Need to get rid of rootkit.

Page 2 of 2 Previous  1, 2

View previous topic View next topic Go down

Need to get rid of rootkit.

Post by Uthanak on Thu 01 Sep 2011, 3:56 pm

First topic message reminder :

Hello, I came here as a last resort, because I have done a good portion of the disinfection so far, but a rootkit remains and I cannot Find it. I ran OTL and will pot the log below. AswMBR.exe closes down after running for a short while, and I cannot reopen after because it says windows does not have access to it. But I saw before it closed down that it had found Orajeon.rootkit or something like that, which other disinfection tools had not found so far. I also have a security check log that I will post below. Basically as of right now the virus opens new tab as I click on a link while websurfing which says in the new tab congratulation, you have won something.

OTL log:

OTL logfile created on: 10/2/2011 12:23:12 AM - Run 3
OTL by OldTimer - Version 3.2.26.7 Folder = C:\Documents and Settings\Maxim\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.74 Gb Available Physical Memory | 84.21% Memory free
5.09 Gb Paging File | 4.69 Gb Available in Paging File | 92.21% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 118.71 Gb Free Space | 39.82% Space Free | Partition Type: NTFS
Drive D: | 1.13 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 245.23 Mb Total Space | 110.27 Mb Free Space | 44.97% Space Free | Partition Type: FAT
Drive F: | 1.29 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: MAXIM-9C1E76C15 | User Name: Maxim | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/02 00:22:28 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Maxim\Desktop\OTL.com
PRC - [2011/06/10 13:04:22 | 000,142,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Desktop Manager\dwm.exe
PRC - [2009/12/10 03:39:04 | 000,065,536 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
PRC - [2009/12/10 03:37:16 | 003,690,496 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/13 19:51:24 | 002,510,848 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
PRC - [2007/11/13 19:49:22 | 002,359,296 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
PRC - [2007/05/28 12:57:54 | 000,275,968 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
PRC - [2004/10/28 09:29:48 | 000,581,632 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint\KEM.exe
PRC - [2004/10/21 13:28:40 | 000,029,696 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint\KHALMNPR.exe


========== Modules (No Company Name) ==========

MOD - [2010/02/05 14:27:45 | 001,291,776 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2008/04/13 20:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 20:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2007/08/08 19:15:02 | 000,828,416 | ---- | M] () -- C:\Program Files\OpenOffice.org 2.3\program\libxml2.dll
MOD - [2004/10/28 09:27:18 | 000,086,016 | ---- | M] () -- C:\Program Files\Logitech\SetPoint\lgscroll.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (NMIndexingService)
SRV - File not found [On_Demand | Stopped] -- -- (McComponentHostService)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/06/10 13:04:22 | 000,142,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\Desktop Manager\dwm.exe -- (USmsServ)
SRV - [2010/09/17 12:13:10 | 000,185,640 | ---- | M] () [On_Demand | Stopped] -- C:\Documents and Settings\Maxim\Application Data\Mikogo\B-Service.exe -- (B-Service)
SRV - [2009/12/10 03:39:04 | 000,065,536 | ---- | M] (PostgreSQL Global Development Group) [Auto | Running] -- C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe -- (pgsql-8.3)
SRV - [2009/08/09 18:35:32 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2007/05/28 12:57:54 | 000,275,968 | ---- | M] (Rocket Division Software) [Auto | Running] -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)
SRV - [2002/12/17 17:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR)
SRV - [2002/12/17 17:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -- (SQLAgent$SONY_MEDIAMGR)


========== Driver Services (SafeList) ==========

DRV - [2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/04/28 07:44:02 | 000,054,760 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009/08/21 16:24:10 | 000,057,248 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvhda32.sys -- (NVHDA)
DRV - [2009/08/17 09:38:37 | 000,722,416 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2009/06/05 13:23:27 | 000,102,664 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2006/09/11 07:45:38 | 000,019,968 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/09/11 07:45:36 | 000,057,856 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/08/21 06:24:28 | 000,105,344 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2006/06/18 23:37:34 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/03/17 06:18:58 | 000,392,960 | R--- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2004/10/21 13:31:14 | 000,038,691 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidUsbK.sys -- (LHidUsbK)
DRV - [2004/10/21 13:31:06 | 000,054,851 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042mou.Sys -- (L8042mou)
DRV - [2004/10/21 13:30:56 | 000,071,535 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE)
DRV - [2004/10/21 13:30:38 | 000,024,671 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidKE.Sys -- (LHidKe)
DRV - [2004/08/12 22:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaultthis.engineName: "Veoh Web Player Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.ca/"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:2
FF - prefs.js..extensions.enabledItems: 4
FF - prefs.js..extensions.enabledItems: 9
FF - prefs.js..extensions.enabledItems: 1
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6906
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.1.0.2
FF - prefs.js..extensions.enabledItems: {cd90bf73-20f6-44ef-993d-bb920303bd2e}:3.3.3.2
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:3.3.3.2
FF - prefs.js..keyword.URL: "http://www.bing.com/search?FORM=IEFM1&q="
FF - prefs.js..network.proxy.type: 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.1908.5032\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.17: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.17: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=0.9.8a: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Documents and Settings\Maxim\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/16 23:56:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/07/01 14:18:21 | 000,000,000 | ---D | M]

[2008/08/26 16:23:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Extensions
[2011/09/30 12:44:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\extensions
[2010/05/14 17:23:56 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/06/10 12:47:07 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/08/16 23:56:57 | 000,000,000 | ---D | M] (Veoh Web Player Community Toolbar) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\extensions\{cd90bf73-20f6-44ef-993d-bb920303bd2e}
[2011/04/25 12:38:59 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\extensions\engine@conduit.com
[2010/01/03 00:17:37 | 000,000,000 | ---D | M] (TVU Web Player) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\extensions\firefox@tvunetworks.com
[2010/05/09 21:48:45 | 000,001,490 | ---- | M] () -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\searchplugins\AOL Search.xml
[2010/07/25 02:57:04 | 000,001,819 | ---- | M] () -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\searchplugins\bing.xml
[2010/06/29 18:22:34 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\searchplugins\conduit.xml
[2011/05/14 01:49:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/06/22 16:38:17 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/06/10 13:23:12 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2007/12/13 21:50:58 | 000,000,000 | ---D | M] (AdVantage) -- C:\Program Files\Mozilla Firefox\extensions\{A89AED22-9133-424c-88E7-C8235C5FF302}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MAXIM\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\PU9JAI39.DEFAULT\EXTENSIONS\{73A6FE31-595D-460B-A920-FCC0F8843232}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MAXIM\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\PU9JAI39.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2009/04/29 15:51:34 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/08/16 23:56:54 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2008/11/11 02:54:07 | 000,221,184 | ---- | M] (CNN) -- C:\Program Files\mozilla firefox\plugins\NPTURNMED.dll
[2010/05/09 21:48:45 | 000,001,490 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\AOL Search.xml
[2011/05/07 21:44:41 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/10/01 14:18:08 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe ARM] File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] File not found
O4 - HKLM..\Run: [Google Updater] File not found
O4 - HKLM..\Run: [iTunesHelper] File not found
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [OfficeKB] File not found
O4 - HKLM..\Run: [QuickTime Task] File not found
O4 - HKLM..\Run: [SoundMAXPnP] File not found
O4 - HKCU..\Run: [AlcoholAutomount] File not found
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] File not found
O4 - HKCU..\Run: [LDM] File not found
O4 - HKCU..\Run: [swg] File not found
O4 - HKCU..\Run: [UU9W7W0EWIWEVHXDLTEVZ] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe (Logitech)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe (Logitech Inc.)
O4 - Startup: C:\Documents and Settings\Maxim\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
O15 - HKCU\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: sony.com ([]* in Trusted sites)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} [You must be registered and logged in to see this link.] (MSN Photo Upload Tool)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} [You must be registered and logged in to see this link.] (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: Garmin Communicator Plug-In [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Maxim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Maxim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/06/21 00:56:20 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/04/30 06:03:45 | 000,000,045 | R--- | M] () - F:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2008/06/25 02:50:03 | 000,152,848 | R--- | M] (KOEI Co., Ltd.) - F:\AutoRun.exe -- [ CDFS ]
O32 - AutoRun File - [2008/07/01 06:35:52 | 000,914,704 | R--- | M] (KOEI Co., Ltd.) - F:\AutoRunInstall.exe -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


SafeBootMin: AppMgmt - File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AppMgmt - File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {1a3e09be-1e45-494b-9174-d7385b45bbf5} -
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2F6EFCE6-10DF-49F9-9E64-9AE3775B2588} - Microsoft .NET Framework 1.1 Security Update (KB2416447)
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lhacm - C:\WINDOWS\System32\lhacm.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.FPS1 - C:\WINDOWS\System32\frapsvid.dll (Beepa P/L)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.tscc - C:\WINDOWS\system32\tsccvid.dll (TechSmith Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/10/01 13:36:29 | 004,191,448 | R--- | C] (Swearware) -- C:\Documents and Settings\Maxim\Desktop\Commy.exe
[2011/10/01 13:10:33 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/10/01 13:10:33 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/10/01 13:10:33 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/10/01 13:10:33 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/10/01 13:06:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Maxim\Start Menu\Programs\Administrative Tools
[2011/09/30 01:51:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/09/28 14:35:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/09/28 13:10:02 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\Maxim\Desktop\esetsmartinstaller_enu.exe
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/10/02 00:22:28 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Maxim\Desktop\OTL.com
[2011/10/02 00:20:54 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/02 00:20:53 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/10/02 00:20:41 | 000,249,230 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2011/10/02 00:20:33 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/10/02 00:08:38 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/10/01 15:51:51 | 000,000,402 | -H-- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for Maxim.job
[2011/10/01 14:18:08 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/10/01 13:35:49 | 004,191,448 | R--- | M] (Swearware) -- C:\Documents and Settings\Maxim\Desktop\Commy.exe
[2011/09/28 14:38:26 | 000,001,200 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\04c43552oyhi36rm1b1my06173a47xha7xadku6ggt56
[2011/09/28 13:09:32 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\xLp3TL.dat
[2011/09/28 13:09:19 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\Maxim\Desktop\esetsmartinstaller_enu.exe
[2011/09/28 06:20:40 | 000,000,844 | -HS- | M] () -- C:\Documents and Settings\Maxim\Local Settings\Application Data\tr6fsajl1433id65s1m04rqrtw5pt462o58343y618vh
[2011/09/28 06:20:40 | 000,000,844 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\tr6fsajl1433id65s1m04rqrtw5pt462o58343y618vh
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

Uthanak

Rookie Surfer
Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

View user profile

Back to top Go down


Re: Need to get rid of rootkit.

Post by Uthanak on Wed 07 Sep 2011, 7:04 pm

ComboFix 11-09-06.03 - Maxim 10/08/2011 3:50.15.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2490 [GMT -4:00]
Running from: c:\documents and settings\Maxim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Maxim\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\redbook.sys --> c:\windows\system32\drivers\redbook.sys
.
((((((((((((((((((((((((( Files Created from 2011-09-08 to 2011-10-08 )))))))))))))))))))))))))))))))
.
.
2011-10-04 07:00 . 2011-10-04 07:00 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2011-10-04 05:37 . 2011-10-04 05:37 -------- d-----w- c:\documents and settings\Maxim\Local Settings\Application Data\PCHealth
2011-10-03 18:58 . 2011-10-03 18:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-10-03 06:21 . 2011-10-03 06:25 -------- d-----w- C:\Commy
2011-10-03 06:19 . 2011-10-03 06:19 -------- d-----w- C:\ARK
2011-10-01 17:25 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-01 17:25 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-10-01 17:23 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-06 00:13 . 2006-02-28 12:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2011-10-04 07:01 . 2009-08-14 21:09 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2011-10-04 07:00 . 2009-08-14 21:09 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-08-28 01:16 . 2011-05-14 05:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2006-02-28 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-10-03 18:59 . 2011-05-08 01:44 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-10-04_07.23.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-08 07:56 . 2011-10-08 07:56 16384 c:\windows\temp\Perflib_Perfdata_658.dat
+ 2007-06-22 00:50 . 2008-04-13 18:40 57600 c:\windows\system32\dllcache\redbook.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [BU]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"OfficeKB"="c:\progra~1\OfficeKB\OfficeKB.EXE" [2004-10-22 200704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-06-12 161336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe" [2011-07-09 240288]
.
c:\documents and settings\Maxim\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-6-23 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-6-23 581632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Documents and Settings\\Maxim\\Desktop\\Max\\Pokemon Game.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"c:\\Program Files\\Dawn of War 2\\DOW2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator\\AvP_CLI.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\transformers war for cybertron\\Binaries\\TWFC.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
"c:\\Program Files\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\UNREAL3\\BINARIES\\WIN32\\DCGAME.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war ii - retribution\\DOW2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4000:TCP"= 4000:TCP:diablo
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"6881:TCP"= 6881:TCP:League of Legends Launcher
"6881:UDP"= 6881:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6929:TCP"= 6929:TCP:League of Legends Launcher
"6929:UDP"= 6929:UDP:League of Legends Launcher
.
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [12/10/2009 3:39 AM 65536]
R2 USmsServ;Desktop Window Manager Sessions Manager;c:\windows\Desktop Manager\dwm.exe [6/10/2011 12:48 PM 142336]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/27/2010 11:44 AM 57248]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/9/2009 6:35 PM 297752]
S3 B-Service;B-Service;c:\documents and settings\Maxim\Application Data\Mikogo\B-Service.exe [9/17/2010 12:13 PM 185640]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys --> c:\windows\system32\drivers\bcgame.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/13/2007 12:28 AM 722416]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-03 14:27]
.
2011-10-07 c:\windows\Tasks\Norton Security Scan for Maxim.job
- c:\progra~1\NORTON~2\Engine\312~1.9\Nss.exe [2011-06-09 08:19]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-10-08 04:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(160)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-10-08 04:03:50 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-08 08:03
ComboFix2.txt 2011-10-07 08:10
ComboFix3.txt 2011-10-06 16:42
ComboFix4.txt 2011-10-06 00:46
ComboFix5.txt 2011-10-08 07:50
.
Pre-Run: 126,769,295,360 bytes free
Post-Run: 126,861,365,248 bytes free
.
- - End Of File - - CD9880FE8B9B9593E0D953C232354086

Uthanak

Rookie Surfer
Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

View user profile

Back to top Go down

Re: Need to get rid of rootkit.

Post by Uthanak on Wed 07 Sep 2011, 7:04 pm

shall i run ASwmbr to see if everything is gone?

Uthanak

Rookie Surfer
Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

View user profile

Back to top Go down

Re: Need to get rid of rootkit.

Post by Gabethebabe on Wed 07 Sep 2011, 7:07 pm

Sure why not.
I will run through the logs to see if I missed anything

Gabethebabe

Tech Advisor
Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

View user profile

Back to top Go down

Re: Need to get rid of rootkit.

Post by Gabethebabe on Wed 07 Sep 2011, 7:12 pm

Please also run TDSSKiller again and post the report and do the following:

Please download SystemLook by jpshortstuff from one of the locations below and save it to your desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the following text into the main textfield:

:filefind
imapi.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop (SystemLook.txt.)


Gabethebabe

Tech Advisor
Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

View user profile

Back to top Go down

Re: Need to get rid of rootkit.

Post by Uthanak on Thu 08 Sep 2011, 4:38 am

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-06 13:01:44
-----------------------------
13:01:44.734 OS Version: Windows 5.1.2600 Service Pack 3
13:01:44.734 Number of processors: 2 586 0x4B02
13:01:44.734 ComputerName: MAXIM-9C1E76C15 UserName: Maxim
13:01:45.234 Initialize success
13:02:41.390 AVAST engine defs: 11090500
13:02:58.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
13:02:58.500 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
13:03:00.500 Disk 0 MBR read successfully
13:03:00.500 Disk 0 MBR scan
13:03:00.531 Disk 0 Windows XP default MBR code
13:03:00.531 Disk 0 scanning sectors +625137345
13:03:00.562 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
13:03:00.562 Disk 0 PE file @ sector 625137370 !
13:03:00.593 Disk 0 scanning C:\WINDOWS\system32\drivers
13:03:06.531 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:03:08.656 Service scanning
13:03:09.453 Modules scanning
13:03:13.140 Disk 0 trace - called modules:
13:03:13.171 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
13:03:13.171 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8adc6ab8]
13:03:13.171 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8ae11f18]
13:03:13.171 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\00000069[0x8adc6030]
13:03:14.046 AVAST engine scan C:\WINDOWS
13:03:53.093 AVAST engine scan C:\WINDOWS\system32
13:05:32.937 AVAST engine scan C:\WINDOWS\system32\drivers
13:05:39.125 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:05:44.953 AVAST engine scan C:\Documents and Settings\Maxim
13:08:31.781 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
13:28:07.828 File: C:\Documents and Settings\Maxim\Desktop\RK_Quarantine\dwm.exe.vir **INFECTED** Win32:Malware-gen
13:32:58.375 AVAST engine scan C:\Documents and Settings\All Users
13:34:39.437 Scan finished successfully
13:35:42.796 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\MBR.dat"
13:35:42.796 The log file has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-07 04:36:07
-----------------------------
04:36:07.140 OS Version: Windows 5.1.2600 Service Pack 3
04:36:07.140 Number of processors: 2 586 0x4B02
04:36:07.140 ComputerName: MAXIM-9C1E76C15 UserName: Maxim
04:36:07.796 Initialize success
04:37:33.359 AVAST engine defs: 11090501
13:32:40.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
13:32:40.312 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
13:32:42.328 Disk 0 MBR read successfully
13:32:42.328 Disk 0 MBR scan
13:32:42.375 Disk 0 Windows XP default MBR code
13:32:42.375 Disk 0 scanning sectors +625137345
13:32:42.406 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
13:32:42.406 Disk 0 PE file @ sector 625137370 !
13:32:42.437 Disk 0 scanning C:\WINDOWS\system32\drivers
13:32:47.906 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:32:51.187 Service scanning
13:32:51.968 Modules scanning
13:32:55.734 Disk 0 trace - called modules:
13:32:56.265 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
13:32:56.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8addbab8]
13:32:56.265 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8adf7f18]
13:32:56.265 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\00000069[0x8addb030]
13:32:57.734 AVAST engine scan C:\WINDOWS
13:33:14.468 AVAST engine scan C:\WINDOWS\system32
13:34:46.343 AVAST engine scan C:\WINDOWS\system32\drivers
13:34:52.890 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:34:59.468 AVAST engine scan C:\Documents and Settings\Maxim
13:37:48.421 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
14:02:51.968 AVAST engine scan C:\Documents and Settings\All Users
14:04:39.953 Scan finished successfully
14:06:21.953 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\MBR.dat"
14:06:21.953 The log file has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-08 12:55:08
-----------------------------
12:55:08.828 OS Version: Windows 5.1.2600 Service Pack 3
12:55:08.828 Number of processors: 2 586 0x4B02
12:55:08.828 ComputerName: MAXIM-9C1E76C15 UserName: Maxim
12:55:09.218 Initialize success
12:56:53.890 AVAST engine defs: 11090700
12:58:20.234 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
12:58:20.234 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
12:58:22.250 Disk 0 MBR read successfully
12:58:22.250 Disk 0 MBR scan
12:58:22.281 Disk 0 Windows XP default MBR code
12:58:22.281 Disk 0 scanning sectors +625137345
12:58:22.312 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
12:58:22.312 Disk 0 PE file @ sector 625137370 !
12:58:22.359 Disk 0 scanning C:\WINDOWS\system32\drivers
12:58:31.062 Service scanning
12:58:31.859 Modules scanning
12:58:34.984 Disk 0 trace - called modules:
12:58:35.015 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
12:58:35.515 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8add3ab8]
12:58:35.515 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8adf7f18]
12:58:35.515 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\00000069[0x8add3030]
12:58:36.140 AVAST engine scan C:\WINDOWS
12:58:53.031 AVAST engine scan C:\WINDOWS\system32
13:00:26.703 AVAST engine scan C:\WINDOWS\system32\drivers
13:00:38.640 AVAST engine scan C:\Documents and Settings\Maxim
13:03:20.531 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
13:28:15.718 AVAST engine scan C:\Documents and Settings\All Users
13:29:56.125 Scan finished successfully
13:38:14.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\MBR.dat"
13:38:14.062 The log file has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\aswMBR.txt"



Uthanak

Rookie Surfer
Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

View user profile

Back to top Go down

Re: Need to get rid of rootkit.

Post by Uthanak on Thu 08 Sep 2011, 4:39 am

2011/09/07 13:39:19.0078 1404 TDSS rootkit removing tool 2.5.19.0 Sep 6 2011 19:23:56
2011/09/07 13:39:19.0296 1404 ================================================================================
2011/09/07 13:39:19.0296 1404 SystemInfo:
2011/09/07 13:39:19.0296 1404
2011/09/07 13:39:19.0296 1404 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/07 13:39:19.0296 1404 Product type: Workstation
2011/09/07 13:39:19.0296 1404 ComputerName: MAXIM-9C1E76C15
2011/09/07 13:39:19.0296 1404 UserName: Maxim
2011/09/07 13:39:19.0296 1404 Windows directory: C:\WINDOWS
2011/09/07 13:39:19.0296 1404 System windows directory: C:\WINDOWS
2011/09/07 13:39:19.0296 1404 Processor architecture: Intel x86
2011/09/07 13:39:19.0296 1404 Number of processors: 2
2011/09/07 13:39:19.0296 1404 Page size: 0x1000
2011/09/07 13:39:19.0296 1404 Boot type: Normal boot
2011/09/07 13:39:19.0296 1404 ================================================================================
2011/09/07 13:39:19.0484 1404 Initialize success
2011/09/07 13:39:24.0937 3440 ================================================================================
2011/09/07 13:39:24.0937 3440 Scan started
2011/09/07 13:39:24.0937 3440 Mode: Manual;
2011/09/07 13:39:24.0937 3440 ================================================================================
2011/09/07 13:39:26.0062 3440 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/07 13:39:26.0109 3440 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/07 13:39:26.0156 3440 ADIHdAudAddService (ab0d9669bab1009e48cc91117e59912b) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2011/09/07 13:39:26.0187 3440 AEAudio (03be587e90c8b37c7ff1fe2e9c1d1c90) C:\WINDOWS\system32\drivers\AEAudio.sys
2011/09/07 13:39:26.0250 3440 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/07 13:39:26.0296 3440 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/09/07 13:39:26.0390 3440 AmdK8 (0a4d13b388c814560bd69c3a496ecfa8) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2011/09/07 13:39:26.0500 3440 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/07 13:39:26.0531 3440 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/07 13:39:26.0578 3440 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/07 13:39:26.0609 3440 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/07 13:39:26.0640 3440 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/07 13:39:26.0671 3440 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/07 13:39:26.0703 3440 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/07 13:39:26.0703 3440 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/07 13:39:26.0718 3440 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/07 13:39:26.0843 3440 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/07 13:39:26.0890 3440 DKbFltr (75ad9beb6d4b6bbcb39bfaba454ea05a) C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
2011/09/07 13:39:26.0968 3440 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/07 13:39:27.0000 3440 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/07 13:39:27.0015 3440 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/07 13:39:27.0031 3440 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/07 13:39:27.0062 3440 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/07 13:39:27.0093 3440 ENTECH (16ebd8bf1d5090923694cc972c7ce1b4) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
2011/09/07 13:39:27.0109 3440 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/07 13:39:27.0125 3440 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/09/07 13:39:27.0171 3440 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/07 13:39:27.0187 3440 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/09/07 13:39:27.0187 3440 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/09/07 13:39:27.0265 3440 fssfltr (e0087225b137e57239ff40f8ae82059b) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2011/09/07 13:39:27.0281 3440 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/07 13:39:27.0296 3440 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/07 13:39:27.0328 3440 GEARAspiWDM (5dc17164f66380cbfefd895c18467773) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/09/07 13:39:27.0359 3440 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/07 13:39:27.0406 3440 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/09/07 13:39:27.0453 3440 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/07 13:39:27.0531 3440 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/07 13:39:27.0562 3440 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/07 13:39:27.0578 3440 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/07 13:39:27.0625 3440 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/09/07 13:39:27.0671 3440 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/07 13:39:27.0687 3440 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/07 13:39:27.0718 3440 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/07 13:39:27.0734 3440 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/07 13:39:27.0750 3440 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/07 13:39:27.0765 3440 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/07 13:39:27.0781 3440 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/07 13:39:27.0796 3440 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/09/07 13:39:27.0828 3440 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/07 13:39:27.0890 3440 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/07 13:39:27.0953 3440 L8042mou (efcc6d56fe8ba50bb7ecf300b60a66a3) C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
2011/09/07 13:39:27.0968 3440 LHidKe (452ecfc32a4b5d9a761e113f149e1b9e) C:\WINDOWS\system32\DRIVERS\LHidKE.Sys
2011/09/07 13:39:28.0015 3440 LHidUsbK (9c92312dd1ab42e627710fb89bbbcd1e) C:\WINDOWS\system32\Drivers\LHidUsbK.Sys
2011/09/07 13:39:28.0031 3440 LMouKE (95871e8c4aecfed95f884d2d10b8bcfb) C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
2011/09/07 13:39:28.0078 3440 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\WINDOWS\system32\DRIVERS\mcdbus.sys
2011/09/07 13:39:28.0093 3440 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/07 13:39:28.0125 3440 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/07 13:39:28.0140 3440 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/07 13:39:28.0171 3440 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/07 13:39:28.0171 3440 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/07 13:39:28.0203 3440 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/07 13:39:28.0265 3440 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/07 13:39:28.0281 3440 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/07 13:39:28.0296 3440 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/07 13:39:28.0312 3440 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/07 13:39:28.0328 3440 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/07 13:39:28.0375 3440 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/07 13:39:28.0437 3440 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2011/09/07 13:39:28.0484 3440 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/07 13:39:28.0515 3440 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/07 13:39:28.0578 3440 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/07 13:39:28.0593 3440 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/07 13:39:28.0593 3440 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/07 13:39:28.0625 3440 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/07 13:39:28.0640 3440 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/07 13:39:28.0703 3440 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/07 13:39:28.0734 3440 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/07 13:39:28.0765 3440 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/07 13:39:28.0781 3440 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/07 13:39:28.0968 3440 nv (4c3696c1ed1a36629ebb348bf745a328) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/09/07 13:39:29.0109 3440 nvata (4d6c6b46b3edf6f2e219a86b61d104ae) C:\WINDOWS\system32\DRIVERS\nvata.sys
2011/09/07 13:39:29.0140 3440 NVENETFD (1b83b60541be1b6db81641c448007f21) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/09/07 13:39:29.0156 3440 NVHDA (cf68bcac297b4c98c1d25b81e4011de4) C:\WINDOWS\system32\drivers\nvhda32.sys
2011/09/07 13:39:29.0187 3440 nvnetbus (57b669f9234604a350174b86764444b0) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/09/07 13:39:29.0234 3440 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/07 13:39:29.0250 3440 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/07 13:39:29.0281 3440 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/07 13:39:29.0296 3440 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/07 13:39:29.0312 3440 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/07 13:39:29.0328 3440 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/07 13:39:29.0390 3440 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/07 13:39:29.0421 3440 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/07 13:39:29.0515 3440 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/07 13:39:29.0531 3440 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/09/07 13:39:29.0546 3440 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/07 13:39:29.0593 3440 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/07 13:39:29.0593 3440 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/09/07 13:39:29.0671 3440 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/07 13:39:29.0687 3440 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/07 13:39:29.0703 3440 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/07 13:39:29.0703 3440 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/07 13:39:29.0718 3440 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/07 13:39:29.0734 3440 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/07 13:39:29.0765 3440 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/07 13:39:29.0812 3440 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/07 13:39:29.0859 3440 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/07 13:39:29.0921 3440 SenFiltService (b6a6b409fda9d9ebd3aadb838d3d7173) C:\WINDOWS\system32\drivers\Senfilt.sys
2011/09/07 13:39:29.0984 3440 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/07 13:39:30.0000 3440 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/07 13:39:30.0046 3440 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/07 13:39:30.0109 3440 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/07 13:39:30.0171 3440 sptd (a80cd850d69d996c832bea37e3a6aa1e) C:\WINDOWS\system32\Drivers\sptd.sys
2011/09/07 13:39:30.0203 3440 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/07 13:39:30.0234 3440 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/07 13:39:30.0281 3440 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/07 13:39:30.0281 3440 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/07 13:39:30.0390 3440 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/07 13:39:30.0406 3440 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/07 13:39:30.0437 3440 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/07 13:39:30.0453 3440 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/07 13:39:30.0500 3440 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/07 13:39:30.0578 3440 tmcomm (df8444a8fa8fd38d8848bdd40a8403b3) C:\WINDOWS\system32\drivers\tmcomm.sys
2011/09/07 13:39:30.0609 3440 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/07 13:39:30.0656 3440 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/07 13:39:30.0703 3440 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/07 13:39:30.0718 3440 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/07 13:39:30.0734 3440 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/07 13:39:30.0750 3440 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/09/07 13:39:30.0781 3440 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/07 13:39:30.0812 3440 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/07 13:39:30.0828 3440 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/07 13:39:30.0875 3440 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/07 13:39:30.0890 3440 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/07 13:39:30.0921 3440 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/07 13:39:31.0015 3440 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/09/07 13:39:31.0046 3440 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/09/07 13:39:31.0062 3440 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/09/07 13:39:31.0093 3440 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/07 13:39:31.0140 3440 Boot (0x1200) (a1f9dcc0fd9defc49250b0a65e3a23b9) \Device\Harddisk0\DR0\Partition0
2011/09/07 13:39:31.0156 3440 ================================================================================
2011/09/07 13:39:31.0156 3440 Scan finished
2011/09/07 13:39:31.0156 3440 ================================================================================
2011/09/07 13:39:31.0171 3860 Detected object count: 0
2011/09/07 13:39:31.0171 3860 Actual detected object count: 0

Uthanak

Rookie Surfer
Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

View user profile

Back to top Go down

Re: Need to get rid of rootkit.

Post by Gabethebabe on Thu 08 Sep 2011, 6:57 am

Well, looks we beat it

There is some trace left - you should navigate to this folder:
C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2

and whatever is present in that "2" folder ==> delete it.

====================

Time to uninstall used tools.

  • Go to Start > Run and type or copy/paste Combofix /uninstall (note the space before the "/").
  • Double click OTL.exe to run it again and click the CleanUp button.
  • If we used any other tools and they still remain on your desktop, please delete them manually.

====================

Do you have any more questions or do you want to see my ALORTKYCC (Awesome List Or Recommendations To Keep Your Computer Clean)?


Gabethebabe

Tech Advisor
Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

View user profile

Back to top Go down

Re: Need to get rid of rootkit.

Post by Uthanak on Thu 08 Sep 2011, 5:10 pm

I would like your ALORTKYCC. Also other questions may follow later, let me think about it please. Thank you for your help.

Uthanak

Rookie Surfer
Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

View user profile

Back to top Go down

Re: Need to get rid of rootkit.

Post by Gabethebabe on Thu 08 Sep 2011, 6:52 pm

Allright! Here follows my ALORTKYCC (Awesome List Of Recommendations To Keep Your Computer Clean):

1) Keep your Windows up-to-date. Windows Autoupdate should be ON (see Start >> Control Panel >> Security Center). An alternative way (but more time-consuming) is to periodically visit [You must be registered and logged in to see this link.]. Hackers are looking every day for new security holes. Microsoft keeps patching them. You cannot fall behind in this race, it will make your system vulnerable.

2) For your average daily computer activities, use a limited/standard user account, not an administrator account. If you use Vista/WIN7 do not disable User Account Control (UAC). You would be amazed to know how much malware canīt touch you if you deny it admin rights. Create a separate password-protected administrator account that you use for admin activities, like (un)installing software.

3) Use a good antivirus. There are various free ones, you cannot go wrong with either of the following three:
  • Panda Cloud Antivirus. If you want your antivirus to be light on resources, I recommend Panda. Install without the toolbar.
  • Ad-Aware Free Internet Security has received great reviews from leading security analysts.
  • Avast! is a very complete antivirus, with modules like mailscanner and webshield.

4) If your computer has 1GB system memory or more, you should install a third party firewall, to replace the weak Windows Firewall. I recommend:
  • Comodo Firewall. Install the internet security suite, but without the antivirus and without the Hopsurf toolbar.
  • Online Armor. A very smart and user friendly firewall.
  • Outpost Firewall is another rocksolid choice.

Note: you should run only ONE antivirus and ONE firewall. Running multiples of either is bad, it will cause slowdowns and/or conflicts.

5) Miscellaneous advice:
  • Stay away from cracks and keygens (look [You must be registered and logged in to see this link.] for the why). Get free software instead. Gizmo is an excellent source of freeware reviews.
  • Navigate safely. Google Chrome is the safest browser available. However, Mozilla Firefox can be made extremely safe with the NoScript addon. Internet Explorer (always use the last version) can be made a lot safer with Spywareblaster (manual here).
  • The WOT (Webs Of Trust) addon will help you to stay on reliable webpages.
  • WinPatrol alerts you when changes are made in vital system areas. Especially good on light systems not running a third party firewall.
  • Make sure you have ways to recuperate your operating system and vital other data if its gets frustrated by malware and/or other problems. A Windows setup CD and recent backups/disk images will be priceless, if you find yourself in an unexpected tight spot.

Finally: did we help you? [You must be registered and logged in to see this link.]!

Gabethebabe

Tech Advisor
Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

View user profile

Back to top Go down

Re: Need to get rid of rootkit.

Post by Uthanak on Mon 19 Sep 2011, 4:42 pm

I think we did no fully manage the infection. Some more problems arose with my computer and i ran a MBAM scan and it found nothing, so I ran the ESEt online scanner and here is what it found:

C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\24\1b20b198-2845a65f a variant of Win32/Kryptik.SPH trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\2\126b69c2-203b0280 Java/Agent.DJ trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\20\3b4ce654-63949c6c Java/Agent.DJ trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\34\27299ae2-2aad74da a variant of Win32/Kryptik.SHQ trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\39\4c67b7e7-1c84e586 a variant of Win32/Kryptik.SIS trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\47\276507af-3dde0e1b Java/Agent.DJ trojan deleted - quarantined
C:\iTunes\iTunesHelper.exe a variant of Win32/TrojanDownloader.Tunahlp.B trojan cleaned by deleting - quarantined
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE Win32/Patched.HN trojan error while cleaning
C:\Qoobox\Quarantine\C\Documents and Settings\Maxim\Desktop\RK_Quarantine\dwm.exe.vir.vir Win32/TrojanDownloader.Agent.QXA trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Maxim\Local Settings\Application Data\lhh .exe.vir probably a variant of Win32/Agent.HZOPRRM trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\roe.exe.vir a variant of Win32/Kryptik.SIS trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\process\FC78BA656AF.exe.vir a variant of Win32/Injector.IYC trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\iPod\bin\iPodService.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jqs.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\nvsvc32.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\wuauclt.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir Win32/Sirefef.CV trojan cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-21-1417001333-1801674531-839522115-1004\Dc5 probably a variant of Win32/Agent.LQRXYJI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP477\A0067861.exe probably a variant of Win32/Agent.LQRXYJI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP479\A0074921.exe a variant of Win32/Kryptik.SHQ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP479\A0074922.exe a variant of Win32/Kryptik.SHQ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP481\A0077036.exe probably a variant of Win32/Agent.HZOPRRM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP481\A0077044.exe a variant of Win32/Injector.IYC trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP483\A0079091.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP483\A0079092.ini Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0081362.exe a variant of Win32/Kryptik.SIS trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0081363.ini Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0081368.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0081369.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0081370.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0081371.EXE Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0082329.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP485\A0082889.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083033.ini Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083034.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083035.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083036.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083037.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083038.EXE Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083889.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0083973.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084016.ini Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084020.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084021.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084022.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084023.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084024.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084025.EXE Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP491\A0084522.sys Win32/Sirefef.CV trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP515\A0087741.exe a variant of Win32/TrojanDownloader.Tunahlp.B trojan cleaned by deleting - quarantined
C:\WINDOWS\Desktop Manager\dwm.exe Win32/TrojanDownloader.Agent.QXA trojan cleaned by deleting - quarantined
C:\WINDOWS\temp\31.tmpj a variant of Win32/TrojanDownloader.Tunahlp.A trojan cleaned by deleting - quarantined
Operating memory Win32/Patched.HN trojan

Uthanak

Rookie Surfer
Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

View user profile

Back to top Go down

Re: Need to get rid of rootkit.

Post by Gabethebabe on Mon 19 Sep 2011, 11:13 pm

Most of that stuff are dead bodies that were already disabled, but not everything.

Weīre going to run a bunch of scans and a cleaner.

  • Please download TFC (Temp File Cleaner) by OldTimer from here and save it to your desktop.
  • Close all programs before proceeding with the next step.
  • Double-click TFC.exe to start the cleaning process and allow it to run
  • Depending on the amount of files that needs to be deleted this can take seconds or up to several minutes.
  • If requested, allow TFC to reboot your computer to finish the cleaning process.

====================

Time to use ComboFix by sUBs, a powerful tool that you are advised not to run without supervision of a trained malware helper. Please visit this webpage and read the tutorial on using ComboFix very carefully. After that download the tool and save it to your desktop.

Doubleclick ComboFix.exe to run the tool. Please post its log back here.

====================

Please download aswMBR by Alwil Software from here and save it to your desktop.

  • Double click aswMBR.exe to run the tool
  • Click the Scan button to start the scan
  • Donīt panic if you see any **Rootkit** entries. The tool sometimes produces false alarms
  • Once the scan finishes click Save log to save the log to your desktop
  • Copy and paste the contents of this log (aswMBR.txt) into your next reply.

====================

  • Download TDSSKiller by Kaspersky from here and save it to your desktop
  • Doubleclick TDSSKiller.exe to run the tool
  • Click the Start Scan button
  • After the scan has finished, click the Close button
  • Click the Report button and copy/paste the contents of it into your next reply
  • The report can also be found in the root of your Windows drive (most likely C:\).


Gabethebabe

Tech Advisor
Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

View user profile

Back to top Go down

Re: Need to get rid of rootkit.

Post by Uthanak on Sat 24 Sep 2011, 1:41 am

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-23 09:31:49
-----------------------------
09:31:49.353 OS Version: Windows 5.1.2600 Service Pack 3
09:31:49.353 Number of processors: 2 586 0x4B02
09:31:49.353 ComputerName: MAXIM-9C1E76C15 UserName: Maxim
09:31:50.322 Initialize success
09:33:50.228 AVAST engine defs: 11092300
09:38:25.213 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
09:38:25.213 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
09:38:27.244 Disk 0 MBR read successfully
09:38:27.244 Disk 0 MBR scan
09:38:27.291 Disk 0 Windows XP default MBR code
09:38:27.291 Disk 0 scanning sectors +625137345
09:38:27.306 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
09:38:27.306 Disk 0 PE file @ sector 625137370 !
09:38:27.353 Disk 0 scanning C:\WINDOWS\system32\drivers
09:38:35.666 Service scanning
09:38:36.588 Modules scanning
09:38:40.588 Disk 0 trace - called modules:
09:38:40.603 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
09:38:40.603 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ad8cab8]
09:38:40.603 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8ad34f18]
09:38:40.603 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\00000069[0x8ad8c030]
09:38:41.884 AVAST engine scan C:\WINDOWS
09:39:02.759 AVAST engine scan C:\WINDOWS\system32
09:40:34.275 AVAST engine scan C:\WINDOWS\system32\drivers
09:40:49.025 AVAST engine scan C:\Documents and Settings\Maxim
10:36:11.213 AVAST engine scan C:\Documents and Settings\All Users
10:38:40.072 Scan finished successfully
10:40:59.963 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\MBR.dat"
10:40:59.963 The log file has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\aswMBR.txt"



Uthanak

Rookie Surfer
Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

View user profile

Back to top Go down

Re: Need to get rid of rootkit.

Post by Gabethebabe on Mon 26 Sep 2011, 11:35 pm

That is log 1 of 3 and it is clean.

Gabethebabe

Tech Advisor
Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

View user profile

Back to top Go down

Re: Need to get rid of rootkit.

Post by Sponsored content Today at 10:59 am


Sponsored content


Back to top Go down

Page 2 of 2 Previous  1, 2

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum