Posts posted by Dom
I found what looks like a fairly serious virus in the Utilu IE Bundle.
You can download it from here: http://utilu.com/IECollection/
It's a tool used by web developers to install multiple versions of IE for backwards compatibility testing. It's also fairly widely used. Could the virus I found on it be a false positive?
-
Did not occur. Probably should've done. Did you know the only place with worse internet than a tropical island is anywhere in Australia?
ComboFix 12-12-07.01 - top 12/09/2012 18:51:43.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1878.339 [GMT 7:00]
Running from: c:\users\top\Downloads\Programs\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-11-09 to 2012-12-09 )))))))))))))))))))))))))))))))
.
.
2012-12-09 12:02 . 2012-12-09 12:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-08 11:28 . 2012-11-08 18:00 6812136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{11E017EE-2E06-44DA-8D7D-80BF99A85206}\mpengine.dll
2012-12-06 11:08 . 2012-12-06 11:08 -------- d-----w- c:\users\top\AppData\Local\Apps
2012-12-06 11:06 . 2012-12-06 11:06 -------- d-----w- c:\users\top\AppData\Local\Apple Computer
2012-12-06 11:06 . 2012-12-06 11:13 -------- d-----w- c:\users\top\AppData\Roaming\Apple Computer
2012-12-06 11:06 . 2012-08-21 06:01 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-12-06 11:06 . 2012-12-06 11:06 -------- dc----w- c:\windows\system32\DRVSTORE
2012-12-06 11:05 . 2012-12-06 11:05 -------- d-----w- c:\program files\iPod
2012-12-06 11:05 . 2012-12-06 11:06 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-12-06 11:05 . 2012-12-06 11:06 -------- d-----w- c:\program files\iTunes
2012-12-06 11:05 . 2012-12-06 11:05 -------- d-----w- c:\programdata\Apple Computer
2012-12-06 11:03 . 2012-12-06 11:03 -------- d-----w- c:\users\top\AppData\Local\Apple
2012-12-06 11:03 . 2012-12-06 11:03 -------- d-----w- c:\program files\Apple Software Update
2012-12-06 11:02 . 2012-12-06 11:02 -------- d-----w- c:\program files\Bonjour
2012-12-06 11:02 . 2012-12-06 11:05 -------- d-----w- c:\program files\Common Files\Apple
2012-12-06 11:02 . 2012-12-06 11:03 -------- d-----w- c:\programdata\Apple
2012-12-05 06:25 . 2012-12-05 06:25 -------- d-----w- c:\users\top\AppData\Local\Mozilla
2012-12-05 05:48 . 2012-05-31 05:25 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-12-03 10:58 . 2012-07-26 03:39 47720 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2012-12-03 10:58 . 2012-07-26 03:39 526952 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2012-12-03 10:58 . 2012-07-26 02:46 9728 ----a-w- c:\windows\system32\Wdfres.dll
2012-12-03 10:57 . 2012-07-26 02:33 66560 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2012-12-03 10:57 . 2012-07-26 02:32 155136 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2012-12-03 10:57 . 2012-07-26 03:20 73216 ----a-w- c:\windows\system32\WUDFSvc.dll
2012-12-03 10:57 . 2012-07-26 03:20 172032 ----a-w- c:\windows\system32\WUDFPlatform.dll
2012-12-03 10:57 . 2012-07-26 03:20 38912 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2012-12-03 10:57 . 2012-07-26 03:21 196608 ----a-w- c:\windows\system32\WUDFHost.exe
2012-12-03 10:57 . 2012-07-26 03:20 613888 ----a-w- c:\windows\system32\WUDFx.dll
2012-12-03 10:53 . 2012-08-22 17:16 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-12-03 10:52 . 2011-04-22 19:14 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2012-12-03 10:52 . 2011-01-17 05:47 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2012-12-03 10:52 . 2012-01-04 08:58 442880 ----a-w- c:\windows\system32\ntshrui.dll
2012-12-03 10:48 . 2012-08-02 16:57 490496 ----a-w- c:\windows\system32\d3d10level9.dll
2012-12-03 10:47 . 2011-02-03 05:54 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2012-12-03 10:46 . 2012-05-01 04:44 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-12-03 10:46 . 2012-10-09 17:40 44032 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2012-12-03 10:46 . 2012-10-09 17:40 193536 ----a-w- c:\windows\system32\dhcpcore6.dll
2012-12-03 10:03 . 2011-02-19 06:30 805376 ----a-w- c:\windows\system32\FntCache.dll
2012-12-03 10:03 . 2011-02-19 06:30 739840 ----a-w- c:\windows\system32\d2d1.dll
2012-12-03 08:14 . 2012-12-03 08:14 -------- d-----w- c:\program files\Unlocker
2012-12-03 06:48 . 2012-12-03 06:48 -------- d-----w- c:\users\top\AppData\Roaming\Malwarebytes
2012-12-03 06:47 . 2012-12-03 06:47 -------- d-----w- c:\programdata\Malwarebytes
2012-12-03 06:47 . 2012-12-03 06:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-03 06:47 . 2012-09-29 12:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-01 00:45 . 2012-12-01 00:45 -------- d-----w- c:\windows\system32\Wat
2012-11-30 19:14 . 2012-03-01 05:46 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-11-30 19:14 . 2012-03-01 05:29 5120 ----a-w- c:\windows\system32\wmi.dll
2012-11-30 19:14 . 2012-03-01 05:33 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-11-30 19:10 . 2012-11-30 19:10 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2012-11-30 16:40 . 2012-10-30 22:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-11-30 16:40 . 2012-10-30 22:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-11-30 16:40 . 2012-10-15 15:59 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-11-30 16:40 . 2012-10-30 22:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-11-30 16:40 . 2012-10-30 22:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-11-30 16:39 . 2012-10-30 22:51 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-11-30 16:39 . 2012-10-30 22:51 41224 ----a-w- c:\windows\avastSS.scr
2012-11-30 16:39 . 2012-10-30 22:50 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-11-30 16:39 . 2012-11-30 16:39 -------- d-----w- c:\programdata\AVAST Software
2012-11-30 16:39 . 2012-11-30 16:39 -------- d-----w- c:\program files\AVAST Software
2012-11-30 15:48 . 2012-11-30 15:48 -------- d-----w- c:\program files\Recuva
2012-11-30 13:46 . 2011-04-25 02:18 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-11-30 13:46 . 2011-04-29 02:46 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2012-11-30 13:46 . 2011-04-29 02:46 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2012-11-30 13:46 . 2011-04-29 02:46 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys
2012-11-30 13:46 . 2011-11-17 05:38 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-11-30 13:46 . 2012-08-24 16:57 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-11-30 13:46 . 2012-08-22 17:16 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-11-30 13:46 . 2012-08-22 17:16 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-11-30 13:44 . 2012-04-28 04:41 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-11-30 13:43 . 2012-08-30 17:12 3968880 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-11-30 13:31 . 2012-02-17 05:34 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-11-30 13:31 . 2012-02-17 04:13 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-11-30 13:23 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-11-30 13:23 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-11-30 13:23 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-11-30 13:23 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-11-30 13:22 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-11-30 13:22 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-11-30 13:22 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-11-30 13:22 . 2012-06-02 08:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-11-30 13:22 . 2012-06-02 08:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-11-30 10:48 . 2012-11-30 10:48 -------- d-----w- c:\users\top\AppData\Roaming\ACD Systems
2012-11-30 10:06 . 2012-11-30 13:29 -------- d-----w- c:\users\top\AppData\Local\Adobe
2012-11-30 08:01 . 2012-11-30 08:24 -------- d-----w- c:\windows\AutoKMS
2012-11-30 08:00 . 2012-12-09 09:26 151552 ----a-w- c:\windows\KMSEmulator.exe
2012-11-30 07:52 . 2012-11-30 07:52 -------- d-----w- c:\program files\Microsoft Synchronization Services
2012-11-30 07:52 . 2012-12-08 11:13 -------- d-----w- c:\program files\Microsoft.NET
2012-11-30 07:52 . 2012-11-30 07:52 -------- d-----w- c:\program files\Microsoft Sync Framework
2012-11-30 07:52 . 2012-11-30 07:52 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2012-11-30 07:50 . 2012-11-30 07:50 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2012-11-30 07:49 . 2012-11-30 07:49 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-11-30 07:48 . 2012-11-30 07:48 -------- d-----r- C:\MSOCache
2012-11-30 07:40 . 2012-11-30 07:40 -------- d-----w- c:\users\top\AppData\Roaming\Synaptics
2012-11-30 07:40 . 2012-11-30 07:40 -------- d-----w- c:\programdata\Synaptics
2012-11-30 07:22 . 2012-12-09 09:25 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-11-30 07:22 . 2012-11-30 07:22 58288 ------w- c:\windows\system32\rpcnet.exe
2012-11-18 11:19 . 2012-11-18 11:19 -------- d-----w- c:\programdata\CyberLink
2012-11-18 11:19 . 2012-11-18 11:19 -------- d-----w- c:\users\top\AppData\Roaming\CyberLink
2012-11-18 11:18 . 2012-11-18 11:18 -------- d-----w- c:\users\top\AppData\Local\CyberLink
2012-11-18 11:16 . 2012-11-18 11:16 -------- d-----w- C:\Intel
2012-11-18 11:14 . 2010-01-06 06:13 506368 ----a-w- c:\windows\system32\sqlite3.dll
2012-11-18 11:11 . 2012-11-18 11:11 -------- d-----w- c:\program files\Synaptics
2012-11-18 11:11 . 2009-08-07 02:49 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2012-11-18 11:11 . 2012-03-29 13:13 323344 ----a-w- c:\windows\system32\drivers\SynTP.sys
2012-11-18 11:11 . 2012-03-29 13:13 122128 ----a-w- c:\windows\system32\SynTPCo9.dll
2012-11-18 11:11 . 2012-03-29 13:13 175376 ----a-w- c:\windows\system32\SynTPAPI.dll
2012-11-18 11:11 . 2012-03-29 13:13 146704 ----a-w- c:\windows\system32\SynGlwPadShlExt.dll
2012-11-18 11:11 . 2012-03-29 13:13 396560 ----a-w- c:\windows\system32\SynCOM.dll
2012-11-18 11:11 . 2012-03-29 13:13 228624 ----a-w- c:\windows\system32\SynCtrl.dll
2012-11-18 11:11 . 2011-09-14 11:11 1048576 ----a-w- c:\windows\system32\syndata.bin
2012-11-18 10:57 . 2012-12-01 00:49 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2012-11-18 10:56 . 2012-12-09 11:34 17920 ----a-w- c:\windows\system32\rpcnetp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-18 11:14 . 2011-03-28 11:36 19696 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-10-16 07:39 . 2012-12-03 10:54 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
2012-09-28 03:32 . 2012-09-28 03:32 5989776 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-09-28 03:32 . 2012-09-28 03:32 44544 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-04-21 01:19 . 2012-10-15 13:37 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-11-20 . 8626F0C30D4E3564FFDD25C90F4426F1 . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 22:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-05-30 16:50 21864 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-04-05 17356424]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-10-15 3405208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ACPW05EN"="c:\program files\ACD Systems\ACDSee Pro\5.0\ACDSeeProInTouch2.exe" [2011-11-16 822384]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"MagicLinker3"="c:\program files\ThaiSoftware Enterprise\ThaiSoftware Dictionary\Bin\MagicLnk.exe" [2005-10-20 155648]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2012-03-29 2346256]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-11-28 151952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [x]
S3 k57nd60x;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [x]
S3 MEI;Intel® Management Engine Interface ;c:\windows\system32\DRIVERS\HECI.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-09 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS\AutoKMS.exe [2012-11-30 08:01]
.
2012-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-15 13:37]
.
2012-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-15 13:37]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: ??????????????? IDM
IE: ??????????????????????????? IDM
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: ??????????????????????????? IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: ??????????????? IDM - c:\program files\Internet Download Manager\IEExt.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\top\AppData\Roaming\Mozilla\Firefox\Profiles\4dyzyjpq.default\
FF - ExtSQL: 2012-10-15 21:07; mozilla_cc@internetdownloadmanager.com; c:\users\top\AppData\Roaming\IDM\idmmzcc5
FF - ExtSQL: 2012-12-05 13:26; {DDC359D1-844A-42a7-9AA1-88A850A938A8}; c:\users\top\AppData\Roaming\Mozilla\Firefox\Profiles\4dyzyjpq.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.032"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.abr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.abr"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.apd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.apd"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.arw"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bay\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.bay"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.bw"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.cr2"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.crw"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cs1\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.cs1"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.dcr"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.dcx"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.djv"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djvu\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.djvu"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.dng"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eps\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.eps"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.erf"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.fff"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.fpx"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.hdr"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icn\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.icn"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.iff"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ilbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.ilbm"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.int\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.int"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inta\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.inta"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iw4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.iw4"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2c\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.j2c"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2k\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.j2k"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jbr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.jbr"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.jif"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jp2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.jp2"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.jpc"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpk\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.jpk"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.jpx"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.kdc"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.lbm"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.mef"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mos\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.mos"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.mrw"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.nef"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nrw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.nrw"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.orf"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.pbm"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.pbr"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.pcd"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pct\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.pct"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.pcx"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.pef"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pgm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.pgm"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pic\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.pic"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pict\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.pict"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pix\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.pix"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.ppm"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.psd"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.psp"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspbrush\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.pspbrush"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspimage\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.pspimage"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.raf"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ras\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.ras"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.raw"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.rgb"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgba\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.rgba"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rsb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.rsb"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rw2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.rw2"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rwl\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.rwl"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sgi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.sgi"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.sr2"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.srf"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.srw"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tga\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.tga"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.thm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.thm"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v50po\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.v50po"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v50pp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.v50pp"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v50ppf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.v50ppf"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.wbm"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.wbmp"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.xbm"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.xif"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.xmp"
.
[HKEY_USERS\S-1-5-21-1565109452-1158753834-2774069199-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xpm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 5.xpm"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1844)
c:\program files\ThaiSoftware Enterprise\ThaiSoftware Dictionary\Bin\ActWndHk.dll
.
Completion time: 2012-12-09 19:06:27
ComboFix-quarantined-files.txt 2012-12-09 12:06
.
Pre-Run: 694,001,664 bytes free
Post-Run: 952,274,944 bytes free
.
- - End Of File - - 87A40DD13BE04459D31D379BC114C28F
-
OK, cool, I managed to get the script to run. (Windows affixed .txt on the end of .vbs and I missed it.)
It didn't work on the hard drive, maybe because it had all already appeared? But it worked great on the memory stick and revealed all the folders.
Here's the ComboFix log. I ran ComboFix with both the hard drive and memory stick plugged in.
I've not checked through all the photos yet. I have around 9000 and it's taking a while. Up to 5000, it's all good.
-
OK, so the folders have magically reappeared and I don't have the faintest idea why. However, there seem to be some size discrepancies; one of my jpg folders is 10.9 GB but I can only see about 8 GB, so I'm going to take a proper look and put down the results when I'm done. I'm also going to run ComboFix anyway.
-
Sorry about the delay, I'm stuck on an island in Thailand and the internet is shocking.
Unfortunately I couldn't even run the text file. I was going to post pictures; however, nothing is working and the picture function on the forum is failing. Hopefully descriptions will be enough.
I created the text file. I right-clicked on it; however, the menu option "Open with Command Prompt" was missing.
I clicked on "Open With".
Command Prompt was not an option so I manually went to the path C:\Windows\System32\cmd.exe and selected that.
This was apparently a bad move.
Now opening any Notepad file opens up Command Prompt. The "Always use the selected programme to open this kind of file" check box on "Open With" is now permanently grayed out.
I think I found the relevant registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoice
Inside there is a value named Progid which contains:
Value Name: Progid
Value Data: Applications\cmd.exe
However, I don't know what to change this to in order to solve the problem. I tried solving the problem using the default programme options in the Control Panel; however, this didn't work.
So, two new questions. 1. How do I remove this association?
2. How do I run a text file as a Command Prompt script when the context menu option "Open with Command Prompt" is missing?
I'm running Windows 7 32-bit.
-
Hi all,
I'm currently travelling around the world, using a hard drive to store my photos. I'd been putting them on via internet cafes, virus-scanning each computer before I used it. The one time I didn't do this, my hard drive picked up a nasty virus. It turned all my .jpgs into .exe files, along with my folders. It also infected two of my memory cards that were plugged in at the time.
I then rescanned the cards and the hard drive using a computer with ESET NOD32 Antivirus. It quarantined all the folders along with the .jpgs that were infected. The viruses found were Ramnit.F and D.Dorkbot.
I'm now backing everything up onto a laptop I bought and I'm trying to recover the photos. The space on the hard drive is still occupied; however, I can't view the folders.
Running Command Prompt and using attrib -s -h /s /d *.* hasn't worked. I get Access Denied - F:\System Volume Information
As far as I can tell the hard drive is now disinfected, although it seems peculiar that I still can't access it. I've attached an MBAM full scan of the hard drive and the DDS logs.
I also suspect the copy of Windows that came with the laptop isn't genuine; however, I can't reinstall with my genuine copy until I get back in a couple of months. Hopefully this won't be an issue.
What should be my next step?
-
Thanks very much for all the time and effort. It's really appreciated.
-
Yep that's worked great. Am I now clean and serene?
-
Good; the only weird thing is Windows still thinks automatic updates are turned off, but when I go to the Control Panel they're turned on.
(This may be a double post, but for some reason I can't see my previous one.)
-
Nothing seems particularly weird. The only noticeable thing is Windows still thinks automatic updates are turned off, but they're on in the Control Panel.
-
Here is the log. Took barely any time.
2011/04/08 18:29:32.0796 3672 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/08 18:29:33.0015 3672 ================================================================================
2011/04/08 18:29:33.0015 3672 SystemInfo:
2011/04/08 18:29:33.0015 3672
2011/04/08 18:29:33.0015 3672 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/08 18:29:33.0015 3672 Product type: Workstation
2011/04/08 18:29:33.0015 3672 ComputerName: DOMS-MACHINE
2011/04/08 18:29:33.0015 3672 UserName: Dom
2011/04/08 18:29:33.0015 3672 Windows directory: C:\WINDOWS
2011/04/08 18:29:33.0015 3672 System windows directory: C:\WINDOWS
2011/04/08 18:29:33.0015 3672 Processor architecture: Intel x86
2011/04/08 18:29:33.0015 3672 Number of processors: 2
2011/04/08 18:29:33.0015 3672 Page size: 0x1000
2011/04/08 18:29:33.0015 3672 Boot type: Normal boot
2011/04/08 18:29:33.0015 3672 ================================================================================
2011/04/08 18:29:33.0531 3672 Initialize success
2011/04/08 18:29:36.0031 2900 ================================================================================
2011/04/08 18:29:36.0031 2900 Scan started
2011/04/08 18:29:36.0031 2900 Mode: Manual;
2011/04/08 18:29:36.0031 2900 ================================================================================
2011/04/08 18:29:36.0500 2900 Aavmker4 (479c9835b91147be1a92cb76fad9c6de) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/04/08 18:29:36.0640 2900 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/08 18:29:36.0687 2900 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/04/08 18:29:36.0765 2900 ADIHdAudAddService (0158f4027c0808ff65ed3b3d683339c9) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2011/04/08 18:29:36.0859 2900 AEAudio (358063ab6c1c4173b735525cdfa65f94) C:\WINDOWS\system32\drivers\AEAudio.sys
2011/04/08 18:29:36.0875 2900 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/08 18:29:36.0921 2900 AegisP (30bb1bde595ca65fd5549462080d94e5) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/04/08 18:29:36.0984 2900 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/04/08 18:29:37.0062 2900 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/04/08 18:29:37.0125 2900 aswFsBlk (cba53c5e29ae0a0ce76f9a2be3a40d9e) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/04/08 18:29:37.0187 2900 aswMon2 (a1c52b822b7b8a5c2162d38f579f97b7) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/04/08 18:29:37.0187 2900 aswRdr (b6e8c5874377a42756c282fac2e20836) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/04/08 18:29:37.0203 2900 aswSP (b93a553c9b0f14263c8f016a44c3258c) C:\WINDOWS\system32\drivers\aswSP.sys
2011/04/08 18:29:37.0234 2900 aswTdi (1408421505257846eb336feeef33352d) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/04/08 18:29:37.0265 2900 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/08 18:29:37.0312 2900 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/08 18:29:37.0359 2900 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/08 18:29:37.0406 2900 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/08 18:29:37.0453 2900 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/08 18:29:37.0515 2900 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/08 18:29:37.0546 2900 CCDECODE (fdc06e2ada8c468ebb161624e03976cf) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/04/08 18:29:37.0578 2900 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/08 18:29:37.0609 2900 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/08 18:29:37.0656 2900 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/08 18:29:37.0781 2900 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/08 18:29:37.0828 2900 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/08 18:29:37.0890 2900 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/08 18:29:37.0890 2900 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/08 18:29:37.0953 2900 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/08 18:29:37.0968 2900 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/08 18:29:38.0046 2900 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/08 18:29:38.0109 2900 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/04/08 18:29:38.0125 2900 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/08 18:29:38.0156 2900 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/04/08 18:29:38.0203 2900 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/04/08 18:29:38.0250 2900 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/08 18:29:38.0265 2900 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/08 18:29:38.0312 2900 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/04/08 18:29:38.0343 2900 giveio (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys
2011/04/08 18:29:38.0375 2900 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/08 18:29:38.0437 2900 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/08 18:29:38.0484 2900 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/08 18:29:38.0546 2900 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/08 18:29:38.0593 2900 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/08 18:29:38.0656 2900 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/08 18:29:38.0718 2900 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/04/08 18:29:38.0765 2900 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/08 18:29:38.0781 2900 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/08 18:29:38.0812 2900 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/08 18:29:38.0859 2900 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/08 18:29:38.0921 2900 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/08 18:29:38.0937 2900 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/08 18:29:38.0953 2900 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/08 18:29:38.0968 2900 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/04/08 18:29:39.0031 2900 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/08 18:29:39.0078 2900 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/08 18:29:39.0140 2900 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/08 18:29:39.0187 2900 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/08 18:29:39.0265 2900 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/08 18:29:39.0312 2900 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/08 18:29:39.0359 2900 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/08 18:29:39.0375 2900 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/08 18:29:39.0421 2900 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/08 18:29:39.0437 2900 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/08 18:29:39.0484 2900 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/08 18:29:39.0500 2900 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/08 18:29:39.0531 2900 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/08 18:29:39.0578 2900 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/08 18:29:39.0609 2900 MSTEE (d5059366b361f0e1124753447af08aa2) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/04/08 18:29:39.0656 2900 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/08 18:29:39.0687 2900 NABTSFEC (ac31b352ce5e92704056d409834beb74) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/04/08 18:29:39.0734 2900 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/08 18:29:39.0781 2900 NdisIP (abd7629cf2796250f315c1dd0b6cf7a0) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/04/08 18:29:39.0796 2900 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/08 18:29:39.0843 2900 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/08 18:29:39.0875 2900 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/08 18:29:39.0906 2900 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/08 18:29:39.0921 2900 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/08 18:29:39.0937 2900 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/08 18:29:39.0984 2900 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/04/08 18:29:40.0000 2900 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/08 18:29:40.0046 2900 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/08 18:29:40.0078 2900 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/08 18:29:40.0281 2900 nv (c4267be1fa6b5dfe5a7559f804e31cf5) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/04/08 18:29:40.0515 2900 nvata (4d6c6b46b3edf6f2e219a86b61d104ae) C:\WINDOWS\system32\DRIVERS\nvata.sys
2011/04/08 18:29:40.0562 2900 NVENETFD (1b83b60541be1b6db81641c448007f21) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/04/08 18:29:40.0578 2900 nvnetbus (57b669f9234604a350174b86764444b0) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/04/08 18:29:40.0593 2900 NVTCP (c0e7437765a694328579c4674ef3ab20) C:\WINDOWS\system32\DRIVERS\NVTcp.sys
2011/04/08 18:29:40.0656 2900 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/08 18:29:40.0656 2900 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/08 18:29:40.0703 2900 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/04/08 18:29:40.0750 2900 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/04/08 18:29:40.0765 2900 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/08 18:29:40.0812 2900 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/08 18:29:40.0859 2900 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/08 18:29:40.0890 2900 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/08 18:29:40.0921 2900 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/04/08 18:29:41.0093 2900 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/08 18:29:41.0156 2900 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/04/08 18:29:41.0187 2900 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/08 18:29:41.0250 2900 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/08 18:29:41.0390 2900 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/08 18:29:41.0421 2900 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/08 18:29:41.0437 2900 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/08 18:29:41.0468 2900 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/08 18:29:41.0500 2900 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/08 18:29:41.0515 2900 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/08 18:29:41.0593 2900 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/08 18:29:41.0625 2900 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/08 18:29:41.0671 2900 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/08 18:29:41.0750 2900 RTLWUSB (05552e37b5c0b53b7e4b95a850447e85) C:\WINDOWS\system32\DRIVERS\RTL8187.sys
2011/04/08 18:29:41.0812 2900 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/08 18:29:41.0859 2900 SenFiltService (b6a6b409fda9d9ebd3aadb838d3d7173) C:\WINDOWS\system32\drivers\Senfilt.sys
2011/04/08 18:29:41.0906 2900 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/04/08 18:29:41.0921 2900 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/04/08 18:29:41.0937 2900 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/08 18:29:42.0000 2900 SI3132 (9604998d0c578608151b6e59266fcae1) C:\WINDOWS\system32\DRIVERS\SI3132.sys
2011/04/08 18:29:42.0015 2900 SiFilter (72cf151fb410e544904dbc7d7f29b796) C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys
2011/04/08 18:29:42.0078 2900 SjyPkt (3d7ef286e806f9bd9339aa52e28dcd67) C:\WINDOWS\System32\Drivers\SjyPkt.sys
2011/04/08 18:29:42.0140 2900 SLIP (1ffc44d6787ec1ea9a2b1440a90fa5c1) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/04/08 18:29:42.0218 2900 speedfan (5d6401db90ec81b71f8e2c5c8f0fef23) C:\WINDOWS\system32\speedfan.sys
2011/04/08 18:29:42.0265 2900 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/08 18:29:42.0312 2900 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/04/08 18:29:42.0312 2900 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/04/08 18:29:42.0312 2900 sptd - detected Locked file (1)
2011/04/08 18:29:42.0343 2900 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/08 18:29:42.0421 2900 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/08 18:29:42.0484 2900 streamip (a9f9fd0212e572b84edb9eb661f6bc04) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/04/08 18:29:42.0531 2900 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/08 18:29:42.0578 2900 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/08 18:29:42.0625 2900 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/08 18:29:42.0687 2900 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/08 18:29:42.0718 2900 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/08 18:29:42.0734 2900 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/08 18:29:42.0781 2900 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/08 18:29:42.0875 2900 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/08 18:29:42.0953 2900 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/08 18:29:43.0031 2900 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/04/08 18:29:43.0078 2900 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/08 18:29:43.0093 2900 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/08 18:29:43.0125 2900 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/08 18:29:43.0140 2900 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/04/08 18:29:43.0187 2900 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/08 18:29:43.0234 2900 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/04/08 18:29:43.0296 2900 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/08 18:29:43.0328 2900 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/08 18:29:43.0343 2900 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/08 18:29:43.0390 2900 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/08 18:29:43.0437 2900 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/04/08 18:29:43.0468 2900 WSTCODEC (233cdd1c06942115802eb7ce6669e099) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/04/08 18:29:43.0578 2900 ================================================================================
2011/04/08 18:29:43.0578 2900 Scan finished
2011/04/08 18:29:43.0578 2900 ================================================================================
2011/04/08 18:29:43.0593 2836 Detected object count: 1
2011/04/08 18:29:49.0093 2836 Locked file(sptd) - User select action: Skip
-
Here we go.
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_USERS\S-1-5-21-2000478354-436374069-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
C:\Documents and Settings\Dom\Local Settings\Application Data\325cq8r6ceko405fg moved successfully.
C:\Documents and Settings\All Users\Application Data\325cq8r6ceko405fg moved successfully.
OTL by OldTimer - Version 3.2.22.3 log created on 04082011_181259
-
Here's the MBAM log and I attached the two OTL files as it was less messy.
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6311
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
08/04/2011 17:39:22
mbam-log-2011-04-08 (17-39-22).txt
Scan type: Full scan (C:\|)
Objects scanned: 234927
Time elapsed: 1 hour(s), 9 minute(s), 9 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
It should also be noted that Windows Security alerts are now turned off.
-
OK, did that and ran again; found two more. Now rescanning out of Safe Mode.
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6311
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
08/04/2011 15:53:25
mbam-log-2011-04-08 (15-53-25).txt
Scan type: Full scan (C:\|)
Objects scanned: 234036
Time elapsed: 28 minute(s), 53 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\system volume information\_restore{9cff0015-b227-4ab7-95e7-942b2bd20ad4}\RP208\A0058071.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{9cff0015-b227-4ab7-95e7-942b2bd20ad4}\RP208\A0058072.exe (Trojan.Agent) -> Quarantined and deleted successfully.
-
OK, it's finished; here are the results.
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6311
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
08/04/2011 15:17:15
mbam-log-2011-04-08 (15-17-09).txt
Scan type: Full scan (C:\|F:\|)
Objects scanned: 234093
Time elapsed: 29 minute(s), 26 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
c:\documents and settings\Dom\local settings\application data\aan.exe (Trojan.Agent) -> 912 -> No action taken.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\Dom\local settings\application data\aan.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\Dom\application data\Sun\Java\deployment\cache\6.0\21\1b267915-700ba47d (Trojan.Agent) -> No action taken.
c:\documents and settings\Dom\local settings\Temp\0.7747852293343608.exe (Trojan.Agent) -> No action taken.
c:\RECYCLER\s-1-5-21-2000478354-436374069-682003330-1003\Dc3.exe (Trojan.Agent) -> No action taken.
c:\system volume information\_restore{9cff0015-b227-4ab7-95e7-942b2bd20ad4}\RP206\A0057880.exe (Trojan.FakeAlert) -> No action taken.
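The three MBAM logs in this thread share one layout: a few metadata lines, a block of per-section summary counts, then one section per object class whose entries read `path (Threat) -> action`. As an added example (my own code, not from the thread, not Malwarebytes' own tooling), here is a Python parser for that layout that extracts the detections, lists the items still marked "No action taken" (the state a log is in when it is saved before "Remove Selected"), and cross-checks each section's summary count against the items actually listed. The sample log is constructed to mirror the one above, with the aan.exe and Security Center entries kept and the rest shortened.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the MBAM 1.50 log layout seen in the thread
# (paths shortened; summary counts match the items listed below them).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 6311
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Scan type: Full scan (C:\|F:\|)
Objects scanned: 234093
Time elapsed: 29 minute(s), 26 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
c:\documents and settings\Dom\local settings\application data\aan.exe (Trojan.Agent) -> 912 -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Dom\local settings\application data\aan.exe (Trojan.Agent) -> No action taken.
c:\RECYCLER\s-1-5-21-2000478354-436374069-682003330-1003\Dc3.exe (Trojan.Agent) -> No action taken.
c:\system volume information\_restore{9cff0015-b227-4ab7-95e7-942b2bd20ad4}\RP206\A0057880.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# "Files Infected: 3" is a summary count; "Files Infected:" opens a section.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
# "<path> (<Threat>) -> [pid or Bad/Good detail ->] <action>"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
META_RE = re.compile(r"^(?P<key>Database version|Scan type|Objects scanned|Time elapsed): (?P<value>.+)$")


@dataclass
class Detection:
    section: str
    path: str
    threat: str
    action: str            # trailing text after the last "->"
    detail: str = ""       # e.g. "Bad: (1) Good: (0)" for registry data items
    pid: Optional[int] = None  # only for running processes


@dataclass
class Report:
    metadata: Dict[str, str] = field(default_factory=dict)
    summary: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


def parse_mbam_log(text: str) -> Report:
    """Parse an MBAM 1.50-style text log into a Report."""
    report = Report()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = META_RE.match(line)
        if m:
            report.metadata[m["key"]] = m["value"]
            continue
        m = SECTION_RE.match(line)
        if m:
            if m["count"] is not None:
                report.summary[m["section"]] = int(m["count"])
            else:
                section = m["section"]
            continue
        if section is None or line.startswith("("):
            continue  # preamble, or "(No malicious items detected)"
        m = ITEM_RE.match(line)
        if m is None:
            continue  # unrecognised line inside a section; skip it
        parts = [p.strip() for p in m["rest"].split("->")]
        pid = int(parts[0]) if len(parts) > 1 and parts[0].isdigit() else None
        report.detections.append(Detection(
            section=section, path=m["path"], threat=m["threat"],
            action=parts[-1], detail=" -> ".join(parts[:-1]), pid=pid))
    return report


def pending(report: Report) -> List[Detection]:
    """Detections MBAM reported but has not yet removed."""
    return [d for d in report.detections if d.action.startswith("No action taken")]


def consistency_issues(report: Report) -> List[str]:
    """Sections whose summary count disagrees with the items listed."""
    issues = []
    for sec, expected in report.summary.items():
        actual = sum(1 for d in report.detections if d.section == sec)
        if actual != expected:
            issues.append(f"{sec}: header says {expected}, listed {actual}")
    return issues


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    for d in pending(rep):
        print(f"[{d.section}] {d.threat}: {d.path}")
    print("consistency:", consistency_issues(rep) or "ok")
```

Run it against a saved mbam-log-*.txt instead of SAMPLE_LOG to get the same triage: anything returned by `pending()` is still on disk or in memory, and a non-empty `consistency_issues()` usually means the paste was truncated.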
-
That's worked. I'm just running an MBAM scan now and I'll post the logs when I'm done. Thanks very much so far!
-
OK, nothing that looks particularly like that; I would guess possibly the following?
Direct memory access controller
High precision event timer
ISAPNP Read Data Port
Micro Code Update Device
Terminal System Device Redirector
-
The error says
sed.exe can't read: C:Docume~1\Dom\Local~1\Temp\rks1.log no such file or directory
-
c:\docume~1\alluse~1\applic~1\nPl06511kCmHi06511
C:\Documents and Settings\dom\Local Settings\Application Data\drl.exe
OK, so I managed to delete these two. However, I got Access Denied for the other one.
Unfortunately I cannot turn off the rootkit, which stops any programs from running. When I try to select Properties for My Computer nothing happens, and I cannot get Device Manager open.
I get rkill to run, but MBAM will still not run and simply opens up the spyware program again. The log is empty, but there is an error on the program which I'm just copying down now.
-
Weird I just made a thread on exactly the same thing. Good luck on the fixing!
-
I've been infected by a fake Windows Security 2011 virus. Any attempt to start any .exe file starts up the fake program aan.exe, although I can then close this with Task Manager. I've attached the DDS files but cannot run GMER. I'm running in Safe Mode at the moment; however, the virus still boots up in Safe Mode.
-
Reconnected to the internet and it seems OK; the scan is also clean. Are we indeed free?
-
Utilu IE Bundle (posted in File Detections)
Thanks very much for the quick response! I'll leave it be.