
Starting a new topic after reading a few on here regarding the ping.exe and google redirect issues. Both seemed to happen at the same time for me, but it's only an assumption that they are related. My symptoms are pretty much the same as everyone else having these attacks.

I tried running DDS twice now but my computer locks up before it is finished. I keep forcing ping.exe closed from task manager. Not really sure why it's locking up. I'll keep trying after this posts, but not sure where to go from here.

Thanks


It's ok Speedr73, thanks for letting us know :)

We have some scans to run.

Please follow these steps:

Step 1 | Download DDS from any of the links below:

Link 1

Link 2

Link 2

--------------------------------------------------------------------

  • Save it to your desktop.
  • Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-Click on dds and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs.
  • Save the logs to a convenient place such as your desktop.
  • Post the contents of the DDS.txt report in your next reply.
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.

Step 2 | Please download GMER from one of the following locations and save it to your desktop:

Main Mirror - This version will download a randomly named file (Recommended)

Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

--------------------------------------------------------------------

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)


  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

Step 3 | Please download aswMBR to your desktop.

  • Double click the aswMBR icon to run it.
    Vista and Windows 7 users right click the icon and choose "Run as administrator".
  • Click the Scan button to start scan.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.



Now I can't open anything. And I mean anything. I am typing this on my phone. Some executable file has started under the name of "Privacy Protection". I get a pop up window on the bottom right that says infected by W32/Blaster.worm and to activate privacy protection to protect my computer.

I can't get on the Internet, open Task Manager, Control Panel, or any .exe file. I also cannot do a System Restore.


As I stated originally, I'm having trouble completing the DDS log. I have posted the GMER and aswMBR below. If you have another way for me to get you the DDS log, let me know. I can't find any security, etc. running that would block it.

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2011-11-29 09:58:56

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS541040G9AT00 rev.MB2OA61A

Running: yo5ehdle.exe; Driver: C:\DOCUME~1\RYANDE~1\LOCALS~1\Temp\uwloaaoc.sys

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF75FF87E]

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF75FFBFE]

---- Kernel code sections - GMER 1.0.15 ----

.text redbook.sys F77E0000 2 Bytes [C7, 45]

.text redbook.sys F77E001D 84 Bytes [02, 00, 00, 74, 3F, 8B, 55, ...]

.text redbook.sys F77E0089 641 Bytes [02, 00, 00, 74, 22, 68, 34, ...]

.text redbook.sys F77E0397 405 Bytes [02, 00, 00, 13, CA, 8B, 55, ...]

.text redbook.sys F77E052D 91 Bytes [6A, 18, 8B, 55, 0C, 52, 8B, ...]

.text ...

? C:\WINDOWS\system32\DRIVERS\redbook.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1108] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B4000A

.text C:\WINDOWS\System32\svchost.exe[1108] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B5000A

.text C:\WINDOWS\System32\svchost.exe[1108] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B3000C

.text C:\WINDOWS\Explorer.EXE[1828] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0275000A

.text C:\WINDOWS\Explorer.EXE[1828] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0276000A

.text C:\WINDOWS\Explorer.EXE[1828] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0274000C

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2844] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 106ACCFA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2844] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 106ACC8C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2844] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 1045E78C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2844] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1045ED49 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Mozilla Firefox\firefox.exe[3192] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0360000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[3192] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0361000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[3192] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 02C2000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat F0F1AD20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) F6A52000-F6A71000 (126976 bytes)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB40281$\1117380544 0 bytes

File C:\WINDOWS\$NtUninstallKB40281$\1117380544\@ 2048 bytes

File C:\WINDOWS\$NtUninstallKB40281$\1117380544\bckfg.tmp 764 bytes

File C:\WINDOWS\$NtUninstallKB40281$\1117380544\cfg.ini 201 bytes

File C:\WINDOWS\$NtUninstallKB40281$\1117380544\Desktop.ini 4608 bytes

File C:\WINDOWS\$NtUninstallKB40281$\1117380544\keywords 204 bytes

File C:\WINDOWS\$NtUninstallKB40281$\1117380544\kwrd.dll 223744 bytes

File C:\WINDOWS\$NtUninstallKB40281$\1117380544\L 0 bytes

File C:\WINDOWS\$NtUninstallKB40281$\1117380544\L\odetmngk 57600 bytes

File C:\WINDOWS\$NtUninstallKB40281$\1117380544\lsflt7.ver 5176 bytes

File C:\WINDOWS\$NtUninstallKB40281$\1117380544\U 0 bytes

File C:\WINDOWS\$NtUninstallKB40281$\1117380544\U\00000001.@ 1536 bytes

File C:\WINDOWS\$NtUninstallKB40281$\1117380544\U\00000002.@ 224768 bytes

File C:\WINDOWS\$NtUninstallKB40281$\1117380544\U\00000004.@ 1024 bytes

File C:\WINDOWS\$NtUninstallKB40281$\1117380544\U\80000000.@ 1024 bytes

File C:\WINDOWS\$NtUninstallKB40281$\1117380544\U\80000004.@ 12800 bytes

File C:\WINDOWS\$NtUninstallKB40281$\1117380544\U\80000032.@ 98304 bytes

File C:\WINDOWS\$NtUninstallKB40281$\3192861059 0 bytes

---- EOF - GMER 1.0.15 ----

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software

Run date: 2011-11-29 12:40:27

-----------------------------

12:40:27.540 OS Version: Windows 5.1.2600 Service Pack 3

12:40:27.540 Number of processors: 1 586 0xD08

12:40:27.540 ComputerName: DRGREENTHUMB UserName: Ryan Deutsch

12:40:38.606 Initialize success

12:56:00.091 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

12:56:00.091 Disk 0 Vendor: Hitachi_HTS541040G9AT00 MB2OA61A Size: 38154MB BusType: 3

12:56:02.114 Disk 0 MBR read successfully

12:56:02.114 Disk 0 MBR scan

12:56:02.114 Disk 0 unknown MBR code

12:56:02.114 Disk 0 scanning sectors +78140144

12:56:02.304 Disk 0 scanning C:\WINDOWS\system32\drivers

12:56:25.528 Service scanning

12:56:32.898 Modules scanning

12:56:35.472 Module: C:\WINDOWS\system32\DRIVERS\redbook.sys **SUSPICIOUS**

12:56:40.940 Disk 0 trace - called modules:

12:56:40.960 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x870def10]<<

12:56:40.960 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8738bab8]

12:56:40.960 3 CLASSPNP.SYS[f75effd7] -> nt!IofCallDriver -> [0x871a2920]

12:56:41.290 \Driver\00001545[0x871aaf38] -> IRP_MJ_CREATE -> 0x870def10

12:56:41.290 Scan finished successfully

13:03:46.802 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ryan Deutsch\Desktop\MBR.dat"

13:03:46.802 The log file has been saved successfully to "C:\Documents and Settings\Ryan Deutsch\Desktop\aswMBR.txt"

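The GMER "User code sections" above mix two kinds of inline hooks: ones whose JMP target GMER could attribute to a module file (the USER32 hooks owned by xul.dll, a normal Firefox mechanism) and ones whose target is a bare address in svchost, Explorer and firefox with no owner. The script below, added here as an illustration and not part of the thread or of GMER itself, parses those lines and separates the two classes. The sample lines are copied from the log; the idea that an unattributed JMP target is the one worth a second look is this example's own triage heuristic, not a GMER rule.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER "User code sections" output above.
SAMPLE_GMER = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1108] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B4000A
.text C:\WINDOWS\System32\svchost.exe[1108] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B5000A
.text C:\WINDOWS\Explorer.EXE[1828] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0274000C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2844] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 106ACCFA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3192] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0360000A

---- Devices - GMER 1.0.15 ----
"""

# One GMER user-mode hook line: process[pid], module!export, patched address,
# patch length, JMP target and, when GMER can resolve the target, the owning module.
HOOK_RE = re.compile(
    r"^\.text\s+"
    r"(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<function>\S+!\S+)\s+"
    r"(?P<address>[0-9A-F]+)\s+"
    r"(?P<length>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-F]+)"
    r"(?:\s+(?P<owner>.+))?$"
)


def parse_user_hooks(text):
    """Return one dict per hook line; header and blank lines are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hook = m.groupdict()
            hook["pid"] = int(hook["pid"])
            hook["length"] = int(hook["length"])
            hooks.append(hook)
    return hooks


def triage(hooks):
    """Group unattributed hooks (no owning module after the JMP target) by process.

    Heuristic of this example: a hook that a loaded module owns (xul.dll here)
    has a visible, explainable origin; a JMP into a bare address does not.
    """
    report = defaultdict(list)
    for hook in hooks:
        if hook["owner"] is None:
            report[f'{hook["process"]}[{hook["pid"]}]'].append(hook["function"])
    return dict(report)


def widely_hooked(hooks, min_processes=2):
    """Exports hooked without an owner in at least `min_processes` distinct processes."""
    seen = defaultdict(set)
    for hook in hooks:
        if hook["owner"] is None:
            seen[hook["function"]].add(hook["pid"])
    return {fn for fn, pids in seen.items() if len(pids) >= min_processes}


if __name__ == "__main__":
    parsed = parse_user_hooks(SAMPLE_GMER)
    for process, functions in triage(parsed).items():
        print(process)
        for fn in functions:
            print("    unattributed hook:", fn)
    print("hooked in several processes:", sorted(widely_hooked(parsed)))
```

Running it lists the three ntdll hooks per process and reports NtProtectVirtualMemory as hooked in more than one process, while the plugin-container hooks drop out because GMER attributed them to xul.dll. The same export patched identically across unrelated processes is the pattern worth correlating with the "suspicious PE modification" GMER reported for redbook.sys.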

Let's skip the DDS scan for now. There's something nasty going on, so we will try a different alternative. Please follow these steps:

Step 1 | Please download DeFogger to your desktop.

  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Step 2 | Please run aswMBR again with the instructions from my previous post and paste the log.

Step 3 | Please go to the following site to scan a file: Virus Total

  • Click on Browse, and upload the following file for analysis:
    • C:\WINDOWS\system32\DRIVERS\redbook.sys
  • Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
  • If it says already scanned, click "reanalyze now".
  • Please post the results in your next reply.


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software

Run date: 2011-11-29 12:40:27

-----------------------------

12:40:27.540 OS Version: Windows 5.1.2600 Service Pack 3

12:40:27.540 Number of processors: 1 586 0xD08

12:40:27.540 ComputerName: DRGREENTHUMB UserName: Ryan Deutsch

12:40:38.606 Initialize success

12:56:00.091 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

12:56:00.091 Disk 0 Vendor: Hitachi_HTS541040G9AT00 MB2OA61A Size: 38154MB BusType: 3

12:56:02.114 Disk 0 MBR read successfully

12:56:02.114 Disk 0 MBR scan

12:56:02.114 Disk 0 unknown MBR code

12:56:02.114 Disk 0 scanning sectors +78140144

12:56:02.304 Disk 0 scanning C:\WINDOWS\system32\drivers

12:56:25.528 Service scanning

12:56:32.898 Modules scanning

12:56:35.472 Module: C:\WINDOWS\system32\DRIVERS\redbook.sys **SUSPICIOUS**

12:56:40.940 Disk 0 trace - called modules:

12:56:40.960 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x870def10]<<

12:56:40.960 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8738bab8]

12:56:40.960 3 CLASSPNP.SYS[f75effd7] -> nt!IofCallDriver -> [0x871a2920]

12:56:41.290 \Driver\00001545[0x871aaf38] -> IRP_MJ_CREATE -> 0x870def10

12:56:41.290 Scan finished successfully

13:03:46.802 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ryan Deutsch\Desktop\MBR.dat"

13:03:46.802 The log file has been saved successfully to "C:\Documents and Settings\Ryan Deutsch\Desktop\aswMBR.txt"

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software

Run date: 2011-11-29 15:07:41

-----------------------------

15:07:41.755 OS Version: Windows 5.1.2600 Service Pack 3

15:07:41.755 Number of processors: 1 586 0xD08

15:07:41.755 ComputerName: DRGREENTHUMB UserName: Ryan Deutsch

15:07:42.366 Initialize success

15:07:59.421 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

15:07:59.421 Disk 0 Vendor: Hitachi_HTS541040G9AT00 MB2OA61A Size: 38154MB BusType: 3

15:08:01.444 Disk 0 MBR read successfully

15:08:01.454 Disk 0 MBR scan

15:08:01.454 Disk 0 unknown MBR code

15:08:01.454 Disk 0 scanning sectors +78140144

15:08:01.634 Disk 0 scanning C:\WINDOWS\system32\drivers

15:08:12.199 Service scanning

15:08:17.988 Modules scanning

15:08:20.050 Module: C:\WINDOWS\system32\DRIVERS\redbook.sys **SUSPICIOUS**

15:08:25.308 Disk 0 trace - called modules:

15:08:25.338 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x870ebf10]<<

15:08:25.338 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87392ab8]

15:08:25.338 3 CLASSPNP.SYS[f75effd7] -> nt!IofCallDriver -> [0x871bde10]

15:08:25.669 \Driver\00001576[0x871349f8] -> IRP_MJ_CREATE -> 0x870ebf10

15:08:25.669 Scan finished successfully

15:08:33.910 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ryan Deutsch\Desktop\MBR.dat"

15:08:33.950 The log file has been saved successfully to "C:\Documents and Settings\Ryan Deutsch\Desktop\aswMBR.txt"

Antivirus Version Last Update Result

AhnLab-V3 2011.11.29.01 2011.11.29 Backdoor/Win32.ZAccess

AntiVir 7.11.18.123 2011.11.29 TR/Rootkit.Gen2

Antiy-AVL 2.0.3.7 2011.11.29 Trojan/Win32.ZAccess.gen

Avast 6.0.1289.0 2011.11.29 Win32:Aluroot [Rtk]

AVG 10.0.0.1190 2011.11.29 BackDoor.Generic14.BQHJ

BitDefender 7.2 2011.11.29 Gen:Variant.Sirefef.11

ByteHero 1.0.0.1 2011.11.29 -

CAT-QuickHeal 12.00 2011.11.29 -

ClamAV 0.97.3.0 2011.11.29 Trojan.ZAccess-73

Commtouch 5.3.2.6 2011.11.29 W32/Zaccess.C.gen!Eldorado

Comodo 10793 2011.11.29 UnclassifiedMalware

DrWeb 5.0.2.03300 2011.11.29 -

Emsisoft 5.1.0.11 2011.11.29 Rootkit.Win32.ZAccess!IK

eSafe 7.0.17.0 2011.11.28 -

eTrust-Vet 37.0.9594 2011.11.29 Win32/ZAccess.D!generic

F-Prot 4.6.5.141 2011.11.29 W32/Zaccess.C.gen!Eldorado

F-Secure 9.0.16440.0 2011.11.29 Gen:Variant.Sirefef.11

Fortinet 4.3.370.0 2011.11.29 -

GData 22 2011.11.29 Gen:Variant.Sirefef.11

Ikarus T3.1.1.109.0 2011.11.29 Rootkit.Win32.ZAccess

Jiangmin 13.0.900 2011.11.28 Rootkit.ZAccess.zy

K7AntiVirus 9.119.5563 2011.11.29 Riskware

Kaspersky 9.0.0.837 2011.11.29 Rootkit.Win32.ZAccess.k

McAfee 5.400.0.1158 2011.11.29 Artemis!50ABA76FC937

McAfee-GW-Edition 2010.1D 2011.11.29 Artemis!50ABA76FC937

Microsoft 1.7801 2011.11.29 -

NOD32 6668 2011.11.29 a variant of Win32/Rootkit.Kryptik.FB

Norman 6.07.13 2011.11.29 W32/Suspicious_Gen2.SROKY

nProtect 2011-11-29.01 2011.11.29 Gen:Variant.Sirefef.11

Panda 10.0.3.5 2011.11.29 Suspicious file

PCTools 8.0.0.5 2011.11.29 Trojan.ADH

Prevx 3.0 2011.11.29 -

Rising 23.86.01.02 2011.11.29 -

Sophos 4.71.0 2011.11.29 -

SUPERAntiSpyware 4.40.0.1006 2011.11.29 -

Symantec 20111.2.0.82 2011.11.29 Trojan.ADH.2

TheHacker 6.7.0.1.350 2011.11.27 Trojan/Kryptik.fb

TrendMicro 9.500.0.1008 2011.11.29 -

TrendMicro-HouseCall 9.500.0.1008 2011.11.29 -

VBA32 3.12.16.4 2011.11.29 -

VIPRE 11175 2011.11.29 Trojan.Win32.Sirefef.pa (v)

ViRobot 2011.11.29.4799 2011.11.29 -

VirusBuster 14.1.91.0 2011.11.29 -

Additional information

MD5 : 50aba76fc937a3febaa3b17982cf4592

SHA1 : e5c78c9d2304427cb79f88cce463774c2ae04e74

SHA256: e5bd4a1f0284026a72d814a3e0e8c8aa9b1eb93e5ebccc14a4f2e5461c6909b7


Thank you. Some more work:

Step 1 | Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

--------------------------------------------------------------------

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    redbook.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Step 2 | Please download ComboFix from one of the following locations:

Link 1

Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.


Hopefully I didn't screw this step up. I followed the instructions, but AdWatch was running and I can't find where to disable it. I even uninstalled AdAware using its uninstaller and ComboFix still says it is running. There is no system tray icon like there was a few weeks ago, so nothing to right click on to "exit."

I ran ComboFix anyways hoping it would still work, and after an hour of waiting for the log to pop up, I tried to open the task manager to make sure ping.exe wasn't running causing problems with ComboFix. Task manager wouldn't open, and it seemed as if the entire desktop was locked/stuck. I just turned the computer off at that point. I started ComboFix again (second time) but saw that you said not to rerun it.

How would you like to progress from here? ComboFix is taking way longer than the 10-20 minutes it states.

Also... the first run of ComboFix had a couple of pop-up windows stating Rootkit/Zero Access! and that there is a rootkit infection which will make it take longer.

SystemLook did work, and here are the results...

SystemLook 30.07.11 by jpshortstuff

Log created at 16:55 on 29/11/2011 by Ryan Deutsch

Administrator - Elevation successful

========== filefind ==========

Searching for "redbook.sys"

C:\i386\redbook.sys --a--c- 57472 bytes [15:25 09/04/2006] [04:59 04/08/2004] B31B4588E4086D8D84ADBF9845C2402B

C:\WINDOWS\$NtServicePackUninstall$\redbook.sys -----c- 57472 bytes [21:49 27/07/2009] [04:59 04/08/2004] B31B4588E4086D8D84ADBF9845C2402B

C:\WINDOWS\ServicePackFiles\i386\redbook.sys -----c- 57600 bytes [18:40 13/04/2008] [18:40 13/04/2008] F828DD7E1419B6653894A8F97A0094C5

C:\WINDOWS\system32\drivers\redbook.sys --a---- 57600 bytes [18:59 10/08/2004] [18:40 13/04/2008] 50ABA76FC937A3FEBAA3B17982CF4592

-= EOF =-

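The SystemLook output above is the useful check in this exchange: the live driver in system32\drivers has the same size (57600 bytes) and modification timestamp as the Service Pack cache copy, yet a different MD5, while the two older 57472-byte copies are a different build and not comparable. The script below, an added example that is not part of the thread or of SystemLook, parses :filefind output and flags exactly that case: a reference copy of the same size and timestamp whose hash differs from the live file. The sample lines (paths, sizes, timestamps, MD5s) are copied from the log; the choice of `\system32\drivers\` as the live location and the size-plus-timestamp pairing rule are this example's assumptions.

```python
import re

# Constructed sample: the four result lines from the SystemLook :filefind output above.
SAMPLE_SYSTEMLOOK = r"""
========== filefind ==========

Searching for "redbook.sys"
C:\i386\redbook.sys --a--c- 57472 bytes [15:25 09/04/2006] [04:59 04/08/2004] B31B4588E4086D8D84ADBF9845C2402B
C:\WINDOWS\$NtServicePackUninstall$\redbook.sys -----c- 57472 bytes [21:49 27/07/2009] [04:59 04/08/2004] B31B4588E4086D8D84ADBF9845C2402B
C:\WINDOWS\ServicePackFiles\i386\redbook.sys -----c- 57600 bytes [18:40 13/04/2008] [18:40 13/04/2008] F828DD7E1419B6653894A8F97A0094C5
C:\WINDOWS\system32\drivers\redbook.sys --a---- 57600 bytes [18:59 10/08/2004] [18:40 13/04/2008] 50ABA76FC937A3FEBAA3B17982CF4592

-= EOF =-
"""

# One filefind result: path, 7-character attribute string, size, [created] [modified], MD5.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return one dict per result line; headers, blanks and the EOF marker are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def is_live_driver(path):
    # Assumption of this example: the copy Windows actually loads lives under system32\drivers.
    return "\\system32\\drivers\\" in path.lower()


def find_modified_driver(text):
    """Compare the live driver against every other copy of the same name.

    A copy with identical size and modification timestamp but a different MD5
    is reported: the metadata says "same build", the content says otherwise.
    Returns None when no live copy is present in the output.
    """
    entries = parse_filefind(text)
    live_copies = [e for e in entries if is_live_driver(e["path"])]
    if not live_copies:
        return None
    live = live_copies[0]
    mismatches = [
        (e["path"], e["md5"])
        for e in entries
        if e is not live
        and e["size"] == live["size"]
        and e["modified"] == live["modified"]
        and e["md5"] != live["md5"]
    ]
    return {"live": live, "mismatches": mismatches}


if __name__ == "__main__":
    result = find_modified_driver(SAMPLE_SYSTEMLOOK)
    print("live:", result["live"]["path"], result["live"]["md5"])
    for path, md5 in result["mismatches"]:
        print("same size/timestamp, different hash:", path, md5)
```

On the log above this reports the ServicePackFiles copy as the mismatch, which is the same conclusion the VirusTotal result reached for the live file's hash. The absence of a mismatch would not prove the driver clean (a reference copy can be missing or itself replaced), so the check is a fast triage step, not a verdict; hashing the live file and comparing against the vendor's published hash remains the stronger test.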

If after 60 minutes CF gives no response (like the first time you ran it), then please proceed this way:

Download TDSSKiller.zip

  • Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.


ComboFix didn't finish. I ran TDSS and posted the results below. FYI, upon reboot chkdsk ran automatically and found errors, and restored some files.

20:23:46.0081 2328 TDSS rootkit removing tool 2.6.21.0 Nov 24 2011 12:32:44

20:23:46.0462 2328 ============================================================

20:23:46.0462 2328 Current date / time: 2011/11/29 20:23:46.0462

20:23:46.0462 2328 SystemInfo:

20:23:46.0462 2328

20:23:46.0462 2328 OS Version: 5.1.2600 ServicePack: 3.0

20:23:46.0462 2328 Product type: Workstation

20:23:46.0462 2328 ComputerName: DRGREENTHUMB

20:23:46.0462 2328 UserName: Ryan Deutsch

20:23:46.0462 2328 Windows directory: C:\WINDOWS

20:23:46.0462 2328 System windows directory: C:\WINDOWS

20:23:46.0462 2328 Processor architecture: Intel x86

20:23:46.0462 2328 Number of processors: 1

20:23:46.0462 2328 Page size: 0x1000

20:23:46.0462 2328 Boot type: Normal boot

20:23:46.0462 2328 ============================================================

20:23:48.0565 2328 Initialize success

20:24:01.0534 2856 ============================================================

20:24:01.0534 2856 Scan started

20:24:01.0534 2856 Mode: Manual;

20:24:01.0534 2856 ============================================================

20:24:03.0727 2856 Abiosdsk - ok

20:24:03.0807 2856 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

20:24:03.0807 2856 abp480n5 - ok

20:24:03.0867 2856 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

20:24:03.0867 2856 ACPI - ok

20:24:03.0927 2856 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

20:24:03.0927 2856 ACPIEC - ok

20:24:03.0967 2856 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

20:24:03.0967 2856 adpu160m - ok

20:24:04.0007 2856 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

20:24:04.0007 2856 aec - ok

20:24:04.0077 2856 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys

20:24:04.0077 2856 AegisP - ok

20:24:04.0147 2856 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

20:24:04.0147 2856 AFD - ok

20:24:04.0177 2856 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

20:24:04.0177 2856 agp440 - ok

20:24:04.0208 2856 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

20:24:04.0208 2856 agpCPQ - ok

20:24:04.0238 2856 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

20:24:04.0238 2856 Aha154x - ok

20:24:04.0278 2856 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

20:24:04.0278 2856 aic78u2 - ok

20:24:04.0308 2856 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

20:24:04.0308 2856 aic78xx - ok

20:24:04.0418 2856 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

20:24:04.0418 2856 AliIde - ok

20:24:04.0458 2856 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys

20:24:04.0458 2856 alim1541 - ok

20:24:04.0468 2856 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys

20:24:04.0468 2856 amdagp - ok

20:24:04.0508 2856 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

20:24:04.0508 2856 amsint - ok

20:24:04.0538 2856 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys

20:24:04.0538 2856 ApfiltrService - ok

20:24:04.0618 2856 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS

20:24:04.0618 2856 APPDRV - ok

20:24:04.0698 2856 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

20:24:04.0698 2856 asc - ok

20:24:04.0738 2856 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

20:24:04.0748 2856 asc3350p - ok

20:24:04.0788 2856 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

20:24:04.0788 2856 asc3550 - ok

20:24:04.0858 2856 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys

20:24:04.0858 2856 ASCTRM - ok

20:24:04.0949 2856 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

20:24:04.0949 2856 AsyncMac - ok

20:24:04.0979 2856 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

20:24:04.0979 2856 atapi - ok

20:24:05.0009 2856 Atdisk - ok

20:24:05.0139 2856 ati2mtag (e9ebf7dca6c5eb9c597035a10a5a6a1b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

20:24:05.0159 2856 ati2mtag - ok

20:24:05.0299 2856 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

20:24:05.0299 2856 Atmarpc - ok

20:24:05.0399 2856 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

20:24:05.0399 2856 audstub - ok

20:24:05.0449 2856 BCM43XX (c3ab2d6954c7b5103770832a3a6a591b) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

20:24:05.0459 2856 BCM43XX - ok

20:24:05.0489 2856 bcm4sbxp (78123f44be9e4768852a3a017e02d637) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys

20:24:05.0489 2856 bcm4sbxp - ok

20:24:05.0590 2856 bdfdll - ok

20:24:05.0630 2856 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

20:24:05.0630 2856 Beep - ok

20:24:05.0740 2856 BrScnUsb (92a964547b96d697e5e9ed43b4297f5a) C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys

20:24:05.0740 2856 BrScnUsb - ok

20:24:05.0770 2856 BrSerIf (d48c13f4a409aee8dafaddac81e34557) C:\WINDOWS\system32\Drivers\BrSerIf.sys

20:24:05.0780 2856 BrSerIf - ok

20:24:05.0810 2856 BrUsbSer (8fa0ac830a8312912a3aa0c0431cba0d) C:\WINDOWS\system32\Drivers\BrUsbSer.sys

20:24:05.0810 2856 BrUsbSer - ok

20:24:05.0830 2856 bvrp_pci - ok

20:24:05.0990 2856 catchme - ok

20:24:06.0110 2856 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

20:24:06.0110 2856 cbidf - ok

20:24:06.0140 2856 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

20:24:06.0140 2856 cbidf2k - ok

20:24:06.0200 2856 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

20:24:06.0200 2856 CCDECODE - ok

20:24:06.0240 2856 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

20:24:06.0240 2856 cd20xrnt - ok

20:24:06.0291 2856 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

20:24:06.0291 2856 Cdaudio - ok

20:24:06.0341 2856 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

20:24:06.0341 2856 Cdfs - ok

20:24:06.0371 2856 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

20:24:06.0371 2856 Cdrom - ok

20:24:06.0391 2856 Changer - ok

20:24:06.0441 2856 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

20:24:06.0441 2856 CmBatt - ok

20:24:06.0461 2856 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

20:24:06.0461 2856 CmdIde - ok

20:24:06.0491 2856 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

20:24:06.0491 2856 Compbatt - ok

20:24:06.0541 2856 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

20:24:06.0541 2856 Cpqarray - ok

20:24:06.0591 2856 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

20:24:06.0591 2856 dac2w2k - ok

20:24:06.0631 2856 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

20:24:06.0631 2856 dac960nt - ok

20:24:06.0691 2856 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

20:24:06.0691 2856 Disk - ok

20:24:06.0771 2856 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

20:24:06.0791 2856 dmboot - ok

20:24:06.0992 2856 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

20:24:07.0002 2856 dmio - ok

20:24:07.0042 2856 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

20:24:07.0042 2856 dmload - ok

20:24:07.0112 2856 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

20:24:07.0112 2856 DMusic - ok

20:24:07.0172 2856 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

20:24:07.0172 2856 dpti2o - ok

20:24:07.0202 2856 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

20:24:07.0202 2856 drmkaud - ok

20:24:07.0272 2856 drvmcdb (96bc8f872f0270c10edc3931f1c03776) C:\WINDOWS\system32\drivers\drvmcdb.sys

20:24:07.0272 2856 drvmcdb - ok

20:24:07.0292 2856 drvnddm (5afbec7a6ac61b211633dfdb1d9e0c89) C:\WINDOWS\system32\drivers\drvnddm.sys

20:24:07.0292 2856 drvnddm - ok

20:24:07.0502 2856 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys

20:24:07.0512 2856 DSproct - ok

20:24:07.0572 2856 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys

20:24:07.0572 2856 dsunidrv - ok

20:24:07.0632 2856 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys

20:24:07.0632 2856 E100B - ok

20:24:07.0713 2856 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

20:24:07.0713 2856 Fastfat - ok

20:24:07.0773 2856 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

20:24:07.0773 2856 Fdc - ok

20:24:07.0803 2856 FILESpy - ok

20:24:08.0003 2856 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

20:24:08.0013 2856 Fips - ok

20:24:08.0053 2856 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

20:24:08.0053 2856 Flpydisk - ok

20:24:08.0073 2856 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

20:24:08.0073 2856 FltMgr - ok

20:24:08.0133 2856 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

20:24:08.0133 2856 Fs_Rec - ok

20:24:08.0183 2856 FTDIBUS (7c17235845d5ae3fb33ead47b5881521) C:\WINDOWS\system32\drivers\ftdibus.sys

20:24:08.0183 2856 FTDIBUS - ok

20:24:08.0243 2856 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

20:24:08.0253 2856 Ftdisk - ok

20:24:08.0303 2856 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

20:24:08.0303 2856 GEARAspiWDM - ok

20:24:08.0343 2856 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

20:24:08.0343 2856 Gpc - ok

20:24:08.0404 2856 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

20:24:08.0404 2856 HidUsb - ok

20:24:08.0464 2856 hitmanpro35 (72472b9ce5d02e443cff49a40355455d) C:\WINDOWS\system32\drivers\hitmanpro35.sys

20:24:08.0464 2856 hitmanpro35 - ok

20:24:08.0494 2856 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

20:24:08.0494 2856 hpn - ok

20:24:08.0564 2856 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

20:24:08.0564 2856 HPZid412 - ok

20:24:08.0594 2856 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

20:24:08.0594 2856 HPZipr12 - ok

20:24:08.0874 2856 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

20:24:08.0874 2856 HPZius12 - ok

20:24:08.0944 2856 HSFHWICH (c2a7d9109b7f10a455d13b2432837b16) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys

20:24:08.0954 2856 HSFHWICH - ok

20:24:09.0024 2856 HSF_DP (9a0d0c461ef2b3d80cb7875b4b995e47) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys

20:24:09.0044 2856 HSF_DP - ok

20:24:09.0105 2856 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys

20:24:09.0115 2856 HTTP - ok

20:24:09.0165 2856 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

20:24:09.0165 2856 i2omgmt - ok

20:24:09.0215 2856 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys

20:24:09.0215 2856 i2omp - ok

20:24:09.0275 2856 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

20:24:09.0275 2856 i8042prt - ok

20:24:09.0365 2856 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

20:24:09.0365 2856 Imapi - ok

20:24:09.0435 2856 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

20:24:09.0445 2856 ini910u - ok

20:24:09.0505 2856 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

20:24:09.0505 2856 IntelIde - ok

20:24:09.0525 2856 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

20:24:09.0525 2856 intelppm - ok

20:24:09.0565 2856 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

20:24:09.0565 2856 Ip6Fw - ok

20:24:09.0585 2856 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

20:24:09.0595 2856 IpFilterDriver - ok

20:24:09.0615 2856 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

20:24:09.0615 2856 IpInIp - ok

20:24:09.0665 2856 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

20:24:09.0675 2856 IpNat - ok

20:24:09.0735 2856 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

20:24:09.0735 2856 IPSec - ok

20:24:09.0776 2856 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

20:24:09.0776 2856 IRENUM - ok

20:24:09.0826 2856 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

20:24:09.0826 2856 isapnp - ok

20:24:09.0856 2856 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

20:24:09.0856 2856 Kbdclass - ok

20:24:09.0926 2856 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

20:24:09.0926 2856 kmixer - ok

20:24:09.0966 2856 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys

20:24:09.0966 2856 KSecDD - ok

20:24:10.0026 2856 Lbd (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys

20:24:10.0026 2856 Lbd - ok

20:24:10.0056 2856 lbrtfdc - ok

20:24:10.0106 2856 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys

20:24:10.0116 2856 MBAMProtector - ok

20:24:10.0256 2856 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

20:24:10.0256 2856 mdmxsdk - ok

20:24:10.0326 2856 mfeavfk (bafdd5e28baea99d7f4772af2f5ec7ee) C:\WINDOWS\system32\drivers\mfeavfk.sys

20:24:10.0336 2856 mfeavfk - ok

20:24:10.0396 2856 mfebopk (1d003e3056a43d881597d6763e83b943) C:\WINDOWS\system32\drivers\mfebopk.sys

20:24:10.0396 2856 mfebopk - ok

20:24:10.0457 2856 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys

20:24:10.0457 2856 mferkdk - ok

20:24:10.0507 2856 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys

20:24:10.0507 2856 mfesmfk - ok

20:24:10.0547 2856 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

20:24:10.0547 2856 mnmdd - ok

20:24:10.0587 2856 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

20:24:10.0587 2856 Modem - ok

20:24:10.0647 2856 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

20:24:10.0647 2856 Mouclass - ok

20:24:10.0707 2856 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

20:24:10.0717 2856 mouhid - ok

20:24:10.0747 2856 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

20:24:10.0757 2856 MountMgr - ok

20:24:10.0797 2856 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

20:24:10.0797 2856 mraid35x - ok

20:24:10.0847 2856 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

20:24:10.0847 2856 MRxDAV - ok

20:24:10.0937 2856 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

20:24:10.0947 2856 MRxSmb - ok

20:24:11.0047 2856 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

20:24:11.0047 2856 Msfs - ok

20:24:11.0097 2856 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

20:24:11.0097 2856 MSKSSRV - ok

20:24:11.0117 2856 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

20:24:11.0117 2856 MSPCLOCK - ok

20:24:11.0168 2856 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

20:24:11.0168 2856 MSPQM - ok

20:24:11.0188 2856 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

20:24:11.0188 2856 mssmbios - ok

20:24:11.0248 2856 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

20:24:11.0258 2856 MSTEE - ok

20:24:11.0298 2856 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

20:24:11.0298 2856 Mup - ok

20:24:11.0348 2856 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

20:24:11.0348 2856 NABTSFEC - ok

20:24:11.0378 2856 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

20:24:11.0378 2856 NDIS - ok

20:24:11.0408 2856 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

20:24:11.0408 2856 NdisIP - ok

20:24:11.0448 2856 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

20:24:11.0448 2856 NdisTapi - ok

20:24:11.0468 2856 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

20:24:11.0478 2856 Ndisuio - ok

20:24:11.0508 2856 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

20:24:11.0508 2856 NdisWan - ok

20:24:11.0528 2856 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

20:24:11.0528 2856 NDProxy - ok

20:24:11.0558 2856 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

20:24:11.0558 2856 NetBIOS - ok

20:24:11.0598 2856 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

20:24:11.0598 2856 NetBT - ok

20:24:11.0648 2856 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

20:24:11.0648 2856 Npfs - ok

20:24:11.0768 2856 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

20:24:11.0808 2856 Ntfs - ok

20:24:11.0899 2856 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

20:24:11.0909 2856 Null - ok

20:24:12.0029 2856 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

20:24:12.0069 2856 nv - ok

20:24:12.0099 2856 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

20:24:12.0099 2856 NwlnkFlt - ok

20:24:12.0129 2856 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

20:24:12.0129 2856 NwlnkFwd - ok

20:24:12.0179 2856 O2SCBUS (f06d9977a75213888804eaa9ceb8598b) C:\WINDOWS\system32\DRIVERS\ozscr.sys

20:24:12.0179 2856 O2SCBUS - ok

20:24:12.0229 2856 omci (b17228142cec9b3c222239fd935a37ca) C:\WINDOWS\system32\DRIVERS\omci.sys

20:24:12.0229 2856 omci - ok

20:24:12.0289 2856 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

20:24:12.0289 2856 Parport - ok

20:24:12.0389 2856 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

20:24:12.0389 2856 PartMgr - ok

20:24:12.0439 2856 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

20:24:12.0439 2856 ParVdm - ok

20:24:12.0479 2856 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

20:24:12.0479 2856 PCI - ok

20:24:12.0499 2856 PCIDump - ok

20:24:12.0560 2856 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

20:24:12.0560 2856 PCIIde - ok

20:24:12.0600 2856 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

20:24:12.0600 2856 Pcmcia - ok

20:24:12.0620 2856 PDCOMP - ok

20:24:12.0630 2856 PDFRAME - ok

20:24:12.0650 2856 PDRELI - ok

20:24:12.0670 2856 PDRFRAME - ok

20:24:12.0720 2856 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

20:24:12.0720 2856 perc2 - ok

20:24:12.0760 2856 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

20:24:12.0760 2856 perc2hib - ok

20:24:12.0820 2856 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

20:24:12.0830 2856 PptpMiniport - ok

20:24:12.0860 2856 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

20:24:12.0860 2856 PSched - ok

20:24:12.0900 2856 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

20:24:12.0900 2856 Ptilink - ok

20:24:12.0960 2856 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys

20:24:12.0960 2856 PxHelp20 - ok

20:24:13.0000 2856 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

20:24:13.0000 2856 ql1080 - ok

20:24:13.0050 2856 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

20:24:13.0050 2856 Ql10wnt - ok

20:24:13.0070 2856 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

20:24:13.0070 2856 ql12160 - ok

20:24:13.0090 2856 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

20:24:13.0090 2856 ql1240 - ok

20:24:13.0110 2856 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

20:24:13.0110 2856 ql1280 - ok

20:24:13.0130 2856 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

20:24:13.0130 2856 RasAcd - ok

20:24:13.0190 2856 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

20:24:13.0200 2856 Rasl2tp - ok

20:24:13.0291 2856 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

20:24:13.0291 2856 RasPppoe - ok

20:24:13.0311 2856 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

20:24:13.0311 2856 Raspti - ok

20:24:13.0351 2856 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

20:24:13.0351 2856 Rdbss - ok

20:24:13.0381 2856 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

20:24:13.0381 2856 RDPCDD - ok

20:24:13.0431 2856 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

20:24:13.0441 2856 rdpdr - ok

20:24:13.0481 2856 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

20:24:13.0481 2856 RDPWD - ok

20:24:13.0521 2856 redbook (50aba76fc937a3febaa3b17982cf4592) C:\WINDOWS\system32\DRIVERS\redbook.sys

20:24:13.0521 2856 redbook ( Rootkit.Win32.ZAccess.k ) - infected

20:24:13.0521 2856 redbook - detected Rootkit.Win32.ZAccess.k (0)

20:24:13.0601 2856 REGSpy - ok

20:24:13.0711 2856 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

20:24:13.0711 2856 Secdrv - ok

20:24:13.0761 2856 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

20:24:13.0761 2856 serenum - ok

20:24:13.0811 2856 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

20:24:13.0811 2856 Serial - ok

20:24:13.0841 2856 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

20:24:13.0841 2856 Sfloppy - ok

20:24:13.0861 2856 Simbad - ok

20:24:13.0891 2856 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

20:24:13.0911 2856 sisagp - ok

20:24:13.0962 2856 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

20:24:13.0962 2856 SLIP - ok

20:24:14.0092 2856 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

20:24:14.0102 2856 Sparrow - ok

20:24:14.0142 2856 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

20:24:14.0152 2856 splitter - ok

20:24:14.0182 2856 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

20:24:14.0182 2856 sr - ok

20:24:14.0262 2856 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys

20:24:14.0272 2856 Srv - ok

20:24:14.0342 2856 sscdbhk5 (98625722ad52b40305e74aaa83c93086) C:\WINDOWS\system32\drivers\sscdbhk5.sys

20:24:14.0342 2856 sscdbhk5 - ok

20:24:14.0372 2856 ssrtln (d79412e3942c8a257253487536d5a994) C:\WINDOWS\system32\drivers\ssrtln.sys

20:24:14.0372 2856 ssrtln - ok

20:24:14.0452 2856 STAC97 (5813d453ef8ce49d607c255cf128aceb) C:\WINDOWS\system32\drivers\stac97.sys

20:24:14.0462 2856 STAC97 - ok

20:24:14.0542 2856 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

20:24:14.0542 2856 streamip - ok

20:24:14.0562 2856 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

20:24:14.0562 2856 swenum - ok

20:24:14.0612 2856 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

20:24:14.0612 2856 swmidi - ok

20:24:14.0713 2856 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

20:24:14.0713 2856 symc810 - ok

20:24:14.0953 2856 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

20:24:14.0953 2856 symc8xx - ok

20:24:14.0973 2856 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

20:24:14.0973 2856 sym_hi - ok

20:24:15.0003 2856 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

20:24:15.0003 2856 sym_u3 - ok

20:24:15.0063 2856 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

20:24:15.0063 2856 sysaudio - ok

20:24:15.0143 2856 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

20:24:15.0143 2856 Tcpip - ok

20:24:15.0183 2856 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

20:24:15.0193 2856 TDPIPE - ok

20:24:15.0213 2856 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

20:24:15.0213 2856 TDTCP - ok

20:24:15.0263 2856 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

20:24:15.0273 2856 TermDD - ok

20:24:15.0384 2856 tfsnboio (d0177776e11b0b3f272eebd262a69661) C:\WINDOWS\system32\dla\tfsnboio.sys

20:24:15.0384 2856 tfsnboio - ok

20:24:15.0454 2856 tfsncofs (599804bc938b8305a5422319774da871) C:\WINDOWS\system32\dla\tfsncofs.sys

20:24:15.0454 2856 tfsncofs - ok

20:24:15.0484 2856 tfsndrct (a1902c00adc11c4d83f8e3ed947a6a32) C:\WINDOWS\system32\dla\tfsndrct.sys

20:24:15.0484 2856 tfsndrct - ok

20:24:15.0514 2856 tfsndres (d8ddb3f2b1bef15cff6728d89c042c61) C:\WINDOWS\system32\dla\tfsndres.sys

20:24:15.0514 2856 tfsndres - ok

20:24:15.0544 2856 tfsnifs (c4f2dea75300971cdaee311007de138d) C:\WINDOWS\system32\dla\tfsnifs.sys

20:24:15.0544 2856 tfsnifs - ok

20:24:15.0574 2856 tfsnopio (272925be0ea919f08286d2ee6f102b0f) C:\WINDOWS\system32\dla\tfsnopio.sys

20:24:15.0574 2856 tfsnopio - ok

20:24:15.0744 2856 tfsnpool (7b7d955e5cebc2fb88b03ef875d52a2f) C:\WINDOWS\system32\dla\tfsnpool.sys

20:24:15.0744 2856 tfsnpool - ok

20:24:15.0834 2856 tfsnudf (e3d01263109d800c1967c12c10a0b018) C:\WINDOWS\system32\dla\tfsnudf.sys

20:24:15.0844 2856 tfsnudf - ok

20:24:15.0864 2856 tfsnudfa (b9e9c377906e3a65bc74598fff7f7458) C:\WINDOWS\system32\dla\tfsnudfa.sys

20:24:15.0874 2856 tfsnudfa - ok

20:24:15.0934 2856 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

20:24:15.0934 2856 TosIde - ok

20:24:15.0984 2856 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

20:24:15.0994 2856 Udfs - ok

20:24:16.0015 2856 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

20:24:16.0015 2856 ultra - ok

20:24:16.0075 2856 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

20:24:16.0085 2856 Update - ok

20:24:16.0175 2856 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys

20:24:16.0175 2856 USBAAPL - ok

20:24:16.0225 2856 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

20:24:16.0225 2856 usbaudio - ok

20:24:16.0265 2856 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

20:24:16.0265 2856 usbccgp - ok

20:24:16.0315 2856 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

20:24:16.0315 2856 usbehci - ok

20:24:16.0345 2856 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

20:24:16.0345 2856 usbhub - ok

20:24:16.0435 2856 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

20:24:16.0445 2856 usbprint - ok

20:24:16.0485 2856 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

20:24:16.0485 2856 usbscan - ok

20:24:16.0515 2856 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

20:24:16.0515 2856 USBSTOR - ok

20:24:16.0535 2856 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

20:24:16.0535 2856 usbuhci - ok

20:24:16.0615 2856 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys

20:24:16.0615 2856 usbvideo - ok

20:24:16.0986 2856 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

20:24:16.0986 2856 VgaSave - ok

20:24:17.0056 2856 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

20:24:17.0076 2856 viaagp - ok

20:24:17.0116 2856 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

20:24:17.0126 2856 ViaIde - ok

20:24:17.0166 2856 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

20:24:17.0166 2856 VolSnap - ok

20:24:17.0186 2856 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

20:24:17.0196 2856 Wanarp - ok

20:24:17.0206 2856 wanatw - ok

20:24:17.0256 2856 wceusbsh (4a954a20a4c73d6db13c0fe25f3f1b0c) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys

20:24:17.0266 2856 wceusbsh - ok

20:24:17.0296 2856 WDICA - ok

20:24:17.0316 2856 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

20:24:17.0316 2856 wdmaud - ok

20:24:17.0397 2856 winachsf (ce545a84bf3411e7516fa8da51ad9d93) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

20:24:17.0417 2856 winachsf - ok

20:24:17.0607 2856 WpdUsb (c60dc16d4e406810fad54b98dc92d5ec) C:\WINDOWS\system32\DRIVERS\wpdusb.sys

20:24:17.0607 2856 WpdUsb - ok

20:24:17.0737 2856 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

20:24:17.0737 2856 WSTCODEC - ok

20:24:17.0807 2856 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

20:24:17.0807 2856 WudfPf - ok

20:24:17.0847 2856 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

20:24:17.0847 2856 WudfRd - ok

20:24:17.0887 2856 MBR (0x1B8) (91722e6bc3a2b40ff00222dca4a3db3e) \Device\Harddisk0\DR0

20:24:17.0927 2856 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected

20:24:17.0927 2856 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)

20:24:17.0957 2856 Boot (0x1200) (b2149695601b6e572912e0cabef82f6d) \Device\Harddisk0\DR0\Partition0

20:24:17.0957 2856 \Device\Harddisk0\DR0\Partition0 - ok

20:24:17.0957 2856 ============================================================

20:24:17.0957 2856 Scan finished

20:24:17.0957 2856 ============================================================

20:24:17.0967 2312 Detected object count: 2

20:24:17.0967 2312 Actual detected object count: 2

20:24:37.0505 2312 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\redbook.sys) error 1813

20:24:47.0630 2312 Backup copy found, using it..

20:24:47.0640 2312 C:\WINDOWS\system32\DRIVERS\redbook.sys - will be cured on reboot

20:24:50.0414 2312 redbook ( Rootkit.Win32.ZAccess.k ) - User select action: Cure

20:24:50.0474 2312 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot

20:24:50.0474 2312 \Device\Harddisk0\DR0 - ok

20:24:50.0474 2312 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure

20:25:16.0421 3812 Deinitialize success

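The TDSSKiller log above is long, and the lines that matter for triage (the object records with their MD5 hashes, the "infected"/"detected" verdicts, and the tool's own "Detected object count") are scattered through hundreds of "- ok" lines. The following is an added example, not code from the thread or from TDSSKiller, that parses log lines of this shape and reports the flagged objects with their hashes and paths, cross-checking the result against the summary count. The line format is inferred from the posted log; the sample input is a constructed, trimmed set of lines copied from it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of the TDSSKiller log posted in this thread
# (names, hashes and paths copied from the posted log; the line set is trimmed).
SAMPLE_LOG = r"""
20:24:13.0521 2856 redbook (50aba76fc937a3febaa3b17982cf4592) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:24:13.0521 2856 redbook ( Rootkit.Win32.ZAccess.k ) - infected
20:24:13.0521 2856 redbook - detected Rootkit.Win32.ZAccess.k (0)
20:24:13.0601 2856 REGSpy - ok
20:24:13.0711 2856 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:24:13.0711 2856 Secdrv - ok
20:24:17.0887 2856 MBR (0x1B8) (91722e6bc3a2b40ff00222dca4a3db3e) \Device\Harddisk0\DR0
20:24:17.0927 2856 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
20:24:17.0927 2856 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
20:24:17.0957 2856 Boot (0x1200) (b2149695601b6e572912e0cabef82f6d) \Device\Harddisk0\DR0\Partition0
20:24:17.0957 2856 \Device\Harddisk0\DR0\Partition0 - ok
20:24:17.0967 2312 Detected object count: 2
"""

# Every scan line starts with a timestamp and a thread id; the rest is the body.
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<body>.*)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")
INFECTED_RE = re.compile(r"^(?P<name>.+?) \( (?P<verdict>\S+) \) - infected$")
DETECTED_RE = re.compile(r"^(?P<name>.+?) - detected (?P<verdict>\S+) \(\d+\)$")
OK_RE = re.compile(r"^(?P<name>.+?) - ok$")
# Object record: "<name> (<md5>) <path>"; for boot sectors the name carries an
# offset, e.g. "MBR (0x1B8)", which the lazy name group absorbs.
OBJECT_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>\S.*)$")


@dataclass
class ScannedObject:
    name: str                    # service/driver name, or an "MBR (0x1B8)" style label
    md5: Optional[str] = None    # hash the tool computed, if a file or sector was read
    path: Optional[str] = None   # file path or \Device\... object
    verdict: str = "ok"          # "ok" or the detection name


@dataclass
class ScanResult:
    objects: List[ScannedObject] = field(default_factory=list)
    reported_count: Optional[int] = None   # the log's own "Detected object count"
    _by_name: Dict[str, ScannedObject] = field(default_factory=dict, repr=False)
    _by_path: Dict[str, ScannedObject] = field(default_factory=dict, repr=False)

    def lookup(self, key: str) -> Optional[ScannedObject]:
        # Verdict lines name an object either by service name (redbook) or by
        # device path (\Device\Harddisk0\DR0), so both indexes are consulted.
        return self._by_name.get(key) or self._by_path.get(key)

    def add(self, obj: ScannedObject) -> ScannedObject:
        self.objects.append(obj)
        self._by_name[obj.name] = obj
        if obj.path:
            self._by_path[obj.path] = obj
        return obj


def parse_tdsskiller_log(text: str) -> ScanResult:
    result = ScanResult()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banners, separators, blank lines
        body = m.group("body")
        if (c := COUNT_RE.match(body)):
            result.reported_count = int(c.group("n"))
        elif (o := OBJECT_RE.match(body)):
            result.add(ScannedObject(o["name"], o["md5"].lower(), o["path"]))
        elif (v := INFECTED_RE.match(body)) or (v := DETECTED_RE.match(body)):
            obj = result.lookup(v["name"]) or result.add(ScannedObject(v["name"]))
            obj.verdict = v["verdict"]
        elif (k := OK_RE.match(body)):
            # A service with no file on disk only ever appears as "<name> - ok".
            # An "ok" that follows an "infected" (seen once a cure is scheduled)
            # does not clear the earlier verdict.
            if result.lookup(k["name"]) is None:
                result.add(ScannedObject(k["name"]))
    return result


def detections(result: ScanResult) -> List[ScannedObject]:
    return [o for o in result.objects if o.verdict != "ok"]


def count_consistent(result: ScanResult) -> bool:
    # Cross-check the parser against the tool's own summary line.
    return result.reported_count is not None and result.reported_count == len(detections(result))


if __name__ == "__main__":
    res = parse_tdsskiller_log(SAMPLE_LOG)
    for d in detections(res):
        print(f"{d.name}: {d.verdict} md5={d.md5} path={d.path}")
    print("count matches summary:", count_consistent(res))
```

Feeding the full posted log to `parse_tdsskiller_log` yields the two objects the tool flagged (the redbook driver and the disk's MBR) together with the hashes that can be looked up or compared against a known-good copy such as the one ComboFix later restores from $NtServicePackUninstall$.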

Also forgot to say that there are files that are greyed out. When I try to delete them, I get a Microsoft Visual C++ Runtime Library popup. It says Runtime Error! Program C:\WINDOWS\explorer.exe abnormal program termination.

All I'm trying to do in that instance is delete an old movie file from My Documents/Downloads/


Good afternoon :)

We are in the middle of the removal process of a difficult infection (the Zero Access rootkit, which is very popular these days), so let's first remove all of its traces, and hopefully some of the remaining problems you are experiencing will be solved (if not, then we can focus on them later).

Please do the following:

Close any open browsers. Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

  • Please open Notepad.
  • In Notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all of the text in the code box below into the Notepad, (including the URL). Do Not copy the word CODE:

http://forums.malwarebytes.org/index.php?showtopic=100114 

Collect::[133]
C:\windows\system32\drivers\tsk28.tmp

Suspect::[133]
c:\windows\system32\drivers\redbook.sys

FCopy::
C:\WINDOWS\$NtServicePackUninstall$\redbook.sys | C:\WINDOWS\system32\drivers\redbook.sys

Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\redbook]
"ImagePath"="\\SystemRoot\\System32\\drivers\\redbook.sys"

DirLook::
c:\documents and settings\Ryan Deutsch\Application Data\tTNpz8VWCQXyZ
c:\documents and settings\Ryan Deutsch\Application Data\fW6jAyPtPtnLfKd

  • In the notepad click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save.
  • Close all browser/windows first.
  • Using the left mouse button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.
  • This will start ComboFix again.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

IMPORTANT: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

CFScript.gif

NOTE: When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.

Please post back including the Combofix log, which is usually located at C:\Combofix.txt


I have already asked a moderator to remove that post.

Thanks for the submission. Please follow these steps:

Step 1 | ComboFix - CFScript

WARNING !

This script is for THIS user and computer ONLY!

Using this tool incorrectly could damage your Operating System... preventing it from starting again!

You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

Please open Notepad and copy/paste all the text below... into the window:

Folder::
c:\documents and settings\Ryan Deutsch\Application Data\tTNpz8VWCQXyZ
c:\documents and settings\Ryan Deutsch\Application Data\fW6jAyPtPtnLfKd

  1. Save it to your desktop as CFScript.txt
  2. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  3. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
    ComboFixScriptDrag.gif
    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!
    When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
  4. Please copy/paste the contents of log.txt... in your next reply.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **

Step 2 | Run aswMBR.

  • Double click the aswMBR icon to run it.
    Vista and Windows 7 users right click the icon and choose "Run as administrator".
  • Click the Scan button to start scan.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

aswMBRscan-1.png


During the run of ComboFix there was a popup stating PEV.exe encountered a problem and needed to close. The run completed though.

ComboFix 11-11-30.03 - Ryan Deutsch 11/30/2011 16:11:16.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.626 [GMT -5:00]

Running from: c:\documents and settings\Ryan Deutsch\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Ryan Deutsch\Desktop\CFScript.txt

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Ryan Deutsch\Application Data\fW6jAyPtPtnLfKd

c:\documents and settings\Ryan Deutsch\Application Data\tTNpz8VWCQXyZ

c:\documents and settings\Ryan Deutsch\Application Data\tTNpz8VWCQXyZ\System Security 2012.ico

.

.

((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-30 )))))))))))))))))))))))))))))))

.

.

2011-11-30 05:23 . 2011-11-30 05:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-30 01:34 . 2011-11-30 01:34 -------- d-----w- C:\found.000

2011-11-20 09:36 . 2011-11-20 09:36 22032 ----a-w- c:\windows\DCEBoot.exe

2011-11-20 09:36 . 2011-11-20 09:36 102400 ----a-w- c:\windows\RegBootClean.exe

2011-11-20 09:19 . 2011-06-21 04:09 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-11-20 09:12 . 2011-11-20 09:12 -------- d-----w- c:\documents and settings\Ryan Deutsch\Application Data\QuickScan

2011-11-17 18:15 . 2011-11-17 18:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

2011-11-17 07:00 . 2011-11-17 07:00 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-11-17 06:59 . 2011-11-17 06:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2011-11-15 04:29 . 2011-11-15 04:29 388096 ----a-r- c:\documents and settings\Ryan Deutsch\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-11-15 03:24 . 2011-11-15 03:24 -------- d-----w- c:\windows\system32\wbem\Repository

2011-11-15 03:21 . 2011-11-15 03:21 -------- d-----w- c:\program files\All in One Converter

2011-11-08 23:27 . 2011-11-08 23:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-23 07:40 . 2011-07-23 07:40 1952768 ----a-w- c:\program files\tinyumbrella-5.00.06(2).exe

2011-11-23 17:31 . 2011-11-15 05:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot_2011-11-30_02.39.05 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-11-30 19:30 . 2011-11-30 19:30 16384 c:\windows\Temp\Perflib_Perfdata_9c.dat

+ 2004-08-10 18:59 . 2004-08-04 04:59 57472 c:\windows\system32\drivers\redbook.sys

+ 2004-08-10 18:59 . 2004-08-04 04:59 57472 c:\windows\system32\dllcache\redbook.sys

+ 2011-11-30 05:23 . 2011-11-30 05:23 247968 c:\windows\system32\Macromed\Flash\FlashUtil11e_Plugin.exe

+ 2010-01-27 01:07 . 2011-11-30 05:23 8527008 c:\windows\system32\Macromed\Flash\NPSWF32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Ryan Deutsch\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Ryan Deutsch\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Ryan Deutsch\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Ryan Deutsch\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-01-30 204288]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PHOTOfunSTUDIO 5.0 HD Edition.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PHOTOfunSTUDIO 5.0 HD Edition.lnk

backup=c:\windows\pss\PHOTOfunSTUDIO 5.0 HD Edition.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Ryan Deutsch^Start Menu^Programs^Startup^Dropbox.lnk]

path=c:\documents and settings\Ryan Deutsch\Start Menu\Programs\Startup\Dropbox.lnk

backup=c:\windows\pss\Dropbox.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

2005-04-06 01:05 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]

2006-06-28 12:46 622592 ------w- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]

2006-06-29 17:18 77824 ----a-w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]

2009-05-21 14:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

2005-05-31 09:33 122941 ----a-w- c:\windows\system32\dla\tfswctrl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]

2007-11-15 13:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2005-06-10 16:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2005-06-10 16:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-10-09 22:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2011-08-31 22:00 449608 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

2006-02-28 19:28 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Dashboard]

2010-07-06 19:32 79112 ----a-w- c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]

2005-01-26 23:02 49152 ----a-w- c:\program files\Brother\Brmfl06b\BrStDvPt.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2009-07-16 19:46 25604904 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2011-04-08 16:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"MpfService"=2 (0x2)

"McSysmon"=3 (0x3)

"McShield"=2 (0x2)

"McProxy"=2 (0x2)

"McODS"=3 (0x3)

"McNASvc"=2 (0x2)

"mcmscsvc"=2 (0x2)

"iPod Service"=3 (0x3)

"gupdatem"=3 (0x3)

"gupdate"=2 (0x2)

"AresChatServer"=3 (0x3)

"sprtsvc_dellsupportcenter"=2 (0x2)

"SeagateDashboardService"=2 (0x2)

"Pml Driver HPZ12"=2 (0x2)

"MBAMService"=2 (0x2)

"Lavasoft Ad-Aware Service"=2 (0x2)

"DSBrokerService"=3 (0x3)

"bgsvcgen"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\taskmgr.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=

"c:\\Program Files\\Seagate\\Seagate Dashboard\\MemeoLauncher.exe"=

"c:\\Documents and Settings\\Ryan Deutsch\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/29/2011 11:38 PM 64512]

S0 77938054;77938054;c:\windows\system32\drivers\06314150.sys --> c:\windows\system32\drivers\06314150.sys [?]

S2 FILESpy;FILESpy;\??\c:\program files\Softwin\BitDefender9\filespy.sys --> c:\program files\Softwin\BitDefender9\filespy.sys [?]

S2 intelusb3;Intel USB3 Device Service;c:\windows\System32\svchost.exe -k intelusbs3 [8/10/2004 1:51 PM 14336]

S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [11/17/2011 2:00 AM 23624]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/14/2009 5:56 PM 22216]

S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/14/2010 6:15 PM 135664]

S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/14/2010 6:15 PM 135664]

S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]

S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/14/2009 5:56 PM 366152]

S4 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [7/6/2010 2:32 PM 14088]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

intelusbs3 REG_MULTI_SZ intelusb3

.

Contents of the 'Scheduled Tasks' folder

.

2011-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]

.

2011-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 23:15]

.

2011-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 23:15]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.ask.com/?l=dis&o=14597

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 205.152.37.23 205.152.150.23

FF - ProfilePath - c:\documents and settings\Ryan Deutsch\Application Data\Mozilla\Firefox\Profiles\bchmp033.default\

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-30 16:22

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(640)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

.

Completion time: 2011-11-30 16:24:38

ComboFix-quarantined-files.txt 2011-11-30 21:24

ComboFix2.txt 2011-11-30 19:36

ComboFix3.txt 2011-11-30 02:44

ComboFix4.txt 2009-10-15 02:41

.

Pre-Run: 8,883,945,472 bytes free

Post-Run: 8,863,305,728 bytes free

.

- - End Of File - - A0BC9A434171A00F498F8801921CF2F7

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software

Run date: 2011-11-29 12:40:27

-----------------------------

12:40:27.540 OS Version: Windows 5.1.2600 Service Pack 3

12:40:27.540 Number of processors: 1 586 0xD08

12:40:27.540 ComputerName: DRGREENTHUMB UserName: Ryan Deutsch

12:40:38.606 Initialize success

12:56:00.091 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

12:56:00.091 Disk 0 Vendor: Hitachi_HTS541040G9AT00 MB2OA61A Size: 38154MB BusType: 3

12:56:02.114 Disk 0 MBR read successfully

12:56:02.114 Disk 0 MBR scan

12:56:02.114 Disk 0 unknown MBR code

12:56:02.114 Disk 0 scanning sectors +78140144

12:56:02.304 Disk 0 scanning C:\WINDOWS\system32\drivers

12:56:25.528 Service scanning

12:56:32.898 Modules scanning

12:56:35.472 Module: C:\WINDOWS\system32\DRIVERS\redbook.sys **SUSPICIOUS**

12:56:40.940 Disk 0 trace - called modules:

12:56:40.960 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x870def10]<<

12:56:40.960 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8738bab8]

12:56:40.960 3 CLASSPNP.SYS[f75effd7] -> nt!IofCallDriver -> [0x871a2920]

12:56:41.290 \Driver\00001545[0x871aaf38] -> IRP_MJ_CREATE -> 0x870def10

12:56:41.290 Scan finished successfully

13:03:46.802 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ryan Deutsch\Desktop\MBR.dat"

13:03:46.802 The log file has been saved successfully to "C:\Documents and Settings\Ryan Deutsch\Desktop\aswMBR.txt"

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software

Run date: 2011-11-29 15:07:41

-----------------------------

15:07:41.755 OS Version: Windows 5.1.2600 Service Pack 3

15:07:41.755 Number of processors: 1 586 0xD08

15:07:41.755 ComputerName: DRGREENTHUMB UserName: Ryan Deutsch

15:07:42.366 Initialize success

15:07:59.421 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

15:07:59.421 Disk 0 Vendor: Hitachi_HTS541040G9AT00 MB2OA61A Size: 38154MB BusType: 3

15:08:01.444 Disk 0 MBR read successfully

15:08:01.454 Disk 0 MBR scan

15:08:01.454 Disk 0 unknown MBR code

15:08:01.454 Disk 0 scanning sectors +78140144

15:08:01.634 Disk 0 scanning C:\WINDOWS\system32\drivers

15:08:12.199 Service scanning

15:08:17.988 Modules scanning

15:08:20.050 Module: C:\WINDOWS\system32\DRIVERS\redbook.sys **SUSPICIOUS**

15:08:25.308 Disk 0 trace - called modules:

15:08:25.338 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x870ebf10]<<

15:08:25.338 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87392ab8]

15:08:25.338 3 CLASSPNP.SYS[f75effd7] -> nt!IofCallDriver -> [0x871bde10]

15:08:25.669 \Driver\00001576[0x871349f8] -> IRP_MJ_CREATE -> 0x870ebf10

15:08:25.669 Scan finished successfully

15:08:33.910 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ryan Deutsch\Desktop\MBR.dat"

15:08:33.950 The log file has been saved successfully to "C:\Documents and Settings\Ryan Deutsch\Desktop\aswMBR.txt"

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software

Run date: 2011-11-30 16:35:12

-----------------------------

16:35:12.367 OS Version: Windows 5.1.2600 Service Pack 3

16:35:12.367 Number of processors: 1 586 0xD08

16:35:12.367 ComputerName: DRGREENTHUMB UserName: Ryan Deutsch

16:35:13.178 Initialize success

16:35:24.214 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

16:35:24.214 Disk 0 Vendor: Hitachi_HTS541040G9AT00 MB2OA61A Size: 38154MB BusType: 3

16:35:26.237 Disk 0 MBR read successfully

16:35:26.237 Disk 0 MBR scan

16:35:26.237 Disk 0 unknown MBR code

16:35:26.237 Disk 0 scanning sectors +78124095

16:35:26.317 Disk 0 scanning C:\WINDOWS\system32\drivers

16:35:35.660 Service scanning

16:35:36.972 Modules scanning

16:35:42.991 Disk 0 trace - called modules:

16:35:43.001 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS

16:35:43.001 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8738fab8]

16:35:43.001 3 CLASSPNP.SYS[f75effd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x873cbd98]

16:35:43.001 Scan finished successfully

16:40:46.718 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ryan Deutsch\Desktop\MBR.dat"

16:40:46.738 The log file has been saved successfully to "C:\Documents and Settings\Ryan Deutsch\Desktop\aswMBR.txt"


Logs look better. Your MBR is now clean and we managed to replace the infected file.

A non-legit service is showing in your latest log, so we still have some work to do:

Please run SystemLook.

--------------------------------------------------------------------

  • Copy the content of the following codebox into the main textfield:
    :filefind 
    *intelusb3*

    :regfind
    intelusb


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


SystemLook 30.07.11 by jpshortstuff

Log created at 19:52 on 30/11/2011 by Ryan Deutsch

Administrator - Elevation successful

========== filefind ==========

Searching for "*intelusb3*"

No files found.

========== regfind ==========

Searching for "intelusb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]

"intelusbs3"="intelusb3"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_INTELUSB3]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_INTELUSB3\0000]

"Service"="intelusb3"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_INTELUSB3\0000\Control]

"ActiveService"="intelusb3"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\intelusb3]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\intelusb3]

"ImagePath"="%SystemRoot%\System32\svchost.exe -k intelusbs3"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\intelusb3\Enum]

"0"="Root\LEGACY_INTELUSB3\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_INTELUSB3]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_INTELUSB3\0000]

"Service"="intelusb3"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\intelusb3]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\intelusb3]

"ImagePath"="%SystemRoot%\System32\svchost.exe -k intelusbs3"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_INTELUSB3]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_INTELUSB3\0000]

"Service"="intelusb3"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_INTELUSB3\0000\Control]

"ActiveService"="intelusb3"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelusb3]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelusb3]

"ImagePath"="%SystemRoot%\System32\svchost.exe -k intelusbs3"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelusb3\Enum]

"0"="Root\LEGACY_INTELUSB3\0000"

-= EOF =-


Please go to the following site to scan a file: Virus Total

  • Click on Browse, and upload the following file for analysis:
    • c:\windows\System32\svchost.exe
  • Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
  • If it says already scanned -- click "reanalyze now"
  • Please post the results in your next reply.


Antivirus Version Last Update Result

AhnLab-V3 2011.12.01.00 2011.12.01 -

AntiVir 7.11.18.169 2011.12.01 -

Antiy-AVL 2.0.3.7 2011.12.01 -

Avast 6.0.1289.0 2011.12.01 -

AVG 10.0.0.1190 2011.12.01 -

BitDefender 7.2 2011.12.01 -

ByteHero 1.0.0.1 2011.11.29 -

CAT-QuickHeal 12.00 2011.12.01 -

ClamAV 0.97.3.0 2011.12.01 -

Commtouch 5.3.2.6 2011.12.01 -

Comodo 10799 2011.12.01 -

DrWeb 5.0.2.03300 2011.12.01 -

Emsisoft 5.1.0.11 2011.12.01 -

eSafe 7.0.17.0 2011.11.30 -

eTrust-Vet 37.0.9597 2011.12.01 -

F-Prot 4.6.5.141 2011.11.29 -

F-Secure 9.0.16440.0 2011.12.01 -

Fortinet 4.3.388.0 2011.12.01 -

GData 22 2011.12.01 -

Ikarus T3.1.1.109.0 2011.12.01 -

Jiangmin 13.0.900 2011.11.30 -

K7AntiVirus 9.119.5570 2011.11.30 -

Kaspersky 9.0.0.837 2011.12.01 -

McAfee 5.400.0.1158 2011.12.01 -

McAfee-GW-Edition 2010.1D 2011.12.01 -

Microsoft 1.7903 2011.12.01 -

NOD32 6668 2011.12.01 -

Norman 6.07.13 2011.12.01 -

nProtect 2011-12-01.01 2011.12.01 -

Panda 10.0.3.5 2011.11.30 -

PCTools 8.0.0.5 2011.12.01 -

Prevx 3.0 2011.12.01 -

Rising 23.86.03.01 2011.12.01 -

Sophos 4.71.0 2011.12.01 -

SUPERAntiSpyware 4.40.0.1006 2011.12.01 -

Symantec 20111.2.0.82 2011.12.01 -

TheHacker 6.7.0.1.352 2011.11.30 -

TrendMicro 9.500.0.1008 2011.12.01 -

TrendMicro-HouseCall 9.500.0.1008 2011.12.01 -

VBA32 3.12.16.4 2011.12.01 -

VIPRE 11187 2011.12.01 -

ViRobot 2011.12.1.4803 2011.12.01 -

VirusBuster 14.1.94.0 2011.12.01 -

Additional information

MD5 : 27c6d03bcdb8cfeb96b716f3d8be3e18

SHA1 : 49083ae3725a0488e0a8fbbe1335c745f70c4667

SHA256: 2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5


Thanks for the results. One more CFScript to run:

ComboFix - CFScript

WARNING !

This script is for THIS user and computer ONLY!

Using this tool incorrectly could damage your Operating System... preventing it from starting again!

You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

Please open Notepad and copy/paste all the text below... into the window:

Driver::
intelusb3

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"intelusbs3"=-

  1. Save it to your desktop as CFScript.txt
  2. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  3. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
    ComboFixScriptDrag.gif
    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!
    When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
  4. Please copy/paste the contents of log.txt... in your next reply.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **

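As an added example, not part of this thread or of SystemLook/ComboFix: a small Python triage script that parses the SystemLook filefind/regfind output posted above and applies the check the helper worked through by hand, that a service started as svchost.exe -k <group> should be listed under that group in the SvcHost key, carry a Parameters\ServiceDll value, and have a file of its own on disk. It flags any svchost-hosted service in the log, not only intelusb3; the sample log is copied from the thread, and the parsing assumptions (SystemLook's value-line format, whitespace-separated REG_MULTI_SZ members) are mine.

```python
import re

# Constructed sample: the SystemLook filefind/regfind output posted in this
# thread (service intelusb3, svchost group intelusbs3), CurrentControlSet only;
# the ControlSet003/004 entries in the full log duplicate these.
SYSTEMLOOK_LOG = r"""
========== filefind ==========
Searching for "*intelusb3*"
No files found.
========== regfind ==========
Searching for "intelusb"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"intelusbs3"="intelusb3"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelusb3]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k intelusbs3"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')
SVCHOST_RE = re.compile(r'svchost\.exe\s+-k\s+(\S+)', re.IGNORECASE)
SERVICE_KEY_RE = re.compile(r'^hkey_local_machine\\system\\\w+\\services\\([^\\]+)$')
SVCHOST_KEY = r'hkey_local_machine\software\microsoft\windows nt\currentversion\svchost'


def parse_regfind(log):
    """Map each key path (lower-cased) to {value name (lower-cased): data}."""
    keys, current = {}, None
    for line in log.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = m.group(2)
    return keys


def filefind_found_anything(log):
    """True unless the filefind section reports 'No files found.'."""
    return 'No files found.' not in log.split('========== regfind ==========')[0]


def audit_svchost_services(keys, files_found):
    """Return [(service, group, reasons)] for svchost-hosted services lacking what
    a genuine one needs: svchost resolves the -k group via the SvcHost key and
    loads the DLL named in the service's Parameters\ServiceDll value."""
    groups, findings = keys.get(SVCHOST_KEY, {}), []
    for key, values in keys.items():
        m = SERVICE_KEY_RE.match(key)
        hit = SVCHOST_RE.search(values.get('imagepath', '')) if m else None
        if not hit:
            continue
        svc, group, reasons = m.group(1), hit.group(1).lower(), []
        # Assumed: SystemLook prints REG_MULTI_SZ members whitespace-separated.
        if svc not in groups.get(group, '').lower().split():
            reasons.append('service not listed under SvcHost group ' + group)
        if 'servicedll' not in keys.get(key + r'\parameters', {}):
            reasons.append('no Parameters\\ServiceDll value')
        if not files_found:
            reasons.append('no file matching the service name on disk')
        if reasons:
            findings.append((svc, group, reasons))
    return findings
```

Run `audit_svchost_services(parse_regfind(SYSTEMLOOK_LOG), filefind_found_anything(SYSTEMLOOK_LOG))`; on the thread's log it reports intelusb3 with no ServiceDll and no file, which is exactly what the CFScript above then removes.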

This topic is now closed to further replies.