Advanced FBI Virus Infection


I have the FBI Ransom Virus. Windows 7 64bit. I did a restore to an earlier point, which appeared to work, but not long after I plugged the ethernet cable back in the virus came back. It pops up in safe mode now as well. Safe Mode w/ command prompt doesn't work either. Cannot restore to earlier point anymore as I get an error message every time I try. I was able to access DOS prompt from Computer Repair menu and made this log with Farbar Scanner:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 09-01-2013

Ran by SYSTEM at 13-01-2013 13:12:39

Running from F:\

(X64) OS Language: English(US)

Attention: Could not load system hive.

Attention: System hive is missing.

==================== Registry (Whitelisted) ===================

Attention: Software hive is missing.

ATTENTION: Unable to load Software hive.

==================== Services (Whitelisted) ===================

==================== Drivers (Whitelisted) =====================

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

==================== One Month Modified Files and Folders =======

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\wininit.exe IS MISSING <==== ATTENTION!.

C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION!.

C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.

C:\Windows\SysWOW64\explorer.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.

C:\Windows\SysWOW64\svchost.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.

C:\Windows\SysWOW64\User32.dll IS MISSING <==== ATTENTION!.

C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.

C:\Windows\SysWOW64\userinit.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.

c:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!

HKLM\...\exefile\DefaultIcon: <===== ATTENTION!

HKLM\...\exefile\open\command: <===== ATTENTION!

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 8%

Total physical RAM: 8191.23 MB

Available physical RAM: 7516.15 MB

Total Pagefile: 8189.38 MB

Available Pagefile: 7500.57 MB

Total Virtual: 8192 MB

Available Virtual: 8191.89 MB

==================== Partitions =============================

2 Drive d: () (Fixed) (Total:931.42 GB) (Free:851.36 GB) NTFS

4 Drive f: () (Removable) (Total:0.12 GB) (Free:0.11 GB) FAT

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

==================== End Of Log =============================

Welcome to the forum, you have to do it like this:

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:

    services.exe

  • Now press the Search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

MrC

Here you go:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 09-01-2013

Ran by SYSTEM at 13-01-2013 15:03:54

Running from D:\

Windows 7 Professional (X64) OS Language: English(US)

The current controlset is ControlSet002

==================== Registry (Whitelisted) ===================

HKLM-x32\...\Run: [DelReg] C:\Program Files (x86)\MSI\DualCoreCenter\DelReg.exe [196608 2008-05-13] ()

HKLM-x32\...\Run: [LGODDFU] "C:\Program Files (x86)\lg_fwupdate\lgfw.exe" blrun [27760 2012-07-19] (Bitleader)

HKLM-x32\...\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide [2793304 2009-10-14] ()

HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min [348664 2012-08-13] (Avira Operations GmbH & Co. KG)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)

HKU\Ted\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2008-07-30] (Hewlett-Packard Company)

HKU\Ted\...\Run: [Google Update] "C:\Users\Ted\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-03-28] (Google Inc.)

HKU\Ted\...\Run: [steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1354736 2012-12-03] (Valve Corporation)

HKU\Ted\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [6595928 2012-05-25] (Yahoo! Inc.)

HKU\Ted\...\Policies\system: [DisableTaskMgr] 1

HKLM\...\Winlogon: [shell] explorer.exe, C:\Users\Ted\AppData\Roaming\unzhaza [x ] ()

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$bdbc2f59123b460bcb7d692c1e9b3e0a\n. ATTENTION! ====> ZeroAccess

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\mLAN Manager.lnk

ShortcutTarget: mLAN Manager.lnk -> C:\Program Files (x86)\mLAN Tools\YAMAHA\mLANmanager.exe (YAMAHA CORPORATION)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\NETGEAR WG111T Smart Wizard.lnk

ShortcutTarget: NETGEAR WG111T Smart Wizard.lnk -> C:\Program Files (x86)\NETGEAR\WG111T\wlan111t.exe (NETGEAR)

==================== Services (Whitelisted) ===================

2 AntiVirSchedulerService; "C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe" [86224 2012-05-01] (Avira Operations GmbH & Co. KG)

2 AntiVirService; "C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe" [110032 2012-05-01] (Avira Operations GmbH & Co. KG)

3 NMIndexingService; "C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe" [275752 2008-01-22] (Nero AG)

2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [x]

3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [x]

==================== Drivers (Whitelisted) =====================

2 avgntflt; C:\Windows\System32\Drivers\avgntflt.sys [98848 2012-04-24] (Avira GmbH)

1 avipbb; C:\Windows\System32\Drivers\avipbb.sys [132832 2012-04-27] (Avira GmbH)

1 avkmgr; C:\Windows\System32\Drivers\avkmgr.sys [27760 2012-05-02] (Avira GmbH)

3 LVPr2M64; C:\Windows\System32\Drivers\LVPr2M64.sys [30232 2009-10-06] ()

3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-06] ()

3 mLanBus; C:\Windows\System32\Drivers\mLanBus.sys [154240 2010-01-02] (YAMAHA CORPORATION)

3 mLanMIDI; C:\Windows\System32\Drivers\mLanMIDI.sys [19968 2010-01-02] (YAMAHA CORPORATION)

3 MsibiosDevice; \??\C:\Program Files (x86)\MSI\Live Update 4\LU4\msibios64.sys [33080 2008-12-10] (Your Corporation)

3 WG111T; C:\Windows\System32\DRIVERS\WG111Tvx.sys [1037312 2007-06-01] (Atheros Communications, Inc.)

3 WEBNTACCESS; \??\C:\Windows\system32\NTACCESS.SYS [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-01-13 13:23 - 2013-01-13 13:23 - 00000000 ____D C:\FRST

2013-01-13 09:16 - 2013-01-13 09:37 - 00177664 ____A (Eventys Co. Ltd.) C:\Users\Ted\AppData\Roaming\unzhaza.exe

2013-01-13 09:13 - 2013-01-13 09:37 - 00177664 ____A (Eventys Co. Ltd.) C:\Users\Ted\AppData\Local\unzhaza.exe

2013-01-13 09:13 - 2013-01-13 09:18 - 00177664 ____A (Eventys Co. Ltd.) C:\Users\All Users\unzhaza.exe

2013-01-11 18:15 - 2013-01-11 18:15 - 00000000 ____D C:\Windows\Sun

2012-12-24 10:19 - 2012-12-24 10:19 - 00000000 ____D C:\Users\Ted\AppData\Roaming\NVIDIA

2012-12-21 03:27 - 2012-12-16 09:11 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll

2012-12-21 03:27 - 2012-12-16 06:45 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll

2012-12-21 03:27 - 2012-12-16 06:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll

2012-12-21 03:27 - 2012-12-16 06:13 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll

2012-12-21 03:21 - 2012-12-21 03:25 - 105603488 ____A C:\Users\Ted\Downloads\avira_free_antivirus_en.exe

2012-12-15 15:52 - 2012-12-15 15:52 - 00000000 ____D C:\Users\Ted\AppData\Roaming\Mozilla

==================== One Month Modified Files and Folders =======

2013-01-13 13:23 - 2013-01-13 13:23 - 00000000 ____D C:\FRST

2013-01-13 09:37 - 2013-01-13 09:16 - 00177664 ____A (Eventys Co. Ltd.) C:\Users\Ted\AppData\Roaming\unzhaza.exe

2013-01-13 09:37 - 2013-01-13 09:13 - 00177664 ____A (Eventys Co. Ltd.) C:\Users\Ted\AppData\Local\unzhaza.exe

2013-01-13 09:18 - 2013-01-13 09:13 - 00177664 ____A (Eventys Co. Ltd.) C:\Users\All Users\unzhaza.exe

2013-01-13 09:18 - 2010-03-27 15:19 - 00226446 ____A C:\Windows\PFRO.log

2013-01-13 09:16 - 2012-12-11 19:42 - 00000000 ____D C:\Users\Ted\AppData\Roaming\.spotflux

2013-01-13 09:16 - 2010-12-31 12:27 - 00000000 ____D C:\Program Files (x86)\Steam

2013-01-13 09:16 - 2010-01-02 19:23 - 00000397 ____A C:\Windows\lgfwup.ini

2013-01-13 09:16 - 2010-01-02 19:23 - 00000000 ____D C:\Program Files (x86)\lg_fwupdate

2013-01-13 09:15 - 2012-11-18 00:01 - 00000000 ____D C:\Users\All Users\NVIDIA

2013-01-13 09:15 - 2012-07-07 22:01 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-01-13 09:15 - 2010-03-26 14:16 - 00000000 ____A C:\Windows\System32\Drivers\lvuvc.hs

2013-01-13 09:15 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-01-13 09:15 - 2009-07-13 20:51 - 00043528 ____A C:\Windows\setupact.log

2013-01-13 09:14 - 2009-12-13 07:32 - 01136373 ____A C:\Windows\WindowsUpdate.log

2013-01-13 09:13 - 2010-03-28 19:00 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2628660804-2913106289-2879219661-1000UA.job

2013-01-13 08:43 - 2012-07-07 22:01 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-01-13 08:43 - 2011-08-28 09:20 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-01-13 08:38 - 2010-12-30 16:59 - 00000000 ____D C:\Program Files (x86)\Google

2013-01-13 08:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF

2013-01-13 08:36 - 2010-03-28 19:00 - 00000000 ____D C:\Users\Ted\AppData\Local\Google

2013-01-13 08:32 - 2009-07-13 20:45 - 00020528 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-01-13 08:32 - 2009-07-13 20:45 - 00020528 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-01-13 08:29 - 2009-12-13 05:13 - 00000000 ____D C:\users\Ted

2013-01-13 08:29 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI

2013-01-13 08:22 - 2012-07-07 22:01 - 00000000 ____D C:\Users\All Users\Yahoo! Companion

2013-01-13 08:22 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2013-01-13 08:22 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration

2013-01-13 08:22 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat

2013-01-13 08:20 - 2012-07-07 22:01 - 00000000 ____D C:\Users\Ted\AppData\Roaming\Yahoo!

2013-01-11 18:15 - 2013-01-11 18:15 - 00000000 ____D C:\Windows\Sun

2012-12-25 18:31 - 2010-03-28 19:00 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2628660804-2913106289-2879219661-1000Core.job

2012-12-24 10:19 - 2012-12-24 10:19 - 00000000 ____D C:\Users\Ted\AppData\Roaming\NVIDIA

2012-12-21 16:14 - 2009-07-13 20:45 - 00275712 ____A C:\Windows\System32\FNTCACHE.DAT

2012-12-21 03:25 - 2012-12-21 03:21 - 105603488 ____A C:\Users\Ted\Downloads\avira_free_antivirus_en.exe

2012-12-16 09:11 - 2012-12-21 03:27 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll

2012-12-16 06:45 - 2012-12-21 03:27 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll

2012-12-16 06:13 - 2012-12-21 03:27 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll

2012-12-16 06:13 - 2012-12-21 03:27 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll

2012-12-15 15:52 - 2012-12-15 15:52 - 00000000 ____D C:\Users\Ted\AppData\Roaming\Mozilla

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-2628660804-2913106289-2879219661-1000\$bdbc2f59123b460bcb7d692c1e9b3e0a

ZeroAccess:

C:\$Recycle.Bin\S-1-5-18\$bdbc2f59123b460bcb7d692c1e9b3e0a

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-12-11 19:38:47

Restore point made on: 2012-12-11 19:39:18

Restore point made on: 2012-12-11 19:42:00

Restore point made on: 2012-12-13 20:48:32

Restore point made on: 2012-12-21 03:27:51

Restore point made on: 2012-12-28 11:49:31

Restore point made on: 2013-01-09 21:09:43

Restore point made on: 2013-01-11 19:25:26

Restore point made on: 2013-01-11 19:55:17

Restore point made on: 2013-01-13 08:18:23

==================== Memory info ===========================

Percentage of memory in use: 11%

Total physical RAM: 8191.23 MB

Available physical RAM: 7274.52 MB

Total Pagefile: 8189.38 MB

Available Pagefile: 7374.59 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

==================== Partitions =============================

2 Drive c: () (Fixed) (Total:931.42 GB) (Free:851.28 GB) NTFS

3 Drive d: () (Removable) (Total:0.12 GB) (Free:0.11 GB) FAT

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 931 GB 0 B

Disk 1 Online 124 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 931 GB 101 MB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 931 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 123 MB 16 KB

==================================================================================

Disk: 1

Partition 1

Type : 06

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 D FAT Removable 123 MB Healthy

=========================================================

Last Boot: 2013-01-07 08:27

==================== End Of Log =============================

Farbar Recovery Scan Tool (x64) Version: 09-01-2013

Ran by SYSTEM at 2013-01-13 15:13:06

Running from D:\

================== Search: "services.exe" ===================

====== End Of Search ======

Sorry for the delayed response. I was not expecting to hear from you so soon.

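As an added example (not part of this thread, and not FRST's own code): a small Python triage script that reads FRST.txt lines in the shapes shown in the log above and flags the persistence patterns FRST marked there: a Winlogon Shell value that launches a second program, an InprocServer32 default pointing into $Recycle.Bin, Task Manager disabled by policy, test-signing enabled, and one executable dropped with identical size under several paths. The sample input is an excerpt of the posted log; the category names are the script's own.

```python
"""Triage of FRST (Farbar Recovery Scan Tool) log lines for the persistence
patterns seen in this thread. Each finding is a (category, detail) tuple;
the categories are this script's own labels, not FRST output."""
import ntpath
import re
from collections import defaultdict

# Excerpt of the FRST.txt posted above (line shapes are FRST's own), plus one
# benign Run entry, one folder line and an OK exe association as negative controls.
SAMPLE_FRST = r"""
HKLM-x32\...\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min [348664 2012-08-13] (Avira Operations GmbH & Co. KG)
HKU\Ted\...\Policies\system: [DisableTaskMgr] 1
HKLM\...\Winlogon: [shell] explorer.exe, C:\Users\Ted\AppData\Roaming\unzhaza [x ] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$bdbc2f59123b460bcb7d692c1e9b3e0a\n. ATTENTION! ====> ZeroAccess
2013-01-13 09:16 - 2013-01-13 09:37 - 00177664 ____A (Eventys Co. Ltd.) C:\Users\Ted\AppData\Roaming\unzhaza.exe
2013-01-13 09:13 - 2013-01-13 09:37 - 00177664 ____A (Eventys Co. Ltd.) C:\Users\Ted\AppData\Local\unzhaza.exe
2013-01-13 09:13 - 2013-01-13 09:18 - 00177664 ____A (Eventys Co. Ltd.) C:\Users\All Users\unzhaza.exe
2013-01-11 18:15 - 2013-01-11 18:15 - 00000000 ____D C:\Windows\Sun
testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!
HKLM\...\.exe: exefile => OK
"""

SHELL_RE = re.compile(r"\\Winlogon: \[shell\] (.*)$", re.IGNORECASE)
INPROC_RE = re.compile(r"InprocServer32: \[Default[^\]]*\] (\S+)", re.IGNORECASE)
TASKMGR_RE = re.compile(r"\[DisableTaskMgr\] 1\b")
# Created/modified file lines: "<created> - <modified> - <size> <attrs> [(company)] <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - (\d{8}) "
    r"([_A-Z]{5}) (?:\(([^)]*)\) )?(.+)$"
)
# FRST appends "[size date] (company)" or "[x] ()" after a registry value.
TRAILER_RE = re.compile(r"\s*\[[^\]]*\]\s*\([^)]*\)\s*$")


def triage_frst(text):
    """Return a list of (category, detail) findings for one FRST log."""
    findings = []
    exe_by_name_size = defaultdict(list)   # (basename, size) -> paths seen

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = SHELL_RE.search(line)
        if m:
            # Legitimate Shell is exactly "explorer.exe"; anything after the
            # comma is an extra program started at every logon.
            value = TRAILER_RE.sub("", m.group(1))
            extras = [p.strip() for p in value.split(",")
                      if p.strip().lower() != "explorer.exe"]
            if extras:
                findings.append(("winlogon-shell",
                                 "Shell launches extra program(s): " + "; ".join(extras)))
            continue

        m = INPROC_RE.search(line)
        if m and "$recycle.bin" in m.group(1).lower():
            # A COM server's default value should be a DLL under Program Files
            # or System32, never a path inside the Recycle Bin.
            findings.append(("com-hijack",
                             "InprocServer32 default points into the Recycle Bin: " + m.group(1)))
            continue

        if TASKMGR_RE.search(line):
            findings.append(("taskmgr-disabled", line))
            continue

        if line.lower().startswith("testsigning:") and "ATTENTION" in line:
            findings.append(("testsigning",
                             "Test-signing is on; unsigned kernel drivers can load"))
            continue

        m = FILE_RE.match(line)
        if m and m.group(2) != "____D":           # skip directory entries
            size, path = m.group(1), m.group(4)
            if path.lower().endswith(".exe"):
                exe_by_name_size[(ntpath.basename(path).lower(), size)].append(path)

    # The same executable with identical size under several paths is the
    # self-copying pattern the "One Month Created Files" section shows.
    for (name, size), paths in exe_by_name_size.items():
        if len(paths) > 1:
            findings.append(("dropped-copies",
                             f"{name} ({int(size)} bytes) in {len(paths)} locations: "
                             + ", ".join(paths)))
    return findings


def categories(findings):
    """Sorted, de-duplicated category names of a findings list."""
    return sorted({cat for cat, _ in findings})


if __name__ == "__main__":
    for cat, detail in triage_frst(SAMPLE_FRST):
        print(f"[{cat}] {detail}")
```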
OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-01-2013

Ran by SYSTEM at 2013-01-13 15:46:42 Run:1

Running from F:\

==============================================

HKEY_USERS\Ted\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored successfully .

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).

C:\Users\Ted\AppData\Roaming\unzhaza.exe moved successfully.

C:\Users\Ted\AppData\Local\unzhaza.exe moved successfully.

C:\Users\All Users\unzhaza.exe moved successfully.

C:\Users\Ted\AppData\Roaming\unzhaza.exe not found.

C:\Users\Ted\AppData\Local\unzhaza.exe not found.

C:\Users\All Users\unzhaza.exe not found.

C:\$Recycle.Bin\S-1-5-21-2628660804-2913106289-2879219661-1000\$bdbc2f59123b460bcb7d692c1e9b3e0a moved successfully.

C:\$Recycle.Bin\S-1-5-18\$bdbc2f59123b460bcb7d692c1e9b3e0a moved successfully.

==== End of Fixlog ====

Rebooting wasn't part of the "Please carefully carry out this procedure!!!!!!" instructions. :) But yes, now it does reboot to Windows and I don't see the screen. Previously when I got to this point though I could not access the internet. When I fixed the connection, then the virus screen came back. Currently I have the ethernet unplugged. Would you recommend hooking back up and updating Malwarebytes?

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

You can reconnect and see if you can run this...............

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC

Here are the scans. Took 2 tries. Still had Hijack.Trojan.Siredef.C after 1st try. Clear this last time.

Malwarebytes Anti-Rootkit BETA 1.01.0.1016

www.malwarebytes.org

Database version: v2013.01.13.08

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Ted :: TED-PC [administrator]

1/13/2013 4:39:29 PM

mbar-log-2013-01-13 (16-39-29).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 29452

Time elapsed: 3 minute(s), 49 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1016

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 3.100000 GHz

Memory total: 8589127680, free: 6886162432

------------ Kernel report ------------

01/13/2013 16:19:36

------------ Loaded modules -----------


\Windows\System32\cfgmgr32.dll

\Windows\System32\wintrust.dll

\Windows\System32\comctl32.dll

\Windows\System32\devobj.dll

\Windows\System32\crypt32.dll

\Windows\System32\KernelBase.dll

\Windows\System32\msasn1.dll

\Windows\SysWOW64\normaliz.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xfffffa80075c3790

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000007a\

Lower Device Object: 0xfffffa800753db60

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

Initialization returned 0x0

Load Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa80078f2060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000006a\

Lower Device Object: 0xfffffa8006b31060

Lower Device Driver Name: \Driver\nvraid\

Driver name found: nvraid

Initialization returned 0x0

Load Function returned 0x0

Host not found

Downloaded database version: v2013.01.13.08

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 2

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa80078f2060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa80078f2ab0, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa80078f2060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8006b31060, DeviceName: \Device\0000006a\, DriverName: \Driver\nvraid\

------------ End ----------

Upper DeviceData: 0xfffff8a00ceb64e0, 0xfffffa80078f2060, 0xfffffa800752f560

Lower DeviceData: 0xfffff8a00ce3d930, 0xfffffa8006b31060, 0xfffffa80075ea990

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 1C73957C

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 2048 Numsec = 204800

Partition file system is NTFS

Partition is bootable

Partition 1 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 206848 Numsec = 1953337344

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 1000215674880 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1953526240-1953546240)...

Physical Sector Size: 512

Drive: 1, DevicePointer: 0xfffffa80075c3790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8007557b90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa80075c3790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa800753db60, DeviceName: \Device\0000007a\, DriverName: \Driver\USBSTOR\

------------ End ----------

Upper DeviceData: 0xfffff8a00c5766d0, 0xfffffa80075c3790, 0xfffffa8007155790

Lower DeviceData: 0xfffff8a00d0a3800, 0xfffffa800753db60, 0xfffffa80099d8bc0

Drive 1

Scanning MBR on drive 1...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: D0C0B0A

Partition information:

Partition 0 type is Other (0x6)

Partition is ACTIVE.

Partition starts at LBA: 32 Numsec = 253920

Partition file system is FAT

Partition is not bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 130023936 bytes

Sector size: 512 bytes

Done!

Performing system, memory and registry scan...

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{17DE5E5E-BFE3-4E83-8E1F-8755795359EC} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\TypeLib\{C8CECDE3-1AE1-4C4A-AD82-6D5B00212144} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{1F52A5FA-A705-4415-B975-88503B291728} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{A626CDBD-3D13-4F78-B819-440A28D7E8FC} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{1F52A5FA-A705-4415-B975-88503B291728} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{A626CDBD-3D13-4F78-B819-440A28D7E8FC} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\TypeLib\{C8CECDE3-1AE1-4C4A-AD82-6D5B00212144} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{3E720451-B472-4954-B7AA-33069EB53906} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\TypeLib\{3E720450-B472-4954-B7AA-33069EB53906} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{3E720453-B472-4954-B7AA-33069EB53906} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{3E720453-B472-4954-B7AA-33069EB53906} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\TypeLib\{3E720450-B472-4954-B7AA-33069EB53906} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{6E74766C-4D93-4CC0-96D1-47B8E07FF9CA} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\TypeLib\{F42228FB-E84E-479E-B922-FBBD096E792C} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{DE38C398-B328-4F4C-A3AD-1B5E4ED93477} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{DE38C398-B328-4F4C-A3AD-1B5E4ED93477} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\TypeLib\{F42228FB-E84E-479E-B922-FBBD096E792C} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{72EE7F04-15BD-4845-A005-D6711144D86A} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\TypeLib\{E79DFBC0-5697-4FBD-94E5-5B2A9C7C1612} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{E79DFBC9-5697-4FBD-94E5-5B2A9C7C1612} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{E79DFBC9-5697-4FBD-94E5-5B2A9C7C1612} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\TypeLib\{E79DFBC0-5697-4FBD-94E5-5B2A9C7C1612} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{07B18EAA-A523-4961-B6BB-170DE4475CCA} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\TypeLib\{07B18EA0-A523-4961-B6BB-170DE4475CCA} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{07B18EAC-A523-4961-B6BB-170DE4475CCA} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{8E9CF769-3D3B-40EB-9E2D-76E7A205E4D2} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{AAA9C380-E19A-4436-88F6-02942C31CC9E} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{AAA9C381-E19A-4436-88F6-02942C31CC9E} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{F87D7FB5-9DC5-4C8C-B998-D8DFE02E2978} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{07B18EAC-A523-4961-B6BB-170DE4475CCA} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{8E9CF769-3D3B-40EB-9E2D-76E7A205E4D2} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{AAA9C380-E19A-4436-88F6-02942C31CC9E} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{AAA9C381-E19A-4436-88F6-02942C31CC9E} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{F87D7FB5-9DC5-4C8C-B998-D8DFE02E2978} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\TypeLib\{07B18EA0-A523-4961-B6BB-170DE4475CCA} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25E} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\TypeLib\{0D26BC71-A633-4E71-AD31-EADC3A1B6A3A} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\TypeLib\{0D26BC71-A633-4E71-AD31-EADC3A1B6A3A} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{2E3537FC-CF2F-4F56-AF54-5A6A3DD375CC} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\TypeLib\{29D67D3C-509A-4544-903F-C8C1B8236554} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\TypeLib\{29D67D3C-509A-4544-903F-C8C1B8236554} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{7473D291-B7BB-4F24-AE82-7E2CE94BB6A9} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\TypeLib\{7473D290-B7BB-4F24-AE82-7E2CE94BB6A9} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{7473D295-B7BB-4F24-AE82-7E2CE94BB6A9} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{7473D297-B7BB-4F24-AE82-7E2CE94BB6A9} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{7473D298-B7BB-4F24-AE82-7E2CE94BB6A9} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{7473D295-B7BB-4F24-AE82-7E2CE94BB6A9} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{7473D297-B7BB-4F24-AE82-7E2CE94BB6A9} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{7473D298-B7BB-4F24-AE82-7E2CE94BB6A9} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\TypeLib\{7473D290-B7BB-4F24-AE82-7E2CE94BB6A9} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{1093995A-BA37-41D2-836E-091067C4AD17} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\TypeLib\{8CA01F0E-987C-49C3-B852-2F1AC4A7094C} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{120927BF-1700-43BC-810F-FAB92549B390} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{247A115F-06C2-4FB3-967D-2D62D3CF4F0A} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{3E53E2CB-86DB-4A4A-8BD9-FFEB7A64DF82} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{90449521-D834-4703-BB4E-D3AA44042FF8} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{991AAC62-B100-47CE-8B75-253965244F69} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{BBABDC90-F3D5-4801-863A-EE6AE529862D} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{D6FF3684-AD3B-48EB-BBB4-B9E6C5A355C1} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{120927BF-1700-43BC-810F-FAB92549B390} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{247A115F-06C2-4FB3-967D-2D62D3CF4F0A} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{3E53E2CB-86DB-4A4A-8BD9-FFEB7A64DF82} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{90449521-D834-4703-BB4E-D3AA44042FF8} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{991AAC62-B100-47CE-8B75-253965244F69} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{BBABDC90-F3D5-4801-863A-EE6AE529862D} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{D6FF3684-AD3B-48EB-BBB4-B9E6C5A355C1} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\TypeLib\{8CA01F0E-987C-49C3-B852-2F1AC4A7094C} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{63D0ED2B-B45B-4458-8B3B-60C69BBBD83C} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\TypeLib\{8E6F1830-9607-4440-8530-13BE7C4B1D14} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\TypeLib\{8E6F1830-9607-4440-8530-13BE7C4B1D14} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{CF54BE1C-9359-4395-8533-1657CF209CFE} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{3E1656ED-F60E-4597-B6AA-B6A58E171495} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\TypeLib\{E47CAEE0-DEEA-464A-9326-3F2801535A4D} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF} --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\TypeLib\{E47CAEE0-DEEA-464A-9326-3F2801535A4D} --> [PUP.MyWebSearch]

Infected: HKCU\SOFTWARE\APPDATALOW\SOFTWARE\MyWebSearch --> [PUP.MyWebsearch]

Infected: HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} --> [Hijack.Trojan.Siredef.C]

Infected: HKLM\SOFTWARE\WOW6432NODE\MOZILLAPLUGINS\@mywebsearch.com/Plugin --> [PUP.MyWebSearch]

Infected: HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\EXTENSIONS|m3ffxtbr@mywebsearch.com --> [PUP.MyWebSearch]

Infected: HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| --> [Trojan.0Access]

Done!

Scan finished

Creating System Restore point...

Scheduling clean up...

<<<2>>>

Device number: 0, partition: 2

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Removal successful. No system shutdown is required.

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1016

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 3.100000 GHz

Memory total: 8589127680, free: 7062765568

------------ Kernel report ------------

01/13/2013 16:29:25

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_AuthenticAMD.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\drivers\pciide.sys

\SystemRoot\system32\drivers\PCIIDEX.SYS

\SystemRoot\system32\drivers\nvraid.sys

\SystemRoot\system32\drivers\CLASSPNP.SYS

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\vmbus.sys

\SystemRoot\system32\drivers\winhv.sys

\SystemRoot\system32\drivers\atapi.sys

\SystemRoot\system32\drivers\ataport.SYS

\SystemRoot\system32\drivers\nvstor.sys

\SystemRoot\system32\drivers\storport.sys

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\vmstorfl.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\DRIVERS\disk.sys

\SystemRoot\system32\drivers\cdrom.sys

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\drivers\termdd.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\drivers\mssmbios.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\system32\drivers\csc.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\avkmgr.sys

\SystemRoot\system32\DRIVERS\avipbb.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\amdppm.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\DRIVERS\fdc.sys

\SystemRoot\system32\drivers\i8042prt.sys

\SystemRoot\system32\drivers\kbdclass.sys

\SystemRoot\system32\DRIVERS\usbohci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\drivers\HDAudBus.sys

\SystemRoot\system32\drivers\1394ohci.sys

\SystemRoot\system32\DRIVERS\nvm62x64.sys

\SystemRoot\system32\DRIVERS\nvlddmkm.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\drivers\wmiacpi.sys

\SystemRoot\system32\drivers\CompositeBus.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\tap0901.sys

\SystemRoot\system32\DRIVERS\rdpbus.sys

\SystemRoot\system32\drivers\mouclass.sys

\SystemRoot\system32\drivers\swenum.sys

\SystemRoot\system32\drivers\ks.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\flpydisk.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\HdAudio.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_nvraid.sys

\SystemRoot\System32\Drivers\dump_CLASSPNP.SYS

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\system32\drivers\luafv.sys

\SystemRoot\system32\DRIVERS\avgntflt.sys

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\nwifi.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\system32\DRIVERS\LVPr2M64.sys

\SystemRoot\system32\DRIVERS\asyncmac.sys

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\SystemRoot\system32\DRIVERS\WSDPrint.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

\Windows\System32\user32.dll

\Windows\System32\setupapi.dll

\Windows\System32\lpk.dll

\Windows\System32\Wldap32.dll

\Windows\System32\shlwapi.dll

\Windows\System32\ws2_32.dll

\Windows\System32\rpcrt4.dll

\Windows\System32\nsi.dll

\Windows\System32\ole32.dll

\Windows\System32\kernel32.dll

\Windows\System32\msctf.dll

\Windows\System32\iertutil.dll

\Windows\System32\urlmon.dll

\Windows\System32\imm32.dll

\Windows\System32\clbcatq.dll

\Windows\System32\wininet.dll

\Windows\System32\advapi32.dll

\Windows\System32\imagehlp.dll

\Windows\System32\usp10.dll

\Windows\System32\psapi.dll

\Windows\System32\sechost.dll

\Windows\System32\comdlg32.dll

\Windows\System32\shell32.dll

\Windows\System32\oleaut32.dll

\Windows\System32\normaliz.dll

\Windows\System32\msvcrt.dll

\Windows\System32\difxapi.dll

\Windows\System32\gdi32.dll

\Windows\System32\cfgmgr32.dll

\Windows\System32\wintrust.dll

\Windows\System32\comctl32.dll

\Windows\System32\devobj.dll

\Windows\System32\crypt32.dll

\Windows\System32\KernelBase.dll

\Windows\System32\msasn1.dll

\Windows\SysWOW64\normaliz.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xfffffa80075c3790

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000007a\

Lower Device Object: 0xfffffa800753db60

Lower Device Driver Name: \Driver\USBSTOR\

Device already Exists: 0xfffffa80099d8bc0

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa80078f2060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000006a\

Lower Device Object: 0xfffffa8006b31060

Lower Device Driver Name: \Driver\nvraid\

Device already Exists: 0xfffffa80075ea990

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 2

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa80078f2060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa80078f2ab0, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa80078f2060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8006b31060, DeviceName: \Device\0000006a\, DriverName: \Driver\nvraid\

------------ End ----------

Upper DeviceData: 0xfffff8a005e69f50, 0xfffffa80078f2060, 0xfffffa800752f560

Lower DeviceData: 0xfffff8a00c6311b0, 0xfffffa8006b31060, 0xfffffa80075ea990

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 1C73957C

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 2048 Numsec = 204800

Partition file system is NTFS

Partition is bootable

Partition 1 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 206848 Numsec = 1953337344

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 1000215674880 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1953526240-1953546240)...

Physical Sector Size: 512

Drive: 1, DevicePointer: 0xfffffa80075c3790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8007557b90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa80075c3790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa800753db60, DeviceName: \Device\0000007a\, DriverName: \Driver\USBSTOR\

------------ End ----------

Upper DeviceData: 0xfffff8a00c8bba20, 0xfffffa80075c3790, 0xfffffa8007155790

Lower DeviceData: 0xfffff8a010859270, 0xfffffa800753db60, 0xfffffa80099d8bc0

Drive 1

Scanning MBR on drive 1...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: D0C0B0A

Partition information:

Partition 0 type is Other (0x6)

Partition is ACTIVE.

Partition starts at LBA: 32 Numsec = 253920

Partition file system is FAT

Partition is not bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 130023936 bytes

Sector size: 512 bytes

Done!

Performing system, memory and registry scan...

Infected: HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9} --> [Hijack.Trojan.Siredef.C]

Done!

Scan finished

Creating System Restore point...

Scheduling clean up...

<<<2>>>

Device number: 0, partition: 2

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Removal successful. No system shutdown is required.

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1016

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 3.100000 GHz

Memory total: 8589127680, free: 7080386560

------------ Kernel report ------------

01/13/2013 16:35:36

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_AuthenticAMD.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\drivers\pciide.sys

\SystemRoot\system32\drivers\PCIIDEX.SYS

\SystemRoot\system32\drivers\nvraid.sys

\SystemRoot\system32\drivers\CLASSPNP.SYS

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\vmbus.sys

\SystemRoot\system32\drivers\winhv.sys

\SystemRoot\system32\drivers\atapi.sys

\SystemRoot\system32\drivers\ataport.SYS

\SystemRoot\system32\drivers\nvstor.sys

\SystemRoot\system32\drivers\storport.sys

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\vmstorfl.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\DRIVERS\disk.sys

\SystemRoot\system32\drivers\cdrom.sys

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\drivers\termdd.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\drivers\mssmbios.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\system32\drivers\csc.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\avkmgr.sys

\SystemRoot\system32\DRIVERS\avipbb.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\amdppm.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\DRIVERS\fdc.sys

\SystemRoot\system32\drivers\i8042prt.sys

\SystemRoot\system32\drivers\kbdclass.sys

\SystemRoot\system32\DRIVERS\usbohci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\drivers\HDAudBus.sys

\SystemRoot\system32\drivers\1394ohci.sys

\SystemRoot\system32\DRIVERS\nvm62x64.sys

\SystemRoot\system32\DRIVERS\nvlddmkm.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\drivers\wmiacpi.sys

\SystemRoot\system32\drivers\CompositeBus.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\tap0901.sys

\SystemRoot\system32\DRIVERS\rdpbus.sys

\SystemRoot\system32\drivers\mouclass.sys

\SystemRoot\system32\drivers\swenum.sys

\SystemRoot\system32\drivers\ks.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\flpydisk.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\HdAudio.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_nvraid.sys

\SystemRoot\System32\Drivers\dump_CLASSPNP.SYS

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\system32\drivers\luafv.sys

\SystemRoot\system32\DRIVERS\avgntflt.sys

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\nwifi.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\system32\DRIVERS\LVPr2M64.sys

\SystemRoot\system32\DRIVERS\asyncmac.sys

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\SystemRoot\system32\DRIVERS\WSDPrint.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

\Windows\System32\user32.dll

\Windows\System32\setupapi.dll

\Windows\System32\lpk.dll

\Windows\System32\Wldap32.dll

\Windows\System32\shlwapi.dll

\Windows\System32\ws2_32.dll

\Windows\System32\rpcrt4.dll

\Windows\System32\nsi.dll

\Windows\System32\ole32.dll

\Windows\System32\kernel32.dll

\Windows\System32\msctf.dll

\Windows\System32\iertutil.dll

\Windows\System32\urlmon.dll

\Windows\System32\imm32.dll

\Windows\System32\clbcatq.dll

\Windows\System32\wininet.dll

\Windows\System32\advapi32.dll

\Windows\System32\imagehlp.dll

\Windows\System32\usp10.dll

\Windows\System32\psapi.dll

\Windows\System32\sechost.dll

\Windows\System32\comdlg32.dll

\Windows\System32\shell32.dll

\Windows\System32\oleaut32.dll

\Windows\System32\normaliz.dll

\Windows\System32\msvcrt.dll

\Windows\System32\difxapi.dll

\Windows\System32\gdi32.dll

\Windows\System32\cfgmgr32.dll

\Windows\System32\wintrust.dll

\Windows\System32\comctl32.dll

\Windows\System32\devobj.dll

\Windows\System32\crypt32.dll

\Windows\System32\KernelBase.dll

\Windows\System32\msasn1.dll

\Windows\SysWOW64\normaliz.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xfffffa80075c3790

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000007a\

Lower Device Object: 0xfffffa800753db60

Lower Device Driver Name: \Driver\USBSTOR\

Device already Exists: 0xfffffa80099d8bc0

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa80078f2060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000006a\

Lower Device Object: 0xfffffa8006b31060

Lower Device Driver Name: \Driver\nvraid\

Device already Exists: 0xfffffa80075ea990

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 2

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa80078f2060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa80078f2ab0, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa80078f2060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8006b31060, DeviceName: \Device\0000006a\, DriverName: \Driver\nvraid\

------------ End ----------

Upper DeviceData: 0xfffff8a001bf0480, 0xfffffa80078f2060, 0xfffffa800752f560

Lower DeviceData: 0xfffff8a00c717e50, 0xfffffa8006b31060, 0xfffffa80075ea990

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 1C73957C

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 2048 Numsec = 204800

Partition file system is NTFS

Partition is bootable

Partition 1 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 206848 Numsec = 1953337344

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 1000215674880 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1953526240-1953546240)...

Physical Sector Size: 512

Drive: 1, DevicePointer: 0xfffffa80075c3790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8007557b90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa80075c3790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa800753db60, DeviceName: \Device\0000007a\, DriverName: \Driver\USBSTOR\

------------ End ----------

Upper DeviceData: 0xfffff8a003c26df0, 0xfffffa80075c3790, 0xfffffa8007155790

Lower DeviceData: 0xfffff8a002735530, 0xfffffa800753db60, 0xfffffa80099d8bc0

Drive 1

Scanning MBR on drive 1...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: D0C0B0A

Partition information:

Partition 0 type is Other (0x6)

Partition is ACTIVE.

Partition starts at LBA: 32 Numsec = 253920

Partition file system is FAT

Partition is not bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 130023936 bytes

Sector size: 512 bytes

Done!

Performing system, memory and registry scan...

Done!

Scan finished

=======================================

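The "Inspecting partition table" section of the log above is the scanner reading the 64-byte partition table at the end of the MBR and printing the boot signature, disk signature and the four entries (status, type, starting LBA, sector count), then reading the sectors no partition covers. The following is an added example, not the scanner's or the poster's code: a Python parser that decodes a raw 512-byte MBR sector the same way, derives the unpartitioned sector ranges a locker or bootkit would hide a loader in, and runs the consistency checks a responder applies before trusting the table. The sample MBR is constructed to reproduce drive 0's table from the log (signature 55AA, disk signature 1C73957C, an active 0x07 partition at LBA 2048 for 204800 sectors, a second 0x07 partition at LBA 206848 for 1953337344 sectors); its boot-code area is zero-filled, which a real MBR never is, and the partition type names are an assumption, not the scanner's labels.

```python
import struct

SECTOR_SIZE = 512
MBR_DISK_SIG = 0x1B8     # 4-byte NT disk signature
MBR_PART_TABLE = 0x1BE   # four 16-byte partition entries
MBR_BOOT_SIG = 510       # bytes 55 AA

# Type names are an assumption for readability; the scanner in the log
# labels 0x7 "Primary" and 0x6 "Other" instead.
PARTITION_TYPES = {
    0x00: "Empty", 0x05: "Extended", 0x06: "FAT16", 0x07: "NTFS",
    0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)",
    0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(mbr: bytes) -> dict:
    """Decode the partition table of one raw 512-byte MBR sector."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected one %d-byte sector" % SECTOR_SIZE)
    entries = []
    for i in range(4):
        off = MBR_PART_TABLE + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA, count
        status, ptype, lba, numsec = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({
            "index": i, "status": status, "active": status == 0x80,
            "type": ptype, "type_name": PARTITION_TYPES.get(ptype, "Other"),
            "lba": lba, "numsec": numsec,
        })
    return {
        "boot_signature": mbr[MBR_BOOT_SIG:MBR_BOOT_SIG + 2].hex().upper(),  # "55AA"
        "disk_signature": "%08X" % struct.unpack_from("<I", mbr, MBR_DISK_SIG)[0],
        "partitions": entries,
    }


def unpartitioned_ranges(table: dict, disk_sectors: int) -> list:
    """Sector ranges [start, end) that no partition covers, excluding sector 0.
    Code parked outside every file system (a bootkit loader, a locker's
    second stage) lives in exactly these gaps, so a scanner reads them raw."""
    used = sorted((p["lba"], p["lba"] + p["numsec"])
                  for p in table["partitions"] if p["type"] != 0 and p["numsec"])
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors))
    return gaps


def check_mbr(table: dict, disk_sectors: int) -> list:
    """Sanity checks on the decoded table; an empty list means it is consistent."""
    findings = []
    if table["boot_signature"] != "55AA":
        findings.append("missing 55AA boot signature")
    parts = table["partitions"]
    if sum(p["active"] for p in parts) > 1:
        findings.append("more than one active partition")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d: invalid status byte 0x%02X" % (p["index"], p["status"]))
        if p["type"] == 0 and (p["lba"] or p["numsec"]):
            findings.append("partition %d: empty type but non-zero extent" % p["index"])
        if p["type"] != 0 and p["lba"] + p["numsec"] > disk_sectors:
            findings.append("partition %d: extends past end of disk" % p["index"])
    used = [p for p in parts if p["type"] != 0]
    for a in used:
        for b in used:
            if (a["index"] < b["index"] and a["lba"] < b["lba"] + b["numsec"]
                    and b["lba"] < a["lba"] + a["numsec"]):
                findings.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sector reproducing drive 0's table from the log (boot code zeroed)."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", mbr, MBR_DISK_SIG, 0x1C73957C)
    table = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1953337344),
             (0, 0, 0, 0), (0, 0, 0, 0)]
    for i, (status, ptype, lba, numsec) in enumerate(table):
        struct.pack_into("<B3xB3xII", mbr, MBR_PART_TABLE + 16 * i, status, ptype, lba, numsec)
    mbr[MBR_BOOT_SIG:MBR_BOOT_SIG + 2] = b"\x55\xAA"
    return bytes(mbr)


DISK0_SECTORS = 1000215674880 // SECTOR_SIZE  # "Disk Size" line for drive 0

if __name__ == "__main__":
    t = parse_mbr(build_sample_mbr())
    print("MBR Signature:", t["boot_signature"], " Disk Signature:", t["disk_signature"])
    for p in t["partitions"]:
        print("Partition %d type 0x%X (%s) %s LBA %d Numsec %d" % (
            p["index"], p["type"], p["type_name"],
            "ACTIVE" if p["active"] else "not active", p["lba"], p["numsec"]))
    print("Unpartitioned:", unpartitioned_ranges(t, DISK0_SECTORS))
    print("Findings:", check_mbr(t, DISK0_SECTORS) or "none")
```

On a live system the 512 bytes would come from reading sector 0 of the physical drive (for example `\\.\PhysicalDrive0` opened as administrator); offline, feed the function the first sector of a disk image. The gap ranges, not the partition entries, are what to dump and hash when a ransomware lock survives a restore, since a restore point rewrites files inside the NTFS volume and nothing outside it.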

Well done, let's run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


See if you can run this:

Please download RogueKiller to your desktop and run it.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, right-click the program, select Run as Administrator to start, and when prompted, allow it to run.

Click Scan to scan the system.

When the scan completes, close the program. Don't fix anything!

Don't run any other options; they're not all bad!

Post back the report which should be located on your desktop.

MrC


Well, I cannot access my desktop. The link you sent me earlier warned that a reformat and reinstall was the only sure way to get rid of this, and I don't think either of us needs to waste another day doing the same thing all over again. So I guess I will follow the advice given earlier. Thank you for the trouble.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.