
Trouble Removing FBI Green Dot Moneypack Virus



I have a Dell PC running Windows XP that got infected with the FBI Green Dot Moneypak Virus. This system has an administrator account that was not infected, so I used it to run MalwareBytes this morning (with all current updates). Found and removed a lot of detected problems, but alas I still get the fake FBI notice screen with the infected account. I've run Quick and Full Scans with MalwareBytes, scans with Hitman Pro (often recommended to remove this virus), and run Advanced System Care, which found one piece of malware it removed.

I had tried to remove/disable this by doing a system restore, but all recent system restore dates fail.

Bottom line is I still get the fake screen on the infected account.

How do you suggest I proceed?


Welcome to the forum....

See if you can do this:

Please download Farbar Recovery Scan Tool and save it to a folder. (32bit version)

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

If not, run Kaspersky and Unlocker as outlined Here.

Let me know.....MrC


Okay, here is the FRST.txt with Addition.txt attached.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-05-2013

Ran by administrator (administrator) on 31-05-2013 08:59:30

Running from C:\Documents and Settings\administrator.CCCM\Desktop

Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)

Internet Explorer Version 8

Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(IObit) C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe

(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe

(IObit) C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe

(ABBYY) C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe

(Spigot, Inc.) C:\Program Files\Application Updater\ApplicationUpdater.exe

(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe

(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe

(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe

(Computer Associates) C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

(Yahoo! Inc.) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

(Microsoft Corporation) C:\WINDOWS\system32\fxssvc.exe

(SurfRight B.V.) C:\Program Files\HitmanPro\HitmanPro.exe

(SEIKO EPSON CORPORATION) C:\Program Files\Epson Software\Event Manager\EEventManager.exe

(Musicmatch, Inc.) C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

(Sun Microsystems, Inc.) C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

(Spigot, Inc.) C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe

(IObit) C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe

(IObit) C:\Program Files\IObit\Advanced SystemCare 6\DelayLoad.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64" [99840 2003-05-27] (SEIKO EPSON CORPORATION)

HKLM\...\Run: [EEventManager] "C:\Program Files\Epson Software\Event Manager\EEventManager.exe" [979328 2010-10-12] (SEIKO EPSON CORPORATION)

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [98304 2006-03-30] (Apple Computer, Inc.)

HKLM\...\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [110592 2006-09-18] (Musicmatch, Inc.)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [144784 2008-06-10] (Sun Microsystems, Inc.)

HKLM\...\Run: [] [x]

HKLM\...\Run: [searchSettings] "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe" [1298240 2013-05-15] (Spigot, Inc.)

HKLM\...\Winlogon: [system]

Winlogon\Notify\klogon: C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)

Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)

HKCU\...\Run: [Advanced SystemCare 5] "C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe" /AutoStart [x]

HKCU\...\Run: [Advanced SystemCare 6] "C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe" /AutoStart [491840 2013-04-18] (IObit)

HKU\Administrator\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)

HKU\administrator.FPCM\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)

HKU\davek\...\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe [x]

HKU\davek\...\Run: [PopularScreensaversWallpaper] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\F3SCRCTR.DLL,LES [x]

HKU\davek\...\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /M "Stylus C64" /EF "HKCU" [ 2003-05-27] (SEIKO EPSON CORPORATION)

HKU\davek\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)

HKU\davek.CCCM\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]

HKU\davek.CCCM\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)

HKU\davek.CCCM\...\Run: [EPLTarget\P0000000000000000] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_TATIHWA.EXE /EPT "EPLTarget\P0000000000000000" /M "WorkForce 545" [ 2011-04-24] (SEIKO EPSON CORPORATION)

HKU\davek.CCCM\...\Run: [Advanced SystemCare 6] "C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe" /AutoStart [ 2013-04-18] (IObit)

HKU\davek.CCCM\...\Run: [Adobe] rundll32 "C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\Apple\Adobe\njxyuv.dll",DllRegisterServer [x]

HKU\davek.CCCM\...\Run: [svc2dll] C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\svcxdcl32.exe [x]

HKU\davek.CCCM\...\Run: [] C:\Documents and Settings\davek.CCCM\opera.exe [ 2013-05-30] (FileZilla Project)

HKU\davek.CCCM\...\Policies\system: [NoDispCpl] 0

HKU\davek.CCCM\...\Policies\system: [NoDispAppearancePage] 0

HKU\davek.CCCM\...\Policies\system: [NoDispBackgroundPage] 0

HKU\davek.CCCM\...\Policies\system: [NoDispSettingsPage] 0

HKU\Default User\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)

HKU\Sue McKinney\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)

SSODL: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll (Microsoft Corporation)

BootExecute: autocheck autochk * bootdelete

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co...-inc&channel=us

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co...-inc&channel=us

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co...html?channel=us

URLSearchHook: IObit Apps Toolbar - {03EB0E9C-7A91-4381-A220-9B52B641CDB1} - C:\Program Files\IObit Apps Toolbar\IE\7.1\iobitappsToolbarIE.dll (Spigot, Inc.)

URLSearchHook: YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)

SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.c...referrer:source?}

HKCU SearchScopes: DefaultScope {FBBE751C-C2E8-49E1-AC6D-B232168155DE} URL = http://search.yahoo....&p={searchTerms}

SearchScopes: HKCU - {FBBE751C-C2E8-49E1-AC6D-B232168155DE} URL = http://search.yahoo....&p={searchTerms}

BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)

BHO: IObit Apps Toolbar - {03EB0E9C-7A91-4381-A220-9B52B641CDB1} - C:\Program Files\IObit Apps Toolbar\IE\7.1\iobitappsToolbarIE.dll (Spigot, Inc.)

BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL (Sonic Solutions)

BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO: Search.com Bar - {80987362-6216-49bc-98e4-77e6cf71a5d7} - C:\Program Files\searchcom_001\searchcom_001X.dll ()

BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)

BHO: No Name - {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - C:\PROGRA~1\IObit\ADVANC~3\BROWER~1\ASCPLU~1.DLL (IObit)

BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)

BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

BHO: NetAssistant - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll (W3i, LLC)

Toolbar: HKLM - MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)

Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)

Toolbar: HKLM - Search.com Bar - {80987362-6216-49bc-98e4-77e6cf71a5d7} - C:\Program Files\searchcom_001\searchcom_001X.dll ()

Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

Toolbar: HKLM - IObit Apps Toolbar - {03EB0E9C-7A91-4381-A220-9B52B641CDB1} - C:\Program Files\IObit Apps Toolbar\IE\7.1\iobitappsToolbarIE.dll (Spigot, Inc.)

Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

Toolbar: HKCU -No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

PDF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} https://accounting.q....588/qboax9.cab

PDF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab

PDF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} http://download.micr...loadManager.cab

PDF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab

PDF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab

PDF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab

Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [245248] (Microsoft Corporation)

Tcpip\Parameters: [DhcpNameServer] 10.32.40.2

========================== Services (Whitelisted) =================

R2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)

R2 AdvancedSystemCareService6; C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe [574272 2013-04-18] (IObit)

R2 Application Updater; C:\Program Files\Application Updater\ApplicationUpdater.exe [806776 2013-05-15] (Spigot, Inc.)

S3 AVP; C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe [311680 2010-03-12] (Kaspersky Lab)

S3 CA_LIC_CLNT; C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [77824 2002-09-20] (Computer Associates)

S3 CA_LIC_SRVR; C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [77824 2002-09-20] (Computer Associates)

S3 DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [76848 2007-03-07] ()

R2 EpsonCustomerParticipation; C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe [521600 2011-06-09] (SEIKO EPSON CORPORATION)

R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [106280 2013-05-30] (SurfRight B.V.)

R2 IMFservice; C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe [820568 2011-07-20] (IObit)

R2 LogWatch; C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [53248 2002-09-20] (Computer Associates)

S4 McAfeeFramework; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [103744 2008-05-20] (McAfee, Inc.)

S3 NetSvc; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [147456 2004-11-19] (Intel® Corporation)

S4 HidServ; %SystemRoot%\System32\hidserv.dll [x]

R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

R2 ASCTRM; C:\Windows\System32\Drivers\ASCTRM.sys [8552 2006-03-30] (Windows ® 2000 DDK provider)

R2 DLABOIOM; C:\Windows\System32\DLA\DLABOIOM.SYS [25628 2005-09-08] (Sonic Solutions)

R1 DLACDBHM; C:\Windows\System32\Drivers\DLACDBHM.SYS [5628 2005-08-25] (Sonic Solutions)

R2 DLADResN; C:\Windows\System32\DLA\DLADResN.SYS [2496 2005-09-08] (Sonic Solutions)

R2 DLAIFS_M; C:\Windows\System32\DLA\DLAIFS_M.SYS [86524 2005-09-08] (Sonic Solutions)

R2 DLAOPIOM; C:\Windows\System32\DLA\DLAOPIOM.SYS [14684 2005-09-08] (Sonic Solutions)

R2 DLAPoolM; C:\Windows\System32\DLA\DLAPoolM.SYS [6364 2005-09-08] (Sonic Solutions)

R1 DLARTL_N; C:\Windows\System32\Drivers\DLARTL_N.SYS [22684 2005-08-25] (Sonic Solutions)

R2 DLAUDFAM; C:\Windows\System32\DLA\DLAUDFAM.SYS [94332 2005-09-08] (Sonic Solutions)

R2 DLAUDF_M; C:\Windows\System32\DLA\DLAUDF_M.SYS [87036 2005-09-08] (Sonic Solutions)

R2 DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [40544 2005-08-12] (Sonic Solutions)

S3 DSproct; C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys [4736 2006-10-05] (Gteko Ltd.)

R3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows ® Server 2003 DDK provider)

R3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [1302812 2005-10-14] (Intel Corporation)

R1 kl1; C:\WINDOWS\system32\drivers\kl1.sys [126480 2009-11-12] (Kaspersky Lab)

R3 KLFLTDEV; C:\Windows\System32\DRIVERS\klfltdev.sys [24848 2009-09-03] (Kaspersky Lab)

R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [231512 2012-04-26] (Kaspersky Lab)

R3 klim5; C:\Windows\System32\DRIVERS\klim5.sys [32272 2009-09-14] (Kaspersky Lab)

R0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [14776 2010-11-26] ()

R3 STHDA; C:\Windows\System32\drivers\sthda.sys [1047816 2005-11-16] (SigmaTel, Inc.)

S4 Abiosdsk; No ImagePath

S4 Atdisk; No ImagePath

S1 Changer; No ImagePath

S0 hbhe; System32\drivers\qcjxbqy.sys [x]

S1 lbrtfdc; No ImagePath

S1 mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys [x]

S1 PCIDump; No ImagePath

S3 PDCOMP; No ImagePath

S3 PDFRAME; No ImagePath

S3 PDRELI; No ImagePath

S3 PDRFRAME; No ImagePath

S4 Simbad; No ImagePath

S3 wanatw; system32\DRIVERS\wanatw4.sys [x]

S3 WDICA; No ImagePath

U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-31 08:59 - 2013-05-31 08:59 - 00000000 ____D C:\FRST

2013-05-31 08:59 - 2013-05-31 08:55 - 01355557 ____A (Farbar) C:\Documents and Settings\administrator.CCCM\Desktop\FRST.exe

2013-05-30 16:46 - 2013-05-30 16:46 - 00002169 ____A C:\Documents and Settings\administrator.CCCM\Desktop\aswMBR.txt

2013-05-30 16:44 - 2013-05-30 16:44 - 00047632 ____A C:\Documents and Settings\administrator.CCCM\Desktop\Extras.Txt

2013-05-30 16:43 - 2013-05-30 16:43 - 00057268 ____A C:\Documents and Settings\administrator.CCCM\Desktop\OTL.Txt

2013-05-30 16:31 - 2013-05-30 16:30 - 04745728 ____A (AVAST Software) C:\Documents and Settings\administrator.CCCM\Desktop\aswMBR.exe

2013-05-30 16:31 - 2013-05-30 16:26 - 00602112 ____A (OldTimer Tools) C:\Documents and Settings\administrator.CCCM\Desktop\OTL.exe

2013-05-30 15:53 - 2013-05-30 15:54 - 00000000 ____D C:\Documents and Settings\administrator.CCCM\Application Data\Search Settings

2013-05-30 15:53 - 2013-05-30 15:53 - 00000000 ____D C:\Program Files\IObit Apps Toolbar

2013-05-30 15:53 - 2013-05-30 15:53 - 00000000 ____D C:\Program Files\Application Updater

2013-05-30 15:51 - 2013-05-30 15:51 - 00001610 ____A C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk

2013-05-30 15:38 - 2013-05-30 15:51 - 00000000 ____D C:\Program Files\HitmanPro

2013-05-30 15:12 - 2013-05-30 15:12 - 00069688 ____A C:\Documents and Settings\administrator.CCCM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2013-05-30 14:27 - 2013-05-30 14:26 - 00094112 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll

2013-05-30 14:27 - 2013-05-30 14:25 - 00866720 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll

2013-05-30 14:27 - 2013-05-30 14:25 - 00263584 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe

2013-05-30 14:27 - 2013-05-30 14:25 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe

2013-05-30 14:27 - 2013-05-30 14:25 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\java.exe

2013-05-30 14:24 - 2013-05-30 14:24 - 34500608 ____A C:\Windows\System32\config\SOFTWARE.iobit

2013-05-30 14:24 - 2013-05-30 14:24 - 00299008 ____A C:\Windows\System32\config\DEFAULT.iobit

2013-05-30 14:24 - 2013-05-30 14:24 - 00061440 ____A C:\Windows\System32\config\SECURITY.iobit

2013-05-30 14:24 - 2013-05-30 14:24 - 00028672 ____A C:\Windows\System32\config\SAM.iobit

2013-05-30 14:03 - 2013-05-30 14:03 - 00015466 ____A C:\Windows\System32\.crusader

2013-05-30 13:39 - 2013-05-31 08:56 - 00000438 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{A0D0BD7C-CFB5-4954-AEA7-0E0131112830}.job

2013-05-30 13:39 - 2013-05-30 13:39 - 00000000 __SHD C:\Documents and Settings\administrator.CCCM\IECompatCache

2013-05-30 13:19 - 2013-05-30 15:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro

2013-05-30 11:16 - 2013-05-30 11:16 - 00000000 ____D C:\Documents and Settings\administrator.CCCM\Application Data\Malwarebytes

2013-05-30 09:39 - 2013-05-30 09:39 - 00096256 ____A (FileZilla Project) C:\Documents and Settings\davek.CCCM\acrobat.exe

2013-05-30 09:39 - 2013-05-30 09:39 - 00000000 ____A C:\Documents and Settings\davek.CCCM\skype.exe

2013-05-30 09:34 - 2013-05-30 09:34 - 00122368 ____A (FileZilla Project) C:\Documents and Settings\davek.CCCM\opera.exe

2013-05-30 09:34 - 2013-05-30 09:34 - 00000000 ____A C:\Documents and Settings\davek.CCCM\icq.exe

2013-05-22 11:26 - 2013-05-30 09:16 - 00000154 ____A C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\svcxdcl32.dat

2013-05-20 12:31 - 2013-05-30 14:02 - 00000000 ____D C:\Documents and Settings\davek.CCCM\Application Data\wabEventSupport16

2013-05-20 11:53 - 2013-05-30 14:15 - 00054156 ___AH C:\Windows\QTFont.qfn

2013-05-20 11:53 - 2013-05-20 11:53 - 00001409 ____A C:\Windows\QTFont.for

2013-05-17 12:59 - 2013-05-17 12:59 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\Folder Manager

==================== One Month Modified Files and Folders ========

2013-05-31 08:59 - 2013-05-31 08:59 - 00000000 ____D C:\FRST

2013-05-31 08:58 - 2013-01-10 10:12 - 00081809 ____A C:\Windows\setupapi.log

2013-05-31 08:57 - 2013-03-12 13:09 - 00000284 ____A C:\Windows\Tasks\ASC6_PerformanceMonitor.job

2013-05-31 08:57 - 2011-09-01 18:04 - 00000296 ____A C:\Windows\Tasks\SmartDefrag_Startup.job

2013-05-31 08:57 - 2010-02-04 15:13 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-05-31 08:57 - 2007-08-06 11:52 - 00000062 __ASH C:\Documents and Settings\administrator.CCCM\Local Settings\desktop.ini

2013-05-31 08:57 - 2004-08-11 16:00 - 00002206 ____A C:\Windows\System32\wpa.dbl

2013-05-31 08:56 - 2013-05-30 13:39 - 00000438 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{A0D0BD7C-CFB5-4954-AEA7-0E0131112830}.job

2013-05-31 08:56 - 2004-08-11 16:20 - 00032632 ____A C:\Windows\SchedLgU.Txt

2013-05-31 08:55 - 2013-05-31 08:59 - 01355557 ____A (Farbar) C:\Documents and Settings\administrator.CCCM\Desktop\FRST.exe

2013-05-31 08:54 - 2004-08-11 16:13 - 01479980 ____A C:\Windows\WindowsUpdate.log

2013-05-31 08:53 - 2007-08-06 11:50 - 00000278 __ASH C:\Documents and Settings\davek.CCCM\ntuser.ini

2013-05-31 08:53 - 2004-08-11 16:20 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini

2013-05-31 08:53 - 2004-08-11 16:20 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini

2013-05-31 08:53 - 2004-08-11 16:20 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-31 08:53 - 2004-08-11 16:09 - 00000159 ____A C:\Windows\wiadebug.log

2013-05-31 08:53 - 2004-08-11 16:09 - 00000049 ____A C:\Windows\wiaservc.log

2013-05-31 08:52 - 2010-02-04 15:13 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-05-31 08:52 - 2007-08-06 11:50 - 00000062 __ASH C:\Documents and Settings\davek.CCCM\Local Settings\desktop.ini

2013-05-31 08:45 - 2007-08-06 11:52 - 00000178 ___SH C:\Documents and Settings\administrator.CCCM\ntuser.ini

2013-05-31 08:44 - 2006-06-15 09:58 - 00000000 __HDC C:\Windows\$NtUninstallKB911280$

2013-05-31 08:42 - 2012-04-26 10:13 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-05-30 23:00 - 2011-11-16 18:14 - 00000314 ____A C:\Windows\Tasks\Regwork.job

2013-05-30 16:46 - 2013-05-30 16:46 - 00002169 ____A C:\Documents and Settings\administrator.CCCM\Desktop\aswMBR.txt

2013-05-30 16:44 - 2013-05-30 16:44 - 00047632 ____A C:\Documents and Settings\administrator.CCCM\Desktop\Extras.Txt

2013-05-30 16:43 - 2013-05-30 16:43 - 00057268 ____A C:\Documents and Settings\administrator.CCCM\Desktop\OTL.Txt

2013-05-30 16:30 - 2013-05-30 16:31 - 04745728 ____A (AVAST Software) C:\Documents and Settings\administrator.CCCM\Desktop\aswMBR.exe

2013-05-30 16:26 - 2013-05-30 16:31 - 00602112 ____A (OldTimer Tools) C:\Documents and Settings\administrator.CCCM\Desktop\OTL.exe

2013-05-30 15:54 - 2013-05-30 15:53 - 00000000 ____D C:\Documents and Settings\administrator.CCCM\Application Data\Search Settings

2013-05-30 15:53 - 2013-05-30 15:53 - 00000000 ____D C:\Program Files\IObit Apps Toolbar

2013-05-30 15:53 - 2013-05-30 15:53 - 00000000 ____D C:\Program Files\Application Updater

2013-05-30 15:53 - 2013-03-12 13:09 - 00000000 ____D C:\Program Files\Common Files\Spigot

2013-05-30 15:51 - 2013-05-30 15:51 - 00001610 ____A C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk

2013-05-30 15:51 - 2013-05-30 15:38 - 00000000 ____D C:\Program Files\HitmanPro

2013-05-30 15:48 - 2006-04-25 13:15 - 00000000 __SHD C:\Windows\CSC

2013-05-30 15:39 - 2006-03-30 00:31 - 00000000 ____D C:\Program Files\Common Files\Java

2013-05-30 15:38 - 2013-05-30 13:19 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro

2013-05-30 15:38 - 2012-04-26 13:20 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-05-30 15:38 - 2007-01-17 17:46 - 00000000 ____D C:\Documents and Settings\davek.CCCM\Application Data\Sonic

2013-05-30 15:12 - 2013-05-30 15:12 - 00069688 ____A C:\Documents and Settings\administrator.CCCM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2013-05-30 14:26 - 2013-05-30 14:27 - 00094112 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll

2013-05-30 14:25 - 2013-05-30 14:27 - 00866720 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll

2013-05-30 14:25 - 2013-05-30 14:27 - 00263584 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe

2013-05-30 14:25 - 2013-05-30 14:27 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe

2013-05-30 14:25 - 2013-05-30 14:27 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\java.exe

2013-05-30 14:25 - 2010-05-05 19:19 - 00788896 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll

2013-05-30 14:25 - 2007-04-16 10:49 - 00144896 ____A (Oracle Corporation) C:\Windows\System32\javacpl.cpl

2013-05-30 14:24 - 2013-05-30 14:24 - 34500608 ____A C:\Windows\System32\config\SOFTWARE.iobit

2013-05-30 14:24 - 2013-05-30 14:24 - 00299008 ____A C:\Windows\System32\config\DEFAULT.iobit

2013-05-30 14:24 - 2013-05-30 14:24 - 00061440 ____A C:\Windows\System32\config\SECURITY.iobit

2013-05-30 14:24 - 2013-05-30 14:24 - 00028672 ____A C:\Windows\System32\config\SAM.iobit

2013-05-30 14:24 - 2006-03-30 00:31 - 00000000 ____D C:\Program Files\Java

2013-05-30 14:20 - 2008-07-10 13:28 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\McAfee

2013-05-30 14:17 - 2013-03-12 10:08 - 00000925 ____A C:\Documents and Settings\All Users\Desktop\Uninstaller.lnk

2013-05-30 14:17 - 2013-03-12 10:08 - 00000874 ____A C:\Documents and Settings\All Users\Desktop\Advanced SystemCare 6.lnk

2013-05-30 14:15 - 2013-05-20 11:53 - 00054156 ___AH C:\Windows\QTFont.qfn

2013-05-30 14:03 - 2013-05-30 14:03 - 00015466 ____A C:\Windows\System32\.crusader

2013-05-30 14:02 - 2013-05-20 12:31 - 00000000 ____D C:\Documents and Settings\davek.CCCM\Application Data\wabEventSupport16

2013-05-30 13:39 - 2013-05-30 13:39 - 00000000 __SHD C:\Documents and Settings\administrator.CCCM\IECompatCache

2013-05-30 13:10 - 2012-12-02 13:12 - 00000000 ___RD C:\Documents and Settings\davek.CCCM\My Documents\Dropbox

2013-05-30 13:10 - 2012-12-02 13:02 - 00000000 ____D C:\Documents and Settings\davek.CCCM\Application Data\Dropbox

2013-05-30 13:08 - 2004-08-11 16:12 - 00000000 ____D C:\Windows\System32\Restore

2013-05-30 12:45 - 2008-10-23 20:31 - 00000000 __HDC C:\Windows\$NtUninstallKB958644$

2013-05-30 11:29 - 2009-07-21 16:03 - 00000000 __HDC C:\Windows\$NtUninstallKB961371$

2013-05-30 11:16 - 2013-05-30 11:16 - 00000000 ____D C:\Documents and Settings\administrator.CCCM\Application Data\Malwarebytes

2013-05-30 11:15 - 2011-09-01 17:42 - 00000000 ____D C:\Documents and Settings\administrator.CCCM\Application Data\IObit

2013-05-30 09:39 - 2013-05-30 09:39 - 00096256 ____A (FileZilla Project) C:\Documents and Settings\davek.CCCM\acrobat.exe

2013-05-30 09:39 - 2013-05-30 09:39 - 00000000 ____A C:\Documents and Settings\davek.CCCM\skype.exe

2013-05-30 09:34 - 2013-05-30 09:34 - 00122368 ____A (FileZilla Project) C:\Documents and Settings\davek.CCCM\opera.exe

2013-05-30 09:34 - 2013-05-30 09:34 - 00000000 ____A C:\Documents and Settings\davek.CCCM\icq.exe

2013-05-30 09:17 - 2004-08-11 16:11 - 00000000 ____D C:\Windows\System32\FxsTmp

2013-05-30 09:16 - 2013-05-22 11:26 - 00000154 ____A C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\svcxdcl32.dat

2013-05-23 11:26 - 2012-11-11 13:57 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\TAG

2013-05-20 17:12 - 2006-04-28 13:22 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Saftey.Scrty

2013-05-20 17:10 - 2006-04-28 13:22 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Staffing

2013-05-20 13:34 - 2012-04-30 10:15 - 00002187 ____A C:\Documents and Settings\All Users\Desktop\Safari.lnk

2013-05-20 12:00 - 2011-09-29 14:08 - 00000000 ____D C:\Program Files\Safari

2013-05-20 11:53 - 2013-05-20 11:53 - 00001409 ____A C:\Windows\QTFont.for

2013-05-20 10:06 - 2011-09-29 14:07 - 00000284 ____A C:\Windows\Tasks\AppleSoftwareUpdate.job

2013-05-17 12:59 - 2013-05-17 12:59 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\Folder Manager

2013-05-17 12:42 - 2006-04-28 13:16 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\MCS

2013-05-17 12:41 - 2012-10-11 11:18 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\High School

2013-05-16 12:35 - 2006-04-28 13:18 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Newsletter

2013-05-14 11:42 - 2012-04-26 10:13 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2013-05-14 11:42 - 2011-08-17 10:09 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2013-05-13 11:04 - 2012-06-05 14:40 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\GospelinLife

2013-05-13 11:04 - 2006-04-28 13:19 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Personal

2013-05-13 11:03 - 2012-03-08 14:04 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Tech Task Force

2013-05-13 11:03 - 2010-06-23 12:10 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Transition

2013-05-12 11:32 - 2011-09-29 14:07 - 00000000 ____D C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\Apple

2013-05-08 16:50 - 2006-04-28 13:22 - 00000000 ____D C:\Documents and Settings\davek.CCCM\My Documents\Policies and Procedures

Other Malware:

===========

C:\Documents and Settings\davek.CCCM\acrobat.exe

C:\Documents and Settings\davek.CCCM\icq.exe

C:\Documents and Settings\davek.CCCM\opera.exe

C:\Documents and Settings\davek.CCCM\skype.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Addition.txt

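The entries MrC later puts in the fixlist are exactly the autoruns in the log above that run from the user's profile, point at files FRST marks `[x]` (missing), have an empty value name, or carry a company string that does not fit the file name (an `opera.exe` attributed to "FileZilla Project"). The script below is an added example of turning that review into code; it is my own, not part of FRST, Malwarebytes or this thread. The sample lines are constructed to mirror the log above, and the flag heuristics and the vendor-word table are my own assumptions, meant to produce a review list for a human, not a verdict.

```python
"""Triage helper for FRST "Run:" lines (added example; not FRST's own code)."""
import re

# Constructed sample modelled on the FRST log posted in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [EEventManager] "C:\Program Files\Epson Software\Event Manager\EEventManager.exe" [979328 2010-10-12] (SEIKO EPSON CORPORATION)
HKCU\...\Run: [Advanced SystemCare 6] "C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe" /AutoStart [491840 2013-04-18] (IObit)
HKU\davek.CCCM\...\Run: [Adobe] rundll32 "C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\Apple\Adobe\njxyuv.dll",DllRegisterServer [x]
HKU\davek.CCCM\...\Run: [svc2dll] C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\svcxdcl32.exe [x]
HKU\davek.CCCM\...\Run: [] C:\Documents and Settings\davek.CCCM\opera.exe [ 2013-05-30] (FileZilla Project)
HKLM\...\Run: [] [x]
HKU\davek.CCCM\...\Policies\system: [NoDispCpl] 0
"""

# One FRST registry autorun line:
#   <hive>\...\Run: [<value name>] <command> [<size date> | x] (<company>)
RUN_LINE = re.compile(
    r"^(?P<hive>HK.*?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] ?"
    r"(?P<cmd>.*?) ?\[(?P<meta>[^\]]*)\](?: \((?P<vendor>[^)]*)\))?\s*$"
)
# First Windows path with an executable-type extension inside the command.
PATH_IN_CMD = re.compile(
    r'(?P<path>[A-Za-z]:\\[^"\[]*?\.(?:exe|dll|scr|cpl|sys))', re.IGNORECASE
)
# Assumption (constructed table): file names malware likes to borrow, paired
# with a word the genuine vendor's company string would contain.
EXPECTED_VENDOR_WORD = {
    "opera.exe": "opera", "skype.exe": "skype", "icq.exe": "icq",
    "acrobat.exe": "adobe", "chrome.exe": "google", "firefox.exe": "mozilla",
}
# Directory markers for a user profile on XP and on Vista and later.
PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")


def parse_run_line(line):
    """Return a dict for one FRST Run line, or None if the line is something else."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    pm = PATH_IN_CMD.search(entry["cmd"])
    entry["path"] = pm.group("path") if pm else None
    entry["vendor"] = entry["vendor"] or ""
    return entry


def reasons_for(entry):
    """Heuristic review flags for one autorun entry (a review list, not a verdict)."""
    reasons = []
    path = (entry["path"] or "").lower()
    file_name = path.rsplit("\\", 1)[-1]
    if entry["meta"].strip() == "x":
        reasons.append("target file missing on disk ([x]): orphaned value or loader already removed")
    if any(marker in path for marker in PROFILE_MARKERS):
        reasons.append("runs from a user profile directory rather than Program Files or Windows")
    if not entry["name"]:
        reasons.append("empty value name")
    if entry["cmd"].lower().startswith("rundll32") and path.endswith(".dll"):
        reasons.append("rundll32 loads a DLL by path (common loader pattern)")
    expected = EXPECTED_VENDOR_WORD.get(file_name)
    if expected and expected not in entry["vendor"].lower():
        reasons.append(f"file name {file_name} but company string is '{entry['vendor']}'")
    return reasons


def triage(log_text):
    """Parse every Run line in an FRST log and return only entries that raised a flag."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_run_line(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            flagged.append({"hive": entry["hive"], "name": entry["name"],
                            "path": entry["path"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['hive']} [{hit['name']}] {hit['path']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Run against the constructed sample it flags the four entries that match what the fixlist removed and leaves the Epson and IObit entries alone. Legitimate software that installs per-user (Dropbox, Google Update) will also land on the list through the profile-directory rule, which is why the output is meant as a list to review with the rest of the log, not something to feed straight into a fixlist.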

Okay, I ran the fixlist and have the log posted below. I also logged into the infected user account and the bogus FBI screen no longer comes up, nor does the bogus missing dll window that was part of the malware. Is there any other clean up I need to do? Also, can you tell what this was attached to that caused the infection? The user claims they haven't installed anything lately and I don't want this to spread. I want to thank you for your help. I know you volunteer your time and am very appreciative of your efforts. I do the same in my realm, so I know how this can be both rewarding and at times thankless work. I want you to know your efforts are appreciated.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 30-05-2013

Ran by administrator at 2013-05-31 09:49:41 Run:1

Running from C:\Documents and Settings\administrator.CCCM\Desktop

Boot Mode: Normal

==============================================

HKEY_USERS\davek.CCCM\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe => Value deleted successfully.

HKEY_USERS\davek.CCCM\Software\Microsoft\Windows\CurrentVersion\Run\\Svc2dll => Value deleted successfully.

C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\Apple\Adobe\njxyuv.dll => File/Directory not found.

C:\Documents and Settings\davek.CCCM\Local Settings\Application Data\svcxdcl32.exe => File/Directory not found.

C:\Documents and Settings\davek.CCCM\acrobat.exe => Moved successfully.

C:\Documents and Settings\davek.CCCM\icq.exe => Moved successfully.

C:\Documents and Settings\davek.CCCM\opera.exe => Moved successfully.

C:\Documents and Settings\davek.CCCM\skype.exe => Moved successfully.

==== End of Fixlog ====


We'll check through the whole system....Please do this........

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

MrC


No, skip it.

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that your system is now functioning normally.

MrC


Well, Malwarebytes Anti-Rootkit found no threats the first time through and all functions seem to be working (your checklist above). Just in case, here are the logs. Once again, thank you so much for your assistance.

Malwarebytes Anti-Rootkit BETA 1.06.0.1003
www.malwarebytes.org
Database version: v2013.05.31.08
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
davek :: WS-EP1 [administrator]
5/31/2013 4:32:49 PM
mbar-log-2013-05-31 (16-32-49).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: Deep Anti-Rootkit Scan | PUP
Objects scanned: 312368
Time elapsed: 24 minute(s), 17 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
Physical Sectors Detected: 0
(No malicious items detected)
(end)

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1003
© Malwarebytes Corporation 2011-2012
OS version: 5.1.2600 Windows XP Service Pack 3 x86
Account is Administrative
Internet Explorer version: 8.0.6001.18702
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.793000 GHz
Memory total: 526462976, free: 224141312
Downloaded database version: v2013.05.31.08
Downloaded database version: v2013.05.22.01



Good....Next:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
