
Malwarebytes closes after a few seconds



Hi everyone

I seem to have picked up a virus or malware. I noticed it when the icon for my McAfee antivirus changed and said "on access scan is currently disabled" when I hovered the mouse over it.

So as I usually do in these situations I opened my trusty Malwarebytes and set it to run. :) However after a few seconds it closed, and when I tried to re-open it I got the message "Windows cannot access the specified drive, path or file. You may not have the appropriate permissions to access the item." :(

Unfortunately that's the extent of my computer knowledge, so I did a quick search and found this site. I have run the Win32Diag.exe and dds.scr and have pasted/attached the results below. I would really appreciate any help as my only other recourse would be to re-install the entire machine.

Thanks,

Renegade

Win32Diag

Running from: C:\Documents and Settings\danielo\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\danielo\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\assembly\GAC_MSIL\Desktop(2).ini

Attempting to restore permissions of : C:\WINDOWS\assembly\GAC_MSIL\Desktop(2).ini

Cannot access: C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini

Attempting to restore permissions of : C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini

Finished!

dds.txt

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Run by danielo at 8:46:10 on 2011-09-12

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1471.865 [GMT 1:00]

.

AV: McAfee® Security-as-a-Service Anti-virus *Disabled/Outdated* {8C354827-2F54-4E28-90DC-AD391E77808C}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\3423871622:2044586803.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\LSI SoftModem\agrsmsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe

C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe

C:\WINDOWS\system32\NLSSRV32.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\VTTimer.exe

C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Desktop Calendar\Desktop Calendar.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\Documents and Settings\danielo\Application Data\Dropbox\bin\Dropbox.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\McAfee Security Scan\2.0.181\McUICnt.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.co.uk/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110831085636.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [Desktop Calendar] c:\program files\desktop calendar\Desktop Calendar.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [VTTimer] VTTimer.exe

mRun: [MVS Splash] "c:\program files\mcafee\managed virusscan\desktopui\XTray.exe"

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

StartupFolder: c:\docume~1\danielo\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\danielo\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: mswsock.dll

Trusted Zone: ea-babylone.net\www

Trusted Zone: marsh.com\online

Trusted Zone: premiumfirst.com\ifinance

Trusted Zone: //about.htm/

Trusted Zone: //Exclude.htm/

Trusted Zone: //LanguageSelection.htm/

Trusted Zone: //Message.htm/

Trusted Zone: //MyAgttryCmd.htm/

Trusted Zone: //MyAgttryNag.htm/

Trusted Zone: //MyNotification.htm/

Trusted Zone: //NOCLessUpdate.htm/

Trusted Zone: //quarantine.htm/

Trusted Zone: //ScanNow.htm/

Trusted Zone: //strings.vbs/

Trusted Zone: //Template.htm/

Trusted Zone: //Update.htm/

Trusted Zone: //VirFound.htm/

Trusted Zone: mcafee.com\*

Trusted Zone: mcafeeasap.com\betavscan

Trusted Zone: mcafeeasap.com\vs

Trusted Zone: mcafeeasap.com\www

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266313952884

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab

TCP: Interfaces\{73BE2624-2DF6-48AC-92D5-FF6B358C28A2} : NameServer = 192.168.10.249

Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt5.0.0.811.dll

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\danielo\application data\mozilla\firefox\profiles\adh4h33b.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-2-17 461864]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-12 89624]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-30 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-9-20 47640]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-11-16 148520]

R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2011-8-31 291064]

R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2011-1-12 196928]

R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2011-1-12 68928]

R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2011-2-11 35088]

R2 RumorServer;McAfee Peer Distribution Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2011-8-31 291064]

R3 MfeAVFK;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-2-17 180008]

R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-8-9 41272]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-11-16 166024]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 MfeBOPK;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-2-17 59288]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-12 87808]

S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2010-2-17 34248]

S3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2011-3-15 38976]

S3 splunkdrv;splunkdrv;\??\c:\program files\splunk\bin\splunkdrv.sys --> c:\program files\splunk\bin\splunkdrv.sys [?]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== Created Last 30 ================

.

2011-09-12 07:28:05 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-09-12 07:28:05 -------- d-----w- c:\windows\system32\wbem\Repository

2011-09-01 09:12:31 -------- d-----w- c:\program files\Hotspot Shield

2011-08-31 07:56:36 28504 ----a-w- c:\program files\mozilla firefox\ScriptFF.dll

.

==================== Find3M ====================

.

2011-08-23 07:24:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-03 15:56:32 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll

2011-08-03 15:56:28 22816 ----a-w- c:\windows\system32\MFEOtlk.dll

2011-07-19 08:57:00 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-07-19 08:57:00 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-07-19 08:57:00 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-07-19 08:57:00 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-07-19 08:57:00 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-07-19 08:57:00 180008 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-07-19 08:57:00 148520 ----a-w- c:\windows\system32\mfevtps.exe

2011-07-19 08:57:00 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-06 15:32:48 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2011-07-06 15:32:36 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll

2011-07-06 15:32:28 87424 ----a-w- c:\windows\system32\LMIinit.dll

2011-07-06 15:32:28 29568 ----a-w- c:\windows\system32\LMIport.dll

2011-07-05 17:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-07-05 17:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ------w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-18 10:03:10 717296 ----a-w- c:\windows\system32\drivers\sptd.sys

2011-06-17 07:21:39 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak

2011-06-17 07:21:38 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD800BB-22JHA0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-1b

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x88884790]<<

_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }

1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x897D2AB8]

3 CLASSPNP[0xF7657FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x88D0B808]

\Driver\00001668[0x88DD2B10] -> IRP_MJ_CREATE -> 0x88884790

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x8970431B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 8:46:38.13 ===============

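The DDS and GMER output above carries several indicators a responder would want to see before anything else: the "AV:" line reporting McAfee as disabled, a running process whose path contains a second colon (an executable living in an NTFS alternate data stream rather than in a normal file), a disk-trace module GMER cannot attribute to any driver, an IRP dispatch routine and the atapi DriverStartIo entry point both pointing at raw addresses, and GMER's own rootkit warning. The following script is an added example, not code from this thread or from DDS, GMER or Malwarebytes; it splits a DDS report into its `=== Section ===` blocks and flags exactly those indicators. The sample log is a constructed excerpt of the report posted above, and the indicator names are this example's own.

```python
"""Triage helper for DDS / GMER style diagnostic logs.

Added example, not code from this thread or from DDS, GMER or
Malwarebytes. It splits a DDS report into its '=== Section ===' blocks
and flags a handful of indicators a responder would want to see first:
the AV product reporting itself disabled, a running process whose path
points into an NTFS alternate data stream (a ':' inside the file name),
and the GMER disk-trace / hook lines. The sample log is a constructed
excerpt of the report posted above.
"""
import re

# A running-process path whose file name contains a second ':' is an
# executable stored in an NTFS alternate data stream, not a normal file.
ADS_PROCESS = re.compile(r"^[A-Za-z]:\\.*:[^\\]+\.exe$", re.IGNORECASE)
# DDS marks a disabled AV product with *Disabled...* on the "AV:" line.
AV_DISABLED = re.compile(r"^AV:.*\*Disabled", re.IGNORECASE)
# GMER disk trace: a module it cannot attribute to any loaded driver.
UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[0x[0-9A-Fa-f]+\]<<")
# An IRP major function dispatched to a raw address instead of a driver.
IRP_DISPATCH = re.compile(r"-> IRP_MJ_\w+ -> 0x[0-9A-Fa-f]+$")
# A driver entry point (e.g. DriverStartIo) redirected to a raw address.
DRIVER_HOOK = re.compile(r"^\\Driver\\\S+ \w+ -> 0x[0-9A-Fa-f]+$")
ROOTKIT_WARNING = re.compile(r"^Warning: possible .* rootkit", re.IGNORECASE)

# DDS section headers look like "====== Running Processes ======".
SECTION_HEADER = re.compile(r"^=+\s*([A-Za-z][^=]*?)\s*=+$")


def split_sections(text):
    """Return {SECTION NAME: [non-empty lines]} for a DDS report.

    Lines before the first header land in "HEADER"; DDS's lone "."
    spacer lines are dropped.
    """
    sections = {"HEADER": []}
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_HEADER.match(line)
        if m:
            current = m.group(1).strip().upper()
            sections.setdefault(current, [])
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def triage_dds(text):
    """Return [(indicator, line), ...] in the order the lines appear."""
    findings = []
    sections = split_sections(text)
    for line in sections.get("HEADER", []):
        if AV_DISABLED.match(line):
            findings.append(("av_disabled", line))
    for line in sections.get("RUNNING PROCESSES", []):
        if ADS_PROCESS.match(line):
            findings.append(("ads_process", line))
    for line in sections.get("ROOTKIT", []):
        if UNKNOWN_MODULE.search(line):
            findings.append(("unknown_disk_module", line))
        elif IRP_DISPATCH.search(line):
            findings.append(("irp_dispatch", line))
        elif DRIVER_HOOK.match(line):
            findings.append(("driver_hook", line))
        elif ROOTKIT_WARNING.match(line):
            findings.append(("rootkit_warning", line))
    return findings


# Constructed excerpt of the DDS / GMER output posted above.
SAMPLE_LOG = "\n".join([
    "DDS (Ver_2011-08-26.01) - NTFSx86",
    "AV: McAfee Security-as-a-Service Anti-virus *Disabled/Outdated* {8C354827-2F54-4E28-90DC-AD391E77808C}",
    ".",
    "============== Running Processes ===============",
    ".",
    r"C:\WINDOWS\system32\svchost -k DcomLaunch",
    r"C:\WINDOWS\System32\svchost.exe -k netsvcs",
    r"C:\WINDOWS\3423871622:2044586803.exe",
    r"C:\WINDOWS\system32\spoolsv.exe",
    "=================== ROOTKIT ====================",
    "Disk trace:",
    "called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x88884790]<<",
    r"\Driver\00001668[0x88DD2B10] -> IRP_MJ_CREATE -> 0x88884790",
    "detected hooks:",
    r"\Driver\atapi DriverStartIo -> 0x8970431B",
    "user & kernel MBR OK",
    "Warning: possible TDL3 rootkit infection !",
    "============= FINISH: 8:46:38.13 ===============",
])

if __name__ == "__main__":
    for indicator, line in triage_dds(SAMPLE_LOG):
        print(f"{indicator:20s} {line}")
```

Run against the excerpt it reports six findings in log order. The rules are deliberately narrow: a colon-in-filename check catches only alternate-data-stream paths in the process list, and the hook rules only fire inside the ROOTKIT section, so ordinary lines such as `svchost.exe -k netsvcs` produce nothing.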

Hello RenegadeMaster! Welcome to Malwarebytes Forums! :welcome:

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

IMPORTANT NOTE: One or more of the identified infections is related to the rootkit ZeroAccess. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:

Backup Your Registry with ERUNT

  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

Open Erunt.exe. Follow the prompts leaving the values at default.

Note: to restore your registry, go to the folder and start ERDNT.exe

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If a malicious object is detected, the default action will be Cure; click on Continue.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • Select Skip for sptd.sys.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Regards,

Georgi


Hi Georgi

The results of the scan are:

2011/09/12 14:14:50.0531 1580 TDSS rootkit removing tool 2.5.21.0 Sep 10 2011 21:07:05

2011/09/12 14:14:51.0703 1580 ================================================================================

2011/09/12 14:14:51.0703 1580 SystemInfo:

2011/09/12 14:14:51.0703 1580

2011/09/12 14:14:51.0718 1580 OS Version: 5.1.2600 ServicePack: 3.0

2011/09/12 14:14:51.0718 1580 Product type: Workstation

2011/09/12 14:14:51.0718 1580 ComputerName: PC02

2011/09/12 14:14:51.0718 1580 UserName: danielo

2011/09/12 14:14:51.0718 1580 Windows directory: C:\WINDOWS

2011/09/12 14:14:51.0718 1580 System windows directory: C:\WINDOWS

2011/09/12 14:14:51.0718 1580 Processor architecture: Intel x86

2011/09/12 14:14:51.0718 1580 Number of processors: 1

2011/09/12 14:14:51.0718 1580 Page size: 0x1000

2011/09/12 14:14:51.0718 1580 Boot type: Safe boot with network

2011/09/12 14:14:51.0718 1580 ================================================================================

2011/09/12 14:14:54.0171 1580 Initialize success

2011/09/12 14:14:58.0265 0232 ================================================================================

2011/09/12 14:14:58.0265 0232 Scan started

2011/09/12 14:14:58.0265 0232 Mode: Manual;

2011/09/12 14:14:58.0265 0232 ================================================================================

2011/09/12 14:15:00.0359 0232 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/09/12 14:15:00.0593 0232 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/09/12 14:15:00.0906 0232 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/09/12 14:15:01.0046 0232 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys

2011/09/12 14:15:01.0343 0232 AgereSoftModem (7560f465f1ce69c53bf17559ee195548) C:\WINDOWS\system32\DRIVERS\AGRSM.sys

2011/09/12 14:15:01.0828 0232 ALCXWDM (8d6c30e515717248e0e52b85fd7ac466) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2011/09/12 14:15:02.0156 0232 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys

2011/09/12 14:15:02.0484 0232 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2011/09/12 14:15:03.0109 0232 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/09/12 14:15:03.0171 0232 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/09/12 14:15:03.0484 0232 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/09/12 14:15:03.0687 0232 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/09/12 14:15:03.0859 0232 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/09/12 14:15:04.0062 0232 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/09/12 14:15:04.0218 0232 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2011/09/12 14:15:04.0515 0232 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/09/12 14:15:04.0656 0232 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/09/12 14:15:05.0609 0232 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/09/12 14:15:05.0734 0232 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/09/12 14:15:05.0968 0232 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/09/12 14:15:06.0140 0232 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/09/12 14:15:06.0328 0232 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/09/12 14:15:06.0656 0232 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/09/12 14:15:06.0906 0232 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/09/12 14:15:07.0046 0232 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2011/09/12 14:15:07.0296 0232 FET5X86V (4580f83e94774aa1724179a6a97e25e6) C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys

2011/09/12 14:15:07.0421 0232 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys

2011/09/12 14:15:07.0640 0232 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/09/12 14:15:07.0703 0232 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2011/09/12 14:15:07.0875 0232 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/09/12 14:15:08.0140 0232 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/09/12 14:15:08.0296 0232 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/09/12 14:15:08.0437 0232 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/09/12 14:15:08.0593 0232 hamachi (833051c6c6c42117191935f734cfbd97) C:\WINDOWS\system32\DRIVERS\hamachi.sys

2011/09/12 14:15:08.0781 0232 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/09/12 14:15:09.0031 0232 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/09/12 14:15:09.0359 0232 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys

2011/09/12 14:15:09.0593 0232 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/09/12 14:15:09.0968 0232 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/09/12 14:15:10.0140 0232 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/09/12 14:15:10.0312 0232 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/09/12 14:15:10.0484 0232 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/09/12 14:15:10.0609 0232 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/09/12 14:15:10.0781 0232 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/09/12 14:15:10.0968 0232 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/09/12 14:15:11.0187 0232 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/09/12 14:15:11.0312 0232 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/09/12 14:15:11.0468 0232 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/09/12 14:15:11.0593 0232 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/09/12 14:15:12.0109 0232 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys

2011/09/12 14:15:12.0359 0232 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys

2011/09/12 14:15:12.0687 0232 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys

2011/09/12 14:15:12.0906 0232 LVUSBSta (9e9306063ecd8aa91b3fb76678d3cee2) C:\WINDOWS\system32\drivers\LVUSBSta.sys

2011/09/12 14:15:13.0187 0232 mfeapfk (37364b530339ff0b0ababc8df1c532c3) C:\WINDOWS\system32\drivers\mfeapfk.sys

2011/09/12 14:15:13.0375 0232 MfeAVFK (cd2a8a43bd6b0d15a3255829b1778285) C:\WINDOWS\system32\drivers\mfeavfk.sys

2011/09/12 14:15:13.0593 0232 MfeBOPK (2cd52e91ba338f10ba14d3f90bbda5e8) C:\WINDOWS\system32\drivers\mfebopk.sys

2011/09/12 14:15:13.0734 0232 mfehidk (cf669582f5f98c4ba79d59cfe169198b) C:\WINDOWS\system32\drivers\mfehidk.sys

2011/09/12 14:15:13.0968 0232 mferkdet (42f84c2a82a057d74c54ef70e0cf0a2c) C:\WINDOWS\system32\drivers\mferkdet.sys

2011/09/12 14:15:14.0187 0232 MfeRKDK (820d6aa3f7f0cfa8a1fa8f63d3f1df04) C:\WINDOWS\system32\drivers\MfeRKDK.sys

2011/09/12 14:15:14.0375 0232 mfetdi2k (03b2b8bd4d0a2d3636be9248b5dce33a) C:\WINDOWS\system32\drivers\mfetdi2k.sys

2011/09/12 14:15:14.0531 0232 mfetdik (3812e49fa67a3f604895f0d0c2e1ef90) C:\WINDOWS\system32\drivers\mfetdik.sys

2011/09/12 14:15:14.0765 0232 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/09/12 14:15:14.0875 0232 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/09/12 14:15:15.0031 0232 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/09/12 14:15:15.0140 0232 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/09/12 14:15:15.0343 0232 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/09/12 14:15:15.0625 0232 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/09/12 14:15:15.0750 0232 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/09/12 14:15:16.0046 0232 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/09/12 14:15:16.0187 0232 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/09/12 14:15:16.0375 0232 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/09/12 14:15:16.0484 0232 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/09/12 14:15:16.0703 0232 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/09/12 14:15:16.0890 0232 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

2011/09/12 14:15:17.0031 0232 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys

2011/09/12 14:15:17.0250 0232 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2011/09/12 14:15:17.0406 0232 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/09/12 14:15:17.0609 0232 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2011/09/12 14:15:17.0750 0232 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/09/12 14:15:17.0937 0232 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/09/12 14:15:18.0093 0232 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/09/12 14:15:18.0281 0232 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/09/12 14:15:18.0406 0232 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/09/12 14:15:18.0640 0232 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/09/12 14:15:18.0812 0232 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2011/09/12 14:15:19.0140 0232 npf (b48dc6abcd3aeff8618350ccbdc6b09a) C:\WINDOWS\system32\drivers\npf.sys

2011/09/12 14:15:19.0265 0232 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/09/12 14:15:19.0468 0232 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/09/12 14:15:19.0671 0232 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/09/12 14:15:19.0796 0232 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/09/12 14:15:20.0000 0232 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/09/12 14:15:20.0093 0232 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2011/09/12 14:15:20.0328 0232 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/09/12 14:15:20.0437 0232 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/09/12 14:15:20.0640 0232 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/09/12 14:15:20.0750 0232 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/09/12 14:15:21.0062 0232 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/09/12 14:15:21.0250 0232 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/09/12 14:15:21.0812 0232 pepifilter (d30eda6e1ab3c8c82f2ca085ab79040a) C:\WINDOWS\system32\DRIVERS\lv302af.sys

2011/09/12 14:15:22.0390 0232 PID_PEPI (0da6c5e0c8da6cebe52daacfe7ae9de6) C:\WINDOWS\system32\DRIVERS\LV302V32.SYS

2011/09/12 14:15:22.0562 0232 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/09/12 14:15:22.0750 0232 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/09/12 14:15:22.0937 0232 PSSDK42 (c8eb36910d3bd582891977e80925e21e) C:\WINDOWS\system32\Drivers\pssdk42.sys

2011/09/12 14:15:23.0125 0232 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/09/12 14:15:23.0593 0232 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/09/12 14:15:23.0750 0232 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/09/12 14:15:23.0968 0232 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/09/12 14:15:24.0109 0232 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/09/12 14:15:24.0265 0232 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/09/12 14:15:24.0468 0232 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/09/12 14:15:24.0625 0232 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/09/12 14:15:24.0796 0232 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/09/12 14:15:25.0031 0232 redbook (f1f8ee9570078585254f2552bd21398d) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/09/12 14:15:25.0062 0232 redbook - detected Rootkit.Win32.ZAccess.e (0)

2011/09/12 14:15:25.0390 0232 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/09/12 14:15:25.0500 0232 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/09/12 14:15:25.0703 0232 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/09/12 14:15:26.0046 0232 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/09/12 14:15:26.0359 0232 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2011/09/12 14:15:26.0671 0232 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/09/12 14:15:27.0015 0232 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys

2011/09/12 14:15:27.0015 0232 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b

2011/09/12 14:15:27.0031 0232 sptd - detected LockedFile.Multi.Generic (1)

2011/09/12 14:15:27.0234 0232 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/09/12 14:15:27.0421 0232 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/09/12 14:15:27.0656 0232 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys

2011/09/12 14:15:27.0875 0232 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2011/09/12 14:15:28.0015 0232 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/09/12 14:15:28.0218 0232 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/09/12 14:15:28.0718 0232 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/09/12 14:15:28.0937 0232 taphss (0c3b2a9c4bd2dd9a6c2e4084314dd719) C:\WINDOWS\system32\DRIVERS\taphss.sys

2011/09/12 14:15:29.0093 0232 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/09/12 14:15:29.0359 0232 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/09/12 14:15:29.0484 0232 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/09/12 14:15:29.0703 0232 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/09/12 14:15:30.0031 0232 uagp35 (d85938f272d1bcf3db3a31fc0a048928) C:\WINDOWS\system32\DRIVERS\uagp35.sys

2011/09/12 14:15:30.0171 0232 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/09/12 14:15:30.0500 0232 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/09/12 14:15:30.0796 0232 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys

2011/09/12 14:15:30.0921 0232 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

2011/09/12 14:15:31.0156 0232 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/09/12 14:15:31.0218 0232 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/09/12 14:15:31.0421 0232 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/09/12 14:15:31.0625 0232 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/09/12 14:15:31.0734 0232 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/09/12 14:15:31.0937 0232 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/09/12 14:15:32.0125 0232 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/09/12 14:15:32.0328 0232 viagfx (949f86f5a8e493574bbb830c3d18e4a9) C:\WINDOWS\system32\DRIVERS\vtmini.sys

2011/09/12 14:15:32.0531 0232 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2011/09/12 14:15:32.0625 0232 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/09/12 14:15:32.0859 0232 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/09/12 14:15:33.0156 0232 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/09/12 14:15:33.0578 0232 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2011/09/12 14:15:33.0812 0232 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/09/12 14:15:34.0015 0232 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/09/12 14:15:34.0140 0232 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

2011/09/12 14:15:34.0328 0232 Boot (0x1200) (a3dd2d96b9cc15f2ffd7b5057e9061ff) \Device\Harddisk0\DR0\Partition0

2011/09/12 14:15:34.0343 0232 ================================================================================

2011/09/12 14:15:34.0343 0232 Scan finished

2011/09/12 14:15:34.0343 0232 ================================================================================

2011/09/12 14:15:34.0375 0424 Detected object count: 2

2011/09/12 14:15:34.0375 0424 Actual detected object count: 2

2011/09/12 14:15:52.0234 0424 redbook (f1f8ee9570078585254f2552bd21398d) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/09/12 14:15:52.0234 0424 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\redbook.sys) error 1813

2011/09/12 14:15:56.0109 0424 Backup copy found, using it..

2011/09/12 14:15:56.0156 0424 C:\WINDOWS\system32\DRIVERS\redbook.sys - will be cured after reboot

2011/09/12 14:15:56.0156 0424 Rootkit.Win32.ZAccess.e(redbook) - User select action: Cure

2011/09/12 14:15:56.0156 0424 LockedFile.Multi.Generic(sptd) - User select action: Skip

2011/09/12 14:16:50.0062 1004 Deinitialize success

I also earlier managed to get Malwarebytes running and performed a scan. This found 81 problems and fixed them. A second scan with Malwarebytes shows zero problems. However I still can't seem to get my McAfee to work so assume there is still a problem.

Cheers

Dan


Hi Dan,

Some notes before we proceed.

Please don't do more than I ask you to.

Doing so can render your computer unbootable.

Keep calm, removing malware isn't a quick process.

Can you also post me the latest MBAM log to see what was removed ?

Please download ComboFix from the link below:

Combofix

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
  • Double click it & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

Regards,

Georgi


Hey Georgi

Not doing too well with the combofix, downloaded it to desktop and ran it, it got about half way then closed. Now I can't reopen it. :angry:

The MBAM log is:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7698

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

12/09/2011 13:21:26

mbam-log-2011-09-12 (13-21-26).txt

Scan type: Full scan (C:\|)

Objects scanned: 322230

Time elapsed: 37 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 19

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\862214cc (Backdoor.0Access) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\3423871622:2044586803.exe (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\documents and settings\danielo\application data\Sun\Java\deployment\cache\6.0\20\44175314-796458d2 (Trojan.Downloader.adb) -> Quarantined and deleted successfully.

c:\documents and settings\danielo\local settings\Temp\0.5257411642712513.exe (Trojan.Downloader.adb) -> Quarantined and deleted successfully.

c:\system volume information\_restore{c4fc6fd0-cdf9-42de-a85f-7a5e77952ebc}\RP610\A0069404.ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\system volume information\_restore{c4fc6fd0-cdf9-42de-a85f-7a5e77952ebc}\RP610\A0069431.ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\system volume information\_restore{c4fc6fd0-cdf9-42de-a85f-7a5e77952ebc}\RP610\A0069445.ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\system volume information\_restore{c4fc6fd0-cdf9-42de-a85f-7a5e77952ebc}\RP611\A0069462.ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\system volume information\_restore{c4fc6fd0-cdf9-42de-a85f-7a5e77952ebc}\RP611\A0069466.ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\system volume information\_restore{c4fc6fd0-cdf9-42de-a85f-7a5e77952ebc}\RP611\A0069474.ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\system volume information\_restore{c4fc6fd0-cdf9-42de-a85f-7a5e77952ebc}\RP611\A0069480.ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\system volume information\_restore{c4fc6fd0-cdf9-42de-a85f-7a5e77952ebc}\RP612\A0069553.exe (Trojan.PWS) -> Quarantined and deleted successfully.

c:\system volume information\_restore{c4fc6fd0-cdf9-42de-a85f-7a5e77952ebc}\RP612\A0069554.exe (Trojan.PWS) -> Quarantined and deleted successfully.

c:\system volume information\_restore{c4fc6fd0-cdf9-42de-a85f-7a5e77952ebc}\RP612\A0069555.exe (Trojan.PWS) -> Quarantined and deleted successfully.

c:\system volume information\_restore{c4fc6fd0-cdf9-42de-a85f-7a5e77952ebc}\RP613\A0069842.ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\system volume information\_restore{c4fc6fd0-cdf9-42de-a85f-7a5e77952ebc}\RP613\A0069869.ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\WINDOWS\assembly\GAC_MSIL\desktop(2).ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\drivers\cdrom.sys (Trojan.Patched) -> Quarantined and deleted successfully.

c:\documents and settings\danielo\application data\Adobe\shed\thr1.chm (Malware.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\danielo\application data\Adobe\plugs\mmc261972046.txt (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

Dan


Hi Dan,

Let's take a deeper look:

STEP 1

We need to scan the system with this special tool.

  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.

STEP 2

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :Filefind
    cdrom.*

    :reg
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.cdrom


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Regards,

Georgi


Junction log

Junction v1.06 - Windows junction creator and reparse point viewer

Copyright © 2000-2010 Mark Russinovich

Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\System Volume Information: Access is denied.

Failed to open \\?\c:\\062de85886cf30e429fe3a37d39f2a\amd64: Access is denied.

Failed to open \\?\c:\\062de85886cf30e429fe3a37d39f2a\i386: Access is denied.

...

...

...

...

...

...

...

Failed to open \\?\c:\\Documents and Settings\danielo\Desktop\ComboFix.exe: Access is denied.

Failed to open \\?\c:\\Documents and Settings\danielo\Desktop\fixxer.exe: Access is denied.

...

...

...

..

Failed to open \\?\c:\\Documents and Settings\danielo\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db: Access is denied.

Failed to open \\?\c:\\Documents and Settings\danielo\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db.shadow: Access is denied.

.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

Failed to open \\?\c:\\Documents and Settings\danielo\My Documents\Downloads\ComboFix.exe: Access is denied.

...

...

...

...

...

...

...

...

..

Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\iexplore.com: Access is denied.

Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.

.

...

...

...

Failed to open \\?\c:\\WINDOWS\$NtUninstallKB27921$: Access is denied.

...

...

...

..\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION

Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

Failed to open \\?\c:\\WINDOWS\assembly\GAC_MSIL\Desktop.ini: Access is denied.

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION

Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

.

...

...

...\\?\c:\\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a: JUNCTION

Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492

Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492

...

...

...

...

...

...

...

System Look

SystemLook 30.07.11 by jpshortstuff

Log created at 16:23 on 12/09/2011 by danielo

Administrator - Elevation successful

========== Filefind ==========

Searching for "cdrom.*"

C:\Documents and Settings\Dan Ody\My Documents\My Downloads\Nero\Nero\CDROM.CFG ------- 235188 bytes [11:46 16/02/2010] [05:03 08/04/2003] F777464E530671F260084C904D5F11ED

C:\Documents and Settings\Dan Ody\My Documents\My Downloads\Nero\Nero\CDROM.dll ------- 192512 bytes [11:46 16/02/2010] [06:36 30/05/2003] 0C12421CA7F58E3D10C5D8F9B4310161

C:\Documents and Settings\danielo\Desktop\Backup\My Documents\My Downloads\Nero\Nero\CDROM.CFG ------- 235188 bytes [17:06 16/02/2010] [05:03 08/04/2003] F777464E530671F260084C904D5F11ED

C:\Documents and Settings\danielo\Desktop\Backup\My Documents\My Downloads\Nero\Nero\CDROM.dll ------- 192512 bytes [17:06 16/02/2010] [06:36 30/05/2003] 0C12421CA7F58E3D10C5D8F9B4310161

C:\Program Files\Ahead\Nero\CDROM.CFG ------- 235188 bytes [10:16 27/02/2010] [05:03 08/04/2003] F777464E530671F260084C904D5F11ED

C:\Program Files\Ahead\Nero\CDROM.dll ------- 192512 bytes [10:16 27/02/2010] [06:36 30/05/2003] 0C12421CA7F58E3D10C5D8F9B4310161

C:\WINDOWS\$NtServicePackUninstall$\cdrom.sys -----c- 49536 bytes [10:13 16/02/2010] [12:00 28/02/2006] AF9C19B3100FE010496B1A27181FBF72

C:\WINDOWS\inf\cdrom.inf ------- 35450 bytes [12:00 28/02/2006] [12:00 28/02/2006] 9BAA6F3637647C25A05F0AC694F5C5E6

C:\WINDOWS\inf\cdrom.PNF ------- 56516 bytes [09:18 16/02/2010] [09:59 16/02/2010] 40CEE6F2C7031B01EF459D45232D3314

C:\WINDOWS\ServicePackFiles\i386\cdrom.inf ------- 35450 bytes [10:09 16/02/2010] [12:00 28/02/2006] 9BAA6F3637647C25A05F0AC694F5C5E6

C:\WINDOWS\ServicePackFiles\i386\cdrom.sys ------- 62976 bytes [18:40 13/04/2008] [18:40 13/04/2008] 1F4260CC5B42272D71F79E570A27A4FE

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]

"DependOnGroup"="SCSI miniport"

"ErrorControl"= 0x0000000001 (1)

"Group"="SCSI CDROM Class"

"Start"= 0x0000000001 (1)

"Tag"= 0x0000000002 (2)

"Type"= 0x0000000001 (1)

"DisplayName"="CD-ROM Driver"

"ImagePath"="system32\DRIVERS\cdrom.sys"

"AutoRun"= 0x0000000001 (1)

"AutoRunAlwaysDisable"="NEC MBR-7 NEC MBR-7.4 PIONEER CHANGR DRM-1804X PIONEER CD-ROM DRM-6324X PIONEER CD-ROM DRM-624X TORiSAN CD-ROM CDR_C36"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.cdrom]

"Type"= 0x0000000001 (1)

"Start"= 0x0000000003 (3)

"ImagePath"="\*"

-= EOF =-

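A mechanical way to read the reg section of that SystemLook log, added here as an example and not SystemLook's or the thread's own tooling: it parses the `[key]` and `"name"=value` lines into a dictionary and reports service keys whose name starts with a dot or whose ImagePath is not a .sys/.exe/.dll path. Those two rules and the embedded sample (copied from the log above) are this example's assumptions; on that input the legitimate Cdrom service passes and the `.cdrom` entry with ImagePath `\*` is reported, which is the second key the :reg query above asked for.

```python
"""Parse the ':reg' section of a SystemLook log and flag odd service entries.

Added example; not SystemLook's code and not a tool from the thread. Input is
the reg section posted above, embedded here as a constructed sample. The
rules are assumptions: a service key whose name starts with '.' or whose
ImagePath is not a .sys/.exe/.dll path is reported for review.
"""
import re
from typing import Dict, List

# Constructed sample: the ':reg' part of the SystemLook log in the thread.
SAMPLE_REG = r"""========== reg ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"DependOnGroup"="SCSI miniport"
"ErrorControl"= 0x0000000001 (1)
"Group"="SCSI CDROM Class"
"Start"= 0x0000000001 (1)
"Tag"= 0x0000000002 (2)
"Type"= 0x0000000001 (1)
"DisplayName"="CD-ROM Driver"
"ImagePath"="system32\DRIVERS\cdrom.sys"
"AutoRun"= 0x0000000001 (1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.cdrom]
"Type"= 0x0000000001 (1)
"Start"= 0x0000000003 (3)
"ImagePath"="\*"
-= EOF =-
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*0x(?P<hex>[0-9a-fA-F]+)\s*\((?P<dec>\d+)\)$')
# A service key is a direct child of ...\Services; ...\Services\Cdrom\Enum is not.
SERVICE_RE = re.compile(r"\\services\\(?P<name>[^\\]+)$", re.IGNORECASE)
# A driver or service image should end in .sys/.exe/.dll (arguments may follow).
IMAGE_OK_RE = re.compile(r"\.(sys|exe|dll)(\s|$)", re.IGNORECASE)


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Map each [key] to its values; DWORDs become int, strings stay str."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            current = k.group("key")
            keys[current] = {}
            continue
        if current is None:
            continue  # header lines such as '========== reg =========='
        d = DWORD_RE.match(line)
        if d:
            keys[current][d.group("name")] = int(d.group("hex"), 16)
            continue
        s = STR_RE.match(line)
        if s:
            keys[current][s.group("name")] = s.group("value")
    return keys


def suspicious_services(keys: Dict[str, Dict[str, object]]) -> List[Dict[str, object]]:
    """Service keys that break one of the (assumed) sanity rules, with reasons."""
    findings = []
    for key, values in keys.items():
        m = SERVICE_RE.search(key)
        if not m:
            continue
        name = m.group("name")
        reasons = []
        if name.startswith("."):
            reasons.append("service name begins with a dot")
        image = values.get("ImagePath")
        if image is not None:
            image = str(image)
            if "*" in image or not IMAGE_OK_RE.search(image):
                reasons.append(f"ImagePath is not a driver/executable path: {image!r}")
        if reasons:
            findings.append({"key": key, "name": name,
                             "start": values.get("Start"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in suspicious_services(parse_reg(SAMPLE_REG)):
        print(hit["key"], "->", "; ".join(hit["reasons"]))
```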

Hi Dan,

STEP 1

We need to reset the permissions altered by the malware on some files:

  • Download this tool and save it to the desktop:
  • Make sure Inherit.exe is placed on your desktop.
  • Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK:
    "%userprofile%\desktop\inherit.exe" "c:\062de85886cf30e429fe3a37d39f2a\amd64"
    "%userprofile%\desktop\inherit.exe" "c:\062de85886cf30e429fe3a37d39f2a\i386"
    "%userprofile%\desktop\inherit.exe" "c:\Documents and Settings\danielo\Desktop\ComboFix.exe"
    "%userprofile%\desktop\inherit.exe" "c:\Documents and Settings\danielo\Desktop\fixxer.exe"
    "%userprofile%\desktop\inherit.exe" "c:\Documents and Settings\danielo\My Documents\Downloads\ComboFix.exe"
    "%userprofile%\desktop\inherit.exe" "c:\Program Files\Malwarebytes' Anti-Malware\iexplore.com"
    "%userprofile%\desktop\inherit.exe" "c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
  • If you get a security warning select Run.
  • You will get a "Finish" popup. Click OK.
  • Do the same for the rest of the lines until you have run all the above commands one by one.

STEP 2

Delete your copy of Combofix and download a fresh one from here.

I want you to rename Combofix.exe as you download it to svchost.exe

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Close any open browsers.

Double click on the renamed combofix.exe on your desktop (svchost.exe) & follow the prompts.

When finished, it will produce a logfile located at C:\ComboFix.txt

Post the log in your next reply.

Regards,

Georgi

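The Step 1 list above was built by hand from the Junction log in the previous post. As an added example (not the thread's tool and not Sysinternals code), the script below does that derivation: it collects the "Access is denied" paths, drops the locations a stock XP install denies to an ordinary user anyway, and prints one inherit.exe command per remaining path in the form posted above; it also lists any reparse point whose target is outside WinSxS (the GAC junctions in the log all point there). The expected-denial list and the inherit.exe location are assumptions.

```python
"""Triage a Sysinternals Junction log from a malware-removal thread.

Added example, not the thread's own tooling and not Sysinternals code. It
turns the "Failed to open <path>: Access is denied." lines into inherit.exe
reset commands and lists reparse points whose target lies outside WinSxS.
The expected-denial list is an assumption about what a stock XP system
refuses to a user; the inherit.exe location follows the post above.
"""
import re
from typing import Dict, List

# Constructed sample: a handful of lines copied from the Junction log in the
# thread (the run of "..." progress dots is abbreviated to one line).
SAMPLE_LOG = r"""Junction v1.06 - Windows junction creator and reparse point viewer
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\System Volume Information: Access is denied.
Failed to open \\?\c:\\062de85886cf30e429fe3a37d39f2a\amd64: Access is denied.
Failed to open \\?\c:\\062de85886cf30e429fe3a37d39f2a\i386: Access is denied.
...
Failed to open \\?\c:\\Documents and Settings\danielo\Desktop\ComboFix.exe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\danielo\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db: Access is denied.
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\iexplore.com: Access is denied.
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB27921$: Access is denied.
\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
"""

# Junction prefixes every path with \\?\ and doubles the backslash after the
# drive letter; the JUNCTION lines may also carry leftover progress dots.
FAILED_RE = re.compile(r"^Failed to open \\\\\?\\(?P<path>.+?): (?P<reason>.+)$")
JUNCTION_RE = re.compile(r"^\.*\\\\\?\\(?P<path>.+?): JUNCTION$")
TARGET_RE = re.compile(r"^Substitute Name:\s*(?P<target>.+)$")

# Locations a plain user account is normally refused on XP; these denials are
# not an ACL change by the malware and need no reset (assumption).
EXPECTED_DENIED = ("\\system volume information", "\\cardspace\\", "\\$ntuninstall")


def _clean(path: str) -> str:
    # 'c:\\foo' as printed by Junction becomes 'c:\foo'
    return path.replace(":\\\\", ":\\")


def parse_failures(log: str) -> List[Dict[str, str]]:
    """Every 'Failed to open' line as {'path': ..., 'reason': ...}."""
    out = []
    for line in log.splitlines():
        m = FAILED_RE.match(line.strip())
        if m:
            out.append({"path": _clean(m.group("path")), "reason": m.group("reason")})
    return out


def paths_to_reset(log: str) -> List[str]:
    """Access-denied paths that are not expected to be denied: ACL reset candidates."""
    result = []
    for item in parse_failures(log):
        if item["reason"] != "Access is denied.":
            continue  # e.g. pagefile.sys is locked by the system, not an ACL problem
        if any(marker in item["path"].lower() for marker in EXPECTED_DENIED):
            continue
        result.append(item["path"])
    return result


def inherit_commands(paths: List[str],
                     inherit_exe: str = r"%userprofile%\desktop\inherit.exe") -> List[str]:
    """One Run-box command per path, in the form used in the post above."""
    return [f'"{inherit_exe}" "{p}"' for p in paths]


def foreign_junctions(log: str) -> List[Dict[str, str]]:
    """Reparse points whose target is outside C:\\WINDOWS\\WinSxS."""
    found = []
    current = None
    for line in log.splitlines():
        line = line.strip()
        j = JUNCTION_RE.match(line)
        if j:
            current = _clean(j.group("path"))
            continue
        t = TARGET_RE.match(line)
        if t and current is not None:
            target = t.group("target").strip()
            if not target.lower().startswith("c:\\windows\\winsxs\\"):
                found.append({"path": current, "target": target})
            current = None
    return found


if __name__ == "__main__":
    for cmd in inherit_commands(paths_to_reset(SAMPLE_LOG)):
        print(cmd)
    print("junctions outside WinSxS:", foreign_junctions(SAMPLE_LOG))
```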

Hi Georgi

I'd like to thank you for taking the time out to try and help me, I really do appreciate it.

However, I have been thinking about this overnight (to be honest I haven't slept much through worrying about it) and having read the links you posted with regard to rootkits I have decided to stop trying to fix my PC, and just reinstall the OS instead. This is mainly because this is a business machine which is used partially for processing credit card payments, and I am worried about its continued vulnerability even if I do manage to fix it.

I have backed up everything of importance to an external drive and will scan it before re-installing.

Thanks again for your time and patience.

Dan


Hi Dan,

You had to mention that at the beginning.

This is the best decision for a business PC.

I strongly recommend that you ask your IT support/network Administrator to fix this. After all they are paid to do so.

Personally I avoid fixing a business PC for several reasons:

  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for law suits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting a Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.

After you wipe and reinstall the OS, I would suggest the very first thing you do is set up your firewall and antivirus program immediately.

Keep your antivirus software turned on and up-to-date

  • Make sure your antivirus software is turned on and up-to-date.
  • New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
  • Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Visit Microsoft's Windows Update Site Frequently

It is important that you visit Windows Update regularly.

This will ensure your computer has always the latest security updates available installed on your computer.

If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you.

Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.

You can check these by scanning with Secunia Software Inspector.

Change all your passwords !

Since your computer was infected with a rootkit, for peace of mind I would advise that all your passwords be changed immediately!

Inform your financial institutions that you may be a victim of identity theft and to put a watch on all your accounts and passwords or change them.

Take any other steps that you may think are necessary to prevent financial distress due to identity theft.

Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:

  1. If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  2. If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  3. If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  4. If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article:
    Foistware, And how to avoid it.
    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  5. Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  6. Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  7. When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  8. Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  9. Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
  10. DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.

Don't use pirated software !!!

Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications.

Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems.

So my advice is - stay away from them!

Follow this list and your potential for being infected again will reduce dramatically.

Safe Surfing ! ;)

Regards,

Georgi


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
