
Thread: Infected by trojan, several issues

  1. #21
    Emeritus-Security Expert (Join Date: Nov 2005; Location: Florida's SpaceCoast; Posts: 15,208)

    First try running Rkill; it won't remove anything, but it may stop the infection that is preventing Combofix from running.

    • Please download rkill (courtesy of Bleepingcomputer.com).
    • There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
    • Note: Vista and Windows 7 users must right-click and select "Run as Administrator" to run the tool.
    • Note: You only need to get one of the tools to run, not all of them.
    • Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN; do not close the message.

      Run rkill repeatedly until it's able to do its job. This may take a few tries.

      You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.

    Then try running CF again.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  2. #22
    Member (Join Date: Jul 2009; Posts: 52)

    I tried version 1 about 10 times and thought I saw the desktop cycle, but during the Combofix scan another Windows shutdown occurred. I restarted and tried version 2 about 15 times and noticed that at the start it lists C:\windows\ehome\ehRecvr.exe and C:\windows\ehome\mcrdsvc.exe, with "2 processes terminated" directly underneath, EACH TIME Rkill runs. After Rkill completes I do get a message window pop up that says "You should now be able to run your normal security programs so you can scan for computer infections", but the desktop is not cycling on/off.

  3. #23
    Emeritus-Security Expert (Join Date: Nov 2005; Location: Florida's SpaceCoast; Posts: 15,208)

    Have you tried running Combofix again?

    If it still won't run, then reboot your system and let's run this program.

    You don't need the 64-bit version, so download the other one.

    --RogueKiller--

    • Download & SAVE to your Desktop RogueKiller or 32 BIT
    • Quit all programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
    • For Windows XP, double-click to start.
    • Wait until Prescan has finished ...
    • Then click on the "Scan" button.
    • Wait until the Status box shows "Scan Finished".
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[1].txt on your Desktop.
    • Exit/Close RogueKiller.

  4. #24
    Member (Join Date: Jul 2009; Posts: 52)

    Yes, I did try Combofix in the normal (NOT special) run, and Windows shut down a couple more times. RogueKiller ran fine; here is the log...

    RogueKiller V8.8.4 [Jan 27 2014] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Kevin [Admin rights]
    Mode : Scan -- Date : 01/28/2014 08:06:33
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 4 ¤¤¤
    [HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Browser Addons : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤
    [Inline] IAT @explorer.exe (FindNextFileW) : KERNEL32.dll -> HOOKED (Unknown @ 0x01E40C5E)
    [Inline] IAT @explorer.exe (ReadProcessMemory) : KERNEL32.dll -> HOOKED (Unknown @ 0x01510682)
    [Inline] IAT @explorer.exe (OpenProcess) : KERNEL32.dll -> HOOKED (Unknown @ 0x0151060B)
    [Inline] IAT @explorer.exe (LoadLibraryA) : KERNEL32.dll -> HOOKED (Unknown @ 0x01510AB1)
    [Inline] IAT @explorer.exe (CreateProcessW) : KERNEL32.dll -> HOOKED (Unknown @ 0x01E405DC)
    [Inline] IAT @explorer.exe (LoadLibraryW) : KERNEL32.dll -> HOOKED (Unknown @ 0x015101DC)
    [Inline] IAT @explorer.exe (ShellExecuteExW) : SHELL32.dll -> HOOKED (Unknown @ 0x01E40BE7)
    [Inline] IAT @explorer.exe (LoadImageW) : USER32.dll -> HOOKED (Unknown @ 0x01E40B70)
    [Inline] EAT @explorer.exe (LdrGetProcedureAddress) : ntdll.dll -> HOOKED (Unknown @ 0x015102CA)
    [Inline] EAT @explorer.exe (LdrLoadDll) : ntdll.dll -> HOOKED (Unknown @ 0x01E40400)
    [Inline] EAT @explorer.exe (NtProtectVirtualMemory) : ntdll.dll -> HOOKED (Unknown @ 0x01510341)
    [Inline] EAT @explorer.exe (NtSetSecurityObject) : ntdll.dll -> HOOKED (Unknown @ 0x01E40477)
    [Inline] EAT @explorer.exe (ZwProtectVirtualMemory) : ntdll.dll -> HOOKED (Unknown @ 0x01510341)
    [Inline] EAT @explorer.exe (ZwSetSecurityObject) : ntdll.dll -> HOOKED (Unknown @ 0x01E40477)
    [Inline] EAT @explorer.exe (CreateFileA) : kernel32.dll -> HOOKED (Unknown @ 0x01E40F28)
    [Inline] EAT @explorer.exe (CreatePipe) : kernel32.dll -> HOOKED (Unknown @ 0x01510077)
    [Inline] EAT @explorer.exe (CreateProcessA) : kernel32.dll -> HOOKED (Unknown @ 0x01510594)
    [Inline] EAT @explorer.exe (CreateProcessW) : kernel32.dll -> HOOKED (Unknown @ 0x01E405DC)
    [Inline] EAT @explorer.exe (CreateRemoteThread) : kernel32.dll -> HOOKED (Unknown @ 0x015106F9)
    [Inline] EAT @explorer.exe (FindNextFileW) : kernel32.dll -> HOOKED (Unknown @ 0x01E40C5E)
    [Inline] EAT @explorer.exe (GetPrivateProfileSectionW) : kernel32.dll -> HOOKED (Unknown @ 0x01E4082F)
    [Inline] EAT @explorer.exe (GetStartupInfoA) : kernel32.dll -> HOOKED (Unknown @ 0x015100EE)
    [Inline] EAT @explorer.exe (HeapCreate) : kernel32.dll -> HOOKED (Unknown @ 0x01510770)
    [Inline] EAT @explorer.exe (LoadLibraryA) : kernel32.dll -> HOOKED (Unknown @ 0x01510AB1)
    [Inline] EAT @explorer.exe (LoadLibraryW) : kernel32.dll -> HOOKED (Unknown @ 0x015101DC)
    [Inline] EAT @explorer.exe (LoadModule) : kernel32.dll -> HOOKED (Unknown @ 0x01510253)
    [Inline] EAT @explorer.exe (OpenProcess) : kernel32.dll -> HOOKED (Unknown @ 0x0151060B)
    [Inline] EAT @explorer.exe (PeekNamedPipe) : kernel32.dll -> HOOKED (Unknown @ 0x01510000)
    [Inline] EAT @explorer.exe (ReadProcessMemory) : kernel32.dll -> HOOKED (Unknown @ 0x01510682)
    [Inline] EAT @explorer.exe (VirtualAllocEx) : kernel32.dll -> HOOKED (Unknown @ 0x0151051D)
    [Inline] EAT @explorer.exe (VirtualProtect) : kernel32.dll -> HOOKED (Unknown @ 0x0151042F)
    [Inline] EAT @explorer.exe (VirtualProtectEx) : kernel32.dll -> HOOKED (Unknown @ 0x015104A6)
    [Inline] EAT @explorer.exe (WinExec) : kernel32.dll -> HOOKED (Unknown @ 0x015103B8)
    [Inline] EAT @explorer.exe (NdrServerInitialize) : RPCRT4.dll -> HOOKED (Unknown @ 0x01E40CD5)
    [Inline] EAT @explorer.exe (NdrStubCall2) : RPCRT4.dll -> HOOKED (Unknown @ 0x01E40D4C)
    [Inline] EAT @explorer.exe (CreateDIBPatternBrushPt) : GDI32.dll -> HOOKED (Unknown @ 0x01E40AF9)
    [Inline] EAT @explorer.exe (Escape) : GDI32.dll -> HOOKED (Unknown @ 0x01E407B8)
    [Inline] EAT @explorer.exe (GetDIBits) : GDI32.dll -> HOOKED (Unknown @ 0x01E40A0B)
    [Inline] EAT @explorer.exe (PlayEnhMetaFileRecord) : GDI32.dll -> HOOKED (Unknown @ 0x01E406CA)
    [Inline] EAT @explorer.exe (PlayMetaFileRecord) : GDI32.dll -> HOOKED (Unknown @ 0x01E40653)
    [Inline] EAT @explorer.exe (StretchDIBits) : GDI32.dll -> HOOKED (Unknown @ 0x01E40A82)
    [Inline] EAT @explorer.exe (LoadImageW) : USER32.dll -> HOOKED (Unknown @ 0x01E40B70)
    [Inline] EAT @explorer.exe (SetWindowsHookExA) : USER32.dll -> HOOKED (Unknown @ 0x01E404EE)
    [Inline] EAT @explorer.exe (SetWindowsHookExW) : USER32.dll -> HOOKED (Unknown @ 0x01E40565)
    [Inline] EAT @explorer.exe (system) : msvcrt.dll -> HOOKED (Unknown @ 0x015107E7)
    [Inline] EAT @explorer.exe (CoGetClassObject) : ole32.dll -> HOOKED (Unknown @ 0x01E40994)
    [Inline] EAT @explorer.exe (UrlUnescapeA) : SHLWAPI.dll -> HOOKED (Unknown @ 0x01E408A6)
    [Inline] EAT @explorer.exe (InternetOpenA) : WININET.dll -> HOOKED (Unknown @ 0x01E40EB1)
    [Inline] EAT @explorer.exe (InternetOpenUrlA) : WININET.dll -> HOOKED (Unknown @ 0x01E40E3A)
    [Inline] EAT @explorer.exe (InternetReadFile) : WININET.dll -> HOOKED (Unknown @ 0x01E40DC3)
    [Inline] EAT @explorer.exe (ShellExecuteExW) : SHELL32.dll -> HOOKED (Unknown @ 0x01E40BE7)
    [Inline] EAT @explorer.exe (bind) : WS2_32.dll -> HOOKED (Unknown @ 0x01510B28)
    [Inline] EAT @explorer.exe (gethostbyname) : WS2_32.dll -> HOOKED (Unknown @ 0x01E4091D)
    [Inline] EAT @explorer.exe (recv) : WS2_32.dll -> HOOKED (Unknown @ 0x01510A3A)
    [Inline] EAT @explorer.exe (select) : WS2_32.dll -> HOOKED (Unknown @ 0x015109C3)
    [Inline] EAT @explorer.exe (send) : WS2_32.dll -> HOOKED (Unknown @ 0x0151094C)
    [Inline] EAT @explorer.exe (socket) : WS2_32.dll -> HOOKED (Unknown @ 0x015108D5)
    [Inline] EAT @explorer.exe (CompatFlagsFromClsid) : urlmon.dll -> HOOKED (Unknown @ 0x01E40741)
    [Inline] EAT @explorer.exe (system) : MSVCR90.dll -> HOOKED (Unknown @ 0x01510B9F)
    [Inline] EAT @explorer.exe (system) : MSVCR80.dll -> HOOKED (Unknown @ 0x01510C16)
    [Inline] IAT @firefox.exe (GetProcAddress) : KERNEL32.dll -> HOOKED (Unknown @ 0x003D0A0B)
    [Inline] EAT @firefox.exe (LdrGetProcedureAddress) : ntdll.dll -> HOOKED (Unknown @ 0x003D0B70)
    [Inline] EAT @firefox.exe (NtProtectVirtualMemory) : ntdll.dll -> HOOKED (Unknown @ 0x003D0BE7)
    [Inline] EAT @firefox.exe (NtSetSecurityObject) : ntdll.dll -> HOOKED (Unknown @ 0x003D0477)
    [Inline] EAT @firefox.exe (ZwProtectVirtualMemory) : ntdll.dll -> HOOKED (Unknown @ 0x003D0BE7)
    [Inline] EAT @firefox.exe (ZwSetSecurityObject) : ntdll.dll -> HOOKED (Unknown @ 0x003D0477)
    [Inline] EAT @firefox.exe (CreateFileA) : kernel32.dll -> HOOKED (Unknown @ 0x003D082F)
    [Inline] EAT @firefox.exe (CreatePipe) : kernel32.dll -> HOOKED (Unknown @ 0x003D091D)
    [Inline] EAT @firefox.exe (CreateProcessA) : kernel32.dll -> HOOKED (Unknown @ 0x003D05DC)
    [Inline] EAT @firefox.exe (CreateProcessW) : kernel32.dll -> HOOKED (Unknown @ 0x003D0653)
    [Inline] EAT @firefox.exe (CreateRemoteThread) : kernel32.dll -> HOOKED (Unknown @ 0x003D0F28)
    [Inline] EAT @firefox.exe (GetProcAddress) : kernel32.dll -> HOOKED (Unknown @ 0x003D0A0B)
    [Inline] EAT @firefox.exe (GetStartupInfoA) : kernel32.dll -> HOOKED (Unknown @ 0x003D0994)
    [Inline] EAT @firefox.exe (HeapCreate) : kernel32.dll -> HOOKED (Unknown @ 0x008B0000)
    [Inline] EAT @firefox.exe (LoadLibraryA) : kernel32.dll -> HOOKED (Unknown @ 0x008B0077)
    [Inline] EAT @firefox.exe (LoadLibraryW) : kernel32.dll -> HOOKED (Unknown @ 0x003D0A82)
    [Inline] EAT @firefox.exe (LoadModule) : kernel32.dll -> HOOKED (Unknown @ 0x003D0AF9)
    [Inline] EAT @firefox.exe (OpenProcess) : kernel32.dll -> HOOKED (Unknown @ 0x003D0E3A)
    [Inline] EAT @firefox.exe (PeekNamedPipe) : kernel32.dll -> HOOKED (Unknown @ 0x003D08A6)
    [Inline] EAT @firefox.exe (ReadProcessMemory) : kernel32.dll -> HOOKED (Unknown @ 0x003D0EB1)
    [Inline] EAT @firefox.exe (VirtualAllocEx) : kernel32.dll -> HOOKED (Unknown @ 0x003D0DC3)
    [Inline] EAT @firefox.exe (VirtualProtect) : kernel32.dll -> HOOKED (Unknown @ 0x003D0CD5)
    [Inline] EAT @firefox.exe (VirtualProtectEx) : kernel32.dll -> HOOKED (Unknown @ 0x003D0D4C)
    [Inline] EAT @firefox.exe (WinExec) : kernel32.dll -> HOOKED (Unknown @ 0x003D0C5E)
    [Inline] EAT @firefox.exe (SetClipboardData) : USER32.dll -> HOOKED (Unknown @ 0x003D06CA)
    [Inline] EAT @firefox.exe (SetWindowsHookExA) : USER32.dll -> HOOKED (Unknown @ 0x003D04EE)
    [Inline] EAT @firefox.exe (SetWindowsHookExW) : USER32.dll -> HOOKED (Unknown @ 0x003D0565)
    [Inline] EAT @firefox.exe (NdrServerInitialize) : RPCRT4.dll -> HOOKED (Unknown @ 0x003D0741)
    [Inline] EAT @firefox.exe (NdrStubCall2) : RPCRT4.dll -> HOOKED (Unknown @ 0x003D07B8)
    [Inline] EAT @firefox.exe (bind) : WS2_32.dll -> HOOKED (Unknown @ 0x008B042F)
    [Inline] EAT @firefox.exe (gethostbyname) : WS2_32.dll -> HOOKED (Unknown @ 0x008B01DC)
    [Inline] EAT @firefox.exe (recv) : WS2_32.dll -> HOOKED (Unknown @ 0x008B03B8)
    [Inline] EAT @firefox.exe (select) : WS2_32.dll -> HOOKED (Unknown @ 0x008B0341)
    [Inline] EAT @firefox.exe (send) : WS2_32.dll -> HOOKED (Unknown @ 0x008B02CA)
    [Inline] EAT @firefox.exe (socket) : WS2_32.dll -> HOOKED (Unknown @ 0x008B0253)
    [Inline] EAT @firefox.exe (system) : msvcrt.dll -> HOOKED (Unknown @ 0x008B00EE)
    [Inline] EAT @firefox.exe (ShellExecuteExW) : SHELL32.dll -> HOOKED (Unknown @ 0x008B04A6)
    [Inline] EAT @firefox.exe (InternetOpenA) : WININET.dll -> HOOKED (Unknown @ 0x008B060B)
    [Inline] EAT @firefox.exe (InternetOpenUrlA) : WININET.dll -> HOOKED (Unknown @ 0x008B0594)
    [Inline] EAT @firefox.exe (InternetReadFile) : WININET.dll -> HOOKED (Unknown @ 0x008B051D)

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    127.0.0.1 localhost
    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com
    127.0.0.1 www.100888290cs.com
    127.0.0.1 100888290cs.com
    127.0.0.1 www.100sexlinks.com
    127.0.0.1 100sexlinks.com
    127.0.0.1 www.10sek.com
    127.0.0.1 10sek.com
    127.0.0.1 www.123topsearch.com
    127.0.0.1 123topsearch.com
    127.0.0.1 www.132.com
    [...]


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST500DM002-1BD142 +++++
    --- User ---
    [MBR] bbc983f42a18ea03e3efc9484103ea40
    [BSP] eee412d08b57fde5247af09a76484fcb : MBR Code unknown
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 102 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 210944 | Size: 467321 Mo
    2 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 957284352 | Size: 9516 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_S_01282014_080633.txt >>
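    The part of the report above that deserves a careful read is the "Driver : [LOADED]" block: every IAT/EAT hook in explorer.exe and firefox.exe points into unnamed memory ("Unknown @ 0x...") rather than into a loaded module. As an added triage example (written here, not part of the original thread and not RogueKiller's own code), the Python below parses those two line formats exactly as they appear in the report, groups the hooks per process by the 64 KiB allocation region their targets fall in (a quick way to see how many injected code blobs there are), and maps the hooked API names to the capability families an analyst cares about. The capability grouping is my own, not RogueKiller's; the sample input is a verbatim excerpt of the report lines posted above.

```python
import re
from collections import defaultdict

# Excerpt of the RogueKiller report posted in this thread (a handful of the
# original lines, kept verbatim so the parser is exercised on real formatting).
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] IAT @explorer.exe (FindNextFileW) : KERNEL32.dll -> HOOKED (Unknown @ 0x01E40C5E)
[Inline] IAT @explorer.exe (ReadProcessMemory) : KERNEL32.dll -> HOOKED (Unknown @ 0x01510682)
[Inline] EAT @explorer.exe (LdrLoadDll) : ntdll.dll -> HOOKED (Unknown @ 0x01E40400)
[Inline] EAT @explorer.exe (send) : WS2_32.dll -> HOOKED (Unknown @ 0x0151094C)
[Inline] EAT @firefox.exe (GetProcAddress) : kernel32.dll -> HOOKED (Unknown @ 0x003D0A0B)
[Inline] EAT @firefox.exe (HeapCreate) : kernel32.dll -> HOOKED (Unknown @ 0x008B0000)
[Inline] EAT @firefox.exe (InternetReadFile) : WININET.dll -> HOOKED (Unknown @ 0x008B051D)
"""

# Line formats as printed by RogueKiller in the report above.
HOOK_RE = re.compile(
    r"^\[Inline\] (?P<table>IAT|EAT) @(?P<process>\S+) \((?P<func>\w+)\) : "
    r"(?P<module>\S+) -> HOOKED \((?P<owner>\w+) @ 0x(?P<addr>[0-9A-Fa-f]+)\)$"
)
REG_RE = re.compile(
    r"^\[(?P<kind>HJ \w+)\]\[(?P<cls>\w+)\] (?P<key>\S+) : (?P<value>.+?) \((?P<data>\d+)\) -> FOUND$"
)

# My own grouping of API names into what a hook on them lets an implant do.
CAPABILITIES = {
    "loader":    {"LdrLoadDll", "LdrGetProcedureAddress", "LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
    "injection": {"OpenProcess", "VirtualAllocEx", "VirtualProtectEx", "ReadProcessMemory", "CreateRemoteThread"},
    "execution": {"CreateProcessA", "CreateProcessW", "ShellExecuteExW", "WinExec", "system"},
    "network":   {"socket", "bind", "send", "recv", "select", "gethostbyname",
                  "InternetOpenA", "InternetOpenUrlA", "InternetReadFile"},
    # Hooking directory enumeration is how user-mode rootkits hide their files.
    "stealth":   {"FindNextFileW"},
}

ALLOC_GRANULARITY = 0x10000  # Windows reserves memory on 64 KiB boundaries


def parse_report(text):
    """Return (hooks, registry) lists of dicts; unrelated report lines are skipped."""
    hooks, registry = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["addr"] = int(rec["addr"], 16)
            hooks.append(rec)
            continue
        m = REG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["data"] = int(rec["data"])   # DWORD value as RogueKiller printed it
            registry.append(rec)
    return hooks, registry


def summarize_hooks(hooks):
    """Per process: hook count, hooked functions by module, and distinct 64 KiB target regions."""
    summary = {}
    for h in hooks:
        proc = summary.setdefault(
            h["process"], {"count": 0, "by_module": defaultdict(set), "regions": set()}
        )
        proc["count"] += 1
        proc["by_module"][h["module"].lower()].add(h["func"])   # KERNEL32.dll == kernel32.dll
        proc["regions"].add(h["addr"] & ~(ALLOC_GRANULARITY - 1))
    return summary


def hooked_capabilities(hooks, process):
    """Capability families intercepted in `process`, from the names of the hooked APIs."""
    funcs = {h["func"] for h in hooks if h["process"] == process}
    return {cap for cap, names in CAPABILITIES.items() if funcs & names}


if __name__ == "__main__":
    hooks, registry = parse_report(SAMPLE_REPORT)
    for proc, info in summarize_hooks(hooks).items():
        regions = ", ".join(f"0x{r:08X}" for r in sorted(info["regions"]))
        print(f"{proc}: {info['count']} hooks into {len(info['regions'])} region(s) [{regions}]")
        print(f"  capabilities: {sorted(hooked_capabilities(hooks, proc))}")
    for r in registry:
        print(f"{r['cls']} {r['kind']}: {r['key']} {r['value']} = {r['data']}")
```

    On the full report the two explorer.exe regions (0x0151xxxx and 0x01E4xxxx) and the two firefox.exe regions (0x003Dxxxx and 0x008Bxxxx) each take every hook, which is consistent with a single injected payload per process rather than many; that, plus the "Unknown" owner on every line, is what makes this block worth escalating even though the "Bad processes" count is 0.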

  5. #25
    Emeritus-Security Expert (Join Date: Nov 2005; Location: Florida's SpaceCoast; Posts: 15,208)

    Let's do this.

    Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

    Download Malwarebytes Anti-Rootkit from Here
    • Unzip the contents to a folder in a convenient location.
    • Open the folder where the contents were unzipped and run mbar.exe.
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt.

  6. #26
    Member (Join Date: Jul 2009; Posts: 52)

    I was able to create a restore point. Here is the mbar log... the system log is in the next reply.

    Malwarebytes Anti-Rootkit BETA 1.07.0.1009
    www.malwarebytes.org

    Database version: v2014.01.28.06

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 6.0.2900.2180
    :: TOYBOX [administrator]

    1/28/2014 11:02:07 AM
    mbar-log-2014-01-28 (11-02-07).txt

    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
    Scan options disabled:
    Objects scanned: 272421
    Time elapsed: 1 hour(s), 3 minute(s), 12 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    Physical Sectors Detected: 0
    (No malicious items detected)

    (end)

  7. #27
    Member (Join Date: Jul 2009; Posts: 52)

    System log:

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1009

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 6.0.2900.2180

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 2.793000 GHz
    Memory total: 2145480704, free: 1156231168

    Downloaded database version: v2014.01.28.05
    Downloaded database version: v2013.12.18.01
    =======================================
    ------------ Kernel report ------------
    01/28/2014 09:20:08
    ------------ Loaded modules -----------
    \WINDOWS\system32\ntkrnlpa.exe
    \WINDOWS\system32\hal.dll
    \WINDOWS\system32\KDCOM.DLL
    \WINDOWS\system32\BOOTVID.dll
    ACPI.sys
    \WINDOWS\system32\DRIVERS\WMILIB.SYS
    pci.sys
    isapnp.sys
    vsflt53.sys
    compbatt.sys
    \WINDOWS\system32\DRIVERS\BATTC.SYS
    pciide.sys
    \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    MountMgr.sys
    ftdisk.sys
    dmload.sys
    dmio.sys
    PartMgr.sys
    VolSnap.sys
    atapi.sys
    iastor.sys
    disk.sys
    \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    fltmgr.sys
    sr.sys
    DRVMCDB.SYS
    KSecDD.sys
    WudfPf.sys
    Ntfs.sys
    NDIS.sys
    vididr.sys
    timntr.sys
    snapman.sys
    Mup.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\ati2mtag.sys
    \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\e1e5132.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\HSF_DP.sys
    \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    \SystemRoot\System32\Drivers\Modem.SYS
    \SystemRoot\system32\DRIVERS\serial.sys
    \SystemRoot\system32\DRIVERS\serenum.sys
    \SystemRoot\system32\DRIVERS\imapi.sys
    \SystemRoot\system32\drivers\iviaspi.sys
    \SystemRoot\System32\Drivers\DLACDBHM.SYS
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\DRIVERS\redbook.sys
    \SystemRoot\system32\DRIVERS\serscan.sys
    \SystemRoot\system32\DRIVERS\audstub.sys
    \SystemRoot\system32\DRIVERS\mfendisk.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\psched.sys
    \SystemRoot\system32\DRIVERS\msgpc.sys
    \SystemRoot\system32\DRIVERS\ptilink.sys
    \SystemRoot\system32\DRIVERS\raspti.sys
    \SystemRoot\System32\Drivers\Pcouffin.sys
    \SystemRoot\system32\DRIVERS\rdpdr.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\update.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\system32\drivers\WmBEnum.sys
    \SystemRoot\system32\drivers\WmXlCore.sys
    \SystemRoot\system32\drivers\MODEMCSA.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\sthda.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\System32\Drivers\i2omgmt.SYS
    \SystemRoot\System32\Drivers\Fs_Rec.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\Drivers\DLARTL_N.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\Drivers\mnmdd.SYS
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\rasacd.sys
    \SystemRoot\system32\DRIVERS\ipsec.sys
    \SystemRoot\system32\DRIVERS\tcpip.sys
    \SystemRoot\system32\drivers\mfetdi2k.sys
    \SystemRoot\system32\DRIVERS\ipnat.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\netbt.sys
    \SystemRoot\System32\drivers\ws2ifsl.sys
    \SystemRoot\System32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\System32\Drivers\Fips.SYS
    \SystemRoot\System32\DRIVERS\ELmou.sys
    \SystemRoot\System32\DRIVERS\ELmon.sys
    \SystemRoot\System32\DRIVERS\ELkbd.sys
    \SystemRoot\System32\DRIVERS\ELhid.sys
    \SystemRoot\System32\Drivers\Cdfs.SYS
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\system32\DRIVERS\usbscan.sys
    \SystemRoot\system32\DRIVERS\usbprint.sys
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \SystemRoot\System32\Drivers\LHidUsb.Sys
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\kbdhid.sys
    \SystemRoot\System32\Drivers\dump_iastor.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\watchdog.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\System32\drivers\dxgthk.sys
    \SystemRoot\System32\ati2dvag.dll
    \SystemRoot\System32\ati2cqag.dll
    \SystemRoot\System32\atikvmag.dll
    \SystemRoot\System32\ati3duag.dll
    \SystemRoot\System32\ativvaxx.dll
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\drivers\mfehidk.sys
    \SystemRoot\system32\drivers\mfeavfk.sys
    \SystemRoot\system32\drivers\mfefirek.sys
    \SystemRoot\system32\DRIVERS\mfencbdc.sys
    \SystemRoot\System32\Drivers\DRVNDDM.SYS
    \SystemRoot\System32\DLA\DLADResN.SYS
    \SystemRoot\System32\DLA\DLAIFS_M.SYS
    \SystemRoot\System32\DLA\DLAOPIOM.SYS
    \SystemRoot\System32\DLA\DLAPoolM.SYS
    \SystemRoot\System32\DLA\DLABOIOM.SYS
    \SystemRoot\System32\DLA\DLAUDFAM.SYS
    \SystemRoot\System32\DLA\DLAUDF_M.SYS
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\System32\Drivers\Aspi32.SYS
    \SystemRoot\system32\DRIVERS\atksgt.sys
    \SystemRoot\system32\DRIVERS\dsunidrv.sys
    \SystemRoot\System32\Drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\lirsgt.sys
    \SystemRoot\system32\DRIVERS\srv.sys
    \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    \SystemRoot\system32\drivers\mfeapfk.sys
    \SystemRoot\system32\drivers\wdmaud.sys
    \SystemRoot\system32\drivers\sysaudio.sys
    \SystemRoot\system32\drivers\cfwids.sys
    \SystemRoot\system32\drivers\HipShieldK.sys
    \SystemRoot\System32\Drivers\Fastfat.SYS
    \SystemRoot\system32\DRIVERS\asyncmac.sys
    \SystemRoot\system32\drivers\kmixer.sys
    \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
    \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
    \WINDOWS\system32\ntdll.dll
    ----------- End -----------
    Done!
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR4
    Upper Device Object: 0xffffffff896cdab8
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000080\
    Lower Device Object: 0xffffffff896d38e8
    Lower Device Driver Name: \Driver\USBSTOR\
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff8a62dab8
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-0\
    Lower Device Object: 0xffffffff8a111030
    Lower Device Driver Name: \Driver\iastor\
    <<<2>>>
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff8a62dab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff8a62e900, DeviceName: Unknown, DriverName: \Driver\snapman\
    DevicePointer: 0xffffffff8a68e908, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff8a62dab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff8a62ea10, DeviceName: Unknown, DriverName: \Driver\vidsflt53\
    DevicePointer: 0xffffffff8a111030, DeviceName: \Device\Ide\IAAStorageDevice-0\, DriverName: \Driver\iastor\
    ------------ End ----------
    Alternate DeviceName: Unknown, DriverName: \Driver\PartMgr\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Read File: File "C:\WINDOWS\system32\drivers\del200f.cty" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\del200f.cty" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\netwlan5.img" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\netwlan5.img" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\gm.dls" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\gm.dls" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\gmreadme.txt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\gmreadme.txt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\1028_Dell_XPS_DXPO51.mrk" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\1028_Dell_XPS_DXPO51.mrk" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\inetx026.img" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\inetx026.img" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\ativmc20.cod" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\ativmc20.cod" is compressed (flags = 1)
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: C08F172

    Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048 Numsec = 208896

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 210944 Numsec = 957073408
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Other (0xdb)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 957284352 Numsec = 19488768

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 500107862016 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
    Done!
    Physical Sector Size: 0
    Drive: 1, DevicePointer: 0xffffffff896cdab8, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff89712f10, DeviceName: Unknown, DriverName: \Driver\snapman\
    DevicePointer: 0xffffffff896d2870, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff896cdab8, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff8977df10, DeviceName: Unknown, DriverName: \Driver\vidsflt53\
    DevicePointer: 0xffffffff896d38e8, DeviceName: \Device\00000080\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Read File: File "C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat" is compressed (flags = 1)
    Infected: C:\Documents and Settings\Kevin\Desktop\uSeRiNiT.exe --> [Heuristics.Reserved.Word.Exploit]
    Infected: C:\Documents and Settings\Kevin\Desktop\WiNlOgOn.exe --> [Heuristics.Reserved.Word.Exploit]
    Scan finished
    Creating System Restore point...
    Cleaning up...
    Removal scheduling successful. System shutdown needed.
    System shutdown occurred
    =======================================


    Removal queue found; removal started
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\VBR-0-1-210944-i.mbam...
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
    Removal finished
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1009

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 6.0.2900.2180

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 2.793000 GHz
    Memory total: 2145480704, free: 1203961856

    =======================================


    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1009

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 6.0.2900.2180

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 2.793000 GHz
    Memory total: 2145480704, free: 1241186304

    Downloaded database version: v2014.01.28.06
    Downloaded database version: v2013.12.18.01
    Initializing...
    ======================
    ------------ Kernel report ------------
    01/28/2014 10:24:56
    ------------ Loaded modules -----------
    ----------- End -----------
    Done!
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR4
    Upper Device Object: 0xffffffff89896030
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000080\
    Lower Device Object: 0xffffffff8990a030
    Lower Device Driver Name: \Driver\USBSTOR\
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff8a82bab8
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-0\
    Lower Device Object: 0xffffffff8a883030
    Lower Device Driver Name: \Driver\iastor\
    <<<2>>>
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff8a82bab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff8a80f900, DeviceName: Unknown, DriverName: \Driver\snapman\
    DevicePointer: 0xffffffff8a7fc908, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff8a82bab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff8a80fa10, DeviceName: Unknown, DriverName: \Driver\vidsflt53\
    DevicePointer: 0xffffffff8a883030, DeviceName: \Device\Ide\IAAStorageDevice-0\, DriverName: \Driver\iastor\
    ------------ End ----------
    Alternate DeviceName: Unknown, DriverName: \Driver\PartMgr\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Read File: File "C:\WINDOWS\system32\drivers\del200f.cty" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\del200f.cty" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\netwlan5.img" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\netwlan5.img" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\gm.dls" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\gm.dls" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\gmreadme.txt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\gmreadme.txt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\1028_Dell_XPS_DXPO51.mrk" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\1028_Dell_XPS_DXPO51.mrk" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\inetx026.img" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\inetx026.img" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\ativmc20.cod" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\ativmc20.cod" is compressed (flags = 1)
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: C08F172

    Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048 Numsec = 208896

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 210944 Numsec = 957073408
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Other (0xdb)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 957284352 Numsec = 19488768

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 500107862016 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
    Done!
    Physical Sector Size: 0
    Drive: 1, DevicePointer: 0xffffffff89896030, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff898c5440, DeviceName: Unknown, DriverName: \Driver\snapman\
    DevicePointer: 0xffffffff8986c220, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff89896030, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff8a85c418, DeviceName: Unknown, DriverName: \Driver\vidsflt53\
    DevicePointer: 0xffffffff8990a030, DeviceName: \Device\00000080\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Read File: File "C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat" is compressed (flags = 1)
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1009

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 6.0.2900.2180

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 2.793000 GHz
    Memory total: 2145480704, free: 1322848256

    Initializing...
    ======================
    Done!
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR4
    Upper Device Object: 0xffffffff89896030
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000080\
    Lower Device Object: 0xffffffff8990a030
    Lower Device Driver Name: \Driver\USBSTOR\
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff8a82bab8
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-0\
    Lower Device Object: 0xffffffff8a883030
    Lower Device Driver Name: \Driver\iastor\
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Read File: File "C:\WINDOWS\system32\drivers\del200f.cty" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\del200f.cty" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\netwlan5.img" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\netwlan5.img" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\gm.dls" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\gm.dls" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\gmreadme.txt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\gmreadme.txt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\1028_Dell_XPS_DXPO51.mrk" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\1028_Dell_XPS_DXPO51.mrk" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\inetx026.img" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\inetx026.img" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\ativmc20.cod" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\SYSTEM32\drivers\ativmc20.cod" is compressed (flags = 1)
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: C08F172

    Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048 Numsec = 208896

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 210944 Numsec = 957073408
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Other (0xdb)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 957284352 Numsec = 19488768

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 500107862016 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
    Done!
    Physical Sector Size: 0
    Drive: 1, DevicePointer: 0xffffffff89896030, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff898c5440, DeviceName: Unknown, DriverName: \Driver\snapman\
    DevicePointer: 0xffffffff8986c220, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff89896030, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff8a85c418, DeviceName: Unknown, DriverName: \Driver\vidsflt53\
    DevicePointer: 0xffffffff8990a030, DeviceName: \Device\00000080\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Read File: File "C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat" is compressed (flags = 1)
    Scan finished
    =======================================


    Removal queue found; removal started
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\VBR-0-1-210944-i.mbam...
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
    Removal finished

  8. #28
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    It looks like it found a couple of infected files and removed them.

    How is your system behaving now?

    Drag Combofix to the trash and let's grab an updated copy and give it one more try; make sure to download it to your desktop.



    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instructions on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  9. #29
    Member
    Join Date
    Jul 2009
    Posts
    52

    Default

    My computer is not unusually slow or experiencing weird behavior except for McAfee... I followed the link you provided but they do not match my options. I clicked on the help link on McAfee Security Center and read how to turn off the real-time scanning, but the box to check is not there on mine? Not sure how I should proceed... Also, the text in the settings page is cut off and there is no scroll bar or any way I can see to change the window size.

  10. #30
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    OK, you should be able to just right-click on the McAfee icon in the system tray, down on the right by the clock, and disable it. If not, then just give Combofix a shot as is, and if it doesn't work, then run a new scan with OTL and post the log please.
