Need help in removing rootkit agent



Hello,

 

I'm having trouble removing a rootkit agent that was detected by Malwarebytes Anti-Malware. After scanning and rebooting it's still there. Things I've tried thus far: Malwarebytes Anti-Rootkit, ComboFix, and rKill. None of these programs was able to remove it.

Any help would be very much appreciated. I've attached the 2 logs (FRST.txt and Addition.txt) that were requested in the instructions. Thank you.

 

 

 


Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you to. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

Please post up C:\combofix.txt and the logs of MBAM as well.


Marius,

Thank you for responding to my posting. I initially replied to your message using my Yahoo email account because that is where I first received your reply. But after doing so, I was worried that you might not receive it through Yahoo, so I decided to reply using the Malwarebytes forum, just in case.

I have pasted the ComboFix and Malwarebytes logs below as you requested.

 

-----------------------------------------------------------------------------------------------------------------------

 

ComboFix 14-05-19.01 - User 05/21/2014 21:50:12.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1640 [GMT -4:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fondjldmlgegffdolhcemggekfcichib

c:\documents and settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fondjldmlgegffdolhcemggekfcichib\2.2\background.html

c:\documents and settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fondjldmlgegffdolhcemggekfcichib\2.2\content.js

c:\documents and settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fondjldmlgegffdolhcemggekfcichib\2.2\lsdb.js

c:\documents and settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fondjldmlgegffdolhcemggekfcichib\2.2\manifest.json

c:\documents and settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fondjldmlgegffdolhcemggekfcichib\2.2\TbQEY2hkmKH.js

c:\documents and settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

c:\documents and settings\All Users\Application Data\CostMin

c:\documents and settings\User\Application Data\LocalLow

c:\documents and settings\User\Application Data\LocalLow\Company\Product\1.0\localStorageIE.txt

c:\documents and settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fondjldmlgegffdolhcemggekfcichib

c:\documents and settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fondjldmlgegffdolhcemggekfcichib\2.2\background.html

c:\documents and settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fondjldmlgegffdolhcemggekfcichib\2.2\content.js

c:\documents and settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fondjldmlgegffdolhcemggekfcichib\2.2\lsdb.js

c:\documents and settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fondjldmlgegffdolhcemggekfcichib\2.2\manifest.json

c:\documents and settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fondjldmlgegffdolhcemggekfcichib\2.2\TbQEY2hkmKH.js

c:\documents and settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

c:\program files\CostMin

.

.

((((((((((((((((((((((((( Files Created from 2014-04-22 to 2014-05-22 )))))))))))))))))))))))))))))))

.

.

2014-05-16 07:53 . 2014-04-14 23:47 145408 ----a-w- c:\windows\system32\javacpl.cpl

2014-05-16 07:53 . 2014-04-15 00:13 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2014-05-15 15:13 . 2014-05-15 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\UpdateServer

2014-05-15 15:13 . 2014-05-15 15:13 -------- d-----w- c:\program files\predm

2014-05-15 15:10 . 2014-05-15 15:10 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Company

2014-05-15 15:10 . 2014-05-15 15:10 -------- d-----w- c:\program files\Common Files\Java

2014-05-15 15:08 . 2014-05-16 23:45 -------- d-----w- c:\documents and settings\User\Application Data\6244

2014-05-15 15:07 . 2014-05-15 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AllaboutApp

2014-05-15 15:07 . 2014-05-16 16:36 -------- d-----w- c:\program files\Supporter

2014-05-15 14:59 . 2014-05-15 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\MediaDev

2014-05-15 14:54 . 2014-05-15 14:54 -------- d-----w- c:\documents and settings\All Users\Application Data\UpdateTask

2014-05-15 14:45 . 2014-05-15 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\UpdateCommon

2014-05-15 14:45 . 2014-05-22 01:36 -------- d-----w- c:\documents and settings\User\Application Data\serv

2014-05-15 14:45 . 2014-05-15 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Online

2014-05-09 08:13 . 2000-01-01 00:00 27648 ------w- c:\windows\system32\agrsco64.dll

2014-05-09 08:12 . 2014-05-09 08:12 -------- d-----w- c:\program files\LSI SoftModem

2014-05-09 07:45 . 2014-05-09 07:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Secure Search

2014-05-09 07:45 . 2014-05-15 15:12 -------- d-----w- c:\program files\Common Files\AVG Secure Search

2014-05-09 07:44 . 2014-05-15 08:06 13464 ----a-w- c:\windows\system32\drivers\SWDUMon.sys

2014-05-09 07:34 . 2014-05-09 07:34 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\DriverToolkit

2014-05-09 07:34 . 2014-05-09 08:20 -------- d-----w- c:\program files\DriverToolkit

2014-05-08 11:46 . 2014-05-08 12:22 -------- d-----w- c:\documents and settings\User\Application Data\Audacity

2014-05-08 11:46 . 2014-05-09 00:43 -------- d-----w- c:\program files\Audacity

2014-05-06 19:18 . 2014-05-06 19:18 -------- d-----w- c:\program files\DivX

2014-05-06 19:16 . 2014-05-06 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2014-05-01 18:15 . 2014-05-01 18:54 -------- d-----w- c:\program files\Opera Brouzer

2014-04-27 23:37 . 2014-04-27 23:37 -------- d-----w- c:\windows\system32\wbem\Repository

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2014-05-21 08:26 . 1980-01-13 21:13 52312 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2014-05-17 12:46 . 2013-01-15 16:09 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2014-05-17 12:46 . 2013-01-15 16:09 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2014-04-28 07:58 . 2014-04-07 23:37 403440 ----a-w- c:\windows\system32\drivers\aswsp.sys

2014-04-07 23:37 . 2014-04-07 23:37 57672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2014-04-07 23:37 . 2014-04-07 23:37 178304 ----a-w- c:\windows\system32\drivers\aswVmm.sys

2014-04-07 23:37 . 2014-04-07 23:37 774392 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2014-04-07 23:37 . 2014-04-07 23:37 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys

2014-04-07 23:37 . 2014-04-07 23:37 70384 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2014-04-07 23:37 . 2014-04-07 23:37 35656 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2014-04-07 23:37 . 2014-04-07 23:37 54832 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2014-04-07 23:37 . 2014-04-07 23:37 269216 ----a-w- c:\windows\system32\aswBoot.exe

2014-04-07 23:37 . 2014-04-07 23:37 43152 ----a-w- c:\windows\avastSS.scr

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2013-05-29 . C79FFF367F8F567AFC9543A359556FDF . 3092992 . . [6.00.2900.6400] . . c:\windows\ie8\mshtml.dll

[-] 2011-11-04 . DD8D655E1881B70A5259A23A6018A6C2 . 5978112 . . [8.00.6001.19170] . . c:\windows\system32\mshtml.dll

[7] 2008-04-14 . A706E122B398FE1AB85CB9B75D044223 . 3066880 . . [6.00.2900.5512] . . c:\windows\$NtUninstallKB2846071$\mshtml.dll

.

[7] 2013-05-29 . C86A8A2B6920ECE64F448BFBB33B596D . 668672 . . [6.00.2900.6400] . . c:\windows\ie8\wininet.dll

[-] 2011-11-04 . 552263502EA8C24D301A0C43FF90B3ED . 916992 . . [8.00.6001.19165] . . c:\windows\system32\wininet.dll

[7] 2008-04-14 . 7A4F775ABB2F1C97DEF3E73AFA2FAEDD . 666112 . . [6.00.2900.5512] . . c:\windows\$NtUninstallKB2846071$\wininet.dll

.

[-] 2012-04-11 . 0C9E44D256948FA68AE10D67984862CE . 2069120 . . [5.1.2600.6206] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe

[-] 2012-04-11 . 61CCE48F7BD00E0E4D5CDE206F2DDC1B . 2026496 . . [5.1.2600.6206] . . c:\windows\system32\ntkrnlpa.exe

.

[-] 2012-04-11 . A144D60B35E6DD14CCB9649B5E0D1092 . 2148352 . . [5.1.2600.6206] . . c:\windows\system32\ntoskrnl.exe

[-] 2012-04-11 . 536168936EBF326E36C655EC5AE34B03 . 2192640 . . [5.1.2600.6206] . . c:\windows\Driver Cache\i386\ntoskrnl.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2014-04-07 23:37 321752 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-29 1545512]

"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-04-07 3568312]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2000-01-01 872448]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Stickies.lnk - c:\program files\Stickies\stickies.exe [2014-1-9 1134592]

.

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Source= c:\documents and settings\User\My Documents\My Pictures\kronos_oblique_634593858441530000.png

FriendlyName=

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2013-01-12 15:36 12536 ----a-w- c:\windows\system32\avgrsstx.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Dropbox.lnk]

path=c:\documents and settings\User\Start Menu\Programs\Startup\Dropbox.lnk

backup=c:\windows\pss\Dropbox.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^HP SimpleSave Monitor.lnk]

path=c:\documents and settings\User\Start Menu\Programs\Startup\HP SimpleSave Monitor.lnk

backup=c:\windows\pss\HP SimpleSave Monitor.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 04:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2009-03-13 19:57 173592 ----a-w- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2009-03-13 19:57 141336 ----a-w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2009-03-13 19:57 142360 ----a-w- c:\windows\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

2000-01-01 00:00 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2009-07-29 21:31 1545512 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ose"=3 (0x3)

"LightScribeService"=2 (0x2)

"avg9emc"=2 (0x2)

"AgereModemAudio"=2 (0x2)

"upnphost"=3 (0x3)

"TlntSvr"=3 (0x3)

"SSDPSRV"=3 (0x3)

"RemoteAccess"=3 (0x3)

"RDSessMgr"=3 (0x3)

"mnmsrvc"=3 (0x3)

"Messenger"=2 (0x2)

"BackupService"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

.

R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [4/7/2014 7:37 PM 49944]

R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [4/7/2014 7:37 PM 178304]

R1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\User\Desktop\AV\EmsisoftEmergencyKit\Run\a2ddax86.sys [1/13/1980 5:00 PM 22056]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/7/2014 7:37 PM 774392]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [4/7/2014 7:37 PM 403440]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/7/2014 7:37 PM 35656]

R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [4/7/2014 7:37 PM 70384]

R2 HighliteApp_1017;HighliteApp Update ;c:\program files\Common Files\Services\1017\hlupdate.exe [5/15/2014 11:06 AM 103424]

R2 MediaDevSrv;MediaDevSrv;c:\documents and settings\All Users\Application Data\MediaDev\1400165987\mediadev.exe [5/15/2014 10:59 AM 366912]

R2 WinDevSrv;WinDevSrv;c:\documents and settings\All Users\Application Data\UpdateServer\1400166835\webdev.exe [5/15/2014 11:13 AM 390464]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/26/2010 8:59 PM 36352]

R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [9/4/2013 7:30 PM 6616816]

S2 40030ae4;Supporter;c:\windows\system32\rundll32.exe [4/14/2008 12:42 AM 33280]

S3 cleanhlp;cleanhlp;c:\documents and settings\User\Desktop\AV\EmsisoftEmergencyKit\Run\cleanhlp32.sys [1/13/1980 5:00 PM 50200]

S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [9/12/2012 5:44 PM 33024]

S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [5/9/2014 3:44 AM 13464]

S4 BackupService;BackupService;c:\documents and settings\User\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [1/17/2014 6:44 PM 67104]

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-10-16 17:49 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

TCP: DhcpNameServer = 192.168.3.254

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)

HKLM-Run-fst_us_51 - (no file)

AddRemove-LSI Soft Modem - c:\windows\agrsmdel

AddRemove-{5F189DF5-2D05-472B-9091-84D9848AE48B}{40030ae4} - c:\progra~1\SUPPOR~1\SUPPOR~1.DLL

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2014-05-21 21:56

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TrueSight]

"ImagePath"="\??\"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-329068152-1935655697-1417001333-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2948)

c:\windows\system32\WININET.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVAST Software\Avast\AvastSvc.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\Java\jre7\bin\jqs.exe

c:\windows\system32\tcpsvcs.exe

.

**************************************************************************

.

Completion time: 2014-05-21 21:58:16 - machine was rebooted

ComboFix-quarantined-files.txt 2014-05-22 01:58

ComboFix2.txt 2014-01-14 11:10

ComboFix3.txt 2013-08-22 15:20

ComboFix4.txt 2013-06-29 02:03

.

Pre-Run: 62,715,584,512 bytes free

Post-Run: 62,885,605,376 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

.

- - End Of File - - 4F210967238D081950E5282D4AD5F703

8F558EB6672622401DA993E1E865C861

 

---------------------------------------------------------------------------------------------------------------------------

 

 

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

Database version: v2014.03.07.05

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

User :: COMPUTER_1 [administrator]

5/21/2014 10:01:01 PM

mbam-log-2014-05-21 (22-01-01).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 329027

Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINDEVSRV (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

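Added example (not from the thread's participants or from Malwarebytes): a small Python triage script over the service lines in the ComboFix log above. Two things in that log are worth pulling out mechanically. First, MBAM's only hit was the PnP shadow key `HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINDEVSRV`; the service it belongs to, `WinDevSrv`, and its binary `webdev.exe` are still listed as running (R2) in the ComboFix output, so quarantining that key alone does not remove the service. Second, several services load from `Documents and Settings\All Users\Application Data` directories named with 10-digit numbers; those numbers are Unix timestamps (1400165987 decodes to 2014-05-15 14:59:47 UTC, which matches the creation time ComboFix recorded for the MediaDev folder), and one service (`40030ae4`, display name `Supporter`) runs under rundll32.exe, so the line does not show the DLL actually loaded. The script parses the `R*`/`S*` service lines, flags those patterns for review, and maps a LEGACY_ key back to its service record. The service lines are copied from the log as constructed sample input; the heuristics and thresholds (the 2000 to 2030 epoch window, the 8-hex-digit name check) are my own assumptions, and a flag is a review item, not a verdict.

```python
"""Triage of ComboFix 'R*/S*' service lines (added example, not from the thread)."""
import re
from datetime import datetime, timezone

# Constructed sample input: the service lines copied from the ComboFix log
# posted above, so the script runs offline against what the thread shows.
COMBOFIX_SERVICES = r"""
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [4/7/2014 7:37 PM 49944]
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\User\Desktop\AV\EmsisoftEmergencyKit\Run\a2ddax86.sys [1/13/1980 5:00 PM 22056]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [4/7/2014 7:37 PM 70384]
R2 HighliteApp_1017;HighliteApp Update ;c:\program files\Common Files\Services\1017\hlupdate.exe [5/15/2014 11:06 AM 103424]
R2 MediaDevSrv;MediaDevSrv;c:\documents and settings\All Users\Application Data\MediaDev\1400165987\mediadev.exe [5/15/2014 10:59 AM 366912]
R2 WinDevSrv;WinDevSrv;c:\documents and settings\All Users\Application Data\UpdateServer\1400166835\webdev.exe [5/15/2014 11:13 AM 390464]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/26/2010 8:59 PM 36352]
S2 40030ae4;Supporter;c:\windows\system32\rundll32.exe [4/14/2008 12:42 AM 33280]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [9/12/2012 5:44 PM 33024]
S4 BackupService;BackupService;c:\documents and settings\User\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [1/17/2014 6:44 PM 67104]
"""

# One ComboFix service line: "<start type> <name>;<display>;<image path> [<date> <size>]"
LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
PROFILE_DIR = re.compile(r"^c:\\documents and settings\\", re.IGNORECASE)
HEX_NAME = re.compile(r"[0-9a-f]{8}", re.IGNORECASE)   # used with fullmatch
ALL_DIGITS = re.compile(r"\d+")                        # used with fullmatch

# Assumed plausibility window for "directory name is a Unix epoch" (my choice,
# not a ComboFix rule): keeps a name like "1017" from decoding to a 1970 date.
EPOCH_MIN = int(datetime(2000, 1, 1, tzinfo=timezone.utc).timestamp())
EPOCH_MAX = int(datetime(2030, 1, 1, tzinfo=timezone.utc).timestamp())


def epoch_dir(component):
    """UTC datetime if a path component is an all-digit, plausible Unix epoch, else None."""
    if not ALL_DIGITS.fullmatch(component):
        return None
    value = int(component)
    if not EPOCH_MIN <= value < EPOCH_MAX:
        return None
    return datetime.fromtimestamp(value, tz=timezone.utc)


def parse_services(text):
    """Return one dict per parsable service line (start, name, display, path, meta)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def triage(text):
    """Map service name -> list of review reasons for lines that match a heuristic."""
    findings = {}
    for rec in parse_services(text):
        reasons = []
        parts = rec["path"].split("\\")
        if PROFILE_DIR.match(rec["path"]):
            reasons.append("binary lives under a user profile / Application Data path")
        if parts[-1].lower() == "rundll32.exe":
            reasons.append("rundll32.exe is the service image; the DLL it loads is not on this line")
        if HEX_NAME.fullmatch(rec["name"]):
            reasons.append("service name is an 8-hex-digit token rather than a vendor name")
        for comp in parts[:-1]:
            if ALL_DIGITS.fullmatch(comp):
                when = epoch_dir(comp)
                if when:
                    reasons.append(f"all-digit directory {comp} decodes to {when:%Y-%m-%d %H:%M:%S} UTC")
                else:
                    reasons.append(f"all-digit directory {comp} in path")
        if reasons:
            findings[rec["name"]] = reasons
    return findings


def legacy_key_to_service(key, text):
    """Resolve an Enum\\Root\\LEGACY_<NAME> detection to the service record named <NAME>.

    The LEGACY_ key is only the PnP root-enumerator shadow of a service that has
    started; quarantining it leaves the service entry and its binary in place.
    """
    tail = key.rsplit("\\", 1)[-1]
    if not tail.upper().startswith("LEGACY_"):
        return None
    wanted = tail[len("LEGACY_"):].upper()
    for rec in parse_services(text):
        if rec["name"].upper() == wanted:
            return rec
    return None


if __name__ == "__main__":
    for name, reasons in triage(COMBOFIX_SERVICES).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
    hit = legacy_key_to_service(
        r"HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINDEVSRV", COMBOFIX_SERVICES)
    print("LEGACY_WINDEVSRV ->", hit["path"] if hit else "no matching service line")
```

Run as-is it prints the flagged entries. Note that it also flags A2DDA (the Emsisoft Emergency Kit driver run from the user's Desktop) and BackupService (HP SimpleSave under the user's Application Data); that is the point of a path heuristic, which produces prompts for an analyst rather than detections. For a genuinely suspect entry the next artifacts to collect are the service's full ImagePath value from the registry (the log line shows only the executable) and the hash of the binary, neither of which the posted log contains.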

Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.


Note: There will also be a file on your desktop named MBR.dat do not delete this for now. It is an actual backup of the MBR (master boot record).


Psychotic,

 

I just wanted to make sure you got my last message on May 26 regarding my question about aswMBR. I know you're probably very busy, but I just wanted to make sure my messages were being received. When I reply, I'm using the "Quote" button at the bottom-right of each message. Please let me know if this is not the correct way to reply.

Just in case you didn't receive my last message, your last message had instructed me to download aswMBR to my desktop and then double-click it. You then instructed me to click "Run", but there was no "Run" option when I opened the file. I only see Scan, Fixmbr, and Save Log. So I wanted to know how I should proceed at this point?

 

Thanks.


Please hit scan! :)

I actually had already run the scan and had sent you the log file a couple of days ago. I found out that my browser version wasn't downloading aswMBR correctly, so I used a different version and downloaded it again, and it had the Run option this time.

 

So, you should hopefully already have the log file from that scan. I'll wait to hear from you on further instructions.

 

Thanks.


Root Admin (3 weeks later):

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
