Posts posted by leftshot
Quick question: RogueKiller seems to be staying on "Searching for CLSID..." for a long time (5-10 minutes so far). Is that normal or have we gotten hung? I've restarted it once and am getting the same behavior.
-
Okay, I ran the fixlist and have the log posted below. I also logged into the infected user account and the bogus FBI screen no longer comes up, nor does the bogus missing DLL window that was part of the malware. Is there any other cleanup I need to do? Also, can you tell what this was attached to that caused the infection? The user claims they haven't installed anything lately and I don't want this to spread. I want to thank you for your help. I know you volunteer your time and am very appreciative of your efforts. I do the same in my realm, so I know how this can be both rewarding and at times thankless work. I want you to know your efforts are appreciated.
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 30-05-2013
Ran by administrator at 2013-05-31 09:49:41 Run:1
Running from C:\Documents and Settings\administrator.CCCM\Desktop
Boot Mode: Normal
==============================================
HKEY_USERS\davek.CCCM\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe => Value deleted successfully.
HKEY_USERS\davek.CCCM\Software\Microsoft\Windows\CurrentVersion\Run\\Svc2dll => Value deleted successfully.
C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\Apple\Adobe\njxyuv.dll => File/Directory not found.
C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\svcxdcl32.exe => File/Directory not found.
C:\Documents and Settings\davek.CCCM\acrobat.exe => Moved successfully.
C:\Documents and Settings\davek.CCCM\icq.exe => Moved successfully.
C:\Documents and Settings\davek.CCCM\opera.exe => Moved successfully.
C:\Documents and Settings\davek.CCCM\skype.exe => Moved successfully.
==== End of Fixlog ====
-
Okay, here is the FRST.txt with Addition.txt attached.
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-05-2013
Ran by administrator (administrator) on 31-05-2013 08:59:30
Running from C:\Documents and Settings\administrator.CCCM\Desktop
Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal
==================== Processes (Whitelisted) ===================
(IObit) C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(IObit) C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
(ABBYY) C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
(Spigot, Inc.) C:\Program Files\Application Updater\ApplicationUpdater.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Computer Associates) C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
(Yahoo! Inc.) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
(Microsoft Corporation) C:\WINDOWS\system32\fxssvc.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\HitmanPro.exe
(SEIKO EPSON CORPORATION) C:\Program Files\Epson Software\Event Manager\EEventManager.exe
(Musicmatch, Inc.) C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
(Spigot, Inc.) C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
(IObit) C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe
(IObit) C:\Program Files\IObit\Advanced SystemCare 6\DelayLoad.exe
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64" [99840 2003-05-27] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [EEventManager] "C:\Program Files\Epson Software\Event Manager\EEventManager.exe" [979328 2010-10-12] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [98304 2006-03-30] (Apple Computer, Inc.)
HKLM\...\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [110592 2006-09-18] (Musicmatch, Inc.)
HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [144784 2008-06-10] (Sun Microsystems, Inc.)
HKLM\...\Run: [] [x]
HKLM\...\Run: [searchSettings] "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe" [1298240 2013-05-15] (Spigot, Inc.)
HKLM\...\Winlogon: [system]
Winlogon\Notify\klogon: C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
HKCU\...\Run: [Advanced SystemCare 5] "C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe" /AutoStart [x]
HKCU\...\Run: [Advanced SystemCare 6] "C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe" /AutoStart [491840 2013-04-18] (IObit)
HKU\Administrator\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)
HKU\administrator.FPCM\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)
HKU\davek\...\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe [x]
HKU\davek\...\Run: [PopularScreensaversWallpaper] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\F3SCRCTR.DLL,LES [x]
HKU\davek\...\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /M "Stylus C64" /EF "HKCU" [ 2003-05-27] (SEIKO EPSON CORPORATION)
HKU\davek\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)
HKU\davek.CCCM\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\davek.CCCM\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)
HKU\davek.CCCM\...\Run: [EPLTarget\P0000000000000000] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_TATIHWA.EXE /EPT "EPLTarget\P0000000000000000" /M "WorkForce 545" [ 2011-04-24] (SEIKO EPSON CORPORATION)
HKU\davek.CCCM\...\Run: [Advanced SystemCare 6] "C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe" /AutoStart [ 2013-04-18] (IObit)
HKU\davek.CCCM\...\Run: [Adobe] rundll32 "C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\Apple\Adobe\njxyuv.dll",DllRegisterServer [x]
HKU\davek.CCCM\...\Run: [svc2dll] C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\svcxdcl32.exe [x]
HKU\davek.CCCM\...\Run: [] C:\Documents and Settings\davek.CCCM\opera.exe [ 2013-05-30] (FileZilla Project)
HKU\davek.CCCM\...\Policies\system: [NoDispCpl] 0
HKU\davek.CCCM\...\Policies\system: [NoDispAppearancePage] 0
HKU\davek.CCCM\...\Policies\system: [NoDispBackgroundPage] 0
HKU\davek.CCCM\...\Policies\system: [NoDispSettingsPage] 0
HKU\Default User\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)
HKU\Sue McKinney\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)
SSODL: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll (Microsoft Corporation)
BootExecute: autocheck autochk * bootdelete
==================== Internet (Whitelisted) ====================
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co...-inc&channel=us
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co...-inc&channel=us
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co...html?channel=us
URLSearchHook: IObit Apps Toolbar - {03EB0E9C-7A91-4381-A220-9B52B641CDB1} - C:\Program Files\IObit Apps Toolbar\IE\7.1\iobitappsToolbarIE.dll (Spigot, Inc.)
URLSearchHook: YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.c...referrer:source?}
HKCU SearchScopes: DefaultScope {FBBE751C-C2E8-49E1-AC6D-B232168155DE} URL = http://search.yahoo....&p={searchTerms}
SearchScopes: HKCU - {FBBE751C-C2E8-49E1-AC6D-B232168155DE} URL = http://search.yahoo....&p={searchTerms}
BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
BHO: IObit Apps Toolbar - {03EB0E9C-7A91-4381-A220-9B52B641CDB1} - C:\Program Files\IObit Apps Toolbar\IE\7.1\iobitappsToolbarIE.dll (Spigot, Inc.)
BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL (Sonic Solutions)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Search.com Bar - {80987362-6216-49bc-98e4-77e6cf71a5d7} - C:\Program Files\searchcom_001\searchcom_001X.dll ()
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
BHO: No Name - {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - C:\PROGRA~1\IObit\ADVANC~3\BROWER~1\ASCPLU~1.DLL (IObit)
BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: NetAssistant - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll (W3i, LLC)
Toolbar: HKLM - MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)
Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
Toolbar: HKLM - Search.com Bar - {80987362-6216-49bc-98e4-77e6cf71a5d7} - C:\Program Files\searchcom_001\searchcom_001X.dll ()
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKLM - IObit Apps Toolbar - {03EB0E9C-7A91-4381-A220-9B52B641CDB1} - C:\Program Files\IObit Apps Toolbar\IE\7.1\iobitappsToolbarIE.dll (Spigot, Inc.)
Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
PDF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} https://accounting.q....588/qboax9.cab
PDF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab
PDF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} http://download.micr...loadManager.cab
PDF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
PDF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
PDF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [245248] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.32.40.2
========================== Services (Whitelisted) =================
R2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
R2 AdvancedSystemCareService6; C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe [574272 2013-04-18] (IObit)
R2 Application Updater; C:\Program Files\Application Updater\ApplicationUpdater.exe [806776 2013-05-15] (Spigot, Inc.)
S3 AVP; C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe [311680 2010-03-12] (Kaspersky Lab)
S3 CA_LIC_CLNT; C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [77824 2002-09-20] (Computer Associates)
S3 CA_LIC_SRVR; C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [77824 2002-09-20] (Computer Associates)
S3 DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [76848 2007-03-07] ()
R2 EpsonCustomerParticipation; C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe [521600 2011-06-09] (SEIKO EPSON CORPORATION)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [106280 2013-05-30] (SurfRight B.V.)
R2 IMFservice; C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe [820568 2011-07-20] (IObit)
R2 LogWatch; C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [53248 2002-09-20] (Computer Associates)
S4 McAfeeFramework; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [103744 2008-05-20] (McAfee, Inc.)
S3 NetSvc; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [147456 2004-11-19] (Intel® Corporation)
S4 HidServ; %SystemRoot%\System32\hidserv.dll [x]
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf" [x]
==================== Drivers (Whitelisted) ====================
R2 ASCTRM; C:\Windows\System32\Drivers\ASCTRM.sys [8552 2006-03-30] (Windows ® 2000 DDK provider)
R2 DLABOIOM; C:\Windows\System32\DLA\DLABOIOM.SYS [25628 2005-09-08] (Sonic Solutions)
R1 DLACDBHM; C:\Windows\System32\Drivers\DLACDBHM.SYS [5628 2005-08-25] (Sonic Solutions)
R2 DLADResN; C:\Windows\System32\DLA\DLADResN.SYS [2496 2005-09-08] (Sonic Solutions)
R2 DLAIFS_M; C:\Windows\System32\DLA\DLAIFS_M.SYS [86524 2005-09-08] (Sonic Solutions)
R2 DLAOPIOM; C:\Windows\System32\DLA\DLAOPIOM.SYS [14684 2005-09-08] (Sonic Solutions)
R2 DLAPoolM; C:\Windows\System32\DLA\DLAPoolM.SYS [6364 2005-09-08] (Sonic Solutions)
R1 DLARTL_N; C:\Windows\System32\Drivers\DLARTL_N.SYS [22684 2005-08-25] (Sonic Solutions)
R2 DLAUDFAM; C:\Windows\System32\DLA\DLAUDFAM.SYS [94332 2005-09-08] (Sonic Solutions)
R2 DLAUDF_M; C:\Windows\System32\DLA\DLAUDF_M.SYS [87036 2005-09-08] (Sonic Solutions)
R2 DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [40544 2005-08-12] (Sonic Solutions)
S3 DSproct; C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys [4736 2006-10-05] (Gteko Ltd.)
R3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows ® Server 2003 DDK provider)
R3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [1302812 2005-10-14] (Intel Corporation)
R1 kl1; C:\WINDOWS\system32\drivers\kl1.sys [126480 2009-11-12] (Kaspersky Lab)
R3 KLFLTDEV; C:\Windows\System32\DRIVERS\klfltdev.sys [24848 2009-09-03] (Kaspersky Lab)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [231512 2012-04-26] (Kaspersky Lab)
R3 klim5; C:\Windows\System32\DRIVERS\klim5.sys [32272 2009-09-14] (Kaspersky Lab)
R0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [14776 2010-11-26] ()
R3 STHDA; C:\Windows\System32\drivers\sthda.sys [1047816 2005-11-16] (SigmaTel, Inc.)
S4 Abiosdsk; No ImagePath
S4 Atdisk; No ImagePath
S1 Changer; No ImagePath
S0 hbhe; System32\drivers\qcjxbqy.sys [x]
S1 lbrtfdc; No ImagePath
S1 mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys [x]
S1 PCIDump; No ImagePath
S3 PDCOMP; No ImagePath
S3 PDFRAME; No ImagePath
S3 PDRELI; No ImagePath
S3 PDRFRAME; No ImagePath
S4 Simbad; No ImagePath
S3 wanatw; system32\DRIVERS\wanatw4.sys [x]
S3 WDICA; No ImagePath
U1 WS2IFSL;
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2013-05-31 08:59 - 2013-05-31 08:59 - 00000000 ____D C:\FRST
2013-05-31 08:59 - 2013-05-31 08:55 - 01355557 ____A (Farbar) C:\Documents and Settings\administrator.CCCM\Desktop\FRST.exe
2013-05-30 16:46 - 2013-05-30 16:46 - 00002169 ____A C:\Documents and Settings\administrator.CCCM\Desktop\aswMBR.txt
2013-05-30 16:44 - 2013-05-30 16:44 - 00047632 ____A C:\Documents and Settings\administrator.CCCM\Desktop\Extras.Txt
2013-05-30 16:43 - 2013-05-30 16:43 - 00057268 ____A C:\Documents and Settings\administrator.CCCM\Desktop\OTL.Txt
2013-05-30 16:31 - 2013-05-30 16:30 - 04745728 ____A (AVAST Software) C:\Documents and Settings\administrator.CCCM\Desktop\aswMBR.exe
2013-05-30 16:31 - 2013-05-30 16:26 - 00602112 ____A (OldTimer Tools) C:\Documents and Settings\administrator.CCCM\Desktop\OTL.exe
2013-05-30 15:53 - 2013-05-30 15:54 - 00000000 ____D C:\Documents and Settings\administrator.CCCM\Application Data\Search Settings
2013-05-30 15:53 - 2013-05-30 15:53 - 00000000 ____D C:\Program Files\IObit Apps Toolbar
2013-05-30 15:53 - 2013-05-30 15:53 - 00000000 ____D C:\Program Files\Application Updater
2013-05-30 15:51 - 2013-05-30 15:51 - 00001610 ____A C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
2013-05-30 15:38 - 2013-05-30 15:51 - 00000000 ____D C:\Program Files\HitmanPro
2013-05-30 15:12 - 2013-05-30 15:12 - 00069688 ____A C:\Documents and Settings\administrator.CCCM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-05-30 14:27 - 2013-05-30 14:26 - 00094112 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-05-30 14:27 - 2013-05-30 14:25 - 00866720 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2013-05-30 14:27 - 2013-05-30 14:25 - 00263584 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-05-30 14:27 - 2013-05-30 14:25 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-05-30 14:27 - 2013-05-30 14:25 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-05-30 14:24 - 2013-05-30 14:24 - 34500608 ____A C:\Windows\System32\config\SOFTWARE.iobit
2013-05-30 14:24 - 2013-05-30 14:24 - 00299008 ____A C:\Windows\System32\config\DEFAULT.iobit
2013-05-30 14:24 - 2013-05-30 14:24 - 00061440 ____A C:\Windows\System32\config\SECURITY.iobit
2013-05-30 14:24 - 2013-05-30 14:24 - 00028672 ____A C:\Windows\System32\config\SAM.iobit
2013-05-30 14:03 - 2013-05-30 14:03 - 00015466 ____A C:\Windows\System32\.crusader
2013-05-30 13:39 - 2013-05-31 08:56 - 00000438 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{A0D0BD7C-CFB5-4954-AEA7-0E0131112830}.job
2013-05-30 13:39 - 2013-05-30 13:39 - 00000000 __SHD C:\Documents and Settings\administrator.CCCM\IECompatCache
2013-05-30 13:19 - 2013-05-30 15:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2013-05-30 11:16 - 2013-05-30 11:16 - 00000000 ____D C:\Documents and Settings\administrator.CCCM\Application Data\Malwarebytes
2013-05-30 09:39 - 2013-05-30 09:39 - 00096256 ____A (FileZilla Project) C:\Documents and Settings\davek.CCCM\acrobat.exe
2013-05-30 09:39 - 2013-05-30 09:39 - 00000000 ____A C:\Documents and Settings\davek.CCCM\skype.exe
2013-05-30 09:34 - 2013-05-30 09:34 - 00122368 ____A (FileZilla Project) C:\Documents and Settings\davek.CCCM\opera.exe
2013-05-30 09:34 - 2013-05-30 09:34 - 00000000 ____A C:\Documents and Settings\davek.CCCM\icq.exe
2013-05-22 11:26 - 2013-05-30 09:16 - 00000154 ____A C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\svcxdcl32.dat
2013-05-20 12:31 - 2013-05-30 14:02 - 00000000 ____D C:\Documents and Settings\davek.CCCM\Application Data\wabEventSupport16
2013-05-20 11:53 - 2013-05-30 14:15 - 00054156 ___AH C:\Windows\QTFont.qfn
2013-05-20 11:53 - 2013-05-20 11:53 - 00001409 ____A C:\Windows\QTFont.for
2013-05-17 12:59 - 2013-05-17 12:59 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\Folder Manager
==================== One Month Modified Files and Folders ========
2013-05-31 08:59 - 2013-05-31 08:59 - 00000000 ____D C:\FRST
2013-05-31 08:58 - 2013-01-10 10:12 - 00081809 ____A C:\Windows\setupapi.log
2013-05-31 08:57 - 2013-03-12 13:09 - 00000284 ____A C:\Windows\Tasks\ASC6_PerformanceMonitor.job
2013-05-31 08:57 - 2011-09-01 18:04 - 00000296 ____A C:\Windows\Tasks\SmartDefrag_Startup.job
2013-05-31 08:57 - 2010-02-04 15:13 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-31 08:57 - 2007-08-06 11:52 - 00000062 __ASH C:\Documents and Settings\administrator.CCCM\Local Settings\desktop.ini
2013-05-31 08:57 - 2004-08-11 16:00 - 00002206 ____A C:\Windows\System32\wpa.dbl
2013-05-31 08:56 - 2013-05-30 13:39 - 00000438 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{A0D0BD7C-CFB5-4954-AEA7-0E0131112830}.job
2013-05-31 08:56 - 2004-08-11 16:20 - 00032632 ____A C:\Windows\SchedLgU.Txt
2013-05-31 08:55 - 2013-05-31 08:59 - 01355557 ____A (Farbar) C:\Documents and Settings\administrator.CCCM\Desktop\FRST.exe
2013-05-31 08:54 - 2004-08-11 16:13 - 01479980 ____A C:\Windows\WindowsUpdate.log
2013-05-31 08:53 - 2007-08-06 11:50 - 00000278 __ASH C:\Documents and Settings\davek.CCCM\ntuser.ini
2013-05-31 08:53 - 2004-08-11 16:20 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2013-05-31 08:53 - 2004-08-11 16:20 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2013-05-31 08:53 - 2004-08-11 16:20 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-31 08:53 - 2004-08-11 16:09 - 00000159 ____A C:\Windows\wiadebug.log
2013-05-31 08:53 - 2004-08-11 16:09 - 00000049 ____A C:\Windows\wiaservc.log
2013-05-31 08:52 - 2010-02-04 15:13 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-31 08:52 - 2007-08-06 11:50 - 00000062 __ASH C:\Documents and Settings\davek.CCCM\Local Settings\desktop.ini
2013-05-31 08:45 - 2007-08-06 11:52 - 00000178 ___SH C:\Documents and Settings\administrator.CCCM\ntuser.ini
2013-05-31 08:44 - 2006-06-15 09:58 - 00000000 __HDC C:\Windows\$NtUninstallKB911280$
2013-05-31 08:42 - 2012-04-26 10:13 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-30 23:00 - 2011-11-16 18:14 - 00000314 ____A C:\Windows\Tasks\Regwork.job
2013-05-30 16:46 - 2013-05-30 16:46 - 00002169 ____A C:\Documents and Settings\administrator.CCCM\Desktop\aswMBR.txt
2013-05-30 16:44 - 2013-05-30 16:44 - 00047632 ____A C:\Documents and Settings\administrator.CCCM\Desktop\Extras.Txt
2013-05-30 16:43 - 2013-05-30 16:43 - 00057268 ____A C:\Documents and Settings\administrator.CCCM\Desktop\OTL.Txt
2013-05-30 16:30 - 2013-05-30 16:31 - 04745728 ____A (AVAST Software) C:\Documents and Settings\administrator.CCCM\Desktop\aswMBR.exe
2013-05-30 16:26 - 2013-05-30 16:31 - 00602112 ____A (OldTimer Tools) C:\Documents and Settings\administrator.CCCM\Desktop\OTL.exe
2013-05-30 15:54 - 2013-05-30 15:53 - 00000000 ____D C:\Documents and Settings\administrator.CCCM\Application Data\Search Settings
2013-05-30 15:53 - 2013-05-30 15:53 - 00000000 ____D C:\Program Files\IObit Apps Toolbar
2013-05-30 15:53 - 2013-05-30 15:53 - 00000000 ____D C:\Program Files\Application Updater
2013-05-30 15:53 - 2013-03-12 13:09 - 00000000 ____D C:\Program Files\Common Files\Spigot
2013-05-30 15:51 - 2013-05-30 15:51 - 00001610 ____A C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
2013-05-30 15:51 - 2013-05-30 15:38 - 00000000 ____D C:\Program Files\HitmanPro
2013-05-30 15:48 - 2006-04-25 13:15 - 00000000 __SHD C:\Windows\CSC
2013-05-30 15:39 - 2006-03-30 00:31 - 00000000 ____D C:\Program Files\Common Files\Java
2013-05-30 15:38 - 2013-05-30 13:19 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2013-05-30 15:38 - 2012-04-26 13:20 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-05-30 15:38 - 2007-01-17 17:46 - 00000000 ____D C:\Documents and Settings\davek.CCCM\Application Data\Sonic
2013-05-30 15:12 - 2013-05-30 15:12 - 00069688 ____A C:\Documents and Settings\administrator.CCCM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-05-30 14:26 - 2013-05-30 14:27 - 00094112 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-05-30 14:25 - 2013-05-30 14:27 - 00866720 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2013-05-30 14:25 - 2013-05-30 14:27 - 00263584 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-05-30 14:25 - 2013-05-30 14:27 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-05-30 14:25 - 2013-05-30 14:27 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-05-30 14:25 - 2010-05-05 19:19 - 00788896 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2013-05-30 14:25 - 2007-04-16 10:49 - 00144896 ____A (Oracle Corporation) C:\Windows\System32\javacpl.cpl
2013-05-30 14:24 - 2013-05-30 14:24 - 34500608 ____A C:\Windows\System32\config\SOFTWARE.iobit
2013-05-30 14:24 - 2013-05-30 14:24 - 00299008 ____A C:\Windows\System32\config\DEFAULT.iobit
2013-05-30 14:24 - 2013-05-30 14:24 - 00061440 ____A C:\Windows\System32\config\SECURITY.iobit
2013-05-30 14:24 - 2013-05-30 14:24 - 00028672 ____A C:\Windows\System32\config\SAM.iobit
2013-05-30 14:24 - 2006-03-30 00:31 - 00000000 ____D C:\Program Files\Java
2013-05-30 14:20 - 2008-07-10 13:28 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\McAfee
2013-05-30 14:17 - 2013-03-12 10:08 - 00000925 ____A C:\Documents and Settings\All Users\Desktop\Uninstaller.lnk
2013-05-30 14:17 - 2013-03-12 10:08 - 00000874 ____A C:\Documents and Settings\All Users\Desktop\Advanced SystemCare 6.lnk
2013-05-30 14:15 - 2013-05-20 11:53 - 00054156 ___AH C:\Windows\QTFont.qfn
2013-05-30 14:03 - 2013-05-30 14:03 - 00015466 ____A C:\Windows\System32\.crusader
2013-05-30 14:02 - 2013-05-20 12:31 - 00000000 ____D C:\Documents and Settings\davek.CCCM\Application Data\wabEventSupport16
2013-05-30 13:39 - 2013-05-30 13:39 - 00000000 __SHD C:\Documents and Settings\administrator.CCCM\IECompatCache
2013-05-30 13:10 - 2012-12-02 13:12 - 00000000 ___RD C:\Documents and Settings\davek.CCCM\My Documents\Dropbox
2013-05-30 13:10 - 2012-12-02 13:02 - 00000000 ____D C:\Documents and Settings\davek.CCCM\Application Data\Dropbox
2013-05-30 13:08 - 2004-08-11 16:12 - 00000000 ____D C:\Windows\System32\Restore
2013-05-30 12:45 - 2008-10-23 20:31 - 00000000 __HDC C:\Windows\$NtUninstallKB958644$
2013-05-30 11:29 - 2009-07-21 16:03 - 00000000 __HDC C:\Windows\$NtUninstallKB961371$
2013-05-30 11:16 - 2013-05-30 11:16 - 00000000 ____D C:\Documents and Settings\administrator.CCCM\Application Data\Malwarebytes
2013-05-30 11:15 - 2011-09-01 17:42 - 00000000 ____D C:\Documents and Settings\administrator.CCCM\Application Data\IObit
2013-05-30 09:39 - 2013-05-30 09:39 - 00096256 ____A (FileZilla Project) C:\Documents and Settings\davek.CCCM\acrobat.exe
2013-05-30 09:39 - 2013-05-30 09:39 - 00000000 ____A C:\Documents and Settings\davek.CCCM\skype.exe
2013-05-30 09:34 - 2013-05-30 09:34 - 00122368 ____A (FileZilla Project) C:\Documents and Settings\davek.CCCM\opera.exe
2013-05-30 09:34 - 2013-05-30 09:34 - 00000000 ____A C:\Documents and Settings\davek.CCCM\icq.exe
2013-05-30 09:17 - 2004-08-11 16:11 - 00000000 ____D C:\Windows\System32\FxsTmp
2013-05-30 09:16 - 2013-05-22 11:26 - 00000154 ____A C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\svcxdcl32.dat
2013-05-23 11:26 - 2012-11-11 13:57 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\TAG
2013-05-20 17:12 - 2006-04-28 13:22 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Saftey.Scrty
2013-05-20 17:10 - 2006-04-28 13:22 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Staffing
2013-05-20 13:34 - 2012-04-30 10:15 - 00002187 ____A C:\Documents and Settings\All Users\Desktop\Safari.lnk
2013-05-20 12:00 - 2011-09-29 14:08 - 00000000 ____D C:\Program Files\Safari
2013-05-20 11:53 - 2013-05-20 11:53 - 00001409 ____A C:\Windows\QTFont.for
2013-05-20 10:06 - 2011-09-29 14:07 - 00000284 ____A C:\Windows\Tasks\AppleSoftwareUpdate.job
2013-05-17 12:59 - 2013-05-17 12:59 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\Folder Manager
2013-05-17 12:42 - 2006-04-28 13:16 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\MCS
2013-05-17 12:41 - 2012-10-11 11:18 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\High School
2013-05-16 12:35 - 2006-04-28 13:18 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Newsletter
2013-05-14 11:42 - 2012-04-26 10:13 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-05-14 11:42 - 2011-08-17 10:09 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-05-13 11:04 - 2012-06-05 14:40 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\GospelinLife
2013-05-13 11:04 - 2006-04-28 13:19 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Personal
2013-05-13 11:03 - 2012-03-08 14:04 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Tech Task Force
2013-05-13 11:03 - 2010-06-23 12:10 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Transition
2013-05-12 11:32 - 2011-09-29 14:07 - 00000000 ____D C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\Apple
2013-05-08 16:50 - 2006-04-28 13:22 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Policies and Procedures
Other Malware:
===========
C:\Documents and Settings\davek.CCCM\acrobat.exe
C:\Documents and Settings\davek.CCCM\icq.exe
C:\Documents and Settings\davek.CCCM\opera.exe
C:\Documents and Settings\davek.CCCM\skype.exe
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== End Of Log ============================
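The Run-key entries in that FRST.txt are where the locker's loader chain sits, buried among printer helpers and toolbars. The script below is an added example for this thread, not part of the original post and not FRST's own code: it parses the "Registry (Whitelisted)" Run and Policies lines and applies a few persistence heuristics (binary in the user profile, rundll32 loading a DLL from a user-writable path, unnamed Run value, a file name that does not match the company name FRST read from it, desktop-restriction policies set to 1). The sample lines are copied from the log above; USER_PROFILE_ROOT, EXPECTED_COMPANY and LOCKER_POLICIES are assumptions of this example, and the rules are triage hints, not a verdict.

```python
import re

# One FRST "Registry (Whitelisted)" Run line, e.g.
#   HKU\davek.CCCM\...\Run: [Adobe] rundll32 "C:\...\njxyuv.dll",DllRegisterServer [x]
#   HKU\davek.CCCM\...\Run: [] C:\Documents and Settings\davek.CCCM\opera.exe [ 2013-05-30] (FileZilla Project)
# Trailing [meta] is "size date" when FRST found the file, or "x" when it is gone;
# the trailing (company) is the company name from the file's version info.
RUN_RE = re.compile(
    r'^(?P<hive>HK\S*?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)'
    r'(?:\s*\[(?P<meta>[^\]]*)\])?(?:\s*\((?P<company>[^)]*)\))?\s*$'
)
POLICY_RE = re.compile(
    r'^(?P<hive>HK\S*?)\\\.\.\.\\Policies\\system: \[(?P<name>[^\]]+)\] (?P<value>\S+)'
)

# XP profile root seen in this log; anything under it is writable by the user
# whose Run key the entry sits in (assumption of this example, not an FRST rule).
USER_PROFILE_ROOT = 'c:\\documents and settings\\'

# Company name a genuine file of that name would carry (assumption of this example).
EXPECTED_COMPANY = {
    'opera.exe': 'opera', 'skype.exe': 'skype',
    'acrobat.exe': 'adobe', 'icq.exe': 'icq',
}

# Explorer policies a screen locker sets to 1 to keep the victim boxed in.
LOCKER_POLICIES = {'NoDispCpl', 'NoDispAppearancePage', 'NoDispBackgroundPage',
                   'NoDispSettingsPage', 'DisableTaskMgr', 'DisableRegistryTools'}


def image_path(cmd: str) -> str:
    """File the entry really loads: the DLL for rundll32 entries, else the exe."""
    c = cmd.strip()
    if c.lower().startswith('rundll32'):
        c = c[len('rundll32'):].strip()
        m = re.match(r'"([^"]+)"|([^,]+)', c)
        return (m.group(1) or m.group(2)).strip() if m else c
    m = re.match(r'"([^"]+)"', c)
    if m:
        return m.group(1)
    # unquoted path with spaces and arguments: stop at the first binary extension
    m = re.match(r'(.+?\.(?:exe|dll|com|scr|bat|cmd))(?=\s|$)', c, re.I)
    return m.group(1) if m else c


def user_writable(path: str) -> bool:
    p = path.lower()
    return p.startswith(USER_PROFILE_ROOT) or '\\temp\\' in p


def triage_run_entry(name, cmd, meta, company):
    """Reasons an autorun entry deserves a look; an empty list means leave it alone."""
    path = image_path(cmd)
    base = path.rsplit('\\', 1)[-1].lower()
    reasons = []
    if cmd.lower().startswith('rundll32') and user_writable(path):
        reasons.append('rundll32 loads a DLL from a user-writable path')
    elif user_writable(path):
        reasons.append('autorun binary lives in the user profile')
    if name == '':
        reasons.append('unnamed Run value')
    expected = EXPECTED_COMPANY.get(base)
    if expected and company and expected not in company.lower():
        reasons.append(f'{base} claims company "{company}", not {expected}')
    if reasons and meta is not None and meta.strip() == 'x':
        reasons.append('file already gone: orphaned loader, still delete the value')
    return reasons


def triage(log_text: str):
    """Run the heuristics over FRST log lines; returns one finding per hit."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            reasons = triage_run_entry(m['name'], m['cmd'], m['meta'], m['company'])
            if reasons:
                findings.append({'line': line, 'path': image_path(m['cmd']),
                                 'reasons': reasons})
            continue
        m = POLICY_RE.match(line)
        if m and m['name'] in LOCKER_POLICIES and m['value'] != '0':
            findings.append({'line': line, 'path': None, 'reasons': [
                f'{m["name"]}={m["value"]} hides desktop settings (screen-locker style)']})
    return findings


# Lines copied from the FRST.txt above; noise entries kept on purpose.
SAMPLE_LOG = r"""
HKLM\...\Run: [EEventManager] "C:\Program Files\Epson Software\Event Manager\EEventManager.exe" [979328 2010-10-12] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [searchSettings] "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe" [1298240 2013-05-15] (Spigot, Inc.)
HKU\davek\...\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe [x]
HKU\davek.CCCM\...\Run: [Adobe] rundll32 "C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\Apple\Adobe\njxyuv.dll",DllRegisterServer [x]
HKU\davek.CCCM\...\Run: [svc2dll] C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\svcxdcl32.exe [x]
HKU\davek.CCCM\...\Run: [] C:\Documents and Settings\davek.CCCM\opera.exe [ 2013-05-30] (FileZilla Project)
HKU\davek.CCCM\...\Policies\system: [NoDispCpl] 0
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f['path'] or f['line'])
        for r in f['reasons']:
            print('   -', r)
```

On the sample it reports exactly the three entries the fixlist later removed (the rundll32 loader for njxyuv.dll, svcxdcl32.exe, and the unnamed opera.exe value whose company name is "FileZilla Project") and stays quiet on the Epson, Spigot and orphaned MyWebSearch lines; the NoDispCpl policy is only reported when its value is non-zero, which it no longer was by the time this log was taken.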
-
I have a Dell PC running Windows XP that got infected with the FBI Green Dot MoneyPak virus. This system has an administrator account that was not infected, so I used it to run Malwarebytes this morning (with all current updates). Found and removed a lot of detected problems, but alas I still get the fake FBI notice screen with the infected account. I've run Quick and Full Scans with Malwarebytes, scans with HitmanPro (often recommended to remove this virus), and run Advanced SystemCare, which found one piece of malware it removed.
I had tried to remove/disable this by doing a system restore, but all recent system restore dates fail.
Bottom line is I still get the fake screen on the infected account.
How do you suggest I proceed?
-
Elise, thank you for the excellent support with a very nasty virus. Your last pieces of advice I follow on a regular basis. This problem was somewhat "self-inflicted" as I trusted a site and downloaded some software that obviously had malware and a backdoor Trojan attached. I'm baring my soul in the hopes that others reading this benefit.
-
Well, that wasn't good news. I took the precautionary steps with any account information. I decided to reinstall the operating system and then ran TDSSKiller. It found nothing, but I've uploaded the log as you requested. Let me know if there is anything else I should do before completing the rebuild of the system.
-
I've run all the tests listed in the "I'm infected - What do I do now?" post and will upload here. I'm using the avast! antivirus program, so it's catching the network calls, but it's annoying and I can't get rid of the malware with your otherwise excellent Malwarebytes and need some help (which I thank you for in advance).
+++++++++++++++++++++++++++++++++++++++++++++++++++++
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6470
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
4/29/2011 8:23:13 AM
mbam-log-2011-04-29 (08-23-13).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 295676
Time elapsed: 1 hour(s), 1 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\Temp\xmfw\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\itlpfw32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
++++++++++++++++++++++++++++++++++++++++
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Jay at 12:02:43.90 on Sat 04/30/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.60 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Siber Systems\GoodSync\Gs-Server.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\AVAST Software\Avast\setup\avast.setup
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Jay\Desktop\Defogger.exe
C:\Documents and Settings\Jay\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.searchqu.com/406
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
mWinlogon: Userinit=userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.9.0\ViewBarBHO.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
BHO: Sopcast Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - c:\documents and settings\all users\application data\wecarereminder\IEHelperv2.5.0.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Sopcast Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://65.206.219.137/wfc/plugins/j2re-1_3_1_02-win.exe
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://signin2.valueactive.eu/Register/Branding/olr3313/OCX/v1018/flashax.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://rubyfortune.gameassists.co.uk/rubyfortune/FlashAX2.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\jay\applic~1\mozilla\firefox\profiles\3u1l7yoj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=SPC2&o=15004&locale=en_US&apn_uid=813B8677-79C0-4BFB-A4B5-6A39E52FDC71&apn_ptnrs=PW&apn_sauid=BA5D5C45-EE4F-45C0-981E-EF9E1F7A440A&apn_dtid=&q=
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\documents and settings\jay\application data\mozilla\firefox\profiles\3u1l7yoj.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\documents and settings\jay\application data\mozilla\firefox\profiles\3u1l7yoj.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\jay\application data\mozilla\firefox\profiles\3u1l7yoj.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\jay\application data\mozilla\firefox\profiles\3u1l7yoj.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\jay\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: Test Pilot: testpilot@labs.mozilla.com - %profile%\extensions\testpilot@labs.mozilla.com
FF - Ext: Sopcast Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: ShopAtHome.com Intelligent Shopping Toolbar: toolbar@shopathome.com - %profile%\extensions\toolbar@shopathome.com
FF - Ext: We-Care Reminder: wecarereminder@bryan - %profile%\extensions\wecarereminder@bryan
FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
.
============= SERVICES / DRIVERS ===============
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2011-1-17 16024]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-18 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-3-18 301528]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-3-18 19544]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-3-5 47640]
S1 MpKsl52e58e79;MpKsl52e58e79; [x]
S1 MpKslc63f34a9;MpKslc63f34a9; [x]
S1 MpKsld4976d90;MpKsld4976d90; [x]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-15 34248]
S3 MosIrUsb;MosIrUsb.sys;c:\windows\system32\drivers\MosIrUsb.sys [2004-4-14 20736]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-6-19 17408]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2009-4-9 91830]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-04-17 23:48:53 60 ----a-w- c:\windows\wpd99.drv
2011-04-06 23:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 23:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 23:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-23 14:04:21 40648 ----a-w- c:\windows\avastSS.scr
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-16 01:40:52 229376 ----a-w- c:\windows\system32\PuranDefragS.exe
2011-02-16 01:40:52 221184 ----a-w- c:\windows\system32\PuranDC.exe
2011-02-16 01:40:52 1110016 ----a-w- c:\windows\system32\PuranFD.exe
2011-02-16 01:40:52 107008 ----a-w- c:\windows\system32\PuranDefragBT.exe
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS548060M9AT00 rev.MGBOA5EA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F09730]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f0fa10]; MOV EAX, [0x86f0fa8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86F80AB8]
3 CLASSPNP[0xF7607FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86E7F708]
\Driver\atapi[0x86FD8F38] -> IRP_MJ_CREATE -> 0x86F09730
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62f; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F0957B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 12:22:35.64 ===============
Trouble Removing FBI Green Dot Moneypack Virus
in Resolved Malware Removal Logs
Well, Malwarebytes Anti-Rootkit found no threats the first time through and all functions seem to be working (your checklist above). Just in case, here are the logs. Once again, thank you so much for your assistance.
Malwarebytes Anti-Rootkit BETA 1.06.0.1003
www.malwarebytes.org
Database version: v2013.05.31.08
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
davek :: WS-EP1 [administrator]
5/31/2013 4:32:49 PM
mbar-log-2013-05-31 (16-32-49).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: Deep Anti-Rootkit Scan | PUP
Objects scanned: 312368
Time elapsed: 24 minute(s), 17 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
Physical Sectors Detected: 0
(No malicious items detected)
(end)
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1003
© Malwarebytes Corporation 2011-2012
OS version: 5.1.2600 Windows XP Service Pack 3 x86
Account is Administrative
Internet Explorer version: 8.0.6001.18702
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.793000 GHz
Memory total: 526462976, free: 224141312
Downloaded database version: v2013.05.31.08
Downloaded database version: v2013.05.22.01
Initializing...
------------ Kernel report ------------
05/31/2013 15:58:03
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
intelide.sys
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
DRVMCDB.SYS
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
SmartDefragDriver.sys
Mup.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\ialmnt5.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\klfltdev.sys
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\e100b325.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\System32\Drivers\DLACDBHM.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\klim5.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\sthda.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\i2omgmt.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\klif.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\Drivers\DLARTL_N.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\??\C:\WINDOWS\system32\drivers\kl1.sys
\SystemRoot\system32\DRIVERS\usbscan.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ialmdnt5.dll
\SystemRoot\System32\ialmrnt5.dll
\SystemRoot\System32\ialmdev5.DLL
\SystemRoot\System32\ialmdd5.DLL
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\System32\Drivers\DRVNDDM.SYS
\SystemRoot\System32\DLA\DLADResN.SYS
\SystemRoot\System32\DLA\DLAIFS_M.SYS
\SystemRoot\System32\DLA\DLAOPIOM.SYS
\SystemRoot\System32\DLA\DLAPoolM.SYS
\SystemRoot\System32\DLA\DLABOIOM.SYS
\SystemRoot\System32\DLA\DLAUDFAM.SYS
\SystemRoot\System32\DLA\DLAUDF_M.SYS
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\System32\Drivers\ASCTRM.SYS
\SystemRoot\system32\DRIVERS\dsunidrv.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\HTTP.sys
\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR7
Upper Device Object: 0xffffffff81b4dab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000068\
Lower Device Object: 0xffffffff81b51a70
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR5
Upper Device Object: 0xffffffff81bd1030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000064\
Lower Device Object: 0xffffffff81ec38e0
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff82363280
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-e\
Lower Device Object: 0xffffffff82365030
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff82363280, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff823d0020, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff82363280, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff82365030, DeviceName: \Device\Ide\IdeDeviceP1T0L0-e\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 41AB2316
Partition information:
Partition 0 type is Other (0xde)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 64197
Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 64260 Numsec = 110543265
Partition file system is NTFS
Partition is bootable
Partition 2 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 110607525 Numsec = 38813040
Partition 3 type is Other (0xdb)
Partition is NOT ACTIVE.
Partition starts at LBA: 149420565 Numsec = 6827625
Disk Size: 80000000000 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-62-156230000-156250000)...
Done!
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xffffffff81bd1030, DeviceName: \Device\Harddisk1\DR5\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff81cd8678, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff81bd1030, DeviceName: \Device\Harddisk1\DR5\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff81ec53f0, DeviceName: Unknown, DriverName: \Driver\DRVMCDB\
DevicePointer: 0xffffffff81ec38e0, DeviceName: \Device\00000064\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 512
Drive: 2, DevicePointer: 0xffffffff81b4dab8, DeviceName: \Device\Harddisk2\DR7\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff81b4d890, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff81b4dab8, DeviceName: \Device\Harddisk2\DR7\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8208f7d8, DeviceName: Unknown, DriverName: \Driver\DRVMCDB\
DevicePointer: 0xffffffff81b51a70, DeviceName: \Device\00000068\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk2\DR7\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 2
Scanning MBR on drive 2...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C09EDD8C
Partition information:
Partition 0 type is Other (0xb)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 3903795
Partition file system is FAT32
Partition is not bootable
Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Disk Size: 2004877312 bytes
Sector size: 512 bytes
Done!
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1003
© Malwarebytes Corporation 2011-2012
OS version: 5.1.2600 Windows XP Service Pack 3 x86
Account is Administrative
Internet Explorer version: 8.0.6001.18702
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.793000 GHz
Memory total: 526462976, free: 227880960
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1003
© Malwarebytes Corporation 2011-2012
OS version: 5.1.2600 Windows XP Service Pack 3 x86
Account is Administrative
Internet Explorer version: 8.0.6001.18702
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.793000 GHz
Memory total: 526462976, free: 227983360
Initializing...
------------ Kernel report ------------
05/31/2013 16:32:32
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
intelide.sys
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
DRVMCDB.SYS
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
SmartDefragDriver.sys
Mup.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\ialmnt5.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\klfltdev.sys
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\e100b325.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\System32\Drivers\DLACDBHM.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\klim5.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\sthda.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\i2omgmt.SYS
\SystemRoot\system32\DRIVERS\klif.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\Drivers\DLARTL_N.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\??\C:\WINDOWS\system32\drivers\kl1.sys
\SystemRoot\system32\DRIVERS\usbscan.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ialmdnt5.dll
\SystemRoot\System32\ialmrnt5.dll
\SystemRoot\System32\ialmdev5.DLL
\SystemRoot\System32\ialmdd5.DLL
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\System32\Drivers\DRVNDDM.SYS
\SystemRoot\System32\DLA\DLADResN.SYS
\SystemRoot\System32\DLA\DLAIFS_M.SYS
\SystemRoot\System32\DLA\DLAOPIOM.SYS
\SystemRoot\System32\DLA\DLAPoolM.SYS
\SystemRoot\System32\DLA\DLABOIOM.SYS
\SystemRoot\System32\DLA\DLAUDFAM.SYS
\SystemRoot\System32\DLA\DLAUDF_M.SYS
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\System32\Drivers\ASCTRM.SYS
\SystemRoot\system32\DRIVERS\dsunidrv.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\HTTP.sys
\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR6
Upper Device Object: 0xffffffff81bd7860
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000067\
Lower Device Object: 0xffffffff81ebcd08
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR5
Upper Device Object: 0xffffffff81bd7030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000065\
Lower Device Object: 0xffffffff81ec1d08
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff82374280
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-e\
Lower Device Object: 0xffffffff823ce030
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff82374280, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8235a020, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff82374280, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff823ce030, DeviceName: \Device\Ide\IdeDeviceP1T0L0-e\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 41AB2316
Partition information:
Partition 0 type is Other (0xde)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 64197
Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 64260 Numsec = 110543265
Partition file system is NTFS
Partition is bootable
Partition 2 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 110607525 Numsec = 38813040
Partition 3 type is Other (0xdb)
Partition is NOT ACTIVE.
Partition starts at LBA: 149420565 Numsec = 6827625
Disk Size: 80000000000 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-62-156230000-156250000)...
Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff81bd7030, DeviceName: \Device\Harddisk1\DR5\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff81c2a3f0, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff81bd7030, DeviceName: \Device\Harddisk1\DR5\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff81ec2680, DeviceName: Unknown, DriverName: \Driver\DRVMCDB\
DevicePointer: 0xffffffff81ec1d08, DeviceName: \Device\00000065\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR5\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C09EDD8C
Partition information:
Partition 0 type is Other (0xb)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 3903795
Partition file system is FAT32
Partition is not bootable
Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Disk Size: 2004877312 bytes
Sector size: 512 bytes
Done!
Physical Sector Size: 0
Drive: 2, DevicePointer: 0xffffffff81bd7860, DeviceName: \Device\Harddisk2\DR6\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff81cf2e08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff81bd7860, DeviceName: \Device\Harddisk2\DR6\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff81ebbc40, DeviceName: Unknown, DriverName: \Driver\DRVMCDB\
DevicePointer: 0xffffffff81ebcd08, DeviceName: \Device\00000067\, DriverName: \Driver\USBSTOR\
------------ End ----------
Scan finished
=======================================
Removal queue found; removal started
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\bootstrap_0_1_64260_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_1_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\bootstrap_1_0_63_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_1_r.mbam...
Removal finished