ssh118
Members | Posts: 15

Everything posted by ssh118

  1. Ok then I'll try Avira, unless you recommend something else. Thanks again for staying with this issue. Probably see you next time around! And I promise to keep up with updates!!!
  2. Thanks again! Created new restore point. So far today did not pick up an alert from Malwarebytes. Yeah! Things seem to be back to "normal". Which anti-virus do you recommend: AVG or Avira?
  3. Here's what I've got done so far: Uninstalled ComboFix. Ran OTL Clean up. Installed latest Java. Cannot complete a clean restore point. Restore is on. Get error message "could not create new checkpoint". Updated Windows and IE with automatic updates from Microsoft. Working on clean-up and which programs start with Windows. Think I might dump McAfee soon and go with Avira. Malwarebytes Anti-Malware also identified and deleted another Trojan.dropper on Windows startup today. I believe it was successful all by itself!
  4. Ok. It might take me 24 hrs or so to complete this and get back to you. And thanks again!
  5. First of all I want to sincerely thank you for your help! Back to running in normal Windows mode, although I didn't try that until yesterday midday. Got the work done that I needed to (printing) and shut it down. Started the machine again and went to normal Windows without issues. Slowly went to the internet with an eye on the status bar. Things seemed fine. Then this happened: I was reading news reports on my homepage (Earthlink) and then here it came: a quick download from an address only identified with an IP address. The hard drive sounded like it was running hard and then a Windows pop-up stated that the system had recovered from a serious error. Clicking don't send or send report did not make the window go away; it just kept reappearing. In Windows normal mode now and the system seems stable.
  6. OTL logfile created on: 9/5/2009 8:41:15 AM - Run 2
     OTL by OldTimer - Version 3.0.10.7     Folder = C:\Documents and Settings\Owner\Desktop
     Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
     Internet Explorer (Version = 6.0.2900.2180)
     Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

     238.73 Mb Total Physical Memory | 117.78 Mb Available Physical Memory | 49.34% Memory free
     585.47 Mb Paging File | 505.64 Mb Available in Paging File | 86.36% Paging File free
     Paging file location(s): C:\pagefile.sys 360 720 [binary data]

     %SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
     Drive C: | 76.33 Gb Total Space | 55.77 Gb Free Space | 73.07% Space Free | Partition Type: NTFS
     D: Drive not present or media not loaded
     E: Drive not present or media not loaded
     F: Drive not present or media not loaded
     G: Drive not present or media not loaded
     H: Drive not present or media not loaded
     I: Drive not present or media not loaded

     Computer Name: S0030303645
     Current User Name: Owner
     Logged in as Administrator.

     Current Boot Mode: SafeMode with Networking
     Scan Mode: Current user
     Company Name Whitelist: Off
     Skip Microsoft Files: Off
     File Age = 30 Days
     Output = Minimal

     ========== Processes (SafeList) ==========

     PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
     PRC - C:\WINNT\Explorer.EXE (Microsoft Corporation)
     PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
     PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)

     ========== Win32 Services (SafeList) ==========

     SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
     SRV - (C-DillaCdaC11BA [Auto | Stopped]) -- C:\WINNT\System32\drivers\CDAC11BA.EXE (Macrovision)
     SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
     SRV - (EarthLinkMonitor [Auto | Stopped]) -- C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe (Boingo Wireless, Inc.)
     SRV - (GoToAssist [On_Demand | Stopped]) -- C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.)
     SRV - (helpsvc [Auto | Running]) -- C:\WINNT\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
     SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
     SRV - (IntuitUpdateService [Auto | Stopped]) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
     SRV - (mcmscsvc [Auto | Running]) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
     SRV - (McNASvc [Auto | Stopped]) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
     SRV - (McODS [On_Demand | Stopped]) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
     SRV - (McProxy [Auto | Stopped]) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
     SRV - (McShield [unknown | Stopped]) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
     SRV - (McSysmon [On_Demand | Stopped]) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
     SRV - (NetSvc [On_Demand | Stopped]) -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe (Intel® Corporation)
     SRV - (Pervasive.SQL Workgroup Engine [Auto | Stopped]) -- C:\WINNT\System32\srvany.exe ()
     SRV - (UMWdf [Auto | Stopped]) -- C:\WINNT\System32\wdfmgr.exe (Microsoft Corporation)
     SRV - (Viewpoint Manager Service [Auto | Stopped]) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
     SRV - (WANMiniportService [Auto | Stopped]) -- C:\WINNT\wanmpsvc.exe (America Online, Inc.)

     ========== Driver Services (SafeList) ==========

     DRV - (ac97intc [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\ac97intc.sys (Intel Corporation)
     DRV - (aeaudio [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\aeaudio.sys (Andrea Electronics Corporation)
     DRV - (ASCTRM [Auto | Stopped]) -- C:\WINNT\System32\drivers\asctrm.sys (Windows ® 2000 DDK provider)
     DRV - (ATWPKT2 [On_Demand | Stopped]) -- C:\Program Files\America Online 8.0\ATWPKT2.SYS (America Online)
     DRV - (BCMModem [On_Demand | Stopped]) -- C:\WINNT\System32\DRIVERS\BCMDM.sys (BCM)
     DRV - (BW2NDIS5 [On_Demand | Stopped]) -- C:\WINNT\System32\Drivers\BW2NDIS5.sys (Printing Communications Assoc., Inc. (PCAUSA))
     DRV - (CdaC15BA [Auto | Stopped]) -- C:\WINNT\System32\drivers\CdaC15BA.SYS ()
     DRV - (Cdr4_xp [system | Running]) -- C:\WINNT\System32\drivers\cdr4_xp.sys (Roxio)
     DRV - (Cdralw2k [system | Running]) -- C:\WINNT\System32\drivers\cdralw2k.sys (Roxio)
     DRV - (cdudf_xp [system | Running]) -- C:\WINNT\System32\drivers\cdudf_xp.sys (Roxio)
     DRV - (dvd_2K [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\Dvd_2k.sys (Roxio)
     DRV - (E100B [On_Demand | Running]) -- C:\WINNT\System32\DRIVERS\e100b325.sys (Intel Corporation)
     DRV - (GTWModem [On_Demand | Stopped]) -- C:\WINNT\System32\DRIVERS\GWMDM.sys (GTW)
     DRV - (ialm [On_Demand | Stopped]) -- C:\WINNT\System32\DRIVERS\ialmnt5.sys (Intel Corporation)
     DRV - (iaStor [boot | Running]) -- C:\WINNT\System32\DRIVERS\iaStor.sys (Intel Corporation)
     DRV - (mfeavfk [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\mfeavfk.sys (McAfee, Inc.)
     DRV - (mfebopk [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\mfebopk.sys (McAfee, Inc.)
     DRV - (mfehidk [system | Stopped]) -- C:\WINNT\System32\drivers\mfehidk.sys (McAfee, Inc.)
     DRV - (mferkdk [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\mferkdk.sys (McAfee, Inc.)
     DRV - (mfesmfk [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\mfesmfk.sys (McAfee, Inc.)
     DRV - (mmc_2K [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\Mmc_2k.sys (Roxio)
     DRV - (MODEMCSA [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\MODEMCSA.sys (Microsoft Corporation)
     DRV - (MPFP [system | Running]) -- C:\WINNT\System32\Drivers\Mpfp.sys (McAfee, Inc.)
     DRV - (MxlW2k [On_Demand | Running]) -- C:\WINNT\System32\drivers\MxlW2k.sys (MusicMatch, Inc.)
     DRV - (nv [On_Demand | Stopped]) -- C:\WINNT\System32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
     DRV - (PalmUSBD [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\PalmUSBD.sys (PalmSource, Inc.)
     DRV - (PCDRSRVC [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\PCDRSRVC.sys (PC-Doctor, Inc.)
     DRV - (Ptilink [On_Demand | Running]) -- C:\WINNT\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
     DRV - (pwd_2k [system | Running]) -- C:\WINNT\System32\drivers\pwd_2K.sys (Roxio)
     DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINNT\System32\DRIVERS\secdrv.sys ()
     DRV - (Sk99202k [On_Demand | Running]) -- C:\WINNT\System32\DRIVERS\Sk99202k.sys (Silitek Corp.)
     DRV - (Sk9920nt [system | Stopped]) -- C:\WINNT\System32\DRIVERS\Sk9920nt.sys (Silitek Corp.)
     DRV - (smwdm [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\smwdm.sys (Analog Devices, Inc.)
     DRV - (UdfReadr_xp [system | Running]) -- C:\WINNT\System32\drivers\udfreadr_xp.sys (Roxio)
     DRV - (ultra [boot | Running]) -- C:\WINNT\System32\DRIVERS\ultra.sys (Promise Technology, Inc.)
     DRV - (wanatw [On_Demand | Running]) -- C:\WINNT\System32\DRIVERS\wanatw4.sys (America Online, Inc.)
     DRV - ({6080A529-897E-4629-A488-ABA0C29B635E} [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\ialmsbw.sys (Intel Corporation)
     DRV - ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\ialmkchw.sys (Intel Corporation)

     ========== Standard Registry (All) ==========

     ========== Internet Explorer ==========

     IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
     IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
     IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
     IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

     IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
     IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
     IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
     IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
     IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
     IE - URLSearchHook: {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll (EarthLink, Inc.)
     IE - URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINNT\System32\shdocvw.dll (Microsoft Corporation)
     IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
     IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

     O1 HOSTS File: (734 bytes) - C:\WINNT\System32\drivers\etc\Hosts
     O1 - Hosts: 127.0.0.1 localhost
     O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
     O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
     O2 - BHO: (ElnkPubBHO Class) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPub.dll (EarthLink, Inc.)
     O2 - BHO: (IE_PopupBlocker Class) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll (Propel Software Corporation)
     O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
     O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
     O2 - BHO: (ElnkProtectionBHO Class) - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll (EarthLink, Inc.)
     O2 - BHO: (ElnkLegacyUninstBHO Class) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll (EarthLink, Inc.)
     O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No CLSID value found.
     O3 - HKLM\..\Toolbar: (EarthLink Toolbar) - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll (EarthLink, Inc.)
     O3 - HKCU\..\Toolbar\ShellBrowser: (EarthLink Toolbar) - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll (EarthLink, Inc.)
     O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINNT\System32\browseui.dll (Microsoft Corporation)
     O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINNT\System32\SHELL32.dll (Microsoft Corporation)
     O3 - HKCU\..\Toolbar\WebBrowser: (EarthLink Toolbar) - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll (EarthLink, Inc.)
     O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
     O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
     O4 - HKLM..\Run: [GWMDMMSG] C:\WINNT\GWMDMMSG.exe (GTW)
     O4 - HKLM..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe ()
     O4 - HKLM..\Run: [Hot Key Kbd 9910 Daemon] C:\WINNT\System32\SK9910DM.EXE (Silitek Corporation)
     O4 - HKLM..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe (Intel Corporation)
     O4 - HKLM..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe (Intel Corporation)
     O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
     O4 - HKLM..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe (Microsoft
  7. Malwarebytes' Anti-Malware 1.40
     Database version: 2742
     Windows 5.1.2600 Service Pack 2 (Safe Mode)

     9/4/2009 5:59:38 PM
     mbam-log-2009-09-04 (17-59-38).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 210286
     Time elapsed: 33 minute(s), 29 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 4

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\Qoobox\Quarantine\C\WINNT\system32\kbiwkmnideqdnn.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
     C:\Qoobox\Quarantine\C\WINNT\system32\kbiwkmvrevpfdx.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{CFD349DB-5C75-4B5F-8494-8047861A9A02}\RP275\A0087461.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{CFD349DB-5C75-4B5F-8494-8047861A9A02}\RP275\A0087462.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

     Kaspersky Scan had no results in the report. It took almost 3 hours, found no threats and the report area was blank.
  8. ComboFix 09-09-02.02 - Owner 09/03/2009 8:09.1.2 - NTFSx86 NETWORK
     Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.239.128 [GMT -4:00]
     Running from: C:\kahd.exe
     AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\winnt\Fonts\AatrixMICR.ttf
     c:\winnt\system32\drivers\kbiwkmoextavbw.sys
     c:\winnt\system32\kbiwkmnideqdnn.dll
     c:\winnt\system32\kbiwkmpmbimoyq.dat
     c:\winnt\system32\kbiwkmsmtxtcof.dat
     c:\winnt\system32\kbiwkmvrevpfdx.dll
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Service_kbiwkmmxbehwek
     -------\Legacy_kbiwkmmxbehwek

     ((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
     .
     2009-09-03 11:48 . 2009-09-03 11:48 3191196 ----a-r- C:\kahd.exe
     2009-09-03 00:25 . 2009-09-03 00:25 288768 ----a-w- C:\o7psdi2c.exe
     2009-09-02 23:34 . 2009-09-02 23:34 -------- d-----w- c:\program files\Trend Micro
     2009-08-31 22:01 . 2009-08-31 22:01 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
     2009-08-31 22:01 . 2009-08-03 17:36 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
     2009-08-31 22:01 . 2009-08-31 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-08-31 22:00 . 2009-08-31 22:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-08-31 22:00 . 2009-08-03 17:36 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys
     2009-08-25 12:10 . 2009-08-25 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
     2009-08-25 12:04 . 2009-08-25 12:04 -------- d-----w- c:\program files\Citrix
     2009-08-25 11:56 . 2009-08-25 11:56 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Citrix
     2009-08-25 11:56 . 2009-08-25 11:56 61224 ----a-w- c:\documents and settings\Owner\GoToAssistDownloadHelper.exe
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-08-13 23:54 . 2008-04-29 00:15 -------- d-----w- c:\program files\McAfee
     2009-08-01 19:52 . 2008-04-01 02:28 68688 ----a-w- c:\documents and settings\Sue\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-07-10 21:37 . 2006-08-04 12:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-03-11 155648]
     "HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-03-11 114688]
     "GWMDMpi"="c:\winnt\GWMDMpi.exe" [2002-08-06 53248]
     "AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-03 684032]
     "Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
     "PeachtreePrefetcher.exe"="c:\progra~1\SAGESO~1\PEACHT~1\PeachtreePrefetcher.exe" [2007-09-24 32768]
     "TomTomHOME.exe"="c:\program files\TomTom HOME\TomTomHOME.exe" [2007-03-14 3770024]
     "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
     "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
     "pdfFactory Pro Dispatcher v3"="c:\winnt\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2008-07-31 565248]
     "Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\winnt\system32\SK9910DM.EXE [2001-01-03 66048]
     "GWMDMMSG"="GWMDMMSG.exe" - c:\winnt\GWMDMMSG.exe [2002-08-06 90112]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
     2009-08-25 11:57 10536 ----a-w- c:\program files\Citrix\GoToAssist\516\g2awinlogon.dll

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
     @=""

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
     @=""

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\pvsw\\bin\\w3dbsmgr.exe"=

     S2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 11:47 AM 65604]
     S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
     S2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\winnt\system32\srvany.exe [7/15/2007 10:11 PM 13864]
     S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/28/2007 6:15 PM 24652]
     S3 BW2NDIS5;BW2NDIS5;c:\winnt\system32\drivers\BW2NDIS5.SYS [11/1/2004 2:16 PM 17536]
     S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
     .
     Contents of the 'Scheduled Tasks' folder

     2009-06-11 c:\winnt\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

     2003-06-15 c:\winnt\Tasks\ISP signup reminder 2.job
     - c:\winnt\System32\OOBE\oobebaln.exe [2003-04-08 07:56]

     2003-06-15 c:\winnt\Tasks\ISP signup reminder 3.job
     - c:\winnt\System32\OOBE\oobebaln.exe [2003-04-08 07:56]

     2008-04-29 c:\winnt\Tasks\McDefragTask.job
     - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-16 15:53]

     2008-06-01 c:\winnt\Tasks\McQcTask.job
     - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-16 15:53]
     .
     - - - - ORPHANS REMOVED - - - -

     URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
     HKCU-Run-SpySweeper - (no file)
     HKLM-Run-Keyboard Preload Check - c:\oemdrvrs\KEYB\Preload.exe

     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://start.earthlink.net/
     uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
     mStart Page = hxxp://www.gateway.net
     IE: EarthLink Google Search - c:\program files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
     LSP: c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
     Trusted Zone: turbotax.com
     DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
     DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
     DPF: {0F04992B-E661-4DB9-B223-903AB628225D} - file://c:\program files\gateway\Do More\DoMoreRunExe.CAB
     DPF: {511073AD-BE56-4D43-AE68-93390514385E} - hcp://system/TechTools.CAB
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-09-03 08:28
     Windows 5.1.2600 Service Pack 2 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(648)
     c:\program files\Citrix\GoToAssist\516\G2AWinLogon.dll
     c:\winnt\system32\l3codecx.acm
     .
     Completion time: 2009-09-03 8:32
     ComboFix-quarantined-files.txt 2009-09-03 12:32

     Pre-Run: 59,026,071,552 bytes free
     Post-Run: 59,969,003,520 bytes free

     WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
     [boot loader]
     timeout=2
     default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
     [operating systems]
     c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
     multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

     136 --- E O F --- 2009-03-10 03:00
  9. ComboFix 09-09-02.02 - Owner 09/03/2009 8:09.1.2 - NTFSx86 NETWORK
     Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.239.128 [GMT -4:00]
     Running from: C:\kahd.exe
     AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\winnt\Fonts\AatrixMICR.ttf
     c:\winnt\system32\drivers\kbiwkmoextavbw.sys
     c:\winnt\system32\kbiwkmnideqdnn.dll
     c:\winnt\system32\kbiwkmpmbimoyq.dat
     c:\winnt\system32\kbiwkmsmtxtcof.dat
     c:\winnt\system32\kbiwkmvrevpfdx.dll
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Service_kbiwkmmxbehwek
     -------\Legacy_kbiwkmmxbehwek

     ((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
     .
     2009-09-03 11:48 . 2009-09-03 11:48 3191196 ----a-r- C:\kahd.exe
     2009-09-03 00:25 . 2009-09-03 00:25 288768 ----a-w- C:\o7psdi2c.exe
     2009-09-02 23:34 . 2009-09-02 23:34 -------- d-----w- c:\program files\Trend Micro
     2009-08-31 22:01 . 2009-08-31 22:01 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
     2009-08-31 22:01 . 2009-08-03 17:36 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
     2009-08-31 22:01 . 2009-08-31 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-08-31 22:00 . 2009-08-31 22:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-08-31 22:00 . 2009-08-03 17:36 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys
     2009-08-25 12:10 . 2009-08-25 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
     2009-08-25 12:04 . 2009-08-25 12:04 -------- d-----w- c:\program files\Citrix
     2009-08-25 11:56 . 2009-08-25 11:56 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Citrix
     2009-08-25 11:56 . 2009-08-25 11:56 61224 ----a-w- c:\documents and settings\Owner\GoToAssistDownloadHelper.exe
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
  10. Maybe this is the baddie:

      Rootkit quick scan 2009-09-02 20:33:27
      Windows 5.1.2600 Service Pack 2

      ---- System - GMER 1.0.15 ----

      Code 819C2450 ZwEnumerateKey
      Code 819C2418 ZwFlushInstructionCache
      Code 819C28DE ZwSaveKey
      Code 819C2486 ZwSaveKeyEx
      Code 819C2916 IofCallDriver
      Code 81A22EB6 IofCompleteRequest

      ---- Devices - GMER 1.0.15 ----

      AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
      AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
      AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
      AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

      ---- Services - GMER 1.0.15 ----

      Service C:\WINNT\system32\drivers\kbiwkmoextavbw.sys (*** hidden *** ) [SYSTEM] kbiwkmmxbehwek <-- ROOTKIT !!!

      ---- EOF - GMER 1.0.15 ----
  11. Here's the contents of Otl.txt

      OTL logfile created on: 9/2/2009 8:01:23 PM - Run 1
      OTL by OldTimer - Version 3.0.10.7     Folder = C:\Documents and Settings\Owner\Desktop
      Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
      Internet Explorer (Version = 6.0.2900.2180)
      Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

      238.73 Mb Total Physical Memory | 112.60 Mb Available Physical Memory | 47.17% Memory free
      585.47 Mb Paging File | 492.70 Mb Available in Paging File | 84.15% Paging File free
      Paging file location(s): C:\pagefile.sys 360 720 [binary data]

      %SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
      Drive C: | 76.33 Gb Total Space | 55.01 Gb Free Space | 72.08% Space Free | Partition Type: NTFS
      D: Drive not present or media not loaded
      E: Drive not present or media not loaded
      F: Drive not present or media not loaded
      G: Drive not present or media not loaded
      H: Drive not present or media not loaded
      I: Drive not present or media not loaded

      Computer Name: S0030303645
      Current User Name: Owner
      Logged in as Administrator.

      Current Boot Mode: SafeMode with Networking
      Scan Mode: Current user
      Company Name Whitelist: Off
      Skip Microsoft Files: Off
      File Age = 30 Days
      Output = Minimal

      ========== Processes (SafeList) ==========

      PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
      PRC - C:\WINNT\Explorer.EXE (Microsoft Corporation)
      PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
      PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)

      ========== Win32 Services (SafeList) ==========

      SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
      SRV - (C-DillaCdaC11BA [Auto | Stopped]) -- C:\WINNT\System32\drivers\CDAC11BA.EXE (Macrovision)
      SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
      SRV - (EarthLinkMonitor [Auto | Stopped]) -- C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe (Boingo Wireless, Inc.)
      SRV - (GoToAssist [On_Demand | Stopped]) -- C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.)
      SRV - (helpsvc [Auto | Running]) -- C:\WINNT\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
      SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
      SRV - (IntuitUpdateService [Auto | Stopped]) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
      SRV - (mcmscsvc [Auto | Running]) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
      SRV - (McNASvc [Auto | Stopped]) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
      SRV - (McODS [On_Demand | Stopped]) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
      SRV - (McProxy [Auto | Stopped]) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
      SRV - (McShield [unknown | Stopped]) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
      SRV - (McSysmon [On_Demand | Stopped]) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
      SRV - (NetSvc [On_Demand | Stopped]) -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe (Intel® Corporation)
      SRV - (Pervasive.SQL Workgroup Engine [Auto | Stopped]) -- C:\WINNT\System32\srvany.exe ()
      SRV - (UMWdf [Auto | Stopped]) -- C:\WINNT\System32\wdfmgr.exe (Microsoft Corporation)
      SRV - (Viewpoint Manager Service [Auto | Stopped]) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
      SRV - (WANMiniportService [Auto | Stopped]) -- C:\WINNT\wanmpsvc.exe (America Online, Inc.)

      ========== Driver Services (SafeList) ==========

      DRV - (ac97intc [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\ac97intc.sys (Intel Corporation)
      DRV - (aeaudio [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\aeaudio.sys (Andrea Electronics Corporation)
      DRV - (ASCTRM [Auto | Stopped]) -- C:\WINNT\System32\drivers\asctrm.sys (Windows ® 2000 DDK provider)
      DRV - (ATWPKT2 [On_Demand | Stopped]) -- C:\Program Files\America Online 8.0\ATWPKT2.SYS (America Online)
      DRV - (BCMModem [On_Demand | Stopped]) -- C:\WINNT\System32\DRIVERS\BCMDM.sys (BCM)
      DRV - (BW2NDIS5 [On_Demand | Stopped]) -- C:\WINNT\System32\Drivers\BW2NDIS5.sys (Printing Communications Assoc., Inc. (PCAUSA))
      DRV - (CdaC15BA [Auto | Stopped]) -- C:\WINNT\System32\drivers\CdaC15BA.SYS ()
      DRV - (Cdr4_xp [system | Running]) -- C:\WINNT\System32\drivers\cdr4_xp.sys (Roxio)
      DRV - (Cdralw2k [system | Running]) -- C:\WINNT\System32\drivers\cdralw2k.sys (Roxio)
      DRV - (cdudf_xp [system | Running]) -- C:\WINNT\System32\drivers\cdudf_xp.sys (Roxio)
      DRV - (dvd_2K [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\Dvd_2k.sys (Roxio)
      DRV - (E100B [On_Demand | Running]) -- C:\WINNT\System32\DRIVERS\e100b325.sys (Intel Corporation)
      DRV - (GTWModem [On_Demand | Stopped]) -- C:\WINNT\System32\DRIVERS\GWMDM.sys (GTW)
      DRV - (ialm [On_Demand | Stopped]) -- C:\WINNT\System32\DRIVERS\ialmnt5.sys (Intel Corporation)
      DRV - (iaStor [boot | Running]) -- C:\WINNT\System32\DRIVERS\iaStor.sys (Intel Corporation)
      DRV - (mfeavfk [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\mfeavfk.sys (McAfee, Inc.)
      DRV - (mfebopk [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\mfebopk.sys (McAfee, Inc.)
      DRV - (mfehidk [system | Running]) -- C:\WINNT\System32\drivers\mfehidk.sys (McAfee, Inc.)
      DRV - (mferkdk [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\mferkdk.sys (McAfee, Inc.)
      DRV - (mfesmfk [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\mfesmfk.sys (McAfee, Inc.)
      DRV - (mmc_2K [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\Mmc_2k.sys (Roxio)
      DRV - (MODEMCSA [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\MODEMCSA.sys (Microsoft Corporation)
      DRV - (MPFP [system | Running]) -- C:\WINNT\System32\Drivers\Mpfp.sys (McAfee, Inc.)
      DRV - (MxlW2k [On_Demand | Running]) -- C:\WINNT\System32\drivers\MxlW2k.sys (MusicMatch, Inc.)
      DRV - (nv [On_Demand | Stopped]) -- C:\WINNT\System32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
      DRV - (PalmUSBD [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\PalmUSBD.sys (PalmSource, Inc.)
      DRV - (PCDRSRVC [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\PCDRSRVC.sys (PC-Doctor, Inc.)
      DRV - (Ptilink [On_Demand | Running]) -- C:\WINNT\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
      DRV - (pwd_2k [system | Running]) -- C:\WINNT\System32\drivers\pwd_2K.sys (Roxio)
      DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINNT\System32\DRIVERS\secdrv.sys ()
      DRV - (Sk99202k [On_Demand | Running]) -- C:\WINNT\System32\DRIVERS\Sk99202k.sys (Silitek Corp.)
      DRV - (Sk9920nt [system | Stopped]) -- C:\WINNT\System32\DRIVERS\Sk9920nt.sys (Silitek Corp.)
      DRV - (smwdm [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\smwdm.sys (Analog Devices, Inc.)
      DRV - (UdfReadr_xp [system | Running]) -- C:\WINNT\System32\drivers\udfreadr_xp.sys (Roxio)
      DRV - (ultra [boot | Running]) -- C:\WINNT\System32\DRIVERS\ultra.sys (Promise Technology, Inc.)
      DRV - (wanatw [On_Demand | Running]) -- C:\WINNT\System32\DRIVERS\wanatw4.sys (America Online, Inc.)
      DRV - ({6080A529-897E-4629-A488-ABA0C29B635E} [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\ialmsbw.sys (Intel Corporation)
      DRV - ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Stopped]) -- C:\WINNT\System32\drivers\ialmkchw.sys (Intel Corporation)

      ========== Standard Registry (All) ==========

      ========== Internet Explorer ==========

      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search

      IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
      IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
      IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
      IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
      IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie...ton/search.html
      IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
      IE - URLSearchHook: {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll (EarthLink, Inc.)
      IE - URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINNT\System32\shdocvw.dll (Microsoft Corporation)
      IE - URLSearchHook: ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
      IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
      IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

      O1 HOSTS File: (734 bytes) - C:\WINNT\System32\drivers\etc\Hosts
      O1 - Hosts: 127.0.0.1 localhost
      O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
      O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
      O2 - BHO: (ElnkPubBHO Class) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPub.dll (EarthLink, Inc.)
O2 - BHO: (IE_PopupBlocker Class) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll (Propel Software Corporation) O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.) O2 - BHO: (ElnkProtectionBHO Class) - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll (EarthLink, Inc.) O2 - BHO: (ElnkLegacyUninstBHO Class) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll (EarthLink, Inc.) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No CLSID value found. O3 - HKLM\..\Toolbar: (EarthLink Toolbar) - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll (EarthLink, Inc.) O3 - HKCU\..\Toolbar\ShellBrowser: (EarthLink Toolbar) - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll (EarthLink, Inc.) O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINNT\System32\browseui.dll (Microsoft Corporation) O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINNT\System32\SHELL32.dll (Microsoft Corporation) O3 - HKCU\..\Toolbar\WebBrowser: (EarthLink Toolbar) - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll (EarthLink, Inc.) 
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio) O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated) O4 - HKLM..\Run: [GWMDMMSG] C:\WINNT\GWMDMMSG.exe (GTW) O4 - HKLM..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe () O4 - HKLM..\Run: [Hot Key Kbd 9910 Daemon] C:\WINNT\System32\SK9910DM.EXE (Silitek Corporation) O4 - HKLM..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe (Intel Corporation) O4 - HKLM..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe (Intel Corporation) O4 - HKLM..\Run: [KernelFaultCheck] File not found O4 - HKLM..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe File not found O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.) O4 - HKLM..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe (Microsoft
  12. Here's where I'm at with this one: Computer continuously reboots shortly after Windows XP loads. Downloaded and ran Malware 1.40 in safe mode with networking. Caught 13 items and removed them. McAfee scan reveals that "NTOSKRNL-HOOK Generic Rootkit.d! rootkit" "5" is still in the system. Purchased Malware and ran it again and came up clean. Machine still reboots and McAfee still displays infection but can't fix it. Got any suggestions?

Malwarebytes' Anti-Malware 1.40
Database version: 2723
Windows 5.1.2600 Service Pack 2 (Safe Mode)

8/31/2009 6:34:14 PM
mbam-log-2009-08-31 (18-34-14).txt

Scan type: Quick Scan
Objects scanned: 164697
Time elapsed: 27 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Adsl Software Ltd (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINNT\system32\drivers\pulbdrbvxyntspry.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\785.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\phoixncvbv.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\Winspywareprotect.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080709204020593.log (Rogue.Multiple) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.40
Database version: 2723
Windows 5.1.2600 Service Pack 2 (Safe Mode)

8/31/2009 8:08:33 PM
mbam-log-2009-08-31 (20-08-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 268540
Time elapsed: 1 hour(s), 15 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.40
Database version: 2731
Windows 5.1.2600 Service Pack 2 (Safe Mode)

9/2/2009 3:19:47 PM
mbam-log-2009-09-02 (15-19-47).txt

Scan type: Quick Scan
Objects scanned: 165263
Time elapsed: 27 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

The following is from McAfee's log (scan paused to capture name only; full scan just shows one rootkit):

8/24/2009 8:31:57 PM Scan Started: 08/24/2009 08:31:57 PM
8/24/2009 8:32:11 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/24/2009 8:37:47 PM Total objects scanned: 2629
8/24/2009 8:37:47 PM Objects detected: 1
8/24/2009 8:37:47 PM Scan Done: 08/24/2009 08:37:47 PM
8/24/2009 8:49:34 PM Scan Started: 08/24/2009 08:49:34 PM
8/24/2009 8:49:46 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/24/2009 9:58:10 PM Total objects scanned: 73033
8/24/2009 9:58:10 PM Objects detected: 1
8/24/2009 9:58:10 PM Scan Done: 08/24/2009 09:58:10 PM
8/24/2009 10:31:18 PM Scan Started: 08/24/2009 10:31:18 PM
8/24/2009 10:31:31 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/24/2009 10:35:17 PM Total objects scanned: 2632
8/24/2009 10:35:17 PM Objects detected: 1
8/24/2009 10:35:17 PM Scan Done: 08/24/2009 10:35:17 PM
8/25/2009 11:27:14 AM Scan Started: 08/25/2009 11:27:14 AM
8/25/2009 11:27:29 AM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/25/2009 11:32:57 AM Total objects scanned: 2630
8/25/2009 11:32:57 AM Objects detected: 1
8/25/2009 11:32:57 AM Scan Done: 08/25/2009 11:32:57 AM
8/25/2009 1:00:44 PM Scan Started: 08/25/2009 01:00:44 PM
8/25/2009 1:00:56 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/25/2009 1:04:37 PM Total objects scanned: 929
8/25/2009 1:04:37 PM Objects detected: 1
8/25/2009 1:04:37 PM Scan Done: 08/25/2009 01:04:37 PM
8/25/2009 1:06:22 PM Scan Started: 08/25/2009 01:06:22 PM
8/25/2009 1:06:35 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/25/2009 1:10:40 PM Total objects scanned: 2629
8/25/2009 1:10:40 PM Objects detected: 1
8/25/2009 1:10:40 PM Scan Done: 08/25/2009 01:10:40 PM
8/25/2009 2:02:12 PM Scan Started: 08/25/2009 02:02:12 PM
8/25/2009 2:02:23 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/25/2009 2:03:34 PM Total objects scanned: 231
8/25/2009 2:03:34 PM Objects detected: 1
8/25/2009 2:03:34 PM Scan Done: 08/25/2009 02:03:34 PM
8/29/2009 9:20:28 AM Scan Started: 08/29/2009 09:20:28 AM
8/29/2009 9:20:40 AM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/29/2009 9:21:55 AM Total objects scanned: 777
8/29/2009 9:21:55 AM Objects detected: 1
8/29/2009 9:21:55 AM Scan Done: 08/29/2009 09:21:55 AM
8/29/2009 9:25:14 AM Scan Started: 08/29/2009 09:25:14 AM
8/29/2009 9:25:26 AM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/29/2009 9:30:51 AM Total objects scanned: 2960
8/29/2009 9:30:51 AM Objects detected: 1
8/29/2009 9:30:51 AM Scan Done: 08/29/2009 09:30:51 AM
8/30/2009 8:59:31 AM Scan Started: 08/30/2009 08:59:31 AM
8/30/2009 8:59:38 AM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/30/2009 9:01:34 AM Total objects scanned: 784
8/30/2009 9:01:34 AM Objects detected: 1
8/30/2009 9:01:34 AM Scan Done: 08/30/2009 09:01:34 AM
8/31/2009 8:11:47 PM Scan Started: 08/31/2009 08:11:47 PM
8/31/2009 8:11:57 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/31/2009 8:17:20 PM Total objects scanned: 2630
8/31/2009 8:17:20 PM Objects detected: 1
8/31/2009 8:17:20 PM Scan Done: 08/31/2009 08:17:20 PM
8/31/2009 9:10:06 PM Scan Started: 08/31/2009 09:10:06 PM
8/31/2009 9:10:19 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/31/2009 9:10:42 PM Total objects scanned: 24
8/31/2009 9:10:42 PM Objects detected: 1
8/31/2009 9:10:42 PM Scan Done: 08/31/2009 09:10:42 PM
8/31/2009 9:12:35 PM Scan Started: 08/31/2009 09:12:35 PM
8/31/2009 9:12:46 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/31/2009 9:13:29 PM Total objects scanned: 174
8/31/2009 9:13:29 PM Objects detected: 1
8/31/2009 9:13:29 PM Scan Done: 08/31/2009 09:13:29 PM
9/2/2009 3:28:37 PM Scan Started: 09/02/2009 03:28:37 PM
9/2/2009 3:28:52 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
9/2/2009 3:29:24 PM Total objects scanned: 29
9/2/2009 3:29:24 PM Objects detected: 1
9/2/2009 3:29:24 PM Scan Done: 09/02/2009 03:29:24 PM
  13. mbam_log_2009_08_31__18_34_14_.txt
  14. Here's where I'm at with this one: Computer continuously reboots shortly after Windows XP loads. Downloaded and ran Malware 1.40 in safe mode with networking. Caught 13 items and removed them. McAfee scan reveals that "NTOSKRNL-HOOK Generic Rootkit.d! rootkit" "5" is still in the system. Purchased Malware and ran it again and came up clean. Machine still reboots and McAfee still displays infection but can't fix it. Got any suggestions?