liv (Members, 15 posts)
Everything posted by liv

  1. Ah ha! Got it! Thanks very much, guys. Hopefully it won't pop up again. Any clue where that b.exe came from, so I can avoid it?
  2. I can't find b.exe anywhere in Task Scheduler. =/
  3. "Silent Runners.vbs", revision 61, http://www.silentrunners.org/
     Operating System: Windows Vista SP1
     Output limited to non-default values, except where indicated by "{++}"

     Startup items buried in registry:
     ---------------------------------

     HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
     "Sidebar" = "C:\Program Files\Windows Sidebar\sidebar.exe /autoRun" [MS]
     "AMP WinOFF" = "c:\program files\amp winoff\winoff.exe -quiet" ["Alberto Mart
  4. How do you run it? Double-clicking keeps opening it in Notepad.
  5. OTL logfile created on: 4/17/2010 1:18:12 PM - Run 2
     OTL by OldTimer - Version 3.2.1.1 Folder = C:\Users\Vi\Desktop
     Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
     Internet Explorer (Version = 8.0.6001.18904)
     Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

     3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 57.00% Memory free
     6.00 Gb Paging File | 5.00 Gb Available in Paging File | 76.00% Paging File free
     Paging file location(s): c:\pagefile.sys 3055 5000 [binary data]

     %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
     Drive C: | 363.75 Gb Total Space | 166.99 Gb Free Space | 45.91% Space Free | Partition Type: NTFS
     Drive D: | 8.86 Gb Total Space | 1.35 Gb Free Space | 15.29% Space Free | Partition Type: NTFS
     E: Drive not present or media not loaded
     Drive F: | 1397.26 Gb Total Space | 1284.09 Gb Free Space | 91.90% Space Free | Partition Type: NTFS
     Drive G: | 48.83 Gb Total Space | 2.38 Gb Free Space | 4.87% Space Free | Partition Type: NTFS
     H: Drive not present or media not loaded
     Drive I: | 48.83 Gb Total Space | 13.20 Gb Free Space | 27.03% Space Free | Partition Type: NTFS
     Drive O: | 51.39 Gb Total Space | 43.14 Gb Free Space | 83.95% Space Free | Partition Type: NTFS
     Drive P: | 39.06 Gb Total Space | 27.44 Gb Free Space | 70.26% Space Free | Partition Type: NTFS
     Drive Q: | 35.47 Gb Total Space | 26.18 Gb Free Space | 73.80% Space Free | Partition Type: NTFS

     Computer Name: VIL
     Current User Name: Vi
     Logged in as Administrator.

     Current Boot Mode: Normal
     Scan Mode: Current user
     Company Name Whitelist: Off
     Skip Microsoft Files: Off
     File Age = 30 Days
     Output = Standard

     ========== Custom Scans ==========

     < %SYSTEMROOT%\b.exe /s >

     < hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|b.exe /RS >

     < hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|b.exe /RS >

     < hkcu\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|b.exe /RS >

     < End of report >
  6. Malwarebytes' Anti-Malware 1.45
     www.malwarebytes.org

     Database version: 3930

     Windows 6.0.6001 Service Pack 1
     Internet Explorer 8.0.6001.18904

     4/16/2010 8:07:14 AM
     mbam-log-2010-04-16 (08-07-14).txt

     Scan type: Quick scan
     Objects scanned: 131957
     Time elapsed: 5 minute(s), 27 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     ======================================

     And this is from the protection log:

     07:26:57 Vi MESSAGE Protection started successfully
     07:27:00 Vi MESSAGE IP Protection started successfully
     07:44:39 Vi IP-BLOCK 89.28.71.210
     08:00:14 Vi DETECTION C:\Users\Vi\AppData\Local\Temp\b.exe Trojan.Dropper QUARANTINE
     08:00:15 Vi ERROR Quarantine failed: UtilityReadFile failed with error code 2
     08:04:08 Vi IP-BLOCK 72.233.114.171
     08:04:14 Vi MESSAGE IP Protection stopped

     It happens at every startup.
  7. Malwarebytes keeps picking up b.exe as a Trojan.Dropper at every startup, but is unable to quarantine or remove it. I scanned with Malwarebytes and Avast, yet found none. b.exe is not shown in the startup options. I followed the directory (showing hidden files) to the b.exe, but I can't find it either. I haven't noticed any changes or problems with my computer yet, but it is quite annoying that Malwarebytes keeps popping up a message prompting me to quarantine, but won't do the job. Please help with b.exe removal.
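The b.exe posts above check Task Scheduler by hand and run an OTL custom scan over the Run and RunServices keys. As an added example, not from this thread and not part of the helper's instructions, the PowerShell script below does that search in one pass over the common autostart locations: the Run/RunOnce/RunServices keys in HKLM and HKCU, the Winlogon key, the two Startup folders, and the Task Scheduler definitions stored as XML under System32\Tasks (the same data the Task Scheduler GUI reads, so a task whose name gives nothing away is still matched by its action). The file name b.exe comes from the thread; the list of locations, the function names and the output format are this example's own choices. It assumes PowerShell 2.0 or later on Vista or newer, run from an elevated prompt so that HKLM and the Tasks folder are readable. If "error code 2" in the protection log is the Win32 code, it is ERROR_FILE_NOT_FOUND: the Temp copy was already gone when the scanner tried to read it, so the thing worth finding is whatever writes and launches it at each boot, not the file itself.

```powershell
# Added example, not from the thread: search the usual autostart locations for
# any reference to a file name (b.exe from the posts above). Assumes PowerShell
# 2.0+ on Windows Vista or later, run from an elevated prompt. The location list,
# function names and output format are this example's own choices.
param(
    [string]$FileName = 'b.exe'
)

function Test-FileMentions {
    # True if the raw bytes of $Path contain $Name in either the ANSI or the
    # UTF-16LE encoding. Shortcut (.lnk) files carry the target path as ANSI and
    # Task Scheduler stores task XML as UTF-16, so a single text decode would
    # miss one of the two.
    param([string]$Path, [string]$Name)
    try { $bytes = [System.IO.File]::ReadAllBytes($Path) } catch { return $false }
    $pattern = [regex]::Escape($Name)
    $ansi    = [System.Text.Encoding]::Default.GetString($bytes)
    $utf16   = [System.Text.Encoding]::Unicode.GetString($bytes)
    return ($ansi -match $pattern) -or ($utf16 -match $pattern)
}

function Find-AutostartReferences {
    param([string]$Name)
    $hits    = @()
    $pattern = [regex]::Escape($Name)   # -match is case-insensitive by default

    # 1. Registry run keys: the hives the OTL custom scan in the thread queried,
    #    plus RunOnce, Winlogon (Shell/Userinit) and the 32-bit view on x64.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # PSPath, PSParentPath etc. are PowerShell metadata, not registry values.
            if ($prop.Name -like 'PS*') { continue }
            if ("$($prop.Value)" -match $pattern) {
                $hits += New-Object PSObject -Property @{
                    Location = "$key\$($prop.Name)"; Value = "$($prop.Value)" }
            }
        }
    }

    # 2. Startup folders (per-user and all-users) and
    # 3. Task Scheduler definitions (what the Task Scheduler GUI reads).
    $dirs = @(
        (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:SystemRoot  'System32\Tasks')
    )
    foreach ($dir in $dirs) {
        if (-not (Test-Path $dir)) { continue }
        $files = Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
                 Where-Object { -not $_.PSIsContainer }
        foreach ($f in $files) {
            if ($f.Name -match $pattern -or (Test-FileMentions -Path $f.FullName -Name $Name)) {
                $hits += New-Object PSObject -Property @{
                    Location = $f.FullName; Value = '(file references it)' }
            }
        }
    }
    return $hits
}

$found = @(Find-AutostartReferences -Name $FileName)
if ($found.Count -eq 0) {
    "No autostart reference to $FileName in run keys, Startup folders or task definitions."
} else {
    $found | Format-Table -AutoSize Location, Value
}
```

Save it under any name (say Find-Autostart.ps1, a name chosen here) and run `.\Find-Autostart.ps1 -FileName b.exe` from an elevated PowerShell. An empty result for a dropper that reappears at every boot means the launcher lives somewhere this list does not cover (a service, a WMI event subscription, an Active Setup or Browser Helper Object entry), and the next step is a full Autoruns-style listing rather than more searching in Task Scheduler.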
  8. I could not uninstall the Ask toolbar; it gives me the following error: "specified module could not be found". Java: I don't see JRE 6 Update 15, but I installed JRE 6 Update 16 instead. Other than that, all went as instructed.

     All processes killed
     ========== PROCESSES ==========
     No active process named explorer.exe was found!
     ========== FILES ==========
     File/Folder C:\Program Files\AskSBar not found.
     ========== REGISTRY ==========
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}\ deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}\ deleted successfully.
     Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}\ deleted successfully.
     ========== COMMANDS ==========

     [EMPTYTEMP]

     User: Administrator
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 67 bytes

     User: All Users

     User: Default User
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 32768 bytes

     User: JimEllen
     ->Temp folder emptied: 77085305 bytes
     ->Temporary Internet Files folder emptied: 1499127 bytes
     ->Java cache emptied: 41659220 bytes

     User: LocalService
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 770249 bytes

     User: NetworkService
     ->Temp folder emptied: 0 bytes
     File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
     ->Temporary Internet Files folder emptied: 33170 bytes

     User: Owner
     ->Temp folder emptied: 0 bytes

     %systemdrive% .tmp files removed: 0 bytes
     %systemroot% .tmp files removed: 19569 bytes
     %systemroot%\System32 .tmp files removed: 7246353 bytes
     File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_b60.dat scheduled to be deleted on reboot.
     Windows Temp folder emptied: 73937 bytes
     RecycleBin emptied: 0 bytes

     Total Files Cleaned = 122.47 mb

     OTM by OldTimer - Version 3.0.0.6 log created on 08112009_183048

     Files moved on Reboot...
     File C:\WINDOWS\temp\Perflib_Perfdata_b60.dat not found!

     Registry entries deleted on Reboot...
  9. Here you go: info.txt, log.txt
  10. For some reason, I cannot start the Kaspersky web scanner. It says "check license failed" when installing the update. Anyway, I rescanned with Malwarebytes and a McAfee full scan. No malware found. I guess the PC is all cleaned up. Everything seems to be back to normal now. Thank you very much for the support.
  11. Hey, thank you very much for the help. Malwarebytes says that it is successfully removed. I'm taking a break now. I will scan online with Kaspersky tomorrow and post its log later. So here's Malwarebytes' log:

      Malwarebytes' Anti-Malware 1.40
      Database version: 2551
      Windows 5.1.2600 Service Pack 3

      8/10/2009 9:44:36 PM
      mbam-log-2009-08-10 (21-44-36).txt

      Scan type: Quick Scan
      Objects scanned: 94626
      Time elapsed: 10 minute(s), 7 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 1

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
  12. ComboFix 09-08-10.01 - JimEllen 08/10/2009 20:34.2.1 - NTFSx86
      Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.238 [GMT -4:00]
      Running from: E:\ComboFix.exe
      Command switches used :: E:\CFScript.txt
      AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
      FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

      WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

      FILE ::
      "c:\windows\system32\668A0AE9C1.sys"

      file zipped: c:\windows\system32\uacinit.dll
      .
      ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
      .
      ? c:\program files\AskSBar
      .
      ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
      .
      -------\Legacy_PNSSRYTORJZOH
      -------\Service_pnssrytorjzoh

      ((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))
      .
      2009-08-11 00:05 . 2009-08-11 00:05 -------- d-s---w- c:\windows\Cookies
      2009-08-10 20:16 . 2009-08-10 20:16 -------- d-----w- c:\documents and settings\JimEllen\Local Settings\Application Data\Downloaded Installations
      2009-08-10 18:47 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
      2009-08-10 18:47 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
      2009-08-10 18:13 . 2009-08-10 18:23 2730 ----a-w- c:\windows\system32\tmp.reg
      2009-08-10 17:48 . 2009-08-10 17:49 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
      2009-08-10 17:36 . 2009-08-10 17:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
      2009-08-10 16:09 . 2009-08-10 16:11 16455 ----a-w- c:\windows\metafile.dat
      2009-08-10 14:16 . 2009-08-10 14:17 -------- d-----w- C:\3379528461cdc5d9c9381d8c
      2009-08-10 13:38 . 2009-08-10 13:37 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
      2009-08-10 13:36 . 2009-08-10 17:54 -------- d-----w- c:\documents and settings\JimEllen\.housecall6.6
      2009-08-10 13:15 . 2009-08-10 13:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
      2009-08-07 19:34 . 2009-08-07 19:36 -------- d-----w- c:\documents and settings\JimEllen\Application Data\U3
      2009-08-07 19:28 . 2009-08-07 19:28 -------- d-----w- c:\documents and settings\JimEllen\Local Settings\Application Data\PCHealth
      2009-08-07 13:59 . 2009-08-07 13:59 -------- d-----w- c:\documents and settings\JimEllen\Application Data\Malwarebytes
      2009-08-07 13:58 . 2009-08-07 13:58 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
      2009-08-07 13:58 . 2009-08-10 18:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
      2009-08-06 22:17 . 2009-08-06 22:17 -------- d-----w- c:\program files\Alwil Software
      2009-08-06 22:00 . 2009-08-06 22:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
      2009-08-06 21:21 . 2009-08-06 21:21 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8
      2009-08-06 20:35 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
      2009-08-06 20:35 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
      2009-08-06 20:35 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
      2009-08-06 20:35 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
      2009-08-06 18:33 . 2004-08-04 11:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
      2009-08-06 18:33 . 2004-08-04 11:00 185344 ----a-w- c:\windows\system32\dllcache\thawbrkr.dll
      2009-08-06 18:33 . 2004-08-04 11:00 10752 ----a-w- c:\windows\system32\dllcache\c_iscii.dll
      2009-08-06 18:33 . 2004-08-04 11:00 10752 ----a-w- c:\windows\system32\c_iscii.dll
      2009-08-06 18:33 . 2004-08-04 11:00 5632 ----a-w- c:\windows\system32\kbdusa.dll
      2009-08-06 18:33 . 2004-08-04 11:00 5632 ----a-w- c:\windows\system32\dllcache\kbdusa.dll
      2009-08-06 18:33 . 2004-08-04 11:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll
      2009-08-06 18:33 . 2004-08-04 11:00 6144 ----a-w- c:\windows\system32\dllcache\ftlx041e.dll
      2009-07-27 02:42 . 2009-08-07 15:30 -------- d-sh--w- c:\docume~1\ALLUSE~1\APPLIC~1\fe390bf
      2009-07-25 07:51 . 2009-07-25 07:51 -------- d-----w- C:\9920ba37f743a8ff2420
      2009-07-25 04:36 . 2009-08-11 00:34 5952 ----a-w- c:\windows\system32\uacinit.dll
      .
      (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2009-08-10 15:26 . 2006-03-11 18:54 55104 -c--a-w- c:\documents and settings\JimEllen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
      2009-08-10 15:24 . 2009-03-20 20:35 -------- d-----w- c:\program files\McAfee
      2009-07-14 12:09 . 2009-03-20 20:25 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
      2009-06-26 16:50 . 2004-08-10 18:51 666624 ----a-w- c:\windows\system32\wininet.dll
      2009-06-26 16:50 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\ieencode.dll
      2009-06-16 14:36 . 2004-08-10 18:51 119808 ----a-w- c:\windows\system32\t2embed.dll
      2009-06-16 14:36 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\fontsub.dll
      2009-06-03 19:09 . 2004-08-10 18:51 1291264 ----a-w- c:\windows\system32\quartz.dll
      2009-06-02 23:22 . 2007-05-27 13:59 4652 --sha-w- c:\windows\system32\KGyGaAvL.sys
      2009-06-02 23:22 . 2007-05-27 13:59 104 --sh--r- c:\windows\system32\668A0AE9C1.sys
      2006-08-20 23:17 . 2006-08-20 23:19 774144 ----a-w- c:\program files\RngInterstitial.dll
      .
      ((((((((((((((((((((((((((((( SnapShot@2009-08-10_23.58.20 )))))))))))))))))))))))))))))))))))))))))
      .
      + 2009-08-11 00:41 . 2009-08-11 00:41 16384 c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
      + 2009-08-11 00:41 . 2009-08-11 00:41 16384 c:\windows\Temp\History\History.IE5\index.dat
      + 2009-08-11 00:41 . 2009-08-11 00:41 16384 c:\windows\Temp\Cookies\index.dat
      + 2009-08-11 00:39 . 2009-08-11 00:39 53248 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
      + 2009-08-11 00:39 . 2009-08-11 00:39 49152 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
      + 2009-08-11 00:05 . 2009-08-11 00:08 16384 c:\windows\Cookies\index.dat
      + 2009-08-11 00:39 . 2009-08-11 00:39 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
      + 2009-08-11 00:39 . 2009-08-11 00:39 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
      + 2009-08-11 00:39 . 2009-08-11 00:39 352256 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
      + 2009-08-11 00:39 . 2009-08-11 00:39 233472 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
      .
      ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
      "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
      "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
      "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
      "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
      "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
      "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
      "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-21 98304]
      "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
      "MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
      "MMTray"="c:\progra~1\MUSICM~1\MUSICM~3\mm_tray.exe" [2005-09-09 110592]
      "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-02-21 169472]
      "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
      "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-12 185896]
      "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
      "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-09-10 393216]

      c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
      Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-2-21 24576]
      NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-4-4 118784]

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
      "EditLevel"= 0 (0x0)
      "NoCommonGroups"= 0 (0x0)

      [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
      "EditLevel"= 0 (0x0)
      "NoCommonGroups"= 0 (0x0)

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
      @=""

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
      @=""

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
      @="Driver"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
      @="Driver"

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
      "DisableMonitoring"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
      "DisableMonitoring"=dword:00000001

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
      "EnableFirewall"= 0 (0x0)

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

      R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/20/2009 4:41 PM 210216]
      .
      .
      ------- Supplementary Scan -------
      .
      Trusted Zone: musicmatch.com\online
      .
      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2009-08-10 20:42
      Windows 5.1.2600 Service Pack 3 NTFS

      scanning hidden processes ...

      scanning hidden autostart entries ...

      scanning hidden files ...

      scan completed successfully
      hidden files: 0

      **************************************************************************
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(776)
      c:\windows\System32\BCMLogon.dll

      - - - - - - - > 'explorer.exe'(1104)
      c:\program files\McAfee\SiteAdvisor\saHook.dll
      .
      ------------------------ Other Running Processes ------------------------
      .
      c:\windows\system32\WLTRYSVC.EXE
      c:\windows\system32\BCMWLTRY.EXE
      c:\progra~1\McAfee\MSC\mcmscsvc.exe
      c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
      c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
      c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
      c:\program files\McAfee\MPF\MpfSrv.exe
      c:\program files\McAfee\MSK\msksrver.exe
      c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
      c:\windows\system32\wdfmgr.exe
      c:\progra~1\McAfee.com\Agent\mcagent.exe
      c:\windows\system32\igfxsrvc.exe
      c:\windows\system32\WLTRAY.EXE
      c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
      c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
      c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
      c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
      .
      **************************************************************************
      .
      Completion time: 2009-08-11 20:48 - machine was rebooted
      ComboFix-quarantined-files.txt 2009-08-11 00:48
      ComboFix2.txt 2009-08-11 00:01

      Pre-Run: 25,887,416,320 bytes free
      Post-Run: 25,790,353,408 bytes free

      185 --- E O F --- 2009-08-10 19:56
  13. Thanks for answering. I don't see the 7 boxes option in RootRepeal, but anyway, here's the log:

      ROOTREPEAL © AD, 2007-2009
      ==================================================
      Scan Start Time: 2009/08/10 20:06
      Program Version: Version 1.3.3.0
      Windows Version: Windows XP SP3
      ==================================================

      Drivers
      -------------------
      Name | Image Path | Address | Size | File Visible | Signed | Status
      ACPI.sys | ACPI.sys | 0xF8443000 | 187776 | - | - | -
      ACPI_HAL | \Driver\ACPI_HAL | 0x804D7000 | 2066048 | - | - | -
      AegisP.sys | C:\WINDOWS\system32\DRIVERS\AegisP.sys | 0xA9FF3000 | 15968 | - | - | -
      afd.sys | C:\WINDOWS\System32\drivers\afd.sys | 0xAA2B8000 | 138496 | - | - | -
      APPDRV.SYS | C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS | 0xF8A2E000 | 16128 | - | - | -
      atapi.sys | atapi.sys | 0xF83FB000 | 96512 | - | - | -
      ATMFD.DLL | C:\WINDOWS\System32\ATMFD.DLL | 0xBFFA0000 | 286720 | - | - | -
      audstub.sys | C:\WINDOWS\system32\DRIVERS\audstub.sys | 0xF8C5B000 | 3072 | - | - | -
      BATTC.SYS | C:\WINDOWS\system32\DRIVERS\BATTC.SYS | 0xF898A000 | 16384 | - | - | -
      bcm4sbxp.sys | C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys | 0xF87C2000 | 45312 | - | - | -
      bcmwl5.sys | C:\WINDOWS\system32\DRIVERS\bcmwl5.sys | 0xF8076000 | 369024 | - | - | -
      Beep.SYS | C:\WINDOWS\System32\Drivers\Beep.SYS | 0xF8AAC000 | 4224 | - | - | -
      BOOTVID.dll | C:\WINDOWS\system32\BOOTVID.dll | 0xF8982000 | 12288 | - | - | -
      catchme.sys | C:\ComboFix\catchme.sys | 0xF8972000 | 31744 | No | - | -
      Cdfs.SYS | C:\WINDOWS\System32\Drivers\Cdfs.SYS | 0xA90D2000 | 63744 | - | - | -
      cdrom.sys | C:\WINDOWS\system32\DRIVERS\cdrom.sys | 0xF85F2000 | 62976 | - | - | -
      CLASSPNP.SYS | C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS | 0xF85B2000 | 53248 | - | - | -
      CmBatt.sys | C:\WINDOWS\system32\DRIVERS\CmBatt.sys | 0xF8A46000 | 13952 | - | - | -
      Combo-Fix.sys | Combo-Fix.sys | 0xF85D2000 | 60416 | No | - | -
      compbatt.sys | compbatt.sys | 0xF8986000 | 10240 | - | - | -
      disk.sys | disk.sys | 0xF85A2000 | 36352 | - | - | -
      drmk.sys | C:\WINDOWS\system32\drivers\drmk.sys | 0xF8692000 | 61440 | - | - | -
      drvmcdb.sys | drvmcdb.sys | 0xF83B4000 | 85344 | - | - | -
      drvnddm.sys | C:\WINDOWS\system32\drivers\drvnddm.sys | 0xAA740000 | 38240 | - | - | -
      dump_atapi.sys | C:\WINDOWS\System32\Drivers\dump_atapi.sys | 0xAA05F000 | 98304 | No | - | -
      dump_WMILIB.SYS | C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS | 0xF8AC0000 | 8192 | No | - | -
      Dxapi.sys | C:\WINDOWS\System32\drivers\Dxapi.sys | 0xF7FC3000 | 12288 | - | - | -
      dxg.sys | C:\WINDOWS\System32\drivers\dxg.sys | 0xBF000000 | 73728 | - | - | -
      dxgthk.sys | C:\WINDOWS\System32\drivers\dxgthk.sys | 0xF8CA3000 | 4096 | - | - | -
      Fastfat.SYS | C:\WINDOWS\System32\Drivers\Fastfat.SYS | 0xAA077000 | 143744 | - | - | -
      Fips.SYS | C:\WINDOWS\System32\Drivers\Fips.SYS | 0xF86F2000 | 44544 | - | - | -
      fltmgr.sys | fltmgr.sys | 0xF83DB000 | 129792 | - | - | -
      Fs_Rec.SYS | C:\WINDOWS\System32\Drivers\Fs_Rec.SYS | 0xF8AAA000 | 7936 | - | - | -
      ftdisk.sys | ftdisk.sys | 0xF8413000 | 125056 | - | - | -
      hal.dll | C:\WINDOWS\system32\hal.dll | 0x806D0000 | 131840 | - | - | -
      HDAudBus.sys | C:\WINDOWS\system32\DRIVERS\HDAudBus.sys | 0xF80F5000 | 163840 | - | - | -
      HSF_CNXT.sys | C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys | 0xAA3FD000 | 717952 | - | - | -
      HSF_DPV.sys | C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys | 0xAA4AD000 | 1035008 | - | - | -
      HSFHWAZL.sys | C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys | 0xAA5AA000 | 201600 | - | - | -
      HTTP.sys | C:\WINDOWS\System32\Drivers\HTTP.sys | 0xA926A000 | 264832 | - | - | -
      i2omgmt.SYS | C:\WINDOWS\System32\Drivers\i2omgmt.SYS | 0xF827C000 | 8576 | - | - | -
      i8042prt.sys | C:\WINDOWS\system32\DRIVERS\i8042prt.sys | 0xF87D2000 | 52480 | - | - | -
      ialmdd5.DLL | C:\WINDOWS\System32\ialmdd5.DLL | 0xBF077000 | 929792 | - | - | -
      ialmdev5.DLL | C:\WINDOWS\System32\ialmdev5.DLL | 0xBF042000 | 217088 | - | - | -
      ialmdnt5.dll | C:\WINDOWS\System32\ialmdnt5.dll | 0xBF020000 | 139264 | - | - | -
      ialmnt5.sys | C:\WINDOWS\system32\DRIVERS\ialmnt5.sys | 0xF8131000 | 1302688 | - | - | -
      ialmrnt5.dll | C:\WINDOWS\System32\ialmrnt5.dll | 0xBF012000 | 57344 | - | - | -
      imapi.sys | C:\WINDOWS\system32\DRIVERS\imapi.sys | 0xF87E2000 | 42112 | - | - | -
      intelide.sys | intelide.sys | 0xF8A76000 | 5504 | - | - | -
      intelppm.sys | C:\WINDOWS\system32\DRIVERS\intelppm.sys | 0xF87B2000 | 36352 | - | - | -
      ipfltdrv.sys | C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys | 0xF86C2000 | 32896 | - | - | -
      ipnat.sys | C:\WINDOWS\system32\DRIVERS\ipnat.sys | 0xAA19C000 | 152832 | - | - | -
      ipsec.sys | C:\WINDOWS\system32\DRIVERS\ipsec.sys | 0xAA382000 | 75264 | - | - | -
      isapnp.sys | isapnp.sys | 0xF8572000 | 37248 | - | - | -
      kbdclass.sys | C:\WINDOWS\system32\DRIVERS\kbdclass.sys | 0xF88BA000 | 24576 | - | - | -
      KDCOM.DLL | C:\WINDOWS\system32\KDCOM.DLL | 0xF8A72000 | 8192 | - | - | -
      kmixer.sys | C:\WINDOWS\system32\drivers\kmixer.sys | 0xA8FBF000 | 172416 | - | - | -
      ks.sys | C:\WINDOWS\system32\DRIVERS\ks.sys | 0xF8024000 | 143360 | - | - | -
      KSecDD.sys | KSecDD.sys | 0xF839D000 | 92288 | - | - | -
      mdmxsdk.sys | C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys | 0xA9C16000 | 11840 | - | - | -
      mfeavfk.sys | C:\WINDOWS\system32\drivers\mfeavfk.sys | 0xA92FB000 | 73152 | - | - | -
      mfebopk.sys | C:\WINDOWS\system32\drivers\mfebopk.sys | 0xF88EA000 | 28544 | - | - | -
      mfehidk.sys | C:\WINDOWS\system32\drivers\mfehidk.sys | 0xAA1EA000 | 207296 | - | - | -
      mferkdk.sys | C:\WINDOWS\system32\drivers\mferkdk.sys | 0xF8842000 | 27488 | - | - | -
      mfesmfk.sys | C:\WINDOWS\system32\drivers\mfesmfk.sys | 0xA9B90000 | 33824 | - | - | -
      mnmdd.SYS | C:\WINDOWS\System32\Drivers\mnmdd.SYS | 0xF8AAE000 | 4224 | - | - | -
      Modem.SYS | C:\WINDOWS\System32\Drivers\Modem.SYS | 0xF88F2000 | 30080 | - | - | -
      mouclass.sys | C:\WINDOWS\system32\DRIVERS\mouclass.sys | 0xF88B2000 | 23040 | - | - | -
      MountMgr.sys | MountMgr.sys | 0xF8582000 | 42368 | - | - | -
      Mpfp.sys | C:\WINDOWS\System32\Drivers\Mpfp.sys | 0xAA302000 | 159744 | - | - | -
      mrxdav.sys | C:\WINDOWS\system32\DRIVERS\mrxdav.sys | 0xA9CF2000 | 180608 | - | - | -
      mrxsmb.sys | C:\WINDOWS\system32\DRIVERS\mrxsmb.sys | 0xAA21D000 | 455296 | - | - | -
      Msfs.SYS | C:\WINDOWS\System32\Drivers\Msfs.SYS | 0xF8912000 | 19072 | - | - | -
      msgpc.sys | C:\WINDOWS\system32\DRIVERS\msgpc.sys | 0xF8642000 | 35072 | - | - | -
      mssmbios.sys | C:\WINDOWS\system32\DRIVERS\mssmbios.sys | 0xF8A62000 | 15488 | - | - | -
      Mup.sys | Mup.sys | 0xF82C9000 | 105344 | - | - | -
      NDIS.sys | NDIS.sys | 0xF82E3000 | 182656 | - | - | -
      ndistapi.sys | C:\WINDOWS\system32\DRIVERS\ndistapi.sys | 0xF8A52000 | 10112 | - | - | -
      ndisuio.sys | C:\WINDOWS\system32\DRIVERS\ndisuio.sys | 0xA9FEF000 | 14592 | - | - | -
      ndiswan.sys | C:\WINDOWS\system32\DRIVERS\ndiswan.sys | 0xF7FFC000 | 91520 | - | - | -
      NDProxy.SYS | C:\WINDOWS\System32\Drivers\NDProxy.SYS | 0xF8662000 | 40576 | - | - | -
      netbios.sys | C:\WINDOWS\system32\DRIVERS\netbios.sys | 0xF86D2000 | 34688 | - | - | -
      netbt.sys | C:\WINDOWS\system32\DRIVERS\netbt.sys | 0xAA2DA000 | 162816 | - | - | -
      Npfs.SYS | C:\WINDOWS\System32\Drivers\Npfs.SYS | 0xF891A000 | 30848 | - | - | -
      Ntfs.sys | Ntfs.sys | 0xF8310000 | 574976 | - | - | -
      ntkrnlpa.exe | C:\WINDOWS\system32\ntkrnlpa.exe | 0x804D7000 | 2066048 | - | - | -
      Null.SYS | C:\WINDOWS\System32\Drivers\Null.SYS | 0xF8B8D000 | 2944 | - | - | -
      PartMgr.sys | PartMgr.sys | 0xF87FA000 | 19712 | - | - | -
      pci.sys | pci.sys | 0xF8432000 | 68224 | - | - | -
      pciide.sys | pciide.sys | 0xF8B3A000 | 3328 | - | - | -
      PCIIDEX.SYS | C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS | 0xF87F2000 | 28672 | - | - | -
      pfc.sys | C:\WINDOWS\system32\drivers\pfc.sys | 0xF8A4A000 | 10368 | - | - | -
      PnpManager | \Driver\PnpManager | 0x804D7000 | 2066048 | - | - | -
      portcls.sys | C:\WINDOWS\system32\drivers\portcls.sys | 0xAA5DC000 | 147456 | - | - | -
      PROCEXP90.SYS | C:\WINDOWS\system32\Drivers\PROCEXP90.SYS | 0xF8B24000 | 6464 | No | - | -
      psched.sys | C:\WINDOWS\system32\DRIVERS\psched.sys | 0xF7FEB000 | 69120 | - | - | -
      ptilink.sys | C:\WINDOWS\system32\DRIVERS\ptilink.sys | 0xF88CA000 | 17792 | - | - | -
      PxHelp20.sys | PxHelp20.sys | 0xF85C2000 | 36320 | - | - | -
      rasacd.sys | C:\WINDOWS\system32\DRIVERS\rasacd.sys | 0xF8270000 | 8832 | - | - | -
      rasl2tp.sys | C:\WINDOWS\system32\DRIVERS\rasl2tp.sys | 0xF8612000 | 51328 | - | - | -
      raspppoe.sys | C:\WINDOWS\system32\DRIVERS\raspppoe.sys | 0xF8622000 | 41472 | - | - | -
      raspptp.sys | C:\WINDOWS\system32\DRIVERS\raspptp.sys | 0xF8632000 | 48384 | - | - | -
      raspti.sys | C:\WINDOWS\system32\DRIVERS\raspti.sys | 0xF88D2000 | 16512 | - | - | -
      RAW | \FileSystem\RAW | 0x804D7000 | 2066048 | - | - | -
      rdbss.sys | C:\WINDOWS\system32\DRIVERS\rdbss.sys | 0xAA28D000 | 175744 | - | - | -
      RDPCDD.sys | C:\WINDOWS\System32\DRIVERS\RDPCDD.sys | 0xF8AB0000 | 4224 | - | - | -
      redbook.sys | C:\WINDOWS\system32\DRIVERS\redbook.sys | 0xF8602000 | 57600 | - | - | -
      rootrepeal.sys | C:\WINDOWS\system32\drivers\rootrepeal.sys | 0xA8F5F000 | 49152 | No | - | -
      sr.sys | sr.sys | 0xF83C9000 | 73472 | - | - | -
      srv.sys | C:\WINDOWS\system32\DRIVERS\srv.sys | 0xA9BB0000 | 333952 | - | - | -
      sscdbhk5.sys | C:\WINDOWS\system32\drivers\sscdbhk5.sys | 0xF8A94000 | 5568 | - | - | -
      ssrtln.sys | C:\WINDOWS\system32\drivers\ssrtln.sys | 0xF8902000 | 23488 | - | - | -
      sthda.sys | C:\WINDOWS\system32\drivers\sthda.sys | 0xAA600000 | 999552 | - | - | -
      swenum.sys | C:\WINDOWS\system32\DRIVERS\swenum.sys | 0xF8A96000 | 4352 | - | - | -
      SynTP.sys | C:\WINDOWS\system32\DRIVERS\SynTP.sys | 0xF8047000 | 191936 | - | - | -
      sysaudio.sys | C:\WINDOWS\system32\drivers\sysaudio.sys | 0xA9BA0000 | 60800 | - | - | -
      tcpip.sys | C:\WINDOWS\system32\DRIVERS\tcpip.sys | 0xAA329000 | 361600 | - | - | -
      TDI.SYS | C:\WINDOWS\system32\DRIVERS\TDI.SYS | 0xF88C2000 | 20480 | - | - | -
      termdd.sys | C:\WINDOWS\system32\DRIVERS\termdd.sys | 0xF8652000 | 40704 | - | - | -
      tfsnboio.sys | C:\WINDOWS\system32\dla\tfsnboio.sys | 0xF894A000 | 25824 | - | - | -
      tfsncofs.sys | C:\WINDOWS\system32\dla\tfsncofs.sys | 0xAA730000 | 34784 | - | - | -
      tfsndrct.sys | C:\WINDOWS\system32\dla\tfsndrct.sys | 0xF8BC7000 | 4064 | - | - | -
      tfsndres.sys | C:\WINDOWS\system32\dla\tfsndres.sys | 0xF8BC6000 | 2176 | - | - | -
      tfsnifs.sys | C:\WINDOWS\system32\dla\tfsnifs.sys | 0xA9FA9000 | 86528 | - | - | -
      tfsnopio.sys | C:\WINDOWS\system32\dla\tfsnopio.sys | 0xAA053000 | 15168 | - | - | -
      tfsnpool.sys | C:\WINDOWS\system32\dla\tfsnpool.sys | 0xF8AC4000 | 6304 | - | - | -
      tfsnudf.sys | C:\WINDOWS\system32\dla\tfsnudf.sys | 0xA9F90000 | 98656 | - | - | -
      tfsnudfa.sys | C:\WINDOWS\system32\dla\tfsnudfa.sys | 0xA9F77000 | 100544 | - | - | -
      tmcomm.sys | C:\WINDOWS\system32\drivers\tmcomm.sys | 0xA96A5000 | 97280 | - | - | -
      update.sys | C:\WINDOWS\system32\DRIVERS\update.sys | 0xF7F2B000 | 384768 | - | - | -
      USBD.SYS | C:\WINDOWS\system32\DRIVERS\USBD.SYS | 0xF8A92000 | 8192 | - | - | -
      usbehci.sys | C:\WINDOWS\system32\DRIVERS\usbehci.sys | 0xF88AA000 | 30208 | - | - | -
      usbhub.sys | C:\WINDOWS\system32\DRIVERS\usbhub.sys | 0xF86B2000 | 59520 | - | - | -
      USBPORT.SYS | C:\WINDOWS\system32\DRIVERS\USBPORT.SYS | 0xF80D1000 | 147456 | - |
Signed: - Status: - Name: USBSTOR.SYS Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS Address: 0xF883A000 Size: 26368 File Visible: - Signed: - Status: - Name: usbuhci.sys Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys Address: 0xF88A2000 Size: 20608 File Visible: - Signed: - Status: - Name: vga.sys Image Path: C:\WINDOWS\System32\drivers\vga.sys Address: 0xF890A000 Size: 20992 File Visible: - Signed: - Status: - Name: VIDEOPRT.SYS Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS Address: 0xF811D000 Size: 81920 File Visible: - Signed: - Status: - Name: VolSnap.sys Image Path: VolSnap.sys Address: 0xF8592000 Size: 52352 File Visible: - Signed: - Status: - Name: wanarp.sys Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys Address: 0xF8712000 Size: 34560 File Visible: - Signed: - Status: - Name: watchdog.sys Image Path: C:\WINDOWS\System32\watchdog.sys Address: 0xF893A000 Size: 20480 File Visible: - Signed: - Status: - Name: wdmaud.sys Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys Address: 0xA9993000 Size: 83072 File Visible: - Signed: - Status: - Name: Win32k Image Path: \Driver\Win32k Address: 0xBF800000 Size: 1847296 File Visible: - Signed: - Status: - Name: win32k.sys Image Path: C:\WINDOWS\System32\win32k.sys Address: 0xBF800000 Size: 1847296 File Visible: - Signed: - Status: - Name: WMILIB.SYS Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS Address: 0xF8A74000 Size: 8192 File Visible: - Signed: - Status: - Name: WMIxWDM Image Path: \Driver\WMIxWDM Address: 0x804D7000 Size: 2066048 File Visible: - Signed: - Status: - Name: ws2ifsl.sys Image Path: C:\WINDOWS\System32\drivers\ws2ifsl.sys Address: 0xF8A12000 Size: 12032 File Visible: - Signed: - Status: - I have read other posts and do a Combofix scan. 
so here is the log for combofix

ComboFix 09-08-10.01 - JimEllen 08/10/2009 19:45.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.207 [GMT -4:00]
Running from: E:\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
?
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
-------\Legacy_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.
2009-08-10 20:16 . 2009-08-10 20:16 -------- d-----w- c:\documents and settings\JimEllen\Local Settings\Application Data\Downloaded Installations
2009-08-10 18:47 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 18:47 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 18:13 . 2009-08-10 18:23 2730 ----a-w- c:\windows\system32\tmp.reg
2009-08-10 17:48 . 2009-08-10 17:49 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-08-10 17:36 . 2009-08-10 17:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-10 16:09 . 2009-08-10 16:11 16455 ----a-w- c:\windows\metafile.dat
2009-08-10 14:16 . 2009-08-10 14:17 -------- d-----w- C:\3379528461cdc5d9c9381d8c
2009-08-10 13:38 . 2009-08-10 13:37 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-10 13:36 . 2009-08-10 17:54 -------- d-----w- c:\documents and settings\JimEllen\.housecall6.6
2009-08-10 13:15 . 2009-08-10 13:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-08-07 19:34 . 2009-08-07 19:36 -------- d-----w- c:\documents and settings\JimEllen\Application Data\U3
2009-08-07 19:28 . 2009-08-07 19:28 -------- d-----w- c:\documents and settings\JimEllen\Local Settings\Application Data\PCHealth
2009-08-07 13:59 . 2009-08-07 13:59 -------- d-----w- c:\documents and settings\JimEllen\Application Data\Malwarebytes
2009-08-07 13:58 . 2009-08-07 13:58 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-07 13:58 . 2009-08-10 18:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-06 22:17 . 2009-08-06 22:17 -------- d-----w- c:\program files\Alwil Software
2009-08-06 22:00 . 2009-08-06 22:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-08-06 21:21 . 2009-08-06 21:21 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8
2009-08-06 20:35 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-08-06 20:35 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-08-06 20:35 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-08-06 20:35 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2009-08-06 18:33 . 2004-08-04 11:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2009-08-06 18:33 . 2004-08-04 11:00 185344 ----a-w- c:\windows\system32\dllcache\thawbrkr.dll
2009-08-06 18:33 . 2004-08-04 11:00 10752 ----a-w- c:\windows\system32\dllcache\c_iscii.dll
2009-08-06 18:33 . 2004-08-04 11:00 10752 ----a-w- c:\windows\system32\c_iscii.dll
2009-08-06 18:33 . 2004-08-04 11:00 5632 ----a-w- c:\windows\system32\kbdusa.dll
2009-08-06 18:33 . 2004-08-04 11:00 5632 ----a-w- c:\windows\system32\dllcache\kbdusa.dll
2009-08-06 18:33 . 2004-08-04 11:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2009-08-06 18:33 . 2004-08-04 11:00 6144 ----a-w- c:\windows\system32\dllcache\ftlx041e.dll
2009-07-27 02:42 . 2009-08-07 15:30 -------- d-sh--w- c:\docume~1\ALLUSE~1\APPLIC~1\fe390bf
2009-07-25 07:51 . 2009-07-25 07:51 -------- d-----w- C:\9920ba37f743a8ff2420
2009-07-25 04:36 . 2009-08-10 17:47 5952 ------w- c:\windows\system32\uacinit.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 15:26 . 2006-03-11 18:54 55104 -c--a-w- c:\documents and settings\JimEllen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-10 15:24 . 2009-03-20 20:35 -------- d-----w- c:\program files\McAfee
2009-07-14 12:09 . 2009-03-20 20:25 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
2009-06-26 16:50 . 2004-08-10 18:51 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2004-08-10 18:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2004-08-10 18:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 23:22 . 2007-05-27 13:59 4652 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-02 23:22 . 2007-05-27 13:59 104 --sh--r- c:\windows\system32\668A0AE9C1.sys
2006-08-20 23:17 . 2006-08-20 23:19 774144 ----a-w- c:\program files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-07-18 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-07-18 01:57 66912 ----a-w- c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-21 98304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"MMTray"="c:\progra~1\MUSICM~1\MUSICM~3\mm_tray.exe" [2005-09-09 110592]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-02-21 169472]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-12 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-09-10 393216]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-2-21 24576]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-4-4 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
"FirewallDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/20/2009 4:41 PM 210216]
S2 pnssrytorjzoh;pnssrytorjzoh; [x]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-LELA - c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys
.
------- Supplementary Scan -------
.
Trusted Zone: musicmatch.com\online
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 19:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-08-10 20:01
ComboFix-quarantined-files.txt 2009-08-11 00:01

Pre-Run: 25,677,328,384 bytes free
Post-Run: 25,861,386,240 bytes free

158 --- E O F --- 2009-08-10 19:56
  14. Here's the log from malwarebytes. I tried many times but still cannot remove uacinit.dll.

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/7/2009 1:24:41 PM
mbam-log-2009-08-07 (13-24-41).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 169160
Time elapsed: 31 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_USERS\S-1-5-19\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.Search) -> Bad: (http://search-gala.com/?&uid=164&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.