View Full Version : HELP NEEDED: Infection by Service Safeboot C:\...\SafeBoot.sys **LOCKED** 32



Iamabot
2014-05-20, 13:42
Hello,

Service SafeBoot C:\WINDOWS\System32\Drivers\SafeBoot.sys **LOCKED** 32

I wonder whether this - as detected by aswMBR.exe - is really a rootkit or not.

Can anybody assist me on that?

Logs are:

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2014-05-20 09:08:49
-----------------------------
09:08:49.375 OS Version: Windows 5.1.2600 Service Pack 3
09:08:49.375 Number of processors: 2 586 0x1706
09:08:49.375 ComputerName: _____ UserName: [user1]
09:08:50.515 Initialize success
09:09:27.015 AVAST engine defs: 14051900
09:10:03.953 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-12
09:10:03.953 Disk 0 Vendor: ST9200420AS 3.BHA Size: 190782MB BusType: 3
09:10:03.953 Disk 1 \Device\Harddisk1\DR7 -> \Device\000000b3
09:10:03.968 Disk 1 Vendor: RICOH 01 Size: 3776MB BusType: 0
09:10:04.140 Disk 0 MBR read successfully
09:10:04.140 Disk 0 MBR scan
09:10:04.187 Disk 0 unknown MBR code
09:10:04.203 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 42000 MB offset 63
09:10:04.218 Disk 0 Partition 2 80 (A) 83 Linux 477 MB offset 86018048
09:10:04.250 Disk 0 Partition 3 00 82 Linux swap 7629 MB offset 86994944
09:10:04.250 Disk 0 Partition - 00 05 Extended 128277 MB offset 102621182
09:10:04.265 Disk 0 Partition 4 00 83 Linux 19072 MB offset 102621184
09:10:04.281 Disk 0 Partition - 00 05 Extended 97275 MB offset 141680640
09:10:04.296 Disk 0 scanning sectors +365332480
09:10:04.375 Disk 0 scanning C:\WINDOWS\system32\drivers
09:10:22.531 Service scanning
09:10:41.765 Service SafeBoot C:\WINDOWS\System32\Drivers\SafeBoot.sys **LOCKED** 32
09:10:48.937 Modules scanning
09:10:54.453 Disk 0 trace - called modules:
09:10:54.468 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys atapi.sys pciide.sys PCIIDEX.SYS
09:10:54.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ad90ab8]
09:10:54.468 3 CLASSPNP.SYS[f74f7fd7] -> nt!IofCallDriver -> [0x8ad91950]
09:10:54.484 5 hpdskflt.sys[f7518ffd] -> nt!IofCallDriver -> \Device\0000009b[0x8adbf9e8]
09:10:54.484 7 ACPI.sys[f735d620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-12[0x8ad21940]
09:10:55.218 AVAST engine scan C:\WINDOWS
09:11:09.359 AVAST engine scan C:\WINDOWS\system32
09:19:36.828 AVAST engine scan C:\WINDOWS\system32\drivers
09:20:06.281 AVAST engine scan C:\Documents and Settings\[user1]
09:32:11.718 AVAST engine scan C:\Documents and Settings\All Users
09:34:00.312 Scan finished successfully
09:47:16.703 Disk 0 MBR has been saved successfully to "D:\____\Logs\MBR.dat"
09:47:16.796 The log file has been saved successfully to "D:\____\Logs\log20140520_aswMBR.txt"
_____________________________________
The 2 DDS logs are attached.

Thanks a lot.

Edit
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 10.51.2
Run by C.B. at 10:24:45 on 2014-05-20
#Option Extended Search is enabled.
Microsoft Windows XP Professional 5.1.2600.3.1252.353.3082.18.3071.914 [GMT 2:00]
.
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\Archivos de programa\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Archivos de programa\Intel\AMT\atchksrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Bonjour\mDNSResponder.exe
C:\Archivos de programa\Intel\AMT\atchk.exe
C:\Archivos de programa\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Archivos de programa\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ifxspmgt.exe
C:\Archivos de programa\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\HP Connection Manager\WaHelper.exe
C:\WINDOWS\system32\ifxtcs.exe
C:\Archivos de programa\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Archivos de programa\Archivos comunes\InterVideo\RegMgr\iviRegMgr.exe
C:\Archivos de programa\Java\jre7\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
C:\Archivos de programa\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Archivos de programa\Intel\AMT\LMS.exe
C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe
C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
C:\Archivos de programa\DivX\DivX Update\DivXUpdate.exe
C:\Archivos de programa\Apple\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Archivos de programa\Ext2Fsd\Ext2Mgr.exe
C:\WINDOWS\system32\IfxPsdSv.exe
C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
C:\Archivos de programa\Archivos comunes\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\System32\snmp.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\uTorrent\uTorrent.exe
C:\Archivos de programa\BirdieSync\BirdieSync.exe
C:\Archivos de programa\Intel\AMT\UNS.exe
C:\Archivos de programa\System-explorer\SystemExplorer.exe
C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Archivos de programa\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Archivos de programa\Mozilla\Thunderbird\thunderbird.exe
C:\Archivos de programa\Mozilla\Firefox\firefox.exe
C:\Archivos de programa\LibreOffice 4\program\soffice.exe
C:\Archivos de programa\LibreOffice 4\program\soffice.bin
C:\Archivos de programa\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Archivos de programa\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\Archivos de programa\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Archivos de programa\BirdieSync\Android\Adb\1.0.31\adb.exe
C:\Archivos de programa\BirdieSync\Android\Adb\1.0.31\adb.exe
C:\Archivos de programa\Mozilla\Firefox\plugin-container.exe
G:\aswmbr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\archivos de programa\java\jre7\bin\ssv.dll
BHO: {95B7759C-8C7F-4BF1-B163-73684A933233} - <orphaned>
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\archivos de programa\java\jre7\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\archivos de programa\hewlett-packard\iam\bin\ItIEAddIn.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [LightScribe Control Panel] c:\archivos de programa\archivos comunes\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [Google Update] "c:\documents and settings\[user]\configuración local\datos de programa\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\archivos de programa\skype\phone\Skype.exe" /nosplash /minimized
uRun: [uTorrent] "c:\archivos de programa\utorrent\uTorrent.exe" /MINIMIZED
uRun: [BirdieSync] "c:\archivos de programa\birdiesync\BirdieSync.exe" -minimized
uRun: [SystemExplorerAutoStart] "c:\archivos de programa\system-explorer\SystemExplorer.exe" /TRAY
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMAX] c:\archivos de programa\analog devices\soundmax\Smax4.exe /tray
mRun: [atchk] "c:\archivos de programa\intel\amt\atchk.exe"
mRun: [PTHOSTTR] c:\archivos de programa\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [IFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon
mRun: [CognizanceTS] rundll32.exe c:\archiv~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [HP Software Update] c:\archivos de programa\hp\hp software update\HPWuSchd2.exe
mRun: [AirCardEnabler] <no file>
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\c[...]~1\menini~1\progra~1\inicio\libreo~1.lnk - c:\archivos de programa\libreoffice 4\program\quickstart.exe
StartupFolder: c:\docume~1\c[...]~1\menini~1\progra~1\inicio\mozill~1.lnk - c:\archivos de programa\mozilla\firefox\firefox.exe
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\bttray.lnk - c:\archivos de programa\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\mozill~1.lnk - c:\archivos de programa\mozilla\thunderbird\thunderbird.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Senden an &Bluetooth - c:\archivos de programa\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\archivos de programa\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{DD9A033E-C522-4A91-820A-CF4173C2BDDA} : DHCPNameServer = 192.168.1.1
Notify: DeviceNP - DeviceNP.dll
Notify: OneCard - c:\archivos de programa\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs= APSHook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = SbHpNp scecli ASWLNPkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\archivos de programa\archivos comunes\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\[user]\datos de programa\mozilla\firefox\profiles\kgpub68j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dw.de/themen/s-9077|http://dict.leo.org/#/search=&searchLoc=0&resultOrder=basic&multiwordShowSingle=on|http://www.chinese-tools.com/tools/dictionary.html|http://www.franceculture.fr/
FF - plugin: c:\archivos de programa\apple\itunes\mozilla plugins\npitunes.dll
FF - plugin: c:\archivos de programa\apple\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\archivos de programa\apple\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\archivos de programa\apple\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\archivos de programa\apple\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\archivos de programa\apple\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\archivos de programa\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\archivos de programa\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\archivos de programa\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\archivos de programa\google\update\1.3.24.7\npGoogleUpdate3.dll
FF - plugin: c:\archivos de programa\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\archivos de programa\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\documents and settings\[user]\configuración local\datos de programa\google\update\1.3.24.7\npGoogleUpdate3.dll
FF - plugin: c:\documents and settings\[user]\datos de programa\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\[user]\datos de programa\mozilla\plugins\npo1d.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_13_0_0_206.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2014-3-27 149784]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2014-3-27 237848]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2014-3-31 107288]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2014-3-27 27416]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-4-26 100095]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-9 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-3-29 13696]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2014-3-27 122136]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2014-4-18 198936]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2014-3-27 21272]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2014-3-27 192280]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2014-3-31 210200]
R1 Ext2Fsd;Linux ext2 file system driver;c:\windows\system32\drivers\ext2fsd.sys [2014-5-14 686360]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-4-18 39080]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2007-4-26 5808]
R2 ASChannel;Canal de comunicación local;c:\windows\system32\svchost.exe -k Cognizance [2006-3-2 14336]
R2 AVGIDSAgent;AVGIDSAgent;c:\archivos de programa\avg\avg2014\avgidsagent.exe [2014-5-13 3644432]
R2 avgwd;AVG WatchDog;c:\archivos de programa\avg\avg2014\avgwdsvc.exe [2014-5-13 292424]
R2 HpFkCryptService;Drive Encryption Service;c:\archivos de programa\hewlett-packard\drive encryption\HpFkCrypt.exe [2007-4-27 221184]
R2 SWIHPWMI;SWIHPWMI;c:\archivos de programa\hpq\shared\sierra wireless\win32\unicode\SWIHPWMI.exe [2006-12-4 292384]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\archivos de programa\intel\amt\UNS.EXE [2013-5-24 1489688]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2013-5-24 41216]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2013-5-24 47616]
S2 ASBroker;Broker de inicio de sesión;c:\windows\system32\svchost.exe -k Cognizance [2006-3-2 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2007-4-23 30008]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2013-5-27 83168]
S3 FLCDLOCK;HP ProtectTools Gerätesperre/Überwachung;c:\windows\system32\flcdlock.exe [2007-4-30 172131]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2013-5-27 181344]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== File Associations ===============
.
FileExt: .ini: inifile=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
ShellExec: pdfvista.exe: Open="c:\archivos de programa\pdf complete\pdfvista.exe"
ShellExec: pdfvista.exe: Read="c:\archivos de programa\pdf complete\pdfvista.exe"
.
=============== Created Last 60 ================
.
2014-05-18 07:15:44 -------- d-----w- c:\documents and settings\[user]\datos de programa\AVG2014
2014-05-18 07:11:33 -------- d-----w- c:\documents and settings\all users\datos de programa\AVG2014
2014-05-14 16:04:14 -------- d-----w- c:\documents and settings\[user]\datos de programa\LibreOffice
2014-05-14 15:46:29 -------- d-----w- c:\archivos de programa\LibreOffice 4
2014-05-14 08:50:21 -------- d-----w- c:\archivos de programa\ext4Plugin
2014-05-14 08:40:31 545 ----a-w- c:\windows\UC.PIF
2014-05-14 08:40:31 545 ----a-w- c:\windows\RAR.PIF
2014-05-14 08:40:31 545 ----a-w- c:\windows\PKZIP.PIF
2014-05-14 08:40:31 545 ----a-w- c:\windows\PKUNZIP.PIF
2014-05-14 08:40:31 545 ----a-w- c:\windows\LHA.PIF
2014-05-14 08:40:31 545 ----a-w- c:\windows\ARJ.PIF
2014-05-14 08:40:30 -------- d-----w- c:\archivos de programa\totalcmd
2014-05-14 07:44:11 686360 ----a-w- c:\windows\system32\drivers\ext2fsd.sys
2014-05-14 07:44:11 -------- d-----w- c:\archivos de programa\Ext2Fsd
2014-05-12 17:52:45 -------- d-----w- c:\archivos de programa\Junction Link Magic
2014-05-12 17:32:29 374784 ----a-w- c:\windows\ln.exe
2014-05-12 16:55:59 -------- d-----w- c:\archivos de programa\Link
2014-05-12 14:27:57 150392 ----a-w- c:\windows\junction.exe
2014-05-12 08:46:06 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2014-05-12 08:43:32 -------- d-----w- c:\archivos de programa\iPod
2014-05-12 08:43:12 -------- d-----w- c:\documents and settings\all users\datos de programa\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-05-12 08:40:40 6112864 ----a-w- c:\windows\system32\usbaaplrc.dll
2014-05-12 08:40:40 45056 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2014-05-12 08:38:56 -------- d-----w- c:\archivos de programa\archivos comunes\Apple
2014-05-07 11:17:21 -------- d-----w- c:\documents and settings\[user]\datos de programa\.purple_bak
2014-05-07 10:59:25 -------- d-----w- c:\archivos de programa\Pidgin
2014-05-06 08:39:41 -------- d-----w- c:\windows\system32\NtmsData
2014-05-06 08:00:29 -------- d-----w- C:\Usr-data
2014-05-06 07:44:32 -------- d-----w- C:\Downloads
2014-05-06 07:28:26 -------- d-----w- C:\TEMP
2014-05-06 06:44:43 -------- d-----w- c:\documents and settings\[user]\is-VJVFO.tmp
2014-05-05 07:05:54 -------- d-----w- c:\archivos de programa\JkDefragPortable
2014-05-04 15:20:17 -------- d-----w- c:\windows\pss
2014-05-03 15:23:20 -------- d-----w- c:\archivos de programa\WinMd5Sum
2014-05-01 14:58:14 773968 ----a-w- c:\windows\system32\msvcr100.dll
2014-05-01 14:58:14 421200 ----a-w- c:\windows\system32\msvcp100.dll
2014-04-18 13:02:04 198936 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2014-04-16 03:02:58 354656 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2014-04-10 14:32:58 -------- d--h--w- c:\windows\system32\GroupPolicy
2014-04-09 06:37:05 -------- d-----w- c:\windows\system32\FxsTmp
2014-04-09 06:37:00 5632 -c--a-w- c:\windows\system32\dllcache\write.exe
2014-04-09 06:37:00 5632 ----a-w- c:\windows\system32\write.exe
2014-04-04 07:56:34 -------- d-----w- c:\archivos de programa\Apple
2014-04-04 07:46:28 145408 ----a-w- c:\windows\system32\javacpl.cpl
2014-04-02 09:17:26 -------- d-----w- c:\documents and settings\all users\datos de programa\Malwarebytes
2014-04-02 09:17:12 107224 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-02 09:17:12 -------- d-----w- c:\documents and settings\all users\datos de programa\Malwarebytes' Anti-Malware (portable)
2014-04-02 09:13:49 52312 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-03-31 14:11:58 210200 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2014-03-27 20:15:18 192280 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2014-03-27 20:14:40 122136 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
2014-03-27 20:04:22 149784 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2014-03-27 20:04:02 237848 ----a-w- c:\windows\system32\drivers\avglogx.sys
2014-03-27 20:03:22 27416 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2014-03-27 20:03:20 21272 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
.
==================== Find6M ====================
.
2014-05-06 19:25:03 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-05-06 19:25:03 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-04-04 07:46:02 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-02-25 03:30:28 81920 ----a-w- c:\windows\system32\ieencode.dll
2014-02-25 03:30:28 671232 ----a-w- c:\windows\system32\wininet.dll
2014-02-25 03:30:28 61952 ----a-w- c:\windows\system32\tdc.ocx
2014-02-25 03:29:37 371200 ----a-w- c:\windows\system32\html.iec
2014-02-07 06:36:26 1879168 ----a-w- c:\windows\system32\win32k.sys
2014-02-05 08:54:56 563712 ----a-w- c:\windows\system32\qedit.dll
2014-01-17 14:24:12 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2014-01-17 14:24:12 69632 ----a-w- c:\windows\system32\QuickTime.qts
2014-01-08 12:06:50 41223056 ----a-w- C:\sp32883.exe
2013-12-31 00:45:16 434176 ----a-w- c:\windows\system32\vbscript.dll
2013-12-05 11:26:00 1172992 ----a-w- c:\windows\system32\msxml3.dll
2013-11-27 20:21:06 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2012-10-21 18:55:20 6643200 ----a-w- c:\archivos de programa\BabelMap.exe
2008-01-09 13:38:42 148520 ----a-w- c:\archivos de programa\Tcpview.exe
.
============= FINISH: 10:26:05,59 ===============

shelf life
2014-05-21, 04:56
hi,

Locked means that aswmbr could not scan it. Some processes/files are not accessible to AV/Malware scanners and are flagged as being Locked (not scanned).

Iamabot
2014-05-21, 10:15
Locked means that aswmbr could not scan it. Some processes/files are not accessible to AV/Malware scanners and are flagged as being Locked (not scanned).

Hello shelf life and thank you for that titbit. :thanks:
I had no clue, even though I did take a look at what's there on the net about the matter.
But to close the matter, do you also mean to say that this is unimportant and usual, that it is not a rootkit and that I should not give it more thought?
Note that Bootkitremoval, rkill and tdsskiller did not seem to care about it... Should I?
Cheers.

shelf life
2014-05-22, 03:47
I wouldn't worry about it. It appears to be a leftover from a McAfee product that was installed at one time? If you go to Start and type in the search field:
services.msc
the Windows service console will open. In the list look for: SafeBoot
Right click on it and select Properties and check that the service is stopped (not running), since there's no need for it to be running now.

Iamabot
2014-05-22, 09:13
I wouldn't worry about it. It appears to be a leftover from a McAfee product that was installed at one time? If you go to Start and type in the search field: services.msc The Windows service console will open. In the list look for: SafeBoot
Right click on it and select Properties and check that the service is stopped (not running), since there's no need for it to be running now.

The problem is:
1) I never had anything from McAfee on that machine,
2) There is no trace of SafeBoot in my services (stopped or not), as you can see in this txt view of the console GUI.
(Sorry, but the OS is localized in Spain).
In a nutshell, I find this safeboot affair a little strange.

shelf life
2014-05-23, 02:15
Navigate to the Drivers folder and take a look for SafeBoot.sys:

C:\WINDOWS\System32\Drivers\

Iamabot
2014-05-23, 16:48
Navigate to the Drivers folder and take a look for SafeBoot.sys:
C:\WINDOWS\System32\Drivers\

Yes indeed. I have a driver file called Safeboot.sys following the path you gave me.
So something from McAfee must have come in contact with this OS... strange but possible.

That closes the matter I guess. Thanks very much again for allaying unfounded fears of being infected by a rootkit.

[SOLVED & CLOSED]

shelf life
2014-05-24, 05:25
OK, good. You're welcome. Just for another check you could go here (http://virusscan.jotti.org/en) and browse for the file on your computer, then upload it to the site using the send file button. It will be checked by a dozen or so antivirus apps.
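The checks suggested in this thread (look for SafeBoot in services.msc, look for the driver file under System32\Drivers, get the file scanned) can be done from one script. The Services console only lists Win32 services, not kernel drivers, which is why the R0 SafeBoot entry shown in the DDS log does not appear there. The PowerShell below is an added example, not code from the thread or from any of the tools mentioned; it assumes a PowerShell host with WMI and Get-AuthenticodeSignature available (PowerShell 2.0 or later) and uses the service name and driver path quoted in the thread.

```powershell
# Added example (not from the thread): look for SafeBoot both as a Win32
# service and as a kernel driver, then inspect the driver file itself.
# Assumes PowerShell 2.0+ with WMI access; Get-FileHash is avoided on
# purpose because it only exists in PowerShell 4+, so .NET is used instead.

$name       = 'SafeBoot'
$driverPath = Join-Path $env:SystemRoot 'System32\Drivers\SafeBoot.sys'

# services.msc shows only Win32 services. Boot-start drivers (R0 in a DDS
# log) live in the same registry hive but are reported by Win32_SystemDriver.
$svc = Get-WmiObject Win32_Service      -Filter "Name='$name'"
$drv = Get-WmiObject Win32_SystemDriver -Filter "Name='$name'"

if ($svc) {
    "Win32 service : $($svc.Name) state=$($svc.State) start=$($svc.StartMode) path=$($svc.PathName)"
} else {
    "Win32 service : no entry named $name (so services.msc will not list it)"
}

if ($drv) {
    "Kernel driver : $($drv.Name) state=$($drv.State) start=$($drv.StartMode) path=$($drv.PathName)"
} else {
    "Kernel driver : no entry named $name"
}

# Registry view of the same entry; Start=0 is boot start, matching R0.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
if (Test-Path $key) {
    $p = Get-ItemProperty $key
    "Registry      : Type=$($p.Type) Start=$($p.Start) ImagePath=$($p.ImagePath)"
} else {
    "Registry      : $key not present"
}

# Inspect the file: timestamps, Authenticode signer, and a SHA-256 hash that
# can be looked up on a multi-engine scanner before uploading anything.
if (Test-Path $driverPath) {
    $f = Get-Item $driverPath
    "File          : $($f.FullName) size=$($f.Length) modified=$($f.LastWriteTime)"

    $sig = Get-AuthenticodeSignature $driverPath
    "Signature     : $($sig.Status) signer=$($sig.SignerCertificate.Subject)"

    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($driverPath)
    try {
        $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $fs.Close()
    }
    "SHA256        : $hash"
} else {
    "File          : $driverPath not present"
}
```

An unsigned or unexpectedly signed boot-start driver, or a hash unknown to the scanners, is the point at which a locked entry deserves a closer look; a valid vendor signature on a stopped or boot-start driver is consistent with the leftover-component explanation given above.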