Need to get rid of rootkit.


Re: Need to get rid of rootkit.

Post by Uthanak on Wed Sep 07, 2011 8:04 am

ComboFix 11-09-06.03 - Maxim 10/08/2011 3:50.15.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2490 [GMT -4:00]
Running from: c:\documents and settings\Maxim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Maxim\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\redbook.sys --> c:\windows\system32\drivers\redbook.sys
.
((((((((((((((((((((((((( Files Created from 2011-09-08 to 2011-10-08 )))))))))))))))))))))))))))))))
.
.
2011-10-04 07:00 . 2011-10-04 07:00 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2011-10-04 05:37 . 2011-10-04 05:37 -------- d-----w- c:\documents and settings\Maxim\Local Settings\Application Data\PCHealth
2011-10-03 18:58 . 2011-10-03 18:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-10-03 06:21 . 2011-10-03 06:25 -------- d-----w- C:\Commy
2011-10-03 06:19 . 2011-10-03 06:19 -------- d-----w- C:\ARK
2011-10-01 17:25 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-01 17:25 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-10-01 17:23 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-06 00:13 . 2006-02-28 12:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2011-10-04 07:01 . 2009-08-14 21:09 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2011-10-04 07:00 . 2009-08-14 21:09 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-08-28 01:16 . 2011-05-14 05:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2006-02-28 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-10-03 18:59 . 2011-05-08 01:44 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-10-04_07.23.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-08 07:56 . 2011-10-08 07:56 16384 c:\windows\temp\Perflib_Perfdata_658.dat
+ 2007-06-22 00:50 . 2008-04-13 18:40 57600 c:\windows\system32\dllcache\redbook.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [BU]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"OfficeKB"="c:\progra~1\OfficeKB\OfficeKB.EXE" [2004-10-22 200704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-06-12 161336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe" [2011-07-09 240288]
.
c:\documents and settings\Maxim\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-6-23 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-6-23 581632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Documents and Settings\\Maxim\\Desktop\\Max\\Pokemon Game.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"c:\\Program Files\\Dawn of War 2\\DOW2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator\\AvP_CLI.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\transformers war for cybertron\\Binaries\\TWFC.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
"c:\\Program Files\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\UNREAL3\\BINARIES\\WIN32\\DCGAME.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war ii - retribution\\DOW2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4000:TCP"= 4000:TCP:diablo
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"6881:TCP"= 6881:TCP:League of Legends Launcher
"6881:UDP"= 6881:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6929:TCP"= 6929:TCP:League of Legends Launcher
"6929:UDP"= 6929:UDP:League of Legends Launcher
.
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [12/10/2009 3:39 AM 65536]
R2 USmsServ;Desktop Window Manager Sessions Manager;c:\windows\Desktop Manager\dwm.exe [6/10/2011 12:48 PM 142336]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/27/2010 11:44 AM 57248]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/9/2009 6:35 PM 297752]
S3 B-Service;B-Service;c:\documents and settings\Maxim\Application Data\Mikogo\B-Service.exe [9/17/2010 12:13 PM 185640]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys --> c:\windows\system32\drivers\bcgame.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/13/2007 12:28 AM 722416]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-03 14:27]
.
2011-10-07 c:\windows\Tasks\Norton Security Scan for Maxim.job
- c:\progra~1\NORTON~2\Engine\312~1.9\Nss.exe [2011-06-09 08:19]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-10-08 04:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(160)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-10-08 04:03:50 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-08 08:03
ComboFix2.txt 2011-10-07 08:10
ComboFix3.txt 2011-10-06 16:42
ComboFix4.txt 2011-10-06 00:46
ComboFix5.txt 2011-10-08 07:50
.
Pre-Run: 126,769,295,360 bytes free
Post-Run: 126,861,365,248 bytes free
.
- - End Of File - - CD9880FE8B9B9593E0D953C232354086

Uthanak
Intermediate

Posts : 66
Joined : 2009-08-09
OS : windows xp
Points : 27514
# Likes : 0

Re: Need to get rid of rootkit.

Post by Uthanak on Wed Sep 07, 2011 8:04 am

Shall I run aswMBR to see if everything is gone?


Re: Need to get rid of rootkit.

Post by Gabethebabe on Wed Sep 07, 2011 8:07 am

Sure, why not.
I will run through the logs to see if I missed anything.

Gabethebabe
Top Dog

Posts : 1568
Joined : 2010-03-07
Gender : Male
OS : Win7
Points : 38198
# Likes : 0

Re: Need to get rid of rootkit.

Post by Gabethebabe on Wed Sep 07, 2011 8:12 am

Please also run TDSSKiller again and post the report, and do the following:

Please download SystemLook by jpshortstuff from one of the locations below and save it to your desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
  • Double-click SystemLook.exe to run it.
  • Copy the following text into the main text field:

:filefind
imapi.sys
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop (SystemLook.txt).


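The :filefind request above asks SystemLook to list every copy of imapi.sys with its size and timestamps; the helper wants to know whether the live driver in system32\drivers still matches the Windows reference copies, since the earlier ComboFix run had to restore redbook.sys from ServicePackFiles. The PowerShell below is an added example of that same check, not SystemLook's output and not a script from this thread or its helpers. It assumes a modern PowerShell (Get-FileHash needs 4.0 or later) and takes the driver name and search root as parameters; the defaults are chosen to match the request in the post.

```powershell
# Added example: locate every copy of a named driver under the Windows directory,
# hash and fingerprint each one, then warn when the live copy in system32\drivers
# differs from the reference copies kept in dllcache or ServicePackFiles.
param(
    [string]$Name = 'imapi.sys',          # driver name from the SystemLook request
    [string]$Root = $env:SystemRoot       # search root (assumed default)
)

# -Force includes hidden/system files; errors on locked paths are suppressed.
$copies = Get-ChildItem -Path $Root -Recurse -Filter $Name -File -Force -ErrorAction SilentlyContinue

$report = foreach ($f in $copies) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        Size      = $f.Length
        Created   = $f.CreationTime
        LastWrite = $f.LastWriteTime
        SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# Same information SystemLook's :filefind gives, plus hashes and signature state.
$report | Format-Table -AutoSize

# The live driver is the one Windows loads; dllcache and ServicePackFiles hold
# the copies the OS itself uses to restore a damaged driver.
$live = $report | Where-Object { $_.Path -like "*\system32\drivers\$Name" }
$refs = $report | Where-Object {
    $_.Path -like "*\dllcache\$Name" -or $_.Path -like "*\ServicePackFiles\*\$Name"
}

foreach ($l in $live) {
    foreach ($r in $refs) {
        if ($l.SHA256 -ne $r.SHA256) {
            Write-Warning "$($l.Path) does not match reference copy $($r.Path)"
        }
    }
    if ($l.SigStatus -ne 'Valid') {
        Write-Warning "$($l.Path) signature status is $($l.SigStatus)"
    }
}
```

Run it from an elevated prompt so the dllcache and ServicePackFiles directories are readable. The hash comparison is the part to trust: on XP-era systems most Microsoft drivers are catalog-signed rather than carrying an embedded signature, so a status of NotSigned on its own is not evidence of tampering, whereas a live driver whose hash differs from both reference copies (or that was modified days ago while its reference copies carry the original 2006 dates, as the Find3M line for imapi.sys shows) is worth quarantining and replacing from the reference copy.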

Re: Need to get rid of rootkit.

Post by Uthanak on Wed Sep 07, 2011 5:38 pm

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-06 13:01:44
-----------------------------
13:01:44.734 OS Version: Windows 5.1.2600 Service Pack 3
13:01:44.734 Number of processors: 2 586 0x4B02
13:01:44.734 ComputerName: MAXIM-9C1E76C15 UserName: Maxim
13:01:45.234 Initialize success
13:02:41.390 AVAST engine defs: 11090500
13:02:58.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
13:02:58.500 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
13:03:00.500 Disk 0 MBR read successfully
13:03:00.500 Disk 0 MBR scan
13:03:00.531 Disk 0 Windows XP default MBR code
13:03:00.531 Disk 0 scanning sectors +625137345
13:03:00.562 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
13:03:00.562 Disk 0 PE file @ sector 625137370 !
13:03:00.593 Disk 0 scanning C:\WINDOWS\system32\drivers
13:03:06.531 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:03:08.656 Service scanning
13:03:09.453 Modules scanning
13:03:13.140 Disk 0 trace - called modules:
13:03:13.171 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
13:03:13.171 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8adc6ab8]
13:03:13.171 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8ae11f18]
13:03:13.171 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\00000069[0x8adc6030]
13:03:14.046 AVAST engine scan C:\WINDOWS
13:03:53.093 AVAST engine scan C:\WINDOWS\system32
13:05:32.937 AVAST engine scan C:\WINDOWS\system32\drivers
13:05:39.125 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:05:44.953 AVAST engine scan C:\Documents and Settings\Maxim
13:08:31.781 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
13:28:07.828 File: C:\Documents and Settings\Maxim\Desktop\RK_Quarantine\dwm.exe.vir **INFECTED** Win32:Malware-gen
13:32:58.375 AVAST engine scan C:\Documents and Settings\All Users
13:34:39.437 Scan finished successfully
13:35:42.796 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\MBR.dat"
13:35:42.796 The log file has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-07 04:36:07
-----------------------------
04:36:07.140 OS Version: Windows 5.1.2600 Service Pack 3
04:36:07.140 Number of processors: 2 586 0x4B02
04:36:07.140 ComputerName: MAXIM-9C1E76C15 UserName: Maxim
04:36:07.796 Initialize success
04:37:33.359 AVAST engine defs: 11090501
13:32:40.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
13:32:40.312 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
13:32:42.328 Disk 0 MBR read successfully
13:32:42.328 Disk 0 MBR scan
13:32:42.375 Disk 0 Windows XP default MBR code
13:32:42.375 Disk 0 scanning sectors +625137345
13:32:42.406 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
13:32:42.406 Disk 0 PE file @ sector 625137370 !
13:32:42.437 Disk 0 scanning C:\WINDOWS\system32\drivers
13:32:47.906 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:32:51.187 Service scanning
13:32:51.968 Modules scanning
13:32:55.734 Disk 0 trace - called modules:
13:32:56.265 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
13:32:56.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8addbab8]
13:32:56.265 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8adf7f18]
13:32:56.265 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\00000069[0x8addb030]
13:32:57.734 AVAST engine scan C:\WINDOWS
13:33:14.468 AVAST engine scan C:\WINDOWS\system32
13:34:46.343 AVAST engine scan C:\WINDOWS\system32\drivers
13:34:52.890 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:34:59.468 AVAST engine scan C:\Documents and Settings\Maxim
13:37:48.421 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
14:02:51.968 AVAST engine scan C:\Documents and Settings\All Users
14:04:39.953 Scan finished successfully
14:06:21.953 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\MBR.dat"
14:06:21.953 The log file has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-08 12:55:08
-----------------------------
12:55:08.828 OS Version: Windows 5.1.2600 Service Pack 3
12:55:08.828 Number of processors: 2 586 0x4B02
12:55:08.828 ComputerName: MAXIM-9C1E76C15 UserName: Maxim
12:55:09.218 Initialize success
12:56:53.890 AVAST engine defs: 11090700
12:58:20.234 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
12:58:20.234 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
12:58:22.250 Disk 0 MBR read successfully
12:58:22.250 Disk 0 MBR scan
12:58:22.281 Disk 0 Windows XP default MBR code
12:58:22.281 Disk 0 scanning sectors +625137345
12:58:22.312 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
12:58:22.312 Disk 0 PE file @ sector 625137370 !
12:58:22.359 Disk 0 scanning C:\WINDOWS\system32\drivers
12:58:31.062 Service scanning
12:58:31.859 Modules scanning
12:58:34.984 Disk 0 trace - called modules:
12:58:35.015 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
12:58:35.515 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8add3ab8]
12:58:35.515 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8adf7f18]
12:58:35.515 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\00000069[0x8add3030]
12:58:36.140 AVAST engine scan C:\WINDOWS
12:58:53.031 AVAST engine scan C:\WINDOWS\system32
13:00:26.703 AVAST engine scan C:\WINDOWS\system32\drivers
13:00:38.640 AVAST engine scan C:\Documents and Settings\Maxim
13:03:20.531 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
13:28:15.718 AVAST engine scan C:\Documents and Settings\All Users
13:29:56.125 Scan finished successfully
13:38:14.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\MBR.dat"
13:38:14.062 The log file has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\aswMBR.txt"




Re: Need to get rid of rootkit.

Post by Uthanak on Wed Sep 07, 2011 5:39 pm

2011/09/07 13:39:19.0078 1404 TDSS rootkit removing tool 2.5.19.0 Sep 6 2011 19:23:56
2011/09/07 13:39:19.0296 1404 ================================================================================
2011/09/07 13:39:19.0296 1404 SystemInfo:
2011/09/07 13:39:19.0296 1404
2011/09/07 13:39:19.0296 1404 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/07 13:39:19.0296 1404 Product type: Workstation
2011/09/07 13:39:19.0296 1404 ComputerName: MAXIM-9C1E76C15
2011/09/07 13:39:19.0296 1404 UserName: Maxim
2011/09/07 13:39:19.0296 1404 Windows directory: C:\WINDOWS
2011/09/07 13:39:19.0296 1404 System windows directory: C:\WINDOWS
2011/09/07 13:39:19.0296 1404 Processor architecture: Intel x86
2011/09/07 13:39:19.0296 1404 Number of processors: 2
2011/09/07 13:39:19.0296 1404 Page size: 0x1000
2011/09/07 13:39:19.0296 1404 Boot type: Normal boot
2011/09/07 13:39:19.0296 1404 ================================================================================
2011/09/07 13:39:19.0484 1404 Initialize success
2011/09/07 13:39:24.0937 3440 ================================================================================
2011/09/07 13:39:24.0937 3440 Scan started
2011/09/07 13:39:24.0937 3440 Mode: Manual;
2011/09/07 13:39:24.0937 3440 ================================================================================
2011/09/07 13:39:26.0062 3440 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/07 13:39:26.0109 3440 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/07 13:39:26.0156 3440 ADIHdAudAddService (ab0d9669bab1009e48cc91117e59912b) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2011/09/07 13:39:26.0187 3440 AEAudio (03be587e90c8b37c7ff1fe2e9c1d1c90) C:\WINDOWS\system32\drivers\AEAudio.sys
2011/09/07 13:39:26.0250 3440 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/07 13:39:26.0296 3440 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/09/07 13:39:26.0390 3440 AmdK8 (0a4d13b388c814560bd69c3a496ecfa8) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2011/09/07 13:39:26.0500 3440 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/07 13:39:26.0531 3440 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/07 13:39:26.0578 3440 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/07 13:39:26.0609 3440 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/07 13:39:26.0640 3440 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/07 13:39:26.0671 3440 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/07 13:39:26.0703 3440 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/07 13:39:26.0703 3440 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/07 13:39:26.0718 3440 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/07 13:39:26.0843 3440 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/07 13:39:26.0890 3440 DKbFltr (75ad9beb6d4b6bbcb39bfaba454ea05a) C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
2011/09/07 13:39:26.0968 3440 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/07 13:39:27.0000 3440 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/07 13:39:27.0015 3440 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/07 13:39:27.0031 3440 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/07 13:39:27.0062 3440 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/07 13:39:27.0093 3440 ENTECH (16ebd8bf1d5090923694cc972c7ce1b4) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
2011/09/07 13:39:27.0109 3440 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/07 13:39:27.0125 3440 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/09/07 13:39:27.0171 3440 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/07 13:39:27.0187 3440 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/09/07 13:39:27.0187 3440 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/09/07 13:39:27.0265 3440 fssfltr (e0087225b137e57239ff40f8ae82059b) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2011/09/07 13:39:27.0281 3440 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/07 13:39:27.0296 3440 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/07 13:39:27.0328 3440 GEARAspiWDM (5dc17164f66380cbfefd895c18467773) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/09/07 13:39:27.0359 3440 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/07 13:39:27.0406 3440 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/09/07 13:39:27.0453 3440 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/07 13:39:27.0531 3440 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/07 13:39:27.0562 3440 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/07 13:39:27.0578 3440 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/07 13:39:27.0625 3440 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/09/07 13:39:27.0671 3440 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/07 13:39:27.0687 3440 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/07 13:39:27.0718 3440 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/07 13:39:27.0734 3440 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/07 13:39:27.0750 3440 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/07 13:39:27.0765 3440 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/07 13:39:27.0781 3440 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/07 13:39:27.0796 3440 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/09/07 13:39:27.0828 3440 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/07 13:39:27.0890 3440 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/07 13:39:27.0953 3440 L8042mou (efcc6d56fe8ba50bb7ecf300b60a66a3) C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
2011/09/07 13:39:27.0968 3440 LHidKe (452ecfc32a4b5d9a761e113f149e1b9e) C:\WINDOWS\system32\DRIVERS\LHidKE.Sys
2011/09/07 13:39:28.0015 3440 LHidUsbK (9c92312dd1ab42e627710fb89bbbcd1e) C:\WINDOWS\system32\Drivers\LHidUsbK.Sys
2011/09/07 13:39:28.0031 3440 LMouKE (95871e8c4aecfed95f884d2d10b8bcfb) C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
2011/09/07 13:39:28.0078 3440 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\WINDOWS\system32\DRIVERS\mcdbus.sys
2011/09/07 13:39:28.0093 3440 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/07 13:39:28.0125 3440 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/07 13:39:31.0093 3440 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/07 13:39:31.0140 3440 Boot (0x1200) (a1f9dcc0fd9defc49250b0a65e3a23b9) \Device\Harddisk0\DR0\Partition0
2011/09/07 13:39:31.0156 3440 ================================================================================
2011/09/07 13:39:31.0156 3440 Scan finished
2011/09/07 13:39:31.0156 3440 ================================================================================
2011/09/07 13:39:31.0171 3860 Detected object count: 0
2011/09/07 13:39:31.0171 3860 Actual detected object count: 0


Post by Gabethebabe on Wed Sep 07, 2011 7:57 pm

Well, looks like we beat it.

There is some trace left - you should navigate to this folder:
C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2

and whatever is present in that "2" folder ==> delete it.

====================

Time to uninstall used tools.

  • Go to Start > Run and type or copy/paste Combofix /uninstall (note the space before the "/").
  • Double click OTL.exe to run it again and click the CleanUp button.
  • If we used any other tools and they still remain on your desktop, please delete them manually.

====================

Do you have any more questions or do you want to see my ALORTKYCC (Awesome List Or Recommendations To Keep Your Computer Clean)?



Post by Uthanak on Thu Sep 08, 2011 6:10 am

I would like your ALORTKYCC. Also other questions may follow later, let me think about it please. Thank you for your help.


Post by Gabethebabe on Thu Sep 08, 2011 7:52 am

Alright! Here follows my ALORTKYCC (Awesome List Of Recommendations To Keep Your Computer Clean):

1) Keep your Windows up-to-date. Windows Autoupdate should be ON (see Start >> Control Panel >> Security Center). An alternative way (but more time-consuming) is to periodically visit [link]. Hackers are looking every day for new security holes. Microsoft keeps patching them. You cannot fall behind in this race; it will make your system vulnerable.

2) For your average daily computer activities, use a limited/standard user account, not an administrator account. If you use Vista/WIN7 do not disable User Account Control (UAC). You would be amazed to know how much malware can't touch you if you deny it admin rights. Create a separate password-protected administrator account that you use for admin activities, like (un)installing software.

3) Use a good antivirus. There are various free ones; you cannot go wrong with any of the following three:
  • [link]. If you want your antivirus to be light on resources, I recommend Panda. Install without the toolbar.
  • [link] has received great reviews from leading security analysts.
  • [link] is a very complete antivirus, with modules like mailscanner and webshield.

4) If your computer has 1GB of system memory or more, you should install a third-party firewall to replace the weak Windows Firewall. I recommend:
  • [link]. Install the internet security suite, but without the antivirus and without the Hopsurf toolbar.
  • [link]. A very smart and user-friendly firewall.
  • [link] is another rock-solid choice.

Note: you should run only ONE antivirus and ONE firewall. Running multiples of either is bad; it will cause slowdowns and/or conflicts.

5) Miscellaneous advice:
  • Stay away from cracks and keygens (look [link] for the why). Get free software instead. [link] is an excellent source of freeware reviews.
  • Navigate safely. [link] is the safest browser available. However, Mozilla Firefox can be made extremely safe with the [link] addon. Internet Explorer (always use [link]) can be made a lot safer with [link] (manual [link]).
  • The [link] addon will help you to stay on reliable webpages.
  • [link] alerts you when changes are made in vital system areas. Especially good on light systems not running a third-party firewall.
  • Make sure you have ways to recuperate your operating system and other vital data if it gets frustrated by malware and/or other problems. A Windows setup CD and recent backups/disk images will be priceless if you find yourself in an unexpected tight spot.

Finally: did we help you? [link]!


Post by Uthanak on Mon Sep 19, 2011 5:42 am

I think we did not fully manage the infection. Some more problems arose with my computer and I ran a MBAM scan and it found nothing, so I ran the ESET online scanner and here is what it found:

C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\24\1b20b198-2845a65f a variant of Win32/Kryptik.SPH trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\2\126b69c2-203b0280 Java/Agent.DJ trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\20\3b4ce654-63949c6c Java/Agent.DJ trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\34\27299ae2-2aad74da a variant of Win32/Kryptik.SHQ trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\39\4c67b7e7-1c84e586 a variant of Win32/Kryptik.SIS trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\47\276507af-3dde0e1b Java/Agent.DJ trojan deleted - quarantined
C:\iTunes\iTunesHelper.exe a variant of Win32/TrojanDownloader.Tunahlp.B trojan cleaned by deleting - quarantined
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE Win32/Patched.HN trojan error while cleaning
C:\Qoobox\Quarantine\C\Documents and Settings\Maxim\Desktop\RK_Quarantine\dwm.exe.vir.vir Win32/TrojanDownloader.Agent.QXA trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Maxim\Local Settings\Application Data\lhh .exe.vir probably a variant of Win32/Agent.HZOPRRM trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\roe.exe.vir a variant of Win32/Kryptik.SIS trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\process\FC78BA656AF.exe.vir a variant of Win32/Injector.IYC trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\iPod\bin\iPodService.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jqs.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\nvsvc32.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\wuauclt.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir Win32/Sirefef.CV trojan cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-21-1417001333-1801674531-839522115-1004\Dc5 probably a variant of Win32/Agent.LQRXYJI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP477\A0067861.exe probably a variant of Win32/Agent.LQRXYJI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP479\A0074921.exe a variant of Win32/Kryptik.SHQ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP479\A0074922.exe a variant of Win32/Kryptik.SHQ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP481\A0077036.exe probably a variant of Win32/Agent.HZOPRRM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP481\A0077044.exe a variant of Win32/Injector.IYC trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP483\A0079091.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP483\A0079092.ini Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0081362.exe a variant of Win32/Kryptik.SIS trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0081363.ini Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0081368.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0081369.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0081370.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0081371.EXE Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0082329.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP485\A0082889.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083033.ini Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083034.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083035.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083036.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083037.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083038.EXE Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083889.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0083973.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084016.ini Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084020.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084021.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084022.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084023.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084024.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084025.EXE Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP491\A0084522.sys Win32/Sirefef.CV trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP515\A0087741.exe a variant of Win32/TrojanDownloader.Tunahlp.B trojan cleaned by deleting - quarantined
C:\WINDOWS\Desktop Manager\dwm.exe Win32/TrojanDownloader.Agent.QXA trojan cleaned by deleting - quarantined
C:\WINDOWS\temp\31.tmpj a variant of Win32/TrojanDownloader.Tunahlp.A trojan cleaned by deleting - quarantined
Operating memory Win32/Patched.HN trojan


Post by Gabethebabe on Mon Sep 19, 2011 12:13 pm

Most of that stuff is dead bodies that were already disabled, but not everything.

We're going to run a bunch of scans and a cleaner.

  • Please download TFC (Temp File Cleaner) by OldTimer from [link] and save it to your desktop.
  • Close all programs before proceeding with the next step.
  • Double-click TFC.exe to start the cleaning process and allow it to run.
  • Depending on the number of files that need to be deleted, this can take seconds or up to several minutes.
  • If requested, allow TFC to reboot your computer to finish the cleaning process.

====================

Time to use ComboFix by sUBs, a powerful tool that you are advised not to run without supervision of a trained malware helper. Please visit [link] and read the tutorial on using ComboFix very carefully. After that, download the tool and save it to your desktop.

Double-click ComboFix.exe to run the tool. Please post its log back here.

====================

Please download aswMBR by Alwil Software from [link] and save it to your desktop.

  • Double-click aswMBR.exe to run the tool.
  • Click the Scan button to start the scan.
  • Don't panic if you see any **Rootkit** entries. The tool sometimes produces false alarms.
  • Once the scan finishes, click Save log to save the log to your desktop.
  • Copy and paste the contents of this log (aswMBR.txt) into your next reply.

====================

  • Download TDSSKiller by Kaspersky from [link] and save it to your desktop.
  • Double-click TDSSKiller.exe to run the tool.
  • Click the Start Scan button.
  • After the scan has finished, click the Close button.
  • Click the Report button and copy/paste the contents of it into your next reply.
  • The report can also be found in the root of your Windows drive (most likely C:\).
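The helper's reading of the ESET list above (most hits are copies already sitting in ComboFix's Qoobox quarantine or in System Restore snapshots, but not all of them) can be checked mechanically. The script below is an added example, not code from this thread or from ESET; it assumes the one-line "path, detection, action" format of the posted ESET output and uses a few of those posted lines as sample input.

```python
"""Triage helper for ESET Online Scanner result lines (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# An ESET result line reads "<path> <detection name> <action taken>". Paths
# may contain spaces, so the split is anchored on the detection vocabulary
# ("probably", "a variant of", "Win32/..." or "Java/...", "... trojan").
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?(?:Win32|Java)/\S+ trojan)"
    r"(?:\s+(?P<action>.*))?$"
)

# Sample input: a few lines copied from the ESET output posted in this thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\24\1b20b198-2845a65f a variant of Win32/Kryptik.SPH trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\2\126b69c2-203b0280 Java/Agent.DJ trojan deleted - quarantined
C:\iTunes\iTunesHelper.exe a variant of Win32/TrojanDownloader.Tunahlp.B trojan cleaned by deleting - quarantined
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE Win32/Patched.HN trojan error while cleaning
C:\Qoobox\Quarantine\C\Documents and Settings\Maxim\Local Settings\Application Data\lhh .exe.vir probably a variant of Win32/Agent.HZOPRRM trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir Win32/Sirefef.CV trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP483\A0079091.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined
C:\WINDOWS\Desktop Manager\dwm.exe Win32/TrojanDownloader.Agent.QXA trojan cleaned by deleting - quarantined
Operating memory Win32/Patched.HN trojan
"""


@dataclass
class Finding:
    path: str
    detection: str
    action: str
    location: str  # "quarantine", "restore_point", "memory" or "live"


def classify_path(path: str) -> str:
    """Copies in ComboFix's Qoobox quarantine or in System Restore snapshots
    were already out of the execution path; "live" and "memory" hits were not."""
    p = path.lower()
    if p.startswith("operating memory"):
        return "memory"
    if "\\qoobox\\quarantine\\" in p or "\\rk_quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore{" in p:
        return "restore_point"
    return "live"


def parse_line(line: str) -> Optional[Finding]:
    # Returns None for lines that are not detections (headers, blanks, ...).
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    return Finding(path, m.group("detection"), m.group("action") or "",
                   classify_path(path))


def parse_report(text: str) -> List[Finding]:
    parsed = (parse_line(ln) for ln in text.splitlines() if ln.strip())
    return [f for f in parsed if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    # Count per location so the "dead bodies" ratio is visible at a glance.
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.location] = counts.get(f.location, 0) + 1
    return counts


def needs_attention(findings: List[Finding]) -> List[Finding]:
    """Hits that were not dead bodies: objects found live on disk or in
    memory, plus anything ESET reported it could not clean."""
    return [f for f in findings
            if f.location in ("live", "memory") or "error" in f.action.lower()]


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(summarize(report))
    for f in needs_attention(report):
        print(f"{f.location:>8}  {f.detection}  {f.path}  [{f.action}]")
```

On the full posted list the same split separates the Qoobox and _restore entries from the live Java-cache, Program Files, RECYCLER and in-memory hits, which are the ones worth a follow-up scan.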



Post by Uthanak on Fri Sep 23, 2011 2:41 pm

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-23 09:31:49
-----------------------------
09:31:49.353 OS Version: Windows 5.1.2600 Service Pack 3
09:31:49.353 Number of processors: 2 586 0x4B02
09:31:49.353 ComputerName: MAXIM-9C1E76C15 UserName: Maxim
09:31:50.322 Initialize success
09:33:50.228 AVAST engine defs: 11092300
09:38:25.213 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
09:38:25.213 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
09:38:27.244 Disk 0 MBR read successfully
09:38:27.244 Disk 0 MBR scan
09:38:27.291 Disk 0 Windows XP default MBR code
09:38:27.291 Disk 0 scanning sectors +625137345
09:38:27.306 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
09:38:27.306 Disk 0 PE file @ sector 625137370 !
09:38:27.353 Disk 0 scanning C:\WINDOWS\system32\drivers
09:38:35.666 Service scanning
09:38:36.588 Modules scanning
09:38:40.588 Disk 0 trace - called modules:
09:38:40.603 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
09:38:40.603 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ad8cab8]
09:38:40.603 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8ad34f18]
09:38:40.603 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\00000069[0x8ad8c030]
09:38:41.884 AVAST engine scan C:\WINDOWS
09:39:02.759 AVAST engine scan C:\WINDOWS\system32
09:40:34.275 AVAST engine scan C:\WINDOWS\system32\drivers
09:40:49.025 AVAST engine scan C:\Documents and Settings\Maxim
10:36:11.213 AVAST engine scan C:\Documents and Settings\All Users
10:38:40.072 Scan finished successfully
10:40:59.963 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\MBR.dat"
10:40:59.963 The log file has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\aswMBR.txt"




Post by Gabethebabe on Mon Sep 26, 2011 12:35 pm

That is log 1 of 3 and it is clean.
