
Malware Stops Malwarebytes from scanning PC



Hello

I have a strange malware problem. I downloaded and installed Malwarebytes, but a few seconds into the scan it disappears. Same story with HijackThis as well as a few other antivirus programs I have tried. I tried renaming the mbam.exe file, but that didn't work either. I have tried running in both safe mode and normal mode, both to no avail.

I have tried running an online scanner, with the thought that iexplore.exe will be on the virus's white list, but all this did was corrupt my IE8 exe file. Also, clicking links on a search page always causes a redirect to another site. And, of course, no matter how often I scan and delete with the programs that will run, it is still there. I am running Windows XP with SP3.

Help would be so appreciated!


Hello and welcome!

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Hello, unfortunately you have a nasty rootkit on board. Read the following information first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

  • Bleepingcomputer
  • ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

(screenshot: Query_RC.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot: RC_successful.gif)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Hi Elise,

Do you suggest a reformat and reinstall of the PC? It is an office PC and can contain sensitive information. If so, what is the best way to back up all my data before the reinstall to ensure that the backdoor is not 'hiding' in one of the backed-up files?

Kind Regards


Hello,

I have tried to run ComboFix in normal mode, but as soon as the exe gets to about 75% of the extraction it crashes. I have also tried to rename the file from ComboFix.exe to Combo-Fix.exe, but this also failed. Both times the exe was run from my desktop. The exe files on my desktop could not be removed, so I used Malwarebytes File Assassin to delete the files off my desktop. I then started up in safe mode and tried again, but it still failed. In both modes that I tried to install the program, I noticed that the program's process (checked in the Task Manager) had been started: "NirCmd.cfxxe".


Hi again, please try this.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).

* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.


Hi Elise,

Firstly, I want to thank you for your quick feedback, and honestly I would have been completely lost if I didn't have you guys to turn to, so thank you.

Below are the logs; first is TDSSKiller:

2011/08/23 13:23:27.0437 0376 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57

2011/08/23 13:23:29.0453 0376 ================================================================================

2011/08/23 13:23:29.0453 0376 SystemInfo:

2011/08/23 13:23:29.0453 0376

2011/08/23 13:23:29.0453 0376 OS Version: 5.1.2600 ServicePack: 3.0

2011/08/23 13:23:29.0453 0376 Product type: Workstation

2011/08/23 13:23:29.0453 0376 ComputerName: DIGSILEN-AAFD50

2011/08/23 13:23:29.0453 0376 UserName: dau67

2011/08/23 13:23:29.0453 0376 Windows directory: C:\WINDOWS

2011/08/23 13:23:29.0453 0376 System windows directory: C:\WINDOWS

2011/08/23 13:23:29.0453 0376 Processor architecture: Intel x86

2011/08/23 13:23:29.0453 0376 Number of processors: 2

2011/08/23 13:23:29.0453 0376 Page size: 0x1000

2011/08/23 13:23:29.0453 0376 Boot type: Normal boot

2011/08/23 13:23:29.0453 0376 ================================================================================

2011/08/23 13:23:31.0156 0376 Initialize success

2011/08/23 13:23:35.0218 2568 ================================================================================

2011/08/23 13:23:35.0218 2568 Scan started

2011/08/23 13:23:35.0218 2568 Mode: Manual;

2011/08/23 13:23:35.0218 2568 ================================================================================

2011/08/23 13:23:36.0593 2568 6c3f0126 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\637615980:2478898905.exe

2011/08/23 13:23:37.0859 2568 Suspicious file (Hidden): C:\WINDOWS\637615980:2478898905.exe. md5: 8f2bb1827cac01aee6a16e30a1260199

2011/08/23 13:23:37.0875 2568 6c3f0126 - detected HiddenFile.Multi.Generic (1)


2011/08/23 13:23:38.0296 2568 AFD (adaade4335def381a0fe77970d42d425) C:\WINDOWS\System32\drivers\afd.sys

2011/08/23 13:23:38.0312 2568 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: adaade4335def381a0fe77970d42d425, Fake md5: 355556d9e580915118cd7ef736653a89

2011/08/23 13:23:38.0312 2568 AFD - detected Rootkit.Win32.ZAccess.c (0)


2011/08/23 13:23:46.0750 2568 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

2011/08/23 13:23:46.0906 2568 MBR (0x1B8) (874cda44e33bb316d94c504fedd003fb) \Device\Harddisk1\DR2

2011/08/23 13:23:47.0265 2568 Boot (0x1200) (4a5028e6d7ad1af6c3851958dafe58af) \Device\Harddisk0\DR0\Partition0

2011/08/23 13:23:47.0281 2568 ================================================================================

2011/08/23 13:23:47.0281 2568 Scan finished

2011/08/23 13:23:47.0281 2568 ================================================================================

2011/08/23 13:23:47.0296 0888 Detected object count: 2

2011/08/23 13:23:47.0296 0888 Actual detected object count: 2

2011/08/23 13:24:54.0375 0888 HKLM\SYSTEM\ControlSet001\services\6c3f0126 - will be deleted after reboot

2011/08/23 13:24:54.0375 0888 HKLM\SYSTEM\ControlSet003\services\6c3f0126 - will be deleted after reboot

2011/08/23 13:24:54.0718 0888 C:\WINDOWS\637615980:2478898905.exe - will be deleted after reboot

2011/08/23 13:24:54.0718 0888 HiddenFile.Multi.Generic(6c3f0126) - User select action: Delete

2011/08/23 13:24:54.0843 0888 AFD (adaade4335def381a0fe77970d42d425) C:\WINDOWS\System32\drivers\afd.sys

2011/08/23 13:24:54.0843 0888 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: adaade4335def381a0fe77970d42d425, Fake md5: 355556d9e580915118cd7ef736653a89

2011/08/23 13:24:55.0625 0888 Backup copy found, using it..

2011/08/23 13:24:55.0640 0888 C:\WINDOWS\System32\drivers\afd.sys - will be cured after reboot

2011/08/23 13:24:55.0640 0888 Rootkit.Win32.ZAccess.c(AFD) - User select action: Cure

2011/08/23 13:25:04.0515 2084 Deinitialize success

Next is Junction:

Junction v1.06 - Windows junction creator and reparse point viewer

Copyright © 2000-2010 Mark Russinovich

Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\System Volume Information: Access is denied.


Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\CacheManager\MpScanCache-1.bin: Access is denied.


Failed to open \\?\c:\\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe: Access is denied.


Failed to open \\?\c:\\Program Files\Internet Explorer\iexplore.exe: Access is denied.


Failed to open \\?\c:\\Program Files\Windows Defender\MsMpEng.exe: Access is denied.

\\?\c:\\WINDOWS\$NtUninstallKB37606$: SYMBOLIC LINK
   Print Name     : c:\windows\system32\setup
   Substitute Name: \Device\svchost.exe\setup


Failed to open \\?\c:\\WINDOWS\assembly\GAC_MSIL\Desktop(2)(2).ini: Access is denied.

Failed to open \\?\c:\\WINDOWS\assembly\GAC_MSIL\Desktop.ini: Access is denied.


Failed to open \\?\c:\\WINDOWS\system32\MRT.exe: Access is denied.


Regards,
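The TDSSKiller log above carries the two findings that matter: a hidden file whose name holds a second colon (an NTFS alternate data stream) and afd.sys reporting two different hashes, with every fix deferred to the next reboot. The following is an added example, not part of this thread or of TDSSKiller itself, that pulls those lines out of such a log and states each finding in a responder's terms; the sample log is constructed from the lines posted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: detection, verdict and action lines copied from the
# TDSSKiller log posted in this thread; the per-driver listing is left out.
SAMPLE_LOG = r"""
2011/08/23 13:23:37.0859 2568 Suspicious file (Hidden): C:\WINDOWS\637615980:2478898905.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
2011/08/23 13:23:37.0875 2568 6c3f0126 - detected HiddenFile.Multi.Generic (1)
2011/08/23 13:23:38.0312 2568 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: adaade4335def381a0fe77970d42d425, Fake md5: 355556d9e580915118cd7ef736653a89
2011/08/23 13:23:38.0312 2568 AFD - detected Rootkit.Win32.ZAccess.c (0)
2011/08/23 13:24:54.0375 0888 HKLM\SYSTEM\ControlSet001\services\6c3f0126 - will be deleted after reboot
2011/08/23 13:24:54.0718 0888 C:\WINDOWS\637615980:2478898905.exe - will be deleted after reboot
2011/08/23 13:24:54.0718 0888 HiddenFile.Multi.Generic(6c3f0126) - User select action: Delete
2011/08/23 13:24:54.0843 0888 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: adaade4335def381a0fe77970d42d425, Fake md5: 355556d9e580915118cd7ef736653a89
2011/08/23 13:24:55.0640 0888 C:\WINDOWS\System32\drivers\afd.sys - will be cured after reboot
2011/08/23 13:24:55.0640 0888 Rootkit.Win32.ZAccess.c(AFD) - User select action: Cure
"""

# Every TDSSKiller line is "<timestamp> <thread id> <message>"; only the message matters here.
LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+[0-9A-Fa-f]{4}\s+(?P<msg>.*)$")
HIDDEN_RE = re.compile(r"^Suspicious file \(Hidden\): (?P<path>.+)\. md5: (?P<md5>[0-9a-f]{32})$")
FORGED_RE = re.compile(r"^Suspicious file \(Forged\): (?P<path>.+)\. Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
DETECTED_RE = re.compile(r"^(?P<name>\S+) - detected (?P<family>\S+) \(\d+\)$")
ACTION_RE = re.compile(r"^(?P<family>[\w.]+)\((?P<name>\w+)\) - User select action: (?P<action>\w+)$")
DEFERRED_RE = re.compile(r"^(?P<target>.+) - will be (?P<what>deleted|cured) after reboot$")


@dataclass
class Finding:
    kind: str                       # "Hidden" or "Forged"
    path: str
    md5: str                        # the only md5 (Hidden) or the "Real md5" (Forged)
    fake_md5: Optional[str] = None  # the second hash TDSSKiller saw for a Forged file
    name: Optional[str] = None      # object name TDSSKiller assigned (here: the service name)
    family: Optional[str] = None
    action: Optional[str] = None

    @property
    def alternate_data_stream(self) -> bool:
        # A second colon in the last path component means the payload sits in an
        # NTFS alternate data stream, which a normal directory listing never shows.
        return ":" in self.path.rsplit("\\", 1)[-1]


def _add(findings: List[Finding], new: Finding) -> None:
    # The cure phase repeats the Forged line; keep one record per (kind, path).
    if not any(f.kind == new.kind and f.path == new.path for f in findings):
        findings.append(new)


def parse_tdsskiller(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                                   # banner, blank and separator lines
        msg = m["msg"]
        if hid := HIDDEN_RE.match(msg):
            _add(findings, Finding("Hidden", hid["path"], hid["md5"]))
        elif fg := FORGED_RE.match(msg):
            _add(findings, Finding("Forged", fg["path"], fg["real"], fake_md5=fg["fake"]))
        elif (det := DETECTED_RE.match(msg)) and findings and findings[-1].family is None:
            findings[-1].name, findings[-1].family = det["name"], det["family"]  # verdict follows its file
        elif act := ACTION_RE.match(msg):
            for f in findings:
                if (f.name, f.family) == (act["name"], act["family"]):
                    f.action = act["action"]
    return findings


def deferred_actions(text: str) -> List[Tuple[str, str]]:
    """(target, 'deleted'|'cured') pairs that only take effect at the next reboot."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m and (d := DEFERRED_RE.match(m["msg"])):
            out.append((d["target"], d["what"]))
    return out


def triage(findings: List[Finding]) -> List[str]:
    """One verdict line per finding, phrased the way a responder would read it."""
    lines = []
    for f in findings:
        if f.kind == "Forged":
            why = (f"two different hashes for one file ({f.md5} vs {f.fake_md5}), "
                   "so reads of it are being intercepted")
        elif f.alternate_data_stream:
            why = "payload stored in an NTFS alternate data stream"
        else:
            why = "file hidden from the normal file system API"
        lines.append(f"{f.path}: {f.family or 'unclassified'}; {why}; action={f.action or 'none'}")
    return lines
```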


Hi again,

Please download GrantPerms.zip and save it to your desktop.

Unzip the file and, depending on the system, run GrantPerms.exe or GrantPerms64.exe.

Copy and paste the following in the edit box:

c:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
c:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Windows Defender\MsMpEng.exe
c:\WINDOWS\system32\MRT.exe

Click Unlock. When it is done click "OK".

Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

When done, please rerun combofix and post me the new log.
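The four executables GrantPerms is asked to unlock above are exactly the "Access is denied" lines from the Junction output earlier in the thread, which also carried a symbolic link whose substitute name points at a device object that is not a disk volume. The following is an added example, not part of this thread or of Sysinternals Junction, that parses that output and flags both; the sample is constructed from the posted lines, and the c:\Example\link entry is an assumed benign link added for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the informative lines of the Junction output posted in
# this thread (progress dots dropped), plus one benign link added for contrast.
SAMPLE_JUNCTION = r"""
Junction v1.06 - Windows junction creator and reparse point viewer
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Internet Explorer\iexplore.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Windows Defender\MsMpEng.exe: Access is denied.
.\\?\c:\\WINDOWS\$NtUninstallKB37606$: SYMBOLIC LINK
   Print Name     : c:\windows\system32\setup
   Substitute Name: \Device\svchost.exe\setup
\\?\c:\\Example\link: SYMBOLIC LINK
   Print Name     : c:\Example\target
   Substitute Name: \??\c:\Example\target
Failed to open \\?\c:\\WINDOWS\system32\MRT.exe: Access is denied.
"""

# Junction prints paths with the \\?\ extended prefix and a doubled backslash after the drive.
FAILED_RE = re.compile(r"^Failed to open \\\\\?\\(?P<path>.+?): (?P<reason>.+)$")
REPARSE_RE = re.compile(r"^\\\\\?\\(?P<path>.+): (?P<kind>[A-Z][A-Z ]+)$")
FIELD_RE = re.compile(r"^\s*(?P<key>Print Name|Substitute Name)\s*:\s*(?P<value>.+)$")
VOLUME_DEVICE_RE = re.compile(r"^\\Device\\HarddiskVolume\d+\\", re.I)  # a real disk volume
DOS_PATH_RE = re.compile(r"^\\\?\?\\[A-Za-z]:\\")                        # an ordinary \??\C:\ target


@dataclass
class ReparsePoint:
    path: str
    kind: str
    print_name: str = ""   # cosmetic: what Explorer and dir show as the target
    substitute: str = ""   # authoritative: what the kernel actually resolves


@dataclass
class OpenFailure:
    path: str
    reason: str


def _clean(path: str) -> str:
    return path.replace("\\\\", "\\")   # c:\\WINDOWS -> c:\WINDOWS


def parse_junction(text: str) -> Tuple[List[ReparsePoint], List[OpenFailure]]:
    points: List[ReparsePoint] = []
    failures: List[OpenFailure] = []
    current: Optional[ReparsePoint] = None
    for raw in text.splitlines():
        line = raw.lstrip(".")            # progress dots get glued onto the next line
        if m := FAILED_RE.match(line):
            failures.append(OpenFailure(_clean(m["path"]), m["reason"]))
        elif m := REPARSE_RE.match(line):
            current = ReparsePoint(_clean(m["path"]), m["kind"])
            points.append(current)
        elif (m := FIELD_RE.match(line)) and current is not None:
            if m["key"] == "Print Name":
                current.print_name = m["value"].strip()
            else:
                current.substitute = m["value"].strip()
    return points, failures


def is_deceptive(rp: ReparsePoint) -> bool:
    """True when the real target (substitute name) is not where the print name claims."""
    sub = rp.substitute
    if sub.lower().startswith("\\device\\"):
        # A device path that is not a disk volume resolves outside the file system
        # the user sees, whatever the print name says.
        return not VOLUME_DEVICE_RE.match(sub)
    if DOS_PATH_RE.match(sub):
        shown = rp.print_name.lower()
        if shown.startswith("\\??\\"):
            shown = shown[4:]
        return sub[4:].lower() != shown
    return False


def locked_executables(failures: List[OpenFailure]) -> List[str]:
    """Executables that even an administrator could not open; these are the
    files the GrantPerms step in this thread restores permissions on."""
    return [f.path for f in failures
            if f.reason.startswith("Access is denied") and f.path.lower().endswith(".exe")]
```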


Below is the new log from TDSSKiller. It would seem that TDSSKiller is stopping all the instances of the rootkit/virus but not the root location where the rootkit/virus is actually stored, so all that happens is that on reboot the rootkit/virus just re-infects the machine. Do you think that it has infected the kernel? If so, how is it able to do that? Is the Windows kernel not protected?

2011/08/24 09:23:42.0718 0412 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57

2011/08/24 09:23:43.0718 0412 ================================================================================

2011/08/24 09:23:43.0718 0412 SystemInfo:

2011/08/24 09:23:43.0718 0412

2011/08/24 09:23:43.0718 0412 OS Version: 5.1.2600 ServicePack: 3.0

2011/08/24 09:23:43.0718 0412 Product type: Workstation

2011/08/24 09:23:43.0718 0412 ComputerName: DIGSILEN-AAFD50

2011/08/24 09:23:43.0718 0412 UserName: dau67

2011/08/24 09:23:43.0718 0412 Windows directory: C:\WINDOWS

2011/08/24 09:23:43.0718 0412 System windows directory: C:\WINDOWS

2011/08/24 09:23:43.0718 0412 Processor architecture: Intel x86

2011/08/24 09:23:43.0718 0412 Number of processors: 2

2011/08/24 09:23:43.0718 0412 Page size: 0x1000

2011/08/24 09:23:43.0718 0412 Boot type: Normal boot

2011/08/24 09:23:43.0718 0412 ================================================================================

2011/08/24 09:23:44.0921 0412 Initialize success

2011/08/24 09:23:46.0625 2220 ================================================================================

2011/08/24 09:23:46.0625 2220 Scan started

2011/08/24 09:23:46.0625 2220 Mode: Manual;

2011/08/24 09:23:46.0625 2220 ================================================================================

2011/08/24 09:23:47.0718 2220 6c3f0126 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\637615980:2478898905.exe

2011/08/24 09:23:48.0640 2220 Suspicious file (Hidden): C:\WINDOWS\637615980:2478898905.exe. md5: 8f2bb1827cac01aee6a16e30a1260199

2011/08/24 09:23:48.0640 2220 6c3f0126 - detected HiddenFile.Multi.Generic (1)


2011/08/24 09:23:49.0078 2220 AFD (adaade4335def381a0fe77970d42d425) C:\WINDOWS\System32\drivers\afd.sys

2011/08/24 09:23:49.0078 2220 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: adaade4335def381a0fe77970d42d425, Fake md5: 355556d9e580915118cd7ef736653a89

2011/08/24 09:23:49.0078 2220 AFD - detected Rootkit.Win32.ZAccess.c (0)

2011/08/24 09:23:58.0531 2220 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

2011/08/24 09:23:58.0625 2220 Boot (0x1200) (4a5028e6d7ad1af6c3851958dafe58af) \Device\Harddisk0\DR0\Partition0

2011/08/24 09:23:58.0625 2220 ================================================================================

2011/08/24 09:23:58.0625 2220 Scan finished

2011/08/24 09:23:58.0625 2220 ================================================================================

2011/08/24 09:23:58.0640 0724 Detected object count: 2

2011/08/24 09:23:58.0640 0724 Actual detected object count: 2

2011/08/24 09:24:13.0890 0724 HKLM\SYSTEM\ControlSet001\services\6c3f0126 - will be deleted after reboot

2011/08/24 09:24:13.0890 0724 HKLM\SYSTEM\ControlSet003\services\6c3f0126 - will be deleted after reboot

2011/08/24 09:24:13.0906 0724 C:\WINDOWS\637615980:2478898905.exe - will be deleted after reboot

2011/08/24 09:24:13.0906 0724 HiddenFile.Multi.Generic(6c3f0126) - User select action: Delete

2011/08/24 09:24:14.0250 0724 AFD (adaade4335def381a0fe77970d42d425) C:\WINDOWS\System32\drivers\afd.sys

2011/08/24 09:24:14.0250 0724 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: adaade4335def381a0fe77970d42d425, Fake md5: 355556d9e580915118cd7ef736653a89

2011/08/24 09:24:15.0171 0724 Backup copy found, using it..

2011/08/24 09:24:15.0187 0724 C:\WINDOWS\System32\drivers\afd.sys - will be cured after reboot

2011/08/24 09:24:15.0187 0724 Rootkit.Win32.ZAccess.c(AFD) - User select action: Cure

2011/08/24 09:24:19.0640 0416 Deinitialize success

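Added example, not code from this thread or from TDSSKiller: a Python parser for the log format above that pulls out the two kinds of finding (a hidden file and a forged driver whose two hashes disagree), attaches the verdict from the following "- detected" line, flags the hidden file as an NTFS alternate data stream, and maps each object to the action queued for reboot. The sample input is an excerpt of the log posted above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the TDSSKiller log posted above (same line format; the clean
# driver enumeration is trimmed). Thread ids and timestamps kept as printed.
SAMPLE_LOG = r"""
2011/08/24 09:23:47.0718 2220 6c3f0126 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\637615980:2478898905.exe
2011/08/24 09:23:48.0640 2220 Suspicious file (Hidden): C:\WINDOWS\637615980:2478898905.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
2011/08/24 09:23:48.0640 2220 6c3f0126 - detected HiddenFile.Multi.Generic (1)
2011/08/24 09:23:48.0796 2220 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/24 09:23:49.0078 2220 AFD (adaade4335def381a0fe77970d42d425) C:\WINDOWS\System32\drivers\afd.sys
2011/08/24 09:23:49.0078 2220 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: adaade4335def381a0fe77970d42d425, Fake md5: 355556d9e580915118cd7ef736653a89
2011/08/24 09:23:49.0078 2220 AFD - detected Rootkit.Win32.ZAccess.c (0)
2011/08/24 09:24:13.0890 0724 HKLM\SYSTEM\ControlSet001\services\6c3f0126 - will be deleted after reboot
2011/08/24 09:24:13.0906 0724 C:\WINDOWS\637615980:2478898905.exe - will be deleted after reboot
2011/08/24 09:24:15.0187 0724 C:\WINDOWS\System32\drivers\afd.sys - will be cured after reboot
"""

# Every line starts with "date time threadid "; the rest is the message.
PREFIX = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+"
RE_HIDDEN = re.compile(PREFIX + r"Suspicious file \(Hidden\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})$")
RE_FORGED = re.compile(PREFIX + r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
RE_DETECT = re.compile(PREFIX + r"(?P<obj>\S+) - detected (?P<verdict>\S+) \(\d+\)$")
RE_ACTION = re.compile(PREFIX + r"(?P<path>.+?) - will be (?P<action>deleted|cured) after reboot$")


@dataclass
class Finding:
    kind: str                      # "hidden" or "forged"
    path: str
    md5: Dict[str, str] = field(default_factory=dict)
    verdict: Optional[str] = None  # filled from the "- detected" line that follows
    ads: bool = False              # True if the path names an NTFS alternate data stream


def is_alternate_data_stream(path: str) -> bool:
    # A colon in the final path component (after the drive letter) names an NTFS
    # stream: C:\WINDOWS\637615980:2478898905.exe is a stream attached to the
    # C:\WINDOWS directory itself, which ordinary directory listings never show.
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    last = body.rsplit("\\", 1)[-1]
    return ":" in last


def parse_findings(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.rstrip()
        if m := RE_HIDDEN.match(line):
            f = Finding("hidden", m["path"], {"md5": m["md5"]})
            f.ads = is_alternate_data_stream(f.path)
            findings.append(f)
        elif m := RE_FORGED.match(line):
            # The same file hashed two ways gives two answers: something in the
            # I/O path is lying about the driver's contents, the classic sign
            # of a kernel-mode rootkit hiding a patched system driver.
            findings.append(Finding("forged", m["path"], {"real": m["real"], "fake": m["fake"]}))
        elif (m := RE_DETECT.match(line)) and findings and findings[-1].verdict is None:
            findings[-1].verdict = m["verdict"]
    return findings


def planned_actions(log: str) -> Dict[str, str]:
    """Map each object TDSSKiller queued for reboot-time handling to its action."""
    actions: Dict[str, str] = {}
    for raw in log.splitlines():
        if m := RE_ACTION.match(raw.rstrip()):
            actions[m["path"]] = m["action"]
    return actions


def triage(log: str) -> List[str]:
    """One line per finding: verdict, path, how it hid, and the planned action."""
    actions = planned_actions(log)
    lines = []
    for f in parse_findings(log):
        how = "alternate data stream" if f.ads else f.kind
        lines.append(f"{f.verdict or 'unclassified'}: {f.path} [{how}] -> {actions.get(f.path, 'no action')}")
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```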

Junction v1.06 - Windows junction creator and reparse point viewer

Copyright © 2000-2010 Mark Russinovich

Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\System Volume Information: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\CacheManager\MpScanCache-1.bin: Access is denied.

Failed to open \\?\c:\\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Internet Explorer\iexplore.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Windows Defender\MsMpEng.exe: Access is denied.

\\?\c:\\WINDOWS\$NtUninstallKB37606$: SYMBOLIC LINK

Print Name : c:\windows\system32\setup

Substitute Name: \Device\svchost.exe\setup

Failed to open \\?\c:\\WINDOWS\assembly\GAC_MSIL\Desktop(2)(2).ini: Access is denied.

Failed to open \\?\c:\\WINDOWS\assembly\GAC_MSIL\Desktop.ini: Access is denied.

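Added example, not code from this thread or from Sysinternals: a Python parser for the junction.exe output above that separates the two things worth acting on in it, reparse points whose substitute name is an NT object path outside \??\ (the fake $NtUninstall directory pointing at \Device\svchost.exe\setup, which is what made it impossible to open or delete) and executables that could not be opened even by an administrator. The sample input is a constructed excerpt modelled on the posted output, with one ordinary junction added for contrast.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the junction.exe -s output posted above.
# The final JUNCTION entry is invented to show what a normal link looks like.
SAMPLE_OUTPUT = r"""
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\System Volume Information: Access is denied.
Failed to open \\?\c:\\Program Files\Internet Explorer\iexplore.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Windows Defender\MsMpEng.exe: Access is denied.
...
.\\?\c:\\WINDOWS\$NtUninstallKB37606$: SYMBOLIC LINK
Print Name : c:\windows\system32\setup
Substitute Name: \Device\svchost.exe\setup
..
\\?\c:\\Data\Archive: JUNCTION
Print Name : D:\Archive
Substitute Name: \??\D:\Archive
"""

RE_FAILED = re.compile(r"^Failed to open (?P<path>.+?): (?P<reason>[^:]+)$")
# junction prints a progress dot per directory, so a finding may start with dots.
RE_POINT = re.compile(r"^\.*(?P<path>\\\\\?\\.+?): (?P<kind>[A-Z][A-Z ]+)$")
RE_PRINT = re.compile(r"^\s*Print Name\s*:\s*(?P<name>.+)$")
RE_SUBST = re.compile(r"^\s*Substitute Name:\s*(?P<target>.+)$")


def parse_reparse_points(output: str) -> List[Dict[str, str]]:
    """Collect each reparse point with its print name and substitute (real) target."""
    points: List[Dict[str, str]] = []
    current = None
    for raw in output.splitlines():
        line = raw.rstrip()
        if m := RE_POINT.match(line):
            current = {"path": m["path"], "kind": m["kind"], "print_name": "", "target": ""}
            points.append(current)
        elif current and (m := RE_PRINT.match(line)):
            current["print_name"] = m["name"]
        elif current and (m := RE_SUBST.match(line)):
            current["target"] = m["target"]
    return points


def suspicious_reparse_points(output: str) -> List[Dict[str, str]]:
    # Heuristic: an ordinary absolute link or junction substitutes a DOS-device
    # path (\??\C:\...). An absolute NT object path outside \??\, such as
    # \Device\svchost.exe\setup, is not a file-system location at all, so every
    # open of the directory fails and normal tools cannot remove it.
    return [p for p in parse_reparse_points(output)
            if p["target"].startswith("\\") and not p["target"].startswith("\\??\\")]


def locked_executables(output: str) -> List[str]:
    # Executables that could not even be opened: in this thread these were the
    # browser and security-tool binaries GrantPerms had to unlock before
    # ComboFix would run. Locked data files and directories are left out.
    locked = []
    for raw in output.splitlines():
        m = RE_FAILED.match(raw.rstrip())
        if m and m["reason"] == "Access is denied." and m["path"].lower().endswith(".exe"):
            locked.append(m["path"])
    return locked


if __name__ == "__main__":
    for p in suspicious_reparse_points(SAMPLE_OUTPUT):
        print(f"{p['kind']}: {p['path']} -> {p['target']}")
    for exe in locked_executables(SAMPLE_OUTPUT):
        print(f"locked: {exe}")
```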

Hi again,

Please download GrantPerms.zip and save it to your desktop.

Unzip the file and, depending on the system, run GrantPerms.exe or GrantPerms64.exe.

Copy and paste the following in the edit box:


c:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
c:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Windows Defender\MsMpEng.exe: Access is denied.
c:\WINDOWS\$NtUninstallKB37606$

Click Unlock. When it is done click "OK".

Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

Please try to run combofix immediately after running this fix.


Hi Elise,

Not sure who Lewdew is, but attached is the log from GrantPerms. ComboFix is still not running after I have run GrantPerms.

GrantPerms by Farbar

Ran by dau67 at 2011-08-24 17:52:55

===============================================

ERROR: Parsing the SD of <\\?\c:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe > failed with: The system cannot find the file specified.

Operating system error message: The system cannot find the file specified.

ERROR: Parsing the SD of <\\?\c:\Program Files\Internet Explorer\iexplore.exe > failed with: The system cannot find the file specified.

Operating system error message: The system cannot find the file specified.

ERROR: Parsing the SD of <\\?\c:\Program Files\Windows Defender\MsMpEng.exe: Access is denied> failed with: The system cannot find the file specified.

Operating system error message: The system cannot find the file specified.

\\?\c:\WINDOWS\$NtUninstallKB37606$

Owner: BUILTIN\Administrators

DACL(NP)(AI):

BUILTIN\Administrators FULL ALLOW (CI)(OI)

NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)

BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)

BUILTIN\Users READ/EXECUTE ALLOW (I)

BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(IO)(I)

BUILTIN\Power Users change ALLOW (I)

BUILTIN\Power Users change ALLOW (CI)(OI)(IO)(I)

BUILTIN\Administrators FULL ALLOW (I)

BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)

NT AUTHORITY\SYSTEM FULL ALLOW (I)

NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)

CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)


Hi

Tried to run ComboFix again and it is still not running.

GrantPerms by Farbar

Ran by dau67 at 2011-08-25 16:43:23

===============================================

ERROR: Parsing the SD of <\\?\c:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe > failed with: The system cannot find the file specified.

Operating system error message: The system cannot find the file specified.

ERROR: Parsing the SD of <\\?\c:\Program Files\Internet Explorer\iexplore.exe > failed with: The system cannot find the file specified.

Operating system error message: The system cannot find the file specified.

\\?\c:\Program Files\Windows Defender\MsMpEng.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):

BUILTIN\Administrators FULL ALLOW (NI)

NT AUTHORITY\SYSTEM FULL ALLOW (NI)

BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\WINDOWS\$NtUninstallKB37606$

Owner: BUILTIN\Administrators

DACL(NP)(AI):

BUILTIN\Administrators FULL ALLOW (CI)(OI)

NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)

BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)

BUILTIN\Users READ/EXECUTE ALLOW (I)

BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(IO)(I)

BUILTIN\Power Users change ALLOW (I)

BUILTIN\Power Users change ALLOW (CI)(OI)(IO)(I)

BUILTIN\Administrators FULL ALLOW (I)

BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)

NT AUTHORITY\SYSTEM FULL ALLOW (I)

NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)

CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)


Hi Elise,

Finally some headway. I had to change the code for GrantPerms from what you gave me:

c:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe

c:\Program Files\Internet Explorer\iexplore.exe

c:\Program Files\Windows Defender\MsMpEng.exe: Access is denied.

c:\WINDOWS\$NtUninstallKB37606$

I changed this to

c:/Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe

c:/Program Files\Internet Explorer\iexplore.exe

c:/Program Files\Windows Defender\MsMpEng.exe: Access is denied.

c:/WINDOWS\$NtUninstallKB37606$

GrantPerms then created the log below:

GrantPerms by Farbar

Ran by dau67 at 2011-08-26 12:53:56

===============================================

c:/Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):

BUILTIN\Administrators FULL ALLOW (NI)

NT AUTHORITY\SYSTEM FULL ALLOW (NI)

BUILTIN\Users READ/EXECUTE ALLOW (NI)

c:/Program Files\Internet Explorer\iexplore.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):

BUILTIN\Administrators FULL ALLOW (NI)

NT AUTHORITY\SYSTEM FULL ALLOW (NI)

BUILTIN\Users READ/EXECUTE ALLOW (NI)

c:/Program Files\Windows Defender\MsMpEng.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):

BUILTIN\Administrators FULL ALLOW (NI)

NT AUTHORITY\SYSTEM FULL ALLOW (NI)

BUILTIN\Users READ/EXECUTE ALLOW (NI)

c:/WINDOWS\$NtUninstallKB37606$

Owner: BUILTIN\Administrators

DACL(NP)(AI):

BUILTIN\Administrators FULL ALLOW (CI)(OI)

NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)

BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)

BUILTIN\Users READ/EXECUTE ALLOW (I)

BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(IO)(I)

BUILTIN\Power Users change ALLOW (I)

BUILTIN\Power Users change ALLOW (CI)(OI)(IO)(I)

BUILTIN\Administrators FULL ALLOW (I)

BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)

NT AUTHORITY\SYSTEM FULL ALLOW (I)

NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)

CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)

I then ran ComboFix and it ran correctly. Below is the log file that it created:

ComboFix 11-08-25.05 - dau67 2011/08/26 13:04:35.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1698 [GMT 2:00]

Running from: c:\documents and settings\dau67\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\dau67\WINDOWS

C:\install.exe

C:\RECYCLE

c:\recycle\X-5-4-27-2345678318-4567890223-4234567884-2341\Desktop.ini

c:\windows\$NtUninstallKB37606$

c:\windows\$NtUninstallKB37606$\1816068390\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

c:\windows\$NtUninstallKB37606$\1816068390\click.tlb

c:\windows\$NtUninstallKB37606$\1816068390\L\dnoicana

c:\windows\$NtUninstallKB37606$\1816068390\loader(10)(2).tlb

c:\windows\$NtUninstallKB37606$\1816068390\loader(11)(2).tlb

c:\windows\$NtUninstallKB37606$\1816068390\loader(12)(2).tlb

c:\windows\$NtUninstallKB37606$\1816068390\loader(13)(2).tlb

c:\windows\$NtUninstallKB37606$\1816068390\loader(14)(2).tlb

c:\windows\$NtUninstallKB37606$\1816068390\loader(2)(2).tlb

c:\windows\$NtUninstallKB37606$\1816068390\loader(3)(2).tlb

c:\windows\$NtUninstallKB37606$\1816068390\loader(4)(2).tlb

c:\windows\$NtUninstallKB37606$\1816068390\loader(5)(2).tlb

c:\windows\$NtUninstallKB37606$\1816068390\loader(6)(2).tlb

c:\windows\$NtUninstallKB37606$\1816068390\loader(7)(2).tlb

c:\windows\$NtUninstallKB37606$\1816068390\loader(8)(2).tlb

c:\windows\$NtUninstallKB37606$\1816068390\loader(9)(2).tlb

c:\windows\$NtUninstallKB37606$\1816068390\loader.tlb

c:\windows\$NtUninstallKB37606$\1816068390\U\@00000001

c:\windows\$NtUninstallKB37606$\1816068390\U\@000000c0

c:\windows\$NtUninstallKB37606$\1816068390\U\@000000cb

c:\windows\$NtUninstallKB37606$\1816068390\U\@000000cf

c:\windows\$NtUninstallKB37606$\1816068390\U\@80000000

c:\windows\$NtUninstallKB37606$\1816068390\U\@800000c0

c:\windows\$NtUninstallKB37606$\1816068390\U\@800000cb

c:\windows\$NtUninstallKB37606$\1816068390\U\@800000cf

c:\windows\$NtUninstallKB37606$\2251951407

c:\windows\system32\c_92522.nls

c:\windows\system32\UNWISE.EXE

.

Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected

Restored copy from - The cat found it :)

Infected copy of c:\digsilent\License Server b14.1\diglise.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{C0233F87-BAA5-4CBF-A053-3605F9A3780F}\RP301\A0058040.exe

.

c:\program files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe . . . is infected!!

.

Infected copy of c:\windows\system32\HPSIsvc.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{C0233F87-BAA5-4CBF-A053-3605F9A3780F}\RP301\A0058038.exe

.

Infected copy of c:\program files\Java\jre6\bin\jqs.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{C0233F87-BAA5-4CBF-A053-3605F9A3780F}\RP301\A0058037.exe

.

Infected copy of c:\windows\system32\SearchIndexer.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{C0233F87-BAA5-4CBF-A053-3605F9A3780F}\RP303\A0058243.exe

.

Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected

Restored copy from - c:\windows\system32\dllcache\wuauclt.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_6c3f0126

.

.

((((((((((((((((((((((((( Files Created from 2011-07-26 to 2011-08-26 )))))))))))))))))))))))))))))))

.

.

2011-08-26 11:01 . 2008-04-13 22:51 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys

2011-08-26 11:01 . 2008-04-13 22:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-08-26 10:27 . 2011-07-06 17:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-26 10:27 . 2011-08-26 10:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-26 10:27 . 2011-07-06 17:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-23 11:29 . 2010-09-07 13:39 150392 ----a-w- c:\windows\junction.exe

2011-08-22 12:37 . 2011-08-25 12:57 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll

2011-08-22 12:37 . 2011-08-25 12:57 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll

2011-08-22 07:12 . 2011-08-22 07:21 -------- d-----w- c:\program files\Windows Defender

2011-08-18 15:49 . 2011-08-18 15:50 -------- d-----w- c:\documents and settings\dau67\Application Data\QuickScan

2011-08-18 13:52 . 2011-08-18 13:52 -------- d-----w- c:\program files\ESET

2011-08-18 13:10 . 2009-08-06 17:23 215920 ----a-w- c:\windows\system32\muweb.dll

2011-08-18 13:10 . 2009-08-06 17:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2011-08-18 13:06 . 2011-08-18 13:06 -------- d-----w- c:\windows\system32\wbem\Repository

2011-08-18 13:00 . 2011-08-18 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2011-08-18 13:00 . 2011-08-18 13:01 -------- d-----w- c:\windows\system32\drivers\AVG

2011-08-18 12:58 . 2011-08-18 12:58 -------- d-----w- c:\documents and settings\dau67\Application Data\Windows Desktop Search

2011-08-18 12:42 . 2011-08-18 12:46 -------- d-----w- c:\windows\LastGood(3)

2011-08-18 12:22 . 2011-08-18 12:55 -------- d-----w- c:\windows\LastGood(2)

2011-08-18 11:29 . 2011-08-18 11:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-08-18 10:04 . 2011-08-24 07:25 43408 --sha-w- c:\windows\system32\c_92522.nl_

2011-08-18 07:50 . 2011-08-18 07:50 -------- d-----w- c:\documents and settings\dau67\Application Data\Malwarebytes

2011-08-18 07:50 . 2011-08-18 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-08-17 14:59 . 2011-08-18 07:21 -------- d-----w- c:\program files\KillProcess

2011-08-17 12:15 . 2011-08-17 12:21 -------- d-----w- c:\program files\Stellar Phoenix Zip Recovery

2011-08-16 14:53 . 2011-08-16 14:53 1409 ----a-w- c:\windows\QTFont.for

2011-08-15 08:00 . 2011-08-18 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Mobile Partner

2011-08-15 07:59 . 2011-08-18 13:02 -------- d-----w- c:\program files\Mobile Partner

2011-08-15 07:59 . 2011-08-18 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\DatacardService

2011-08-08 07:22 . 2011-08-08 07:22 -------- d-----w- c:\documents and settings\dau67\Application Data\Nokia Ovi Suite

2011-08-08 07:22 . 2011-08-08 07:22 -------- d-----w- c:\documents and settings\dau67\Application Data\Nokia

2011-08-04 15:45 . 2011-08-18 13:05 -------- d-----w- c:\program files\Unrar

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-24 07:25 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-08-23 12:03 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-08-23 11:56 . 2004-08-04 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-08-18 11:59 . 2010-01-14 13:19 106496 ----a-w- c:\windows\DUMP5767.tmp

2011-08-18 11:58 . 2010-01-14 13:19 106496 ----a-w- c:\windows\DUMP5af1.tmp

2011-06-23 12:05 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

2011-06-22 23:08 . 2011-05-19 07:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-25 12:57 . 2011-06-02 14:41 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 12:30 216064 --sh--r- c:\windows\system32\nbDX.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 137752]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1040384]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\MFAData\\SelfUpd\\avgmfapx.exe"=

"c:\\Program Files\\ESET\\ESET Online Scanner\\OnlineCmdLineScanner.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Documents and Settings\\dau67\\Desktop\\TDSSKiller.exe"=

"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Updater6\\Adobe_Updater.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9100:TCP"= 9100:TCP:Advanced TCP/IP Printer Port

"427:TCP"= 427:TCP:Advanced TCP/IP SLP Port

"161:TCP"= 161:TCP:Advanced TCP/IP SNMP Port

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010/09/13 04:27 PM 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010/09/07 03:48 AM 32592]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010/09/07 03:49 AM 297168]

R2 DIgLiseService;DIgLiseService;c:\digsilent\License Server b14.1\diglise.exe [2011/06/15 11:47 PM 1166160]

R2 HPM1210RcvFaxSrvc;HP LaserJet Professional M1210 MFP Series Receive Fax Service;c:\program files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe [2009/11/18 11:18 AM 245760]

R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [2011/05/05 12:01 PM 99896]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011/08/26 12:27 PM 366640]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010/08/19 09:42 PM 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010/08/19 09:42 PM 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010/08/19 09:42 PM 27216]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011/08/26 12:27 PM 22712]

S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010/09/07 03:48 AM 248656]

S2 AVGIDSAgent;AVGIDSAgent; [x]

S2 avgwd;AVG WatchDog; [x]

S3 MatrikonOPC Server for Simulation and Testing;MatrikonOPC Server for Simulation and Testing;c:\program files\Matrikon\OPC\Simulation\OPCSim.exe [2009/07/20 07:10 PM 1761280]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011/08/26 12:27 PM 41272]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.za/webhp?rls=ig

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = 127.0.0.1:4001

TCP: DhcpNameServer = 168.210.2.2

FF - ProfilePath - c:\documents and settings\dau67\Application Data\Mozilla\Firefox\Profiles\mz2v3ymw.default\

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

Toolbar-Locked - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

SafeBoot-16648909.sys

SafeBoot-23311304.sys

SafeBoot-29178190.sys

SafeBoot-62092356.sys

SafeBoot-74864174.sys

SafeBoot-97839672.sys

AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel

AddRemove-Hardlock Device Drivers - c:\windows\system32\UNWISE.EXE

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-26 13:19

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3564)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe

c:\windows\system32\igfxsrvc.exe

.

**************************************************************************

.

Completion time: 2011-08-26 13:23:49 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-26 11:23

.

Pre-Run: 155,928,154,112 bytes free

Post-Run: 157,663,404,032 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 48D6E5DF167930BF29BB2569FF77B8DD


Hi, that is looking a lot better! How are things running now?

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


DDS::
uInternet Settings,ProxyServer = 127.0.0.1:4001

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

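As an added defender-side check (example code written for this page, not ComboFix's or Malwarebytes' own), the following Python parses the "Supplementary Scan" lines of a ComboFix/DDS log, flags a ProxyServer entry that points back at the local machine, as the 127.0.0.1:4001 entry above does, and emits the matching CFScript. The log excerpt embedded in it is constructed from the lines in this thread.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: lines shaped like the "Supplementary Scan" section of a
# ComboFix log, including the rogue per-user proxy seen in the thread above.
SAMPLE_LOG = """\
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.za/webhp?rls=ig
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 127.0.0.1:4001
TCP: DhcpNameServer = 168.210.2.2
FF - ProfilePath - c:\\documents and settings\\dau67\\Application Data\\Mozilla\\Firefox\\Profiles\\mz2v3ymw.default\\
.
"""

# "uInternet Settings,<Name> = <value>" is how ComboFix/DDS reports the per-user
# WinINet settings (the leading "u" marks the user hive).
_SETTING_RE = re.compile(r"^u?Internet Settings,(?P<name>\w+)\s*=\s*(?P<value>.+?)\s*$")


def parse_internet_settings(log_text: str) -> Dict[str, str]:
    """Return the WinINet 'Internet Settings' values reported in a ComboFix/DDS log."""
    settings: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = _SETTING_RE.match(line.strip())
        if m:
            settings[m.group("name")] = m.group("value")
    return settings


def _split_proxy_entries(proxy_server: str) -> List[str]:
    # WinINet ProxyServer is either "host:port" or "http=host:port;https=host:port;..."
    entries = []
    for part in proxy_server.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            part = part.split("=", 1)[1]
        entries.append(part)
    return entries


def suspicious_proxy(proxy_server: Optional[str]) -> List[str]:
    """Return the proxy entries that point at the local machine.

    A per-user WinINet proxy on a loopback address hands every browser request to a
    process on the same host before it reaches the network. On a home PC with no local
    filtering proxy installed this is the classic search-redirect mechanism, so such an
    entry needs to be explained or removed.
    """
    if not proxy_server:
        return []
    flagged = []
    for entry in _split_proxy_entries(proxy_server):
        host = entry.rsplit(":", 1)[0].strip("[]")  # handles "[::1]:4001" as well
        if host.lower() == "localhost":
            flagged.append(entry)
            continue
        try:
            if ipaddress.ip_address(host).is_loopback:
                flagged.append(entry)
        except ValueError:
            pass  # a hostname rather than an IP literal; not loopback
    return flagged


def cfscript_for_proxy(log_text: str) -> Optional[str]:
    """Build the CFScript that tells ComboFix to remove a flagged ProxyServer line.

    This mirrors the helper's fix in the thread: the offending DDS line is placed
    under a "DDS::" heading. None is returned when nothing is flagged.
    """
    settings = parse_internet_settings(log_text)
    if not suspicious_proxy(settings.get("ProxyServer")):
        return None
    return "DDS::\nuInternet Settings,ProxyServer = " + settings["ProxyServer"] + "\n"


if __name__ == "__main__":
    print(parse_internet_settings(SAMPLE_LOG))
    print(suspicious_proxy("127.0.0.1:4001"))
    print(cfscript_for_proxy(SAMPLE_LOG), end="")
```

Save the returned text as CFScript.txt next to ComboFix.exe, exactly as the post above describes, to have ComboFix clear the entry.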

Hi Elise,

Wow, my PC is running so, so much better now. Below is the ComboFix log:

ComboFix 11-08-25.05 - dau67 2011/08/26 13:59:17.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1432 [GMT 2:00]

Running from: c:\documents and settings\dau67\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\dau67\Desktop\CFScript.txt

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe . . . is infected!!

.

.

((((((((((((((((((((((((( Files Created from 2011-07-26 to 2011-08-26 )))))))))))))))))))))))))))))))

.

.

2011-08-26 11:01 . 2008-04-13 22:51 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys

2011-08-26 11:01 . 2008-04-13 22:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-08-26 10:27 . 2011-07-06 17:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-26 10:27 . 2011-08-26 10:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-26 10:27 . 2011-07-06 17:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-23 11:29 . 2010-09-07 13:39 150392 ----a-w- c:\windows\junction.exe

2011-08-22 12:37 . 2011-08-25 12:57 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll

2011-08-22 12:37 . 2011-08-25 12:57 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll

2011-08-22 07:12 . 2011-08-22 07:21 -------- d-----w- c:\program files\Windows Defender

2011-08-18 15:49 . 2011-08-18 15:50 -------- d-----w- c:\documents and settings\dau67\Application Data\QuickScan

2011-08-18 13:52 . 2011-08-18 13:52 -------- d-----w- c:\program files\ESET

2011-08-18 13:10 . 2009-08-06 17:23 215920 ----a-w- c:\windows\system32\muweb.dll

2011-08-18 13:10 . 2009-08-06 17:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2011-08-18 13:06 . 2011-08-18 13:06 -------- d-----w- c:\windows\system32\wbem\Repository

2011-08-18 13:00 . 2011-08-18 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2011-08-18 13:00 . 2011-08-18 13:01 -------- d-----w- c:\windows\system32\drivers\AVG

2011-08-18 12:58 . 2011-08-18 12:58 -------- d-----w- c:\documents and settings\dau67\Application Data\Windows Desktop Search

2011-08-18 12:42 . 2011-08-18 12:46 -------- d-----w- c:\windows\LastGood(3)

2011-08-18 12:22 . 2011-08-18 12:55 -------- d-----w- c:\windows\LastGood(2)

2011-08-18 11:29 . 2011-08-18 11:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-08-18 10:04 . 2011-08-24 07:25 43408 --sha-w- c:\windows\system32\c_92522.nl_

2011-08-18 07:50 . 2011-08-18 07:50 -------- d-----w- c:\documents and settings\dau67\Application Data\Malwarebytes

2011-08-18 07:50 . 2011-08-18 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-08-17 14:59 . 2011-08-18 07:21 -------- d-----w- c:\program files\KillProcess

2011-08-17 12:15 . 2011-08-17 12:21 -------- d-----w- c:\program files\Stellar Phoenix Zip Recovery

2011-08-16 14:53 . 2011-08-16 14:53 1409 ----a-w- c:\windows\QTFont.for

2011-08-15 08:00 . 2011-08-18 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Mobile Partner

2011-08-15 07:59 . 2011-08-18 13:02 -------- d-----w- c:\program files\Mobile Partner

2011-08-15 07:59 . 2011-08-18 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\DatacardService

2011-08-08 07:22 . 2011-08-08 07:22 -------- d-----w- c:\documents and settings\dau67\Application Data\Nokia Ovi Suite

2011-08-08 07:22 . 2011-08-08 07:22 -------- d-----w- c:\documents and settings\dau67\Application Data\Nokia

2011-08-04 15:45 . 2011-08-18 13:05 -------- d-----w- c:\program files\Unrar

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-24 07:25 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-08-23 12:03 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-08-23 11:56 . 2004-08-04 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-08-18 11:59 . 2010-01-14 13:19 106496 ----a-w- c:\windows\DUMP5767.tmp

2011-08-18 11:58 . 2010-01-14 13:19 106496 ----a-w- c:\windows\DUMP5af1.tmp

2011-06-23 12:05 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

2011-06-22 23:08 . 2011-05-19 07:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-25 12:57 . 2011-06-02 14:41 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 12:30 216064 --sh--r- c:\windows\system32\nbDX.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 137752]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1040384]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\MFAData\\SelfUpd\\avgmfapx.exe"=

"c:\\Program Files\\ESET\\ESET Online Scanner\\OnlineCmdLineScanner.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Updater6\\Adobe_Updater.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9100:TCP"= 9100:TCP:Advanced TCP/IP Printer Port

"427:TCP"= 427:TCP:Advanced TCP/IP SLP Port

"161:TCP"= 161:TCP:Advanced TCP/IP SNMP Port

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010/09/13 04:27 PM 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010/09/07 03:48 AM 32592]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010/09/07 03:49 AM 297168]

R2 HPM1210RcvFaxSrvc;HP LaserJet Professional M1210 MFP Series Receive Fax Service;c:\program files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe [2009/11/18 11:18 AM 245760]

R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [2011/05/05 12:01 PM 99896]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011/08/26 12:27 PM 366640]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010/08/19 09:42 PM 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010/08/19 09:42 PM 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010/08/19 09:42 PM 27216]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011/08/26 12:27 PM 22712]

S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010/09/07 03:48 AM 248656]

S2 AVGIDSAgent;AVGIDSAgent; [x]

S2 avgwd;AVG WatchDog; [x]

S2 DIgLiseService;DIgLiseService;c:\digsilent\License Server b14.1\diglise.exe [2011/06/15 11:47 PM 1166160]

S3 MatrikonOPC Server for Simulation and Testing;MatrikonOPC Server for Simulation and Testing;c:\program files\Matrikon\OPC\Simulation\OPCSim.exe [2009/07/20 07:10 PM 1761280]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011/08/26 12:27 PM 41272]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.za/webhp?rls=ig

uInternet Settings,ProxyOverride = <local>

TCP: DhcpNameServer = 168.210.2.2

FF - ProfilePath - c:\documents and settings\dau67\Application Data\Mozilla\Firefox\Profiles\mz2v3ymw.default\

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-26 14:04

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3660)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-08-26 14:05:12

ComboFix-quarantined-files.txt 2011-08-26 12:05

ComboFix2.txt 2011-08-26 11:23

.

Pre-Run: 157,665,345,536 bytes free

Post-Run: 157,652,201,472 bytes free

.

- - End Of File - - CECCBCE57A13EEC77ABCDB92FDEC1877

Thank you


Can you now please see if you can update MBAM and run a full scan? Post me the resulting log.

Please visit www.virustotal.com and upload the following file: c:\program files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe

Please link me to the scan results.


Hi Elise,

I am not really sure what you mean by linking you to the results, but I have copied the results and the URL from www.virustotal.com below:

http://www.virustotal.com/file-scan/report.html?id=9cfb1298dc90251705aa22c76c6468bff125b666bc41be70313ebf1033ee39de-1314364180

VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name: ReceiveFaxUtility.exe

Submission date: 2011-08-26 13:09:40 (UTC)

Current status: finished

Result: 1/ 43 (2.3%)

VT Community

not reviewed

Safety score: -

Antivirus Version Last Update Result

AhnLab-V3 2011.08.26.00 2011.08.26 -

AntiVir 7.11.13.254 2011.08.26 -

Antiy-AVL 2.0.3.7 2011.08.26 -

Avast 4.8.1351.0 2011.08.26 -

Avast5 5.0.677.0 2011.08.26 -

AVG 10.0.0.1190 2011.08.26 -

BitDefender 7.2 2011.08.26 -

ByteHero 1.0.0.1 2011.08.22 Trojan.Malware.Win32.xPack.m

CAT-QuickHeal 11.00 2011.08.26 -

ClamAV 0.97.0.0 2011.08.26 -

Commtouch 5.3.2.6 2011.08.26 -

Comodo 9880 2011.08.26 -

Emsisoft 5.1.0.10 2011.08.26 -

eSafe 7.0.17.0 2011.08.25 -

eTrust-Vet 36.1.8524 2011.08.26 -

F-Prot 4.6.2.117 2011.08.26 -

F-Secure 9.0.16440.0 2011.08.26 -

Fortinet 4.2.257.0 2011.08.25 -

GData 22 2011.08.26 -

Ikarus T3.1.1.107.0 2011.08.26 -

Jiangmin 13.0.900 2011.08.25 -

K7AntiVirus 9.111.5056 2011.08.25 -

Kaspersky 9.0.0.837 2011.08.26 -

McAfee 5.400.0.1158 2011.08.26 -

McAfee-GW-Edition 2010.1D 2011.08.26 -

Microsoft 1.7604 2011.08.26 -

NOD32 6412 2011.08.26 -

Norman 6.07.10 2011.08.26 -

nProtect 2011-08-26.02 2011.08.26 -

Panda 10.0.3.5 2011.08.26 -

PCTools 8.0.0.5 2011.08.26 -

Prevx 3.0 2011.08.26 -

Rising 23.72.04.03 2011.08.26 -

Sophos 4.68.0 2011.08.26 -

SUPERAntiSpyware 4.40.0.1006 2011.08.26 -

Symantec 20111.2.0.82 2011.08.26 -

TheHacker 6.7.0.1.284 2011.08.25 -

TrendMicro 9.500.0.1008 2011.08.25 -

TrendMicro-HouseCall 9.500.0.1008 2011.08.26 -

VBA32 3.12.16.4 2011.08.26 -

VIPRE 10274 2011.08.26 -

ViRobot 2011.8.26.4641 2011.08.26 -

VirusBuster 14.0.186.0 2011.08.26 -

Additional information

MD5 : db254206d0bf1bd864b84bdf2a40ab2a

SHA1 : ab6808476d0a171fadfa5b24aff7beff8f1fdaaf

SHA256: 9cfb1298dc90251705aa22c76c6468bff125b666bc41be70313ebf1033ee39de

ssdeep: 6144:ymIojy/qBkgLgF7pUSo3jj+YQbz1DFyI5y:Zty/F7ptZYQv1DFyI

File size : 245760 bytes

First seen: 2011-08-26 13:09:40

Last seen : 2011-08-26 13:09:40

TrID:

Win64 Executable Generic (59.6%)

Win32 Executable MS Visual C++ (generic) (26.2%)

Win32 Executable Generic (5.9%)

Win32 Dynamic Link Library (generic) (5.2%)

Generic Win/DOS Executable (1.3%)

sigcheck:

publisher....: Marvell

copyright....: © Marvell. All rights reserved.

product......: HP LaserJet Professional M1210 MFP Series Fax Receive Utility

description..: HP LaserJet Professional M1210 MFP Series Fax Receive Utility

original name: ReceiveFaxUtility.exe

internal name: ReceiveFaxUtility.exe

file version.: 6.0.5.8

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x14DAD

timedatestamp....: 0x4B036797 (Wed Nov 18 03:18:47 2009)

machinetype......: 0x14c (I386)

[[ 4 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.text, 0x1000, 0x27EE5, 0x28000, 6.68, 534c1866849b79fd66646913f3b0af5f

.rdata, 0x29000, 0x8CE6, 0x9000, 4.92, 4f72cab99424a808ae15da935faf476c

.data, 0x32000, 0x8398, 0x5000, 1.97, 4b554042add220471acbab71fb0afaec

.rsrc, 0x3B000, 0x4788, 0x5000, 3.14, de19e9408e99930cffd475a231adb2b5

[[ 12 import(s) ]]

SETUPAPI.dll: CM_Get_Child, CM_Get_Parent, SetupDiGetDeviceInterfaceDetailW, SetupDiEnumDeviceInterfaces, SetupDiGetClassDevsW, SetupDiDestroyDeviceInfoList, SetupDiOpenDevRegKey, SetupDiOpenDeviceInfoW, CM_Get_Device_IDW, CM_Get_Sibling, SetupDiCreateDeviceInfoList

PSAPI.DLL: EnumProcessModules, GetModuleBaseNameW, EnumProcesses

RPCRT4.dll: UuidCreate, UuidToStringW, RpcStringFreeW

KERNEL32.dll: ReadFile, SetFilePointer, FlushFileBuffers, GetCurrentProcess, WritePrivateProfileStringW, SetErrorMode, GetStartupInfoW, RtlUnwind, RaiseException, GetThreadLocale, ExitThread, CreateThread, ExitProcess, HeapSize, SetUnhandledExceptionFilter, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, IsDebuggerPresent, VirtualAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, InterlockedIncrement, GetModuleHandleA, GlobalFlags, InterlockedDecrement, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, lstrlenA, GetCurrentProcessId, GetCurrentThread, ConvertDefaultLocale, GetModuleFileNameW, GetVersion, EnumResourceLanguagesW, lstrcmpA, GetLocaleInfoW, InterlockedExchange, SuspendThread, ResumeThread, SetThreadPriority, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageW, LocalFree, lstrlenW, GetCurrentThreadId, GlobalAddAtomW, GlobalFindAtomW, GlobalDeleteAtom, FreeLibrary, LoadLibraryA, lstrcmpW, GetProcAddress, GetVersionExA, SystemTimeToFileTime, GetSystemTime, RemoveDirectoryW, DeleteFileW, CompareFileTime, FindNextFileW, MoveFileExW, FindFirstFileW, MultiByteToWideChar, FindClose, GetTickCount, Sleep, WaitForSingleObject, OpenProcess, CreateNamedPipeW, ConnectNamedPipe, WriteFile, SetEvent, ResetEvent, WaitForMultipleObjects, SetWaitableTimer, CreateWaitableTimerW, CreateEventW, CloseHandle, GetExitCodeProcess, WideCharToMultiByte, FindResourceW, LoadResource, LockResource, SizeofResource, GetModuleHandleW, LoadLibraryW, HeapFree, GetProcessHeap, HeapAlloc, GetLastError, SetLastError, HeapReAlloc

USER32.dll: LoadCursorW, GetSysColorBrush, ReleaseDC, GetDC, GrayStringW, DrawTextExW, DrawTextW, TabbedTextOutW, DestroyMenu, ClientToScreen, ShowWindow, SetWindowTextW, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapW, ModifyMenuW, EnableMenuItem, CheckMenuItem, GetWindowThreadProcessId, IsWindowEnabled, PostQuitMessage, SetCursor, GetMessageW, TranslateMessage, GetActiveWindow, GetCursorPos, ValidateRect, GetMenuState, RegisterWindowMessageW, LoadIconW, WinHelpW, GetCapture, CallNextHookEx, GetClassLongW, GetClassNameW, GetPropW, RemovePropW, GetFocus, GetWindowTextW, GetForegroundWindow, GetLastActivePopup, DispatchMessageW, GetDlgItem, GetTopWindow, DestroyWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, PeekMessageW, MapWindowPoints, UnregisterClassA, GetKeyState, SetForegroundWindow, IsWindowVisible, GetClientRect, GetMenu, PostMessageW, GetSubMenu, GetMenuItemID, GetMenuItemCount, MessageBoxW, CreateWindowExW, GetClassInfoExW, GetClassInfoW, RegisterClassW, GetSysColor, AdjustWindowRectEx, GetParent, CopyRect, PtInRect, GetDlgCtrlID, SendMessageW, SetWindowsHookExW, DefWindowProcW, CallWindowProcW, GetWindowLongW, SetWindowLongW, SetWindowPos, SystemParametersInfoA, IsIconic, GetWindowPlacement, GetWindowRect, GetSystemMetrics, GetWindow, EnableWindow, UnregisterClassW, IsWindow, SetPropW

GDI32.dll: OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, DeleteDC, GetStockObject, SetViewportOrgEx, SelectObject, Escape, TextOutW, RectVisible, PtVisible, RestoreDC, SaveDC, ExtTextOutW, DeleteObject, CreateBitmap, GetDeviceCaps, SetBkColor, SetTextColor, GetClipBox, SetMapMode

WINSPOOL.DRV: EnumPrintersW, ClosePrinter, DocumentPropertiesW, OpenPrinterW

ADVAPI32.dll: RegCreateKeyExW, RegQueryValueW, RegEnumKeyW, RegDeleteKeyW, RegOpenKeyW, RegSetValueExW, SetServiceStatus, RegisterServiceCtrlHandlerExW, StartServiceCtrlDispatcherW, DeleteService, ControlService, QueryServiceStatusEx, OpenServiceW, CloseServiceHandle, StartServiceW, CreateServiceW, OpenSCManagerW, DuplicateTokenEx, OpenProcessToken, CreateProcessAsUserW, RegCloseKey, RegQueryValueExW, RegOpenKeyExW

SHELL32.dll: SHGetFolderPathW

SHLWAPI.dll: PathFindFileNameW, PathFindExtensionW, PathAppendW

ole32.dll: OleRun, CoUninitialize, CoInitializeEx, CoCreateInstance

OLEAUT32.dll: -, -, -, -, -, -, -

ExifTool:

file metadata

CharacterSet: Windows, Latin1

CodeSize: 163840

CompanyName: Marvell

EntryPoint: 0x14dad

FileDescription: HP LaserJet Professional M1210 MFP Series Fax Receive Utility

FileFlagsMask: 0x003f

FileOS: Win32

FileSize: 240 kB

FileSubtype: 0

FileType: Win32 EXE

FileVersion: 6.0.5.8

FileVersionNumber: 6.0.5.8

ImageVersion: 0.0

InitializedDataSize: 77824

InternalName: ReceiveFaxUtility.exe

LanguageCode: English (U.S.)

LegalCopyright: © Marvell. All rights reserved.

LinkerVersion: 8.0

MIMEType: application/octet-stream

MachineType: Intel 386 or later, and compatibles

OSVersion: 5.1

ObjectFileType: Executable application

OriginalFilename: ReceiveFaxUtility.exe

PEType: PE32

ProductName: HP LaserJet Professional M1210 MFP Series Fax Receive Utility

ProductVersion: 6.0.5.8

ProductVersionNumber: 6.0.5.8

Subsystem: Windows GUI

SubsystemVersion: 4.0

TimeStamp: 2009:11:18 04:18:47+01:00

UninitializedDataSize: 0

Symantec reputation:Suspicious.Insight

Here is the Malwarebytes log file:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7576

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2011/08/26 03:10:57 PM

mbam-log-2011-08-26 (15-10-57).txt

Scan type: Full scan (C:\|)

Objects scanned: 146492

Time elapsed: 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


This topic is now closed to further replies.