - ok
19:31:57.0529 1100 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:31:57.0599 1100 Fastfat - ok
19:31:57.0759 1100 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
19:31:57.0769 1100 Fdc - ok
19:31:57.0950 1100 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
19:31:57.0960 1100 Fips - ok
19:31:58.0070 1100 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
19:31:58.0070 1100 Flpydisk - ok
19:31:58.0150 1100 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
19:31:58.0170 1100 FltMgr - ok
19:31:58.0300 1100 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:31:58.0310 1100 Fs_Rec - ok
19:31:59.0301 1100 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:31:59.0322 1100 Ftdisk - ok
19:31:59.0432 1100 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:31:59.0432 1100 Gpc - ok
19:31:59.0532 1100 hpn - ok
19:31:59.0612 1100 HSFHWICH (d1eecce82eaea46125e1ecbba10226ae) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
19:31:59.0622 1100 HSFHWICH - ok
19:31:59.0842 1100 HSF_DPV (cbf6831420a97e8fbb91e5f52b707ef7) C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS
19:31:59.0902 1100 HSF_DPV - ok
19:32:00.0033 1100 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
19:32:00.0083 1100 HTTP - ok
19:32:00.0163 1100 i2omgmt - ok
19:32:00.0183 1100 i2omp - ok
19:32:00.0243 1100 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:32:00.0243 1100 i8042prt - ok
19:32:00.0483 1100 ialm (da91f5385cfc8ba0f110f2fde112b563) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
19:32:00.0563 1100 ialm - ok
19:32:00.0693 1100 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
19:32:00.0693 1100 Imapi - ok
19:32:00.0834 1100 ini910u - ok
19:32:00.0894 1100 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
19:32:00.0904 1100 IntelIde - ok
19:32:00.0994 1100 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
19:32:01.0004 1100 intelppm - ok
19:32:01.0034 1100 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
19:32:01.0034 1100 Ip6Fw - ok
19:32:01.0144 1100 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:32:01.0144 1100 IpFilterDriver - ok
19:32:01.0204 1100 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:32:01.0204 1100 IpInIp - ok
19:32:01.0314 1100 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:32:01.0324 1100 IpNat - ok
19:32:01.0455 1100 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:32:01.0455 1100 IPSec - ok
19:32:01.0565 1100 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:32:01.0565 1100 IRENUM - ok
19:32:01.0625 1100 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:32:01.0625 1100 isapnp - ok
19:32:01.0735 1100 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:32:01.0745 1100 Kbdclass - ok
19:32:01.0815 1100 KL1 (186b54479d98e48aee0e9ada4b3c4d31) C:\WINDOWS\system32\DRIVERS\kl1.sys
19:32:01.0825 1100 KL1 - ok
19:32:02.0065 1100 kl2 (bf485bfba13c0ab116701fd9c55324d0) C:\WINDOWS\system32\DRIVERS\kl2.sys
19:32:02.0065 1100 kl2 - ok
19:32:02.0226 1100 KLIF (5d92a03045a6a98708975b3d77b39a36) C:\WINDOWS\system32\DRIVERS\klif.sys
19:32:02.0246 1100 KLIF - ok
19:32:02.0366 1100 klim5 (96a7ec308a93da26dfe481308baac2a2) C:\WINDOWS\system32\DRIVERS\klim5.sys
19:32:02.0366 1100 klim5 - ok
19:32:02.0506 1100 klmouflt (3959530f69e19da56f1f24f2c89f1e2c) C:\WINDOWS\system32\DRIVERS\klmouflt.sys
19:32:02.0506 1100 klmouflt - ok
19:32:02.0636 1100 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
19:32:02.0636 1100 kmixer - ok
19:32:02.0786 1100 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
19:32:02.0797 1100 KSecDD - ok
19:32:02.0907 1100 lbrtfdc - ok
19:32:02.0987 1100 massfilter (09721f2c56681a83c93ecdfab8b102a9) C:\WINDOWS\system32\drivers\massfilter.sys
19:32:03.0007 1100 massfilter - ok
19:32:03.0087 1100 MBAMProtector - ok
19:32:03.0147 1100 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
19:32:03.0147 1100 mdmxsdk - ok
19:32:03.0267 1100 mdvrmng (4e10e84320a8ec1c12bd0d00973b22ab) C:\WINDOWS\system32\drivers\mdvrmng.sys
19:32:03.0287 1100 mdvrmng - ok
19:32:03.0397 1100 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:32:03.0407 1100 mnmdd - ok
19:32:03.0467 1100 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
19:32:03.0477 1100 Modem - ok
19:32:03.0568 1100 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:32:03.0578 1100 Mouclass - ok
19:32:03.0608 1100 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
19:32:03.0618 1100 MountMgr - ok
19:32:03.0688 1100 mraid35x - ok
19:32:03.0748 1100 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:32:03.0748 1100 MRxDAV - ok
19:32:03.0938 1100 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:32:04.0018 1100 MRxSmb - ok
19:32:04.0138 1100 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
19:32:04.0148 1100 Msfs - ok
19:32:04.0219 1100 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:32:04.0219 1100 MSKSSRV - ok
19:32:04.0319 1100 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:32:04.0319 1100 MSPCLOCK - ok
19:32:04.0349 1100 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
19:32:04.0349 1100 MSPQM - ok
19:32:04.0499 1100 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:32:04.0509 1100 mssmbios - ok
19:32:04.0619 1100 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
19:32:04.0629 1100 Mup - ok
19:32:04.0669 1100 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
19:32:04.0679 1100 NDIS - ok
19:32:04.0819 1100 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:32:04.0859 1100 NdisTapi - ok
19:32:05.0060 1100 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:32:05.0060 1100 Ndisuio - ok
19:32:05.0140 1100 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:32:05.0140 1100 NdisWan - ok
19:32:05.0240 1100 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
19:32:05.0260 1100 NDProxy - ok
19:32:05.0390 1100 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:32:05.0390 1100 NetBIOS - ok
19:32:05.0430 1100 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:32:05.0440 1100 NetBT - ok
19:32:05.0611 1100 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
19:32:05.0611 1100 NIC1394 - ok
19:32:05.0641 1100 NPF - ok
19:32:05.0691 1100 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
19:32:05.0701 1100 Npfs - ok
19:32:05.0861 1100 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
19:32:05.0901 1100 Ntfs - ok
19:32:06.0031 1100 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:32:06.0041 1100 Null - ok
19:32:06.0081 1100 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:32:06.0091 1100 NwlnkFlt - ok
19:32:06.0211 1100 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:32:06.0211 1100 NwlnkFwd - ok
19:32:06.0261 1100 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
19:32:06.0261 1100 ohci1394 - ok
19:32:06.0402 1100 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
19:32:06.0502 1100 Parport - ok
19:32:06.0612 1100 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
19:32:06.0612 1100 PartMgr - ok
19:32:06.0732 1100 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
19:32:06.0732 1100 ParVdm - ok
19:32:06.0993 1100 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
19:32:07.0003 1100 PCI - ok
19:32:07.0083 1100 PCIDump - ok
19:32:07.0143 1100 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
19:32:07.0153 1100 PCIIde - ok
19:32:07.0263 1100 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
19:32:07.0273 1100 Pcmcia - ok
19:32:07.0333 1100 PDCOMP - ok
19:32:07.0363 1100 PDFRAME - ok
19:32:07.0383 1100 PDRELI - ok
19:32:07.0403 1100 PDRFRAME - ok
19:32:07.0423 1100 perc2 - ok
19:32:07.0443 1100 perc2hib - ok
19:32:07.0563 1100 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:32:07.0563 1100 PptpMiniport - ok
19:32:07.0714 1100 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
19:32:07.0724 1100 PSched - ok
19:32:07.0874 1100 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:32:07.0874 1100 Ptilink - ok
19:32:07.0964 1100 ql1080 - ok
19:32:07.0994 1100 Ql10wnt - ok
19:32:08.0014 1100 ql12160 - ok
19:32:08.0034 1100 ql1240 - ok
19:32:08.0064 1100 ql1280 - ok
19:32:08.0104 1100 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:32:08.0104 1100 RasAcd - ok
19:32:08.0234 1100 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:32:08.0234 1100 Rasl2tp - ok
19:32:08.0274 1100 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:32:08.0284 1100 RasPppoe - ok
19:32:08.0405 1100 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
19:32:08.0475 1100 Raspti - ok
19:32:09.0256 1100 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:32:09.0266 1100 Rdbss - ok
19:32:09.0386 1100 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:32:09.0386 1100 RDPCDD - ok
19:32:09.0446 1100 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
19:32:09.0456 1100 RDPWD - ok
19:32:09.0616 1100 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
19:32:09.0626 1100 redbook - ok
19:32:10.0017 1100 SASDIFSV (39763504067962108505bff25f024345) C:\DOCUME~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS
19:32:10.0027 1100 SASDIFSV - ok
19:32:10.0187 1100 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\DOCUME~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS
19:32:10.0187 1100 SASKUTIL - ok
19:32:10.0317 1100 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:32:10.0317 1100 Secdrv - ok
19:32:10.0468 1100 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
19:32:10.0468 1100 serenum - ok
19:32:10.0578 1100 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
19:32:10.0578 1100 Serial - ok
19:32:10.0718 1100 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
19:32:10.0728 1100 Sfloppy - ok
19:32:10.0828 1100 Simbad - ok
19:32:10.0858 1100 Sparrow - ok
19:32:10.0918 1100 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
19:32:10.0918 1100 splitter - ok
19:32:11.0038 1100 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
19:32:11.0048 1100 sr - ok
19:32:11.0179 1100 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
19:32:11.0199 1100 Srv - ok
19:32:11.0339 1100 STAC97 (5813d453ef8ce49d607c255cf128aceb) C:\WINDOWS\system32\drivers\stac97.sys
19:32:11.0349 1100 STAC97 - ok
19:32:11.0479 1100 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
19:32:11.0479 1100 swenum - ok
19:32:11.0579 1100 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
19:32:11.0589 1100 swmidi - ok
19:32:11.0619 1100 symc810 - ok
19:32:11.0639 1100 symc8xx - ok
19:32:11.0659 1100 sym_hi - ok
19:32:11.0689 1100 sym_u3 - ok
19:32:11.0719 1100 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
19:32:11.0729 1100 sysaudio - ok
19:32:11.0910 1100 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:32:11.0920 1100 Tcpip - ok
19:32:12.0030 1100 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
19:32:12.0060 1100 TDPIPE - ok
19:32:12.0100 1100 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
19:32:12.0130 1100 TDTCP - ok
19:32:12.0260 1100 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
19:32:12.0290 1100 TermDD - ok
19:32:12.0440 1100 tmtdi - ok
19:32:12.0470 1100 TosIde - ok
19:32:12.0541 1100 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
19:32:12.0551 1100 Udfs - ok
19:32:12.0631 1100 UIUSys - ok
19:32:12.0651 1100 ultra - ok
19:32:12.0741 1100 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
19:32:12.0781 1100 Update - ok
19:32:13.0011 1100 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
19:32:13.0061 1100 usbccgp - ok
19:32:13.0171 1100 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:32:13.0171 1100 usbehci - ok
19:32:13.0211 1100 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:32:13.0211 1100 usbhub - ok
19:32:13.0332 1100 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:32:13.0362 1100 USBSTOR - ok
19:32:13.0912 1100 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:32:13.0912 1100 usbuhci - ok
19:32:14.0033 1100 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
19:32:14.0043 1100 VgaSave - ok
19:32:14.0123 1100 ViaIde - ok
19:32:14.0183 1100 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
19:32:14.0183 1100 VolSnap - ok
19:32:14.0313 1100 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:32:14.0323 1100 Wanarp - ok
19:32:14.0413 1100 WDICA - ok
19:32:14.0453 1100 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
19:32:14.0463 1100 wdmaud - ok
19:32:14.0624 1100 winachsf (59d043485a6eda2ed2685c81489ae5bd) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
19:32:14.0654 1100 winachsf - ok
19:32:14.0874 1100 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
19:32:14.0904 1100 WudfPf - ok
19:32:15.0044 1100 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
19:32:15.0054 1100 WudfRd - ok
19:32:15.0184 1100 ZTEusbmdm6k (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbmdm6k.sys
19:32:15.0214 1100 ZTEusbmdm6k - ok
19:32:15.0365 1100 ZTEusbnmea (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbnmea.sys
19:32:15.0375 1100 ZTEusbnmea - ok
19:32:15.0505 1100 ZTEusbser6k (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbser6k.sys
19:32:15.0505 1100 ZTEusbser6k - ok
19:32:15.0575 1100 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
19:32:15.0785 1100 \Device\Harddisk0\DR0 - ok
19:32:15.0805 1100 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR2
19:32:15.0805 1100 \Device\Harddisk1\DR2 - ok
19:32:15.0825 1100 Boot (0x1200) (caba808f655418248bf949f4635a880f) \Device\Harddisk0\DR0\Partition0
19:32:15.0825 1100 \Device\Harddisk0\DR0\Partition0 - ok
19:32:15.0835 1100 Boot (0x1200) (0890746fe51bf549465f3fdfd9b52a6f) \Device\Harddisk1\DR2\Partition0
19:32:15.0835 1100 \Device\Harddisk1\DR2\Partition0 - ok
19:32:15.0845 1100 ============================================================
19:32:15.0845 1100 Scan finished
19:32:15.0845 1100 ============================================================
19:32:15.0875 3692 Detected object count: 0
19:32:15.0875 3692 Actual detected object count: 0
19:32:20.0762 3208 Deinitialize success

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-14 19:15:51
-----------------------------
19:15:51.610 OS Version: Windows 5.1.2600 Service Pack 3
19:15:51.610 Number of processors: 1 586 0x905
19:15:51.620 ComputerName: OWNER-EEC90E075 UserName: Owner
19:15:53.332 Initialize success
19:16:02.476 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:16:02.476 Disk 0 Vendor: IC25N020ATMR04-0 MO1OAD0A Size: 19077MB BusType: 3
19:16:02.536 Disk 0 MBR read successfully
19:16:02.536 Disk 0 MBR scan
19:16:02.536 Disk 0 Windows XP default MBR code
19:16:02.536 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 19077 MB offset 63
19:16:02.546 Disk 0 scanning sectors +39070017
19:16:02.776 Disk 0 scanning C:\WINDOWS\system32\drivers
19:16:16.406 Service scanning
19:16:18.439 Service KL1 C:\WINDOWS\system32\DRIVERS\kl1.sys **LOCKED** 5
19:16:18.439 Service kl2 C:\WINDOWS\system32\DRIVERS\kl2.sys **LOCKED** 5
19:16:18.449 Service klim5 C:\WINDOWS\system32\DRIVERS\klim5.sys **LOCKED** 5
19:16:18.449 Service klmouflt C:\WINDOWS\system32\DRIVERS\klmouflt.sys **LOCKED** 5
19:16:19.350 Modules scanning
19:16:39.138 Disk 0 trace - called modules:
19:16:39.158 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
19:16:39.158 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f93ab8]
19:16:39.158 3 CLASSPNP.SYS[f8697fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82f82d98]
19:16:39.168 Scan finished successfully
19:17:43.691 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\Avast MBR\MBR.dat"
19:17:43.701 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\Avast MBR\aswMBR.txt"
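
The MBR lines in the two logs above (an MD5 over the first 0x1B8 bytes of the sector, the "Windows XP default MBR code" verdict, and the decoded "Partition 1 80 (A) 07 HPFS/NTFS NTFS 19077 MB offset 63" entry) are what a bootkit check comes down to: hash the boot code that runs before Windows and compare it with a known-good value, then sanity-check the partition table. The script below is an added example and is not code from this thread, from aswMBR or from any other tool mentioned here. It builds a synthetic 512-byte sector from the geometry the aswMBR log reports (active NTFS partition at LBA 63, 19077 MB), fingerprints the boot-code region, decodes the partition entry in the same layout as the log line, and compares the fingerprint against a baseline such as the one you would record right after a clean install. The boot-code bytes, the baseline hash and the "tampered" variant are all constructed and will not match the values in the logs.

```python
"""MBR fingerprint and partition-table check (added example, not from the thread)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 0x1B8        # the region the tools above hash: boot code up to the disk signature
DISK_SIG_OFFSET = 0x1B8      # 4-byte NT disk signature
PART_TABLE_OFFSET = 0x1BE    # four 16-byte partition entries
PART_TYPES = {0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32",
              0x0C: "FAT32 LBA", 0x0F: "Extended LBA", 0x83: "Linux"}


def build_sample_mbr(boot_code: bytes, partitions, disk_signature: int = 0) -> bytes:
    """Assemble a synthetic MBR: boot code, disk signature, partition table, 0x55AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, disk_signature)
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        # CHS fields are filled with 0xFF ("use the LBA fields"), as modern tools do.
        entry = struct.pack("<B3sB3sII", status, b"\xff" * 3, ptype, b"\xff" * 3,
                            lba_start, sectors)
        off = PART_TABLE_OFFSET + 16 * i
        sector[off:off + 16] = entry
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Decode an MBR into the fields the log lines above present."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    boot_code_md5 = hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest()
    disk_signature = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i + 1,
            "status": status,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "offset": lba_start,
            "size_mb": sectors * SECTOR_SIZE // (1024 * 1024),
        })
    return {"boot_code_md5": boot_code_md5, "disk_signature": disk_signature,
            "partitions": partitions}


def check_mbr(sector: bytes, baseline_md5: str) -> list:
    """Compare a sector against a boot-code hash recorded on a known-clean system."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_md5"] != baseline_md5:
        findings.append("boot code hash differs from baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"expected one active partition, found {len(active)}")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02X}")
        if p["type_name"] == "unknown":
            findings.append(f"partition {p['index']}: unrecognised type 0x{p['type']:02X}")
    return findings


# Constructed boot code: a few plausible opening bytes plus NOP padding.
# It is NOT the Windows XP MBR code; its hash is a made-up baseline.
SAMPLE_BOOT_CODE = bytes.fromhex("33c08ed0bc007cfb") + b"\x90" * 200
# Partition entry from the geometry in the aswMBR log: active (0x80), type 0x07 NTFS,
# first sector at LBA 63, 39070017 sectors (19077 MB).
SAMPLE_PARTITIONS = [(0x80, 0x07, 63, 39070017)]
CLEAN_SECTOR = build_sample_mbr(SAMPLE_BOOT_CODE, SAMPLE_PARTITIONS)
# Stands in for the hash you would record right after a clean install.
BASELINE_MD5 = parse_mbr(CLEAN_SECTOR)["boot_code_md5"]


def tamper_boot_code(sector: bytes) -> bytes:
    """Return a copy with four boot-code bytes overwritten (a constructed change)."""
    s = bytearray(sector)
    s[0x10:0x14] = b"\xE9\x00\x01\x00"
    return bytes(s)


if __name__ == "__main__":
    info = parse_mbr(CLEAN_SECTOR)
    print("boot code md5:", info["boot_code_md5"])
    for p in info["partitions"]:
        flag = "(A)" if p["active"] else "   "
        print(f"Partition {p['index']} {p['status']:02X} {flag} {p['type']:02X} "
              f"{p['type_name']} {p['size_mb']} MB offset {p['offset']}")
    print("clean findings:", check_mbr(CLEAN_SECTOR, BASELINE_MD5))
    print("tampered findings:", check_mbr(tamper_boot_code(CLEAN_SECTOR), BASELINE_MD5))
```

The hash covers only bytes 0 to 0x1B7 because the disk signature and the partition table that follow change legitimately (new disk, repartitioning) while the boot code should not; that is why the logs print "(0x1B8)" next to the MD5. On a live system you would read the sector from the raw disk device and keep the baseline hash somewhere the machine cannot alter, since a compromised kernel can lie about what the sector contains, which is the reason the helpers in this thread also boot from separate media.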

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,528 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:37 AM

Posted 15 February 2012 - 08:56 AM

Your logs are clean.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

#7 Wolverine 7

Wolverine 7
  • Topic Starter

  • Members
  • 746 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bournemouth,UK
  • Local time:03:37 PM

Posted 15 February 2012 - 12:32 PM

Hi again
Disabled Kaspersky AV and Windows Firewall and ran ComboFix.
ComboFix froze (45 mins).
Powered off and ran again and it froze again (didn't move mouse or do anything)?
Sorry about this, don't know if this is a problem or CF just won't run on this machine?
Thanks again for your help

#8 nasdaq


Posted 15 February 2012 - 04:00 PM

Click the Start button > Run - copy and paste this command in the box: ComboFix /nombr then click OK.

#9 Wolverine 7


Posted 15 February 2012 - 04:58 PM

Hi,
I assume you're telling me to uninstall ComboFix; in the thread I'm seeing you've put run, copy and paste but not told me
what to copy and paste?
Will uninstall CFix and await any further instructions.
Appreciate your help

#10 nasdaq


Posted 16 February 2012 - 09:39 AM

Look at my instructions.

Copy and paste the following in the Start > run box.

ComboFix /nombr

If you have removed ComboFix, please download it again, then follow my instructions.
This will start ComboFix and will not check your Master Boot Record.

Post the log if you can.

#11 Wolverine 7


Posted 16 February 2012 - 02:13 PM

Oh yes, I see. Sorry, long day.
Wondered what the CF run command was :)
Please find log below.
Thanks again

2012-02-16 c:\windows\Tasks\update-sys.job
- c:\program files\Skillbrains\Updater\Updater.exe [2012-01-24 22:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2012\ie_banner_deny.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {{09E90109-A9AA-4980-BCEF-76F8D924E902} - c:\program files\Bywifi\bywifici.exe
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{95174FE5-D61C-48F1-B427-9F9F8DC416C7} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{95174~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-16 18:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2932)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2012-02-16 19:00:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-16 19:00
.
Pre-Run: 9,034,551,296 bytes free
Post-Run: 8,965,738,496 bytes free
.
- - End Of File - - DE99CF46FFD1B4FFE06DDC3DDB0EDD0C

#12 nasdaq


Posted 16 February 2012 - 02:25 PM

Are you now able to run ComboFix normally and post a log?

#13 Wolverine 7


Posted 16 February 2012 - 05:26 PM

No, CFix will only run from the Run command? (Log from that posted above.)
Running from the exe just freezes again.

#14 nasdaq


Posted 17 February 2012 - 10:02 AM

Execute the following attentively. If at any time you need help please ask.

You will need two new CDs to complete the task.

Preferably from a clean computer, I need you to download: gparted-live-0.10.0-3.iso (115.1 MB) and
Windows XP Recovery Console rc.iso

Create a bootable CD, 1 for Gparted and 1 for the Windows XP Recovery Console, from the ISO images. You can use ImgBurn to do this.

This may help with burning the ISO image(s) to a CD.
http://www.imgburn.com/index.php?act=screenshots#isowrite
===


Now boot off of the newly created Gparted CD.

You should be here...
Press ENTER

By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

Choose your language and press ENTER. English is default [33]

Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below

I would like to see that last screen.

To do a print screen, follow these steps:

* Press Alt and Print Screen button on your keyboard
* Open Paint program
* From the menu choose Edit then Paste
* Now save the picture and attach it here for me to review.

Exit all programs.

#15 Wolverine 7


Posted 17 February 2012 - 01:16 PM

Hi, thanks for your continued assistance on this.
I can do the process if necessary as long as the computer will do it; you're obviously seeing a possible problem here?
I have a system image made just after install with Todo Backup; would I be
better off re-imaging? (I back up files regularly, so no problem there.)
Not trying to be lazy here, just a bit pushed for time and space at present, and wondered
your opinion?
As said, happy to create CDs if necessary.
Thanks
W7



