
Malwarebytes won't run



Noticed three symptoms

1. The same pop-up leading me to a site for a 'prize'

2. Google redirect

3. Large svchost.exe process that hogs all CPU use

Was able to download and install Malwarebytes, but can only get it to run while operating in Safe Mode without network connections. System (XP SP3) still retained all issues after running Malwarebytes twice. Have followed all the steps in the "I'm infected - What do I do now?" forum without any improvement. Here are the Malwarebytes logs:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

10/7/2011 9:21:27 AM

mbam-log-2011-10-07 (09-21-15).txt

Scan type: Quick scan

Objects scanned: 255762

Time elapsed: 48 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\ADMIN\my documents\downloads\IWON.exe (Adware.FunWeb) -> No action taken.

c:\documents and settings\ADMIN\my documents\downloads\mightymagoosetup.exe (Adware.Gamevance) -> No action taken.

c:\documents and settings\ADMIN\my documents\downloads\setupplaypickle.exe (Adware.Gamevance) -> No action taken.

c:\program files\HPZUCI12.DLL (Spyware.OnlineGames) -> No action taken.

c:\program files\tls704d.dll (Spyware.OnlineGames) -> No action taken.

c:\documents and settings\ADMIN\local settings\Temp\0.6288565234024981.exe (Exploit.Drop.2) -> No action taken.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7965

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

10/17/2011 11:07:51 AM

mbam-log-2011-10-17 (11-07-51).txt

Scan type: Quick scan

Objects scanned: 278531

Time elapsed: 50 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\ADMIN\local settings\temporary internet files\Content.IE5\1C8VT7P8\file[1].exe (Backdoor.Bot) -> Quarantined and deleted successfully.

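A short parser for this log format, added here as an illustration (it is not part of the thread or of Malwarebytes' own tooling). It reads a constructed excerpt built from three of the six entries in the first log above and separates detections that were quarantined from those that end in `No action taken`, which is the check a responder makes on that first scan: every item was identified but none was removed, and the scan ran in Safe Mode. The `SAMPLE_LOG` text and the `parse_mbam_log`, `unremediated` and `summarize` functions are the example's own.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x scan log (added example)."""
import re
from collections import Counter

# Constructed excerpt: three of the six entries from the first log in this
# thread, laid out the way the scanner writes them.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Scan type: Quick scan

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\ADMIN\my documents\downloads\IWON.exe (Adware.FunWeb) -> No action taken.

c:\program files\tls704d.dll (Spyware.OnlineGames) -> No action taken.

c:\documents and settings\ADMIN\local settings\Temp\0.6288565234024981.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
"""

# "<item> (<detection name>) -> <action>." as written in the per-section lists
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# "Files Infected:" style section header (nothing after the colon)
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+):$")
# "Database version: 7622" style header field
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


def parse_mbam_log(text):
    """Return (header fields, detection records) for one log."""
    header, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if section is None and line.startswith("Windows "):
            header["Windows"] = line          # OS line carries the Safe Mode marker
            continue
        m = DETECTION_RE.match(line)
        if m and section is not None:
            detections.append({"section": section, **m.groupdict()})
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = FIELD_RE.match(line)
        if m and section is None:
            header[m["key"]] = m["value"]
    return header, detections


def unremediated(detections):
    """Detections the scan logged but did not quarantine or delete."""
    return [d for d in detections if d["action"].startswith("No action taken")]


def summarize(text):
    """Condense one log into the facts a responder reads first."""
    header, detections = parse_mbam_log(text)
    return {
        "database_version": header.get("Database version"),
        "safe_mode": "(Safe Mode)" in header.get("Windows", ""),
        "declared": int(header.get("Files Infected", "0")),   # count in the header
        "detected": len(detections),                          # entries actually listed
        "actions": dict(Counter(d["action"] for d in detections)),
        "unremediated": [d["item"] for d in unremediated(detections)],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"database {s['database_version']}, safe mode: {s['safe_mode']}")
    print(f"{s['detected']} of {s['declared']} declared detections listed; actions: {s['actions']}")
    for item in s["unremediated"]:
        print("NOT REMOVED:", item)
```

Run against a saved `mbam-log-*.txt` instead of `SAMPLE_LOG`, a non-empty `unremediated` list is the signal that the scan still has to be re-run with the items selected for removal.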

I was able to download, install and update MBAM in Safe Mode NO Networking. I then ran DDS. Here are the logs:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8010

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

10/24/2011 9:03:14 AM

mbam-log-2011-10-24 (09-03-14).txt

Scan type: Quick scan

Objects scanned: 271865

Time elapsed: 47 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Run by ADMIN at 9:10:53 on 2011-10-24

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.632 [GMT -5:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\273371727:2964174063.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Safari\Safari.exe

C:\WINDOWS\system32\NOTEPAD.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://my.juno.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Conime] %windir%\system32\conime.exe

mRun: [EKAIO2StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKAiO2MUI.exe

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: mswsock.dll

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.3.13.0.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{3DE65939-53B1-4088-9BC9-D07015FC1117} : DhcpNameServer = 192.168.1.1

Handler: junomsg - {C4D10830-379D-11d4-9B2D-00C04F1579A5} - c:\program files\juno\bin\jmsgpph.dll

Notify: igfxcui - igfxdev.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\3nkgfuh9.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.wgbh.org/

FF - prefs.js: network.proxy.type - 1

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

.

============= SERVICES / DRIVERS ===============

.

R3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [2010-12-26 91216]

R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-10-24 41272]

S0 cerc6;cerc6; [x]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-24 136176]

S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-24 136176]

S4 Winip2kmc;Winip2kmc;c:\windows\system32\mscdexnt.exe [2008-4-14 817]

.

=============== Created Last 30 ================

.

2011-10-24 14:06:10 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-10-17 14:45:57 221184 ----a-w- c:\windows\system32\wmpns.dll

2011-10-11 13:46:09 -------- d-----w- c:\documents and settings\admin\application data\Temp

2011-10-11 13:23:32 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-11 13:23:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-07 13:31:51 -------- d-----w- c:\documents and settings\admin\application data\Malwarebytes

2011-10-05 13:25:27 48640 ----a-r- c:\windows\system32\spool\prtprocs\w32x86\EKAiO2PPR.dll

2011-10-05 13:25:22 604672 ----a-r- c:\windows\system32\EKAiO2MON.dll

2011-10-05 13:25:20 124416 ----a-r- c:\windows\system32\EKAiO2COI02.dll

2011-10-05 13:20:13 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-10-05 13:20:13 -------- d-----w- c:\windows\system32\wbem\Repository

2011-10-03 19:55:30 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

.

==================== Find3M ====================

.

2003-04-22 15:46:52 2719744 ------w- c:\program files\aiodrv.msi

2003-04-22 15:42:04 2588672 ------w- c:\program files\aiosw.msi

2003-04-09 18:13:50 577536 ----a-w- c:\program files\Setup.exe

2003-03-10 02:30:44 184320 ----a-w- c:\program files\hpzscr07.dll

2003-03-10 02:30:42 274432 ----a-w- c:\program files\hpzglu07.exe

2003-03-10 02:30:42 237568 ----a-w- c:\program files\hpzc3212.dll

2002-09-09 23:48:20 22608 ----a-w- c:\program files\usbprint.sys

2002-09-09 23:48:12 12288 ----a-w- c:\program files\usbmon.dll

2002-09-09 23:47:52 254005 ----a-w- c:\program files\msvcrt.dll

2002-09-09 23:47:44 70656 ----a-w- c:\program files\msvcirt.dll

2002-09-09 23:47:00 212992 ----a-w- c:\program files\hpzpnp07.dll

2002-09-09 23:46:50 49212 ----a-w- c:\program files\hpzjvp01.dll

2002-09-09 23:46:42 249913 ----a-w- c:\program files\hpzjut01.dll

2002-09-09 23:46:32 417849 ----a-w- c:\program files\hpzjpp01.dll

2002-09-09 23:46:24 28722 ----a-w- c:\program files\hpzjlog.dll

2002-09-06 15:54:56 995383 ----a-w- c:\program files\MFC42.DLL

.

============= FINISH: 9:11:25.53 ===============

Though MBAM did not detect the virus(es), I still have the Google redirect and MBAM will still not run in regular Windows mode.


  • Staff

Hi,

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is like UtilityName.Version_Date_Time_log.txt.

For example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

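A parser for the TDSSKiller log the staff instructions above ask for, added here as an illustration and not part of the thread or of the tool itself. It finds the log at the disk root by the `UtilityName.Version_Date_Time_log.txt` naming pattern described above, pairs each `- infected` verdict with the file line that carries the path and MD5, and marks entries TDSSKiller reported as hidden. The sample lines are copied from the log the original poster attaches later in this thread; the path `C:\WINDOWS\273371727:2964174063.exe` there has a second colon, which on NTFS names an alternate data stream that ordinary directory listings do not show, so the parser flags that separately. Function names (`parse_tdsskiller_log`, `find_tdsskiller_logs`, `is_tdsskiller_log_name`) are the example's own.

```python
"""Pull the verdicts out of a TDSSKiller log and flag hidden/ADS paths (added example)."""
import re
from pathlib import Path

# Sample lines copied from the TDSSKiller log posted later in this thread,
# trimmed to the entries that matter for the parser.
SAMPLE_LOG = r"""
07:47:50.0859 3764 Scan started
07:47:50.0859 3764 Mode: Manual;
07:47:53.0421 3764 4f524b10 (fe18217d8e98465dd4723ceaf8bf8aa7) C:\WINDOWS\273371727:2964174063.exe
07:47:53.0421 3764 Suspicious file (Hidden): C:\WINDOWS\273371727:2964174063.exe. md5: fe18217d8e98465dd4723ceaf8bf8aa7
07:47:53.0421 3764 4f524b10 ( Rootkit.Win32.PMax.gen ) - infected
07:47:53.0421 3764 4f524b10 - detected Rootkit.Win32.PMax.gen (0)
07:47:53.0531 3764 Abiosdsk - ok
07:47:53.0625 3764 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
07:47:53.0625 3764 ACPI - ok
07:47:57.0593 3764 MRxSmb (9a16c5dc45cc398a67eeec6de8401b56) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
07:47:57.0625 3764 MRxSmb ( Rootkit.Win32.ZAccess.j ) - infected
07:47:57.0625 3764 MRxSmb - detected Rootkit.Win32.ZAccess.j (0)
"""

# every line: "<hh:mm:ss.frac> <pid> <message>"
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<pid>\d+) (?P<msg>.*)$")
# "<service> (<md5>) <path>": the file backing a service or driver
FILE_RE = re.compile(r"^(?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "<service> ( <threat> ) - infected": the verdict line
VERDICT_RE = re.compile(r"^(?P<svc>\S+) \( (?P<threat>\S+) \) - infected$")
# "Suspicious file (Hidden): <path>. md5: <md5>"
SUSPICIOUS_RE = re.compile(r"^Suspicious file \((?P<why>[^)]+)\): (?P<path>.+)\. md5: (?P<md5>[0-9a-f]{32})$")
# UtilityName.Version_Date_Time_log.txt, e.g. TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt
LOG_NAME_RE = re.compile(r"^TDSSKiller\.[\d.]+_\d{2}\.\d{2}\.\d{4}_\d{2}\.\d{2}\.\d{2}_log\.txt$")


def is_alternate_data_stream(path):
    """True when a Windows path still contains ':' after the drive letter (NTFS named stream)."""
    if not path:
        return False
    return ":" in re.sub(r"^[A-Za-z]:", "", path)


def parse_tdsskiller_log(text):
    """Return one record per '- infected' verdict, joined to its file line."""
    files = {}      # service name -> (md5, path) from the file lines
    hidden = set()  # paths TDSSKiller reported as hidden
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        f = FILE_RE.match(msg)
        if f:
            files[f["svc"]] = (f["md5"], f["path"])
            continue
        s = SUSPICIOUS_RE.match(msg)
        if s:
            hidden.add(s["path"])
            continue
        v = VERDICT_RE.match(msg)
        if v:
            md5, path = files.get(v["svc"], (None, None))
            findings.append({
                "service": v["svc"], "threat": v["threat"], "md5": md5, "path": path,
                "hidden": path in hidden, "ads": is_alternate_data_stream(path),
            })
    return findings


def is_tdsskiller_log_name(name):
    return LOG_NAME_RE.match(name) is not None


def find_tdsskiller_logs(root="C:\\"):
    """Logs at the system disk root, oldest first by name (date is embedded)."""
    return sorted(p for p in Path(root).iterdir() if is_tdsskiller_log_name(p.name))


if __name__ == "__main__":
    for rec in parse_tdsskiller_log(SAMPLE_LOG):
        flags = " ".join(k for k in ("hidden", "ads") if rec[k])
        print(f"{rec['service']:10} {rec['threat']:28} {rec['md5']} {rec['path']} {flags}")
```

On a real machine, feed `find_tdsskiller_logs()[-1].read_text()` to `parse_tdsskiller_log` to get the most recent run; a finding marked both `hidden` and `ads` is the kind of entry that a file-level scan without rootkit support will not list.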

Thank you so much for the help!

All programs ran without problems, including MBAM. Initial use of system good, no sign of the Google Redirect, pop-ups, or svchost.exe. The following are the logs in order of execution (please note that there isn't a MBAM log here. I did run it after TDSS, and it found no infected files, but I cannot seem to locate its log. I'll run it now, but might not have time to post the log until later):

07:47:45.0687 3696 TDSS rootkit removing tool 2.6.14.0 Oct 28 2011 11:11:01

07:47:46.0015 3696 ============================================================

07:47:46.0015 3696 Current date / time: 2011/10/29 07:47:46.0015

07:47:46.0015 3696 SystemInfo:

07:47:46.0015 3696

07:47:46.0015 3696 OS Version: 5.1.2600 ServicePack: 3.0

07:47:46.0015 3696 Product type: Workstation

07:47:46.0015 3696 ComputerName: QTZYL2

07:47:46.0015 3696 UserName: ADMIN

07:47:46.0015 3696 Windows directory: C:\WINDOWS

07:47:46.0015 3696 System windows directory: C:\WINDOWS

07:47:46.0015 3696 Processor architecture: Intel x86

07:47:46.0015 3696 Number of processors: 2

07:47:46.0015 3696 Page size: 0x1000

07:47:46.0015 3696 Boot type: Normal boot

07:47:46.0015 3696 ============================================================

07:47:49.0484 3696 Initialize success

07:47:50.0859 3764 ============================================================

07:47:50.0859 3764 Scan started

07:47:50.0859 3764 Mode: Manual;

07:47:50.0859 3764 ============================================================

07:47:53.0421 3764 4f524b10 (fe18217d8e98465dd4723ceaf8bf8aa7) C:\WINDOWS\273371727:2964174063.exe

07:47:53.0421 3764 Suspicious file (Hidden): C:\WINDOWS\273371727:2964174063.exe. md5: fe18217d8e98465dd4723ceaf8bf8aa7

07:47:53.0421 3764 4f524b10 ( Rootkit.Win32.PMax.gen ) - infected

07:47:53.0421 3764 4f524b10 - detected Rootkit.Win32.PMax.gen (0)

07:47:53.0531 3764 Abiosdsk - ok

07:47:53.0546 3764 abp480n5 - ok

07:47:53.0625 3764 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

07:47:53.0625 3764 ACPI - ok

07:47:53.0656 3764 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

07:47:53.0656 3764 ACPIEC - ok

07:47:53.0703 3764 ADIHdAudAddService (62afc64108bbdb8d3ca32aad559e5af1) C:\WINDOWS\system32\drivers\ADIHdAud.sys

07:47:53.0718 3764 ADIHdAudAddService - ok

07:47:53.0718 3764 adpu160m - ok

07:47:53.0750 3764 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

07:47:53.0765 3764 aec - ok

07:47:54.0031 3764 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys

07:47:54.0140 3764 AFD - ok

07:47:54.0296 3764 Aha154x - ok

07:47:54.0296 3764 aic78u2 - ok

07:47:54.0312 3764 aic78xx - ok

07:47:54.0328 3764 AliIde - ok

07:47:54.0328 3764 amsint - ok

07:47:54.0343 3764 asc - ok

07:47:54.0359 3764 asc3350p - ok

07:47:54.0359 3764 asc3550 - ok

07:47:54.0406 3764 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

07:47:54.0406 3764 AsyncMac - ok

07:47:54.0437 3764 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

07:47:54.0437 3764 atapi - ok

07:47:54.0453 3764 Atdisk - ok

07:47:54.0484 3764 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

07:47:54.0484 3764 Atmarpc - ok

07:47:54.0531 3764 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

07:47:54.0531 3764 audstub - ok

07:47:54.0625 3764 b57w2k (d0692f7b8217e3b82d2bfac535816117) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

07:47:54.0625 3764 b57w2k - ok

07:47:54.0656 3764 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

07:47:54.0656 3764 Beep - ok

07:47:54.0812 3764 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS

07:47:54.0812 3764 BVRPMPR5 - ok

07:47:54.0828 3764 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

07:47:54.0843 3764 cbidf2k - ok

07:47:54.0859 3764 cd20xrnt - ok

07:47:54.0906 3764 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

07:47:54.0906 3764 Cdaudio - ok

07:47:54.0937 3764 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

07:47:54.0937 3764 Cdfs - ok

07:47:54.0953 3764 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

07:47:54.0953 3764 Cdrom - ok

07:47:55.0078 3764 cerc6 - ok

07:47:55.0203 3764 Changer - ok

07:47:55.0359 3764 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

07:47:55.0359 3764 CmBatt - ok

07:47:55.0359 3764 CmdIde - ok

07:47:55.0375 3764 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

07:47:55.0375 3764 Compbatt - ok

07:47:55.0390 3764 Cpqarray - ok

07:47:55.0515 3764 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys

07:47:55.0531 3764 cpudrv - ok

07:47:55.0531 3764 dac2w2k - ok

07:47:55.0562 3764 dac960nt - ok

07:47:55.0562 3764 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

07:47:55.0562 3764 Disk - ok

07:47:55.0609 3764 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

07:47:55.0640 3764 dmboot - ok

07:47:55.0671 3764 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

07:47:55.0671 3764 dmio - ok

07:47:55.0687 3764 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

07:47:55.0687 3764 dmload - ok

07:47:55.0734 3764 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

07:47:55.0734 3764 DMusic - ok

07:47:55.0750 3764 dpti2o - ok

07:47:55.0765 3764 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

07:47:55.0765 3764 drmkaud - ok

07:47:55.0796 3764 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

07:47:55.0796 3764 Fastfat - ok

07:47:55.0812 3764 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

07:47:55.0812 3764 Fdc - ok

07:47:55.0828 3764 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

07:47:55.0828 3764 Fips - ok

07:47:55.0828 3764 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

07:47:55.0828 3764 Flpydisk - ok

07:47:55.0859 3764 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

07:47:55.0859 3764 FltMgr - ok

07:47:55.0875 3764 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

07:47:55.0875 3764 Fs_Rec - ok

07:47:55.0890 3764 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

07:47:55.0890 3764 Ftdisk - ok

07:47:55.0921 3764 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

07:47:55.0921 3764 GEARAspiWDM - ok

07:47:55.0953 3764 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

07:47:55.0953 3764 Gpc - ok

07:47:56.0015 3764 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

07:47:56.0015 3764 HDAudBus - ok

07:47:56.0078 3764 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

07:47:56.0078 3764 HidUsb - ok

07:47:56.0093 3764 hpn - ok

07:47:56.0125 3764 HPZid412 (863cc3a82c63c9f60acf2e85d5310620) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

07:47:56.0140 3764 HPZid412 - ok

07:47:56.0281 3764 HPZipr12 (08cb72e95dd75b61f2966b311d0e4366) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

07:47:56.0281 3764 HPZipr12 - ok

07:47:56.0343 3764 HPZius12 (ca990306ed4ef732af9695bff24fc96f) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

07:47:56.0343 3764 HPZius12 - ok

07:47:56.0390 3764 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys

07:47:56.0406 3764 HTTP - ok

07:47:56.0406 3764 i2omgmt - ok

07:47:56.0421 3764 i2omp - ok

07:47:56.0468 3764 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

07:47:56.0468 3764 i8042prt - ok

07:47:56.0546 3764 ialm (6fcb904910da07c9dc2593d66438fa29) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

07:47:56.0625 3764 ialm - ok

07:47:56.0640 3764 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

07:47:56.0640 3764 Imapi - ok

07:47:56.0640 3764 ini910u - ok

07:47:56.0656 3764 IntelIde - ok

07:47:56.0687 3764 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

07:47:56.0687 3764 intelppm - ok

07:47:56.0734 3764 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

07:47:56.0734 3764 Ip6Fw - ok

07:47:56.0750 3764 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

07:47:56.0750 3764 IpFilterDriver - ok

07:47:56.0765 3764 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

07:47:56.0765 3764 IpInIp - ok

07:47:56.0812 3764 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

07:47:56.0812 3764 IpNat - ok

07:47:56.0843 3764 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

07:47:56.0843 3764 IPSec - ok

07:47:56.0875 3764 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

07:47:56.0875 3764 IRENUM - ok

07:47:56.0890 3764 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

07:47:56.0890 3764 isapnp - ok

07:47:56.0890 3764 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

07:47:56.0890 3764 Kbdclass - ok

07:47:56.0921 3764 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

07:47:56.0921 3764 kbdhid - ok

07:47:56.0968 3764 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

07:47:56.0968 3764 kmixer - ok

07:47:56.0984 3764 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys

07:47:56.0984 3764 KSecDD - ok

07:47:57.0000 3764 lbrtfdc - ok

07:47:57.0015 3764 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

07:47:57.0015 3764 mnmdd - ok

07:47:57.0046 3764 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

07:47:57.0062 3764 Modem - ok

07:47:57.0093 3764 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

07:47:57.0093 3764 Mouclass - ok

07:47:57.0125 3764 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

07:47:57.0125 3764 mouhid - ok

07:47:57.0156 3764 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

07:47:57.0156 3764 MountMgr - ok

07:47:57.0156 3764 mraid35x - ok

07:47:57.0203 3764 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

07:47:57.0203 3764 MRxDAV - ok

07:47:57.0593 3764 MRxSmb (9a16c5dc45cc398a67eeec6de8401b56) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

07:47:57.0625 3764 MRxSmb ( Rootkit.Win32.ZAccess.j ) - infected

07:47:57.0625 3764 MRxSmb - detected Rootkit.Win32.ZAccess.j (0)

07:47:57.0703 3764 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

07:47:57.0703 3764 Msfs - ok

07:47:57.0765 3764 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

07:47:57.0765 3764 MSKSSRV - ok

07:47:57.0781 3764 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

07:47:57.0781 3764 MSPCLOCK - ok

07:47:57.0796 3764 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

07:47:57.0796 3764 MSPQM - ok

07:47:57.0828 3764 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

07:47:57.0828 3764 mssmbios - ok

07:47:57.0843 3764 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

07:47:57.0843 3764 Mup - ok

07:47:57.0859 3764 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

07:47:57.0875 3764 NDIS - ok

07:47:57.0875 3764 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

07:47:57.0875 3764 NdisTapi - ok

07:47:57.0890 3764 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

07:47:57.0890 3764 Ndisuio - ok

07:47:57.0906 3764 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

07:47:57.0906 3764 NdisWan - ok

07:47:57.0921 3764 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

07:47:57.0937 3764 NDProxy - ok

07:47:57.0953 3764 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

07:47:57.0953 3764 NetBIOS - ok

07:47:57.0968 3764 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

07:47:57.0968 3764 NetBT - ok

07:47:57.0984 3764 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

07:47:57.0984 3764 Npfs - ok

07:47:58.0015 3764 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

07:47:58.0015 3764 Ntfs - ok

07:47:58.0031 3764 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

07:47:58.0046 3764 Null - ok

07:47:58.0078 3764 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

07:47:58.0078 3764 NwlnkFlt - ok

07:47:58.0125 3764 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

07:47:58.0125 3764 NwlnkFwd - ok

07:47:58.0156 3764 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

07:47:58.0156 3764 Parport - ok

07:47:58.0156 3764 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

07:47:58.0156 3764 PartMgr - ok

07:47:58.0203 3764 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

07:47:58.0203 3764 ParVdm - ok

07:47:58.0234 3764 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

07:47:58.0234 3764 PCI - ok

07:47:58.0250 3764 PCIDump - ok

07:47:58.0312 3764 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

07:47:58.0312 3764 PCIIde - ok

07:47:58.0359 3764 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

07:47:58.0359 3764 Pcmcia - ok

07:47:58.0375 3764 PDCOMP - ok

07:47:58.0375 3764 PDFRAME - ok

07:47:58.0390 3764 PDRELI - ok

07:47:58.0390 3764 PDRFRAME - ok

07:47:58.0406 3764 perc2 - ok

07:47:58.0406 3764 perc2hib - ok

07:47:58.0437 3764 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

07:47:58.0437 3764 PptpMiniport - ok

07:47:58.0468 3764 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

07:47:58.0468 3764 PSched - ok

07:47:58.0468 3764 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

07:47:58.0468 3764 Ptilink - ok

07:47:58.0484 3764 ql1080 - ok

07:47:58.0484 3764 Ql10wnt - ok

07:47:58.0500 3764 ql12160 - ok

07:47:58.0500 3764 ql1240 - ok

07:47:58.0515 3764 ql1280 - ok

07:47:58.0531 3764 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

07:47:58.0531 3764 RasAcd - ok

07:47:58.0546 3764 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

07:47:58.0546 3764 Rasl2tp - ok

07:47:58.0562 3764 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

07:47:58.0562 3764 RasPppoe - ok

07:47:58.0562 3764 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

07:47:58.0562 3764 Raspti - ok

07:47:58.0578 3764 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

07:47:58.0593 3764 Rdbss - ok

07:47:58.0625 3764 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

07:47:58.0625 3764 RDPCDD - ok

07:47:58.0671 3764 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

07:47:58.0687 3764 rdpdr - ok

07:47:58.0859 3764 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

07:47:58.0875 3764 RDPWD - ok

07:47:58.0921 3764 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

07:47:58.0921 3764 redbook - ok

07:47:58.0968 3764 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

07:47:58.0968 3764 Secdrv - ok

07:47:59.0015 3764 SenFiltService (b6a6b409fda9d9ebd3aadb838d3d7173) C:\WINDOWS\system32\drivers\Senfilt.sys

07:47:59.0031 3764 SenFiltService - ok

07:47:59.0062 3764 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

07:47:59.0062 3764 Serenum - ok

07:47:59.0125 3764 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

07:47:59.0125 3764 Serial - ok

07:47:59.0171 3764 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

07:47:59.0187 3764 Sfloppy - ok

07:47:59.0187 3764 Simbad - ok

07:47:59.0203 3764 Sparrow - ok

07:47:59.0234 3764 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

07:47:59.0234 3764 splitter - ok

07:47:59.0250 3764 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

07:47:59.0250 3764 sr - ok

07:47:59.0312 3764 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys

07:47:59.0312 3764 Srv - ok

07:47:59.0375 3764 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

07:47:59.0375 3764 swenum - ok

07:47:59.0390 3764 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

07:47:59.0390 3764 swmidi - ok

07:47:59.0390 3764 symc810 - ok

07:47:59.0406 3764 symc8xx - ok

07:47:59.0421 3764 sym_hi - ok

07:47:59.0421 3764 sym_u3 - ok

07:47:59.0468 3764 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

07:47:59.0468 3764 sysaudio - ok

07:47:59.0515 3764 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys

07:47:59.0531 3764 Tcpip - ok

07:47:59.0562 3764 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

07:47:59.0562 3764 TDPIPE - ok

07:47:59.0578 3764 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

07:47:59.0578 3764 TDTCP - ok

07:47:59.0578 3764 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

07:47:59.0578 3764 TermDD - ok

07:47:59.0593 3764 TosIde - ok

07:47:59.0656 3764 TotRec8 (00796fdaa93da500f5ea449c16dc227d) C:\WINDOWS\system32\drivers\TotRec8.sys

07:47:59.0656 3764 TotRec8 - ok

07:47:59.0687 3764 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

07:47:59.0687 3764 Udfs - ok

07:47:59.0703 3764 ultra - ok

07:47:59.0734 3764 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

07:47:59.0750 3764 Update - ok

07:47:59.0812 3764 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys

07:47:59.0812 3764 USBAAPL - ok

07:47:59.0828 3764 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

07:47:59.0828 3764 usbccgp - ok

07:47:59.0859 3764 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

07:47:59.0859 3764 usbehci - ok

07:47:59.0875 3764 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

07:47:59.0875 3764 usbhub - ok

07:47:59.0906 3764 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

07:47:59.0906 3764 usbprint - ok

07:48:00.0125 3764 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

07:48:00.0140 3764 usbscan - ok

07:48:00.0218 3764 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

07:48:00.0218 3764 USBSTOR - ok

07:48:00.0250 3764 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

07:48:00.0250 3764 usbuhci - ok

07:48:00.0312 3764 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

07:48:00.0312 3764 VgaSave - ok

07:48:00.0328 3764 ViaIde - ok

07:48:00.0375 3764 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

07:48:00.0375 3764 VolSnap - ok

07:48:00.0390 3764 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

07:48:00.0390 3764 Wanarp - ok

07:48:00.0390 3764 WDICA - ok

07:48:00.0453 3764 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

07:48:00.0453 3764 wdmaud - ok

07:48:00.0562 3764 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

07:48:00.0562 3764 WmiAcpi - ok

07:48:00.0609 3764 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0

07:48:00.0609 3764 \Device\Harddisk0\DR0 - ok

07:48:00.0625 3764 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR2

07:48:00.0625 3764 \Device\Harddisk1\DR2 - ok

07:48:00.0625 3764 Boot (0x1200) (9f6236640ff833d4af0e8a11c9e661b0) \Device\Harddisk0\DR0\Partition0

07:48:00.0625 3764 \Device\Harddisk0\DR0\Partition0 - ok

07:48:00.0640 3764 Boot (0x1200) (f67046f6b6d34412ce25246252427d9e) \Device\Harddisk1\DR2\Partition0

07:48:00.0640 3764 \Device\Harddisk1\DR2\Partition0 - ok

07:48:00.0640 3764 ============================================================

07:48:00.0640 3764 Scan finished

07:48:00.0640 3764 ============================================================

07:48:00.0656 3716 Detected object count: 2

07:48:00.0656 3716 Actual detected object count: 2

07:48:42.0265 3716 HKLM\SYSTEM\ControlSet001\services\4f524b10 - will be deleted on reboot

07:48:42.0281 3716 HKLM\SYSTEM\ControlSet002\services\4f524b10 - will be deleted on reboot

07:48:42.0281 3716 HKLM\SYSTEM\ControlSet003\services\4f524b10 - will be deleted on reboot

07:48:42.0296 3716 C:\WINDOWS\273371727:2964174063.exe - will be deleted on reboot

07:48:42.0296 3716 4f524b10 ( Rootkit.Win32.PMax.gen ) - User select action: Delete

07:48:42.0578 3716 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\mrxsmb.sys) error 1813

07:48:49.0906 3716 Backup copy found, using it..

07:48:49.0968 3716 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - will be cured on reboot

07:48:49.0968 3716 MRxSmb ( Rootkit.Win32.ZAccess.j ) - User select action: Cure

07:49:29.0484 3700 Deinitialize success

ComboFix 11-10-29.03 - ADMIN 10/29/2011 9:07.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.758 [GMT -5:00]

Running from: c:\documents and settings\ADMIN\Desktop\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\ADMIN\My Documents\~WRL0003.tmp

c:\documents and settings\ADMIN\My Documents\DPE.DUS

c:\documents and settings\ADMIN\WINDOWS

c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk

c:\program files\autorun.inf

c:\program files\Setup.exe

c:\windows\$NtUninstallKB64445$

c:\windows\$NtUninstallKB64445$\1330793232\@

c:\windows\$NtUninstallKB64445$\1330793232\bckfg.tmp

c:\windows\$NtUninstallKB64445$\1330793232\cfg.ini

c:\windows\$NtUninstallKB64445$\1330793232\Desktop.ini

c:\windows\$NtUninstallKB64445$\1330793232\keywords

c:\windows\$NtUninstallKB64445$\1330793232\kwrd.dll

c:\windows\$NtUninstallKB64445$\1330793232\L\lhaaoxvv

c:\windows\$NtUninstallKB64445$\1330793232\lsflt7.ver

c:\windows\$NtUninstallKB64445$\1330793232\U\00000001.@

c:\windows\$NtUninstallKB64445$\1330793232\U\00000002.@

c:\windows\$NtUninstallKB64445$\1330793232\U\80000000.@

c:\windows\$NtUninstallKB64445$\1330793232\U\80000032.@

c:\windows\$NtUninstallKB64445$\4273815538

c:\windows\273371727

c:\windows\system32\d3d9caps.dat

c:\windows\system32\rnaph.dll

c:\windows\winhelp.ini

.

.

((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-29 )))))))))))))))))))))))))))))))

.

.

2011-10-29 12:46 . 2011-10-29 12:46 -------- d-----w- c:\program files\tdsskiller

2011-10-17 14:45 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll

2011-10-17 14:45 . 2011-10-17 16:13 -------- d-----w- c:\documents and settings\Malware

2011-10-11 13:46 . 2011-10-11 13:46 -------- d-----w- c:\documents and settings\ADMIN\Application Data\Temp

2011-10-11 13:27 . 2011-10-11 13:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-10-11 13:23 . 2011-10-29 12:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-11 13:23 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-07 13:31 . 2011-10-11 13:46 -------- d-----w- c:\documents and settings\ADMIN\Application Data\Malwarebytes

2011-10-05 13:25 . 2010-12-13 09:19 48640 ----a-r- c:\windows\system32\Spool\prtprocs\w32x86\EKAiO2PPR.dll

2011-10-05 13:25 . 2010-12-13 09:19 604672 ----a-r- c:\windows\system32\EKAiO2MON.dll

2011-10-05 13:25 . 2010-12-13 09:19 124416 ----a-r- c:\windows\system32\EKAiO2COI02.dll

2011-10-05 13:20 . 2011-10-05 13:20 -------- d-----w- c:\windows\system32\wbem\Repository

2011-10-04 15:05 . 2011-10-04 15:05 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-10-03 19:55 . 2011-10-03 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-10-03 19:09 . 2011-10-03 19:09 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-29 12:50 . 2008-04-14 12:00 456576 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2003-04-22 15:46 . 2003-04-22 15:46 2719744 ------w- c:\program files\aiodrv.msi

2003-04-22 15:42 . 2003-04-22 15:42 2588672 ------w- c:\program files\aiosw.msi

2003-03-10 02:30 . 2003-03-10 02:30 184320 ----a-w- c:\program files\hpzscr07.dll

2003-03-10 02:30 . 2003-03-10 02:30 274432 ----a-w- c:\program files\hpzglu07.exe

2003-03-10 02:30 . 2003-03-10 02:30 237568 ----a-w- c:\program files\hpzc3212.dll

2002-09-09 23:48 . 2002-09-09 23:48 22608 ----a-w- c:\program files\usbprint.sys

2002-09-09 23:48 . 2002-09-09 23:48 12288 ----a-w- c:\program files\usbmon.dll

2002-09-09 23:47 . 2002-09-09 23:47 254005 ----a-w- c:\program files\msvcrt.dll

2002-09-09 23:47 . 2002-09-09 23:47 70656 ----a-w- c:\program files\msvcirt.dll

2002-09-09 23:47 . 2002-09-09 23:47 212992 ----a-w- c:\program files\hpzpnp07.dll

2002-09-09 23:46 . 2002-09-09 23:46 49212 ----a-w- c:\program files\hpzjvp01.dll

2002-09-09 23:46 . 2002-09-09 23:46 249913 ----a-w- c:\program files\hpzjut01.dll

2002-09-09 23:46 . 2002-09-09 23:46 417849 ----a-w- c:\program files\hpzjpp01.dll

2002-09-09 23:46 . 2002-09-09 23:46 28722 ----a-w- c:\program files\hpzjlog.dll

2002-09-06 15:54 . 2002-09-06 15:54 995383 ----a-w- c:\program files\MFC42.DLL

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]

"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-08 193880]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-07 98304]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-07 114688]

"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-07 94208]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]

"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]

"EKAIO2StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe" [2010-12-13 2415104]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-9 323646]

.

[HKLM\~\startupfolder\C:^Documents and Settings^ADMIN^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\ADMIN\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk

backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]

2010-11-08 20:27 193880 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=

"c:\\Program Files\\Juno\\bin\\juno.exe"=

"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

R3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [12/26/2010 11:56 AM 91216]

S0 cerc6;cerc6; [x]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/24/2010 7:21 AM 136176]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/24/2010 7:21 AM 136176]

S4 Winip2kmc;Winip2kmc;c:\windows\system32\mscdexnt.exe [4/14/2008 7:00 AM 817]

.

Contents of the 'Scheduled Tasks' folder

.

2010-10-18 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 2170 series272A572217594EBCF1CEE215E352B92AD073FDE4279124911.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]

.

2011-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-24 12:21]

.

2011-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-24 12:21]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.juno.com/

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\ADMIN\Application Data\Mozilla\Firefox\Profiles\3nkgfuh9.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.wgbh.org/

FF - prefs.js: network.proxy.type - 1

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-51570075.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-29 09:30

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3256)

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe

c:\windows\system32\wscntfy.exe

c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2011-10-29 09:36:04 - machine was rebooted

ComboFix-quarantined-files.txt 2011-10-29 14:35

.

Pre-Run: 7,201,140,736 bytes free

Post-Run: 10,981,441,536 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - B115EDE1E8D8EBAD7A181C0E2346ADC2


Located MBAM log:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8040

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/29/2011 8:39:22 AM

mbam-log-2011-10-29 (08-39-22).txt

Scan type: Quick scan

Objects scanned: 230511

Time elapsed: 43 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.


  • 2 weeks later...
  • Staff

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
