
Possible rootkit.0access infection


This topic is locked
65 replies to this topic

#1 ba5852
Member, 81 posts

Posted 14 January 2012 - 01:15 PM

I removed Norton Antivirus Corporate Edition (old version) and installed Norton Internet Security (new version). When I tried to run a scan NIS started but then suddenly stopped in the beginning of the scan and disappeared. The NIS icon also disappeared from the taskbar. After that subsequent attempts to run NIS resulted in the same error message as below.

Ran Malwarebytes in chameleon mode and found 11 files labeled as Rootkit.0access. Malwarebytes stated that it successfully quarantined and deleted all 11 files. Ran Malwarebytes again and found no other infected files.

When I try to run Malwarebytes, superantispyware or Norton Internet Security I get the following message:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Therefore I am unable to run any antivirus or antimalware software at this point. Would appreciate any help you might be able to render.

#2 guestolo
Site Donator, Admin, 16,234 posts

Posted 14 January 2012 - 01:47 PM

Download DDS and save it to your desktop from here
Right click on dds.scr and choose "Run as Admin" if running Vista or Windows 7; double click on dds.scr if running another OS.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to this topic.

Do you want to post your own HijackThis log?
Follow the instructions posted Here

Not required, but if you would like to donate to help my fight against malware
Click Here


#3 ba5852
Member, 81 posts

Posted 14 January 2012 - 01:54 PM

dds.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Bruce at 13:04:57 on 2012-01-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.414 [GMT -5:00]
.
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled*
.
============== Running Processes ===============
.
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\ULI5289\ALi5289.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Common Files\AOL\1228527480\ee\AOLSoftware.exe
C:\Program Files\Maxtor\ManagerApp\msssort.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [ALi5289] "c:\program files\uli5289\ALi5289.exe"
mRun: [SoundMan] "SOUNDMAN.EXE"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroCheck] "c:\windows\system32\NeroCheck.exe"
mRun: [EasyTuneV] "c:\program files\gigabyte\et5\GUI.exe"
mRun: [WheelMouse] Amoumain.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [OCAudioIni] "c:\program files\one-click audio converter\OCAudioIni.exe"
mRun: [HostManager] "c:\program files\common files\aol\1228527480\ee\AOLSoftware.exe"
mRun: [mssSort] "c:\program files\maxtor\managerapp\msssort.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [<NO NAME>]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151899614577
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{4C667E55-A13A-427B-9BB2-9028CB4ACB7E} : DhcpNameServer = 192.168.0.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bruce\application data\mozilla\firefox\profiles\9o218xc0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2006-7-2 51840]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [2006-7-2 45056]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 Maxtor Sync Services;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2008-4-1 161120]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2002-6-19 29184]
R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-1 217600]
R3 Amps2prt;A4Tech PS/2 Port Mouse Filter Driver;c:\windows\system32\drivers\Amps2prt.sys [2006-7-3 10195]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-1-13 24064]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-1-14 40776]
R3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-8-6 223128]
S2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;"c:\program files\webroot\security\current\plugins\antimalware\aei.exe" --> c:\program files\webroot\security\current\plugins\antimalware\AEI.exe [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-1-13 106104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 NAVAP;NAVAP;c:\program files\symantec_client_security\symantec antivirus\Navap.sys [2002-6-19 218112]
S3 Norton AntiVirus Server;Symantec AntiVirus Client;c:\program files\symantec_client_security\symantec antivirus\Rtvscan.exe [2002-7-30 573440]
.
=============== Created Last 30 ================
.
2012-01-14 14:46:48 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-14 04:42:26 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-01-13 21:49:18 -------- d-----w- c:\documents and settings\bruce\application data\Tific
2012-01-13 20:40:25 -------- d-----w- c:\windows\Internet Logs
2012-01-13 20:37:04 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
2012-01-13 20:34:36 -------- d-----w- c:\documents and settings\all users\application data\Norton
2012-01-13 20:13:03 -------- d-----w- c:\documents and settings\all users\application data\IsolatedStorage
2012-01-13 20:13:00 -------- d-----w- c:\documents and settings\bruce\local settings\application data\ID Vault
2012-01-13 20:11:18 -------- d-----w- c:\documents and settings\bruce\application data\ID Vault
2012-01-13 20:09:11 -------- d-----w- c:\program files\Constant Guard Protection Suite
2012-01-13 20:06:04 -------- d-----w- c:\windows\system32\XPSViewer
2012-01-13 20:05:34 27648 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2012-01-13 20:05:12 14048 ------w- c:\windows\system32\spmsg2.dll
2012-01-13 20:01:32 -------- d-----w- c:\documents and settings\all users\application data\White Sky, Inc
.
==================== Find3M ====================
.
2012-01-13 22:27:36 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-01-13 22:27:36 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe >>UNKNOWN [0x86F99BF8]<<
_asm { MOV EAX, 0x86f99b18; XCHG [ESP], EAX; PUSH EAX; PUSH 0x86fa0c94; RET ; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk1\DR1[0x86F66AB8]
\Driver\Disk[0x86F68940] -> IRP_MJ_CREATE -> 0x86F99BF8
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\Disk -> 0x86f99bf8
user & kernel MBR OK
Warning: possible MBR rootkit infection !
.
============= FINISH: 13:05:21.01 ===============


attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume4
Install Date: 7/2/2006 11:55:05 AM
System Uptime: 1/14/2012 12:18:41 AM (13 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | M1689D
Processor: AMD Athlon™ 64 Processor 3300+ | Socket 7 | 2411/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 148 GiB total, 74.997 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (FAT32) - 6 GiB total, 4.323 GiB free.
G: is FIXED (NTFS) - 4 GiB total, 0.271 GiB free.
I: is CDROM ()
J: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
A4Tech iWheelWorks V7.0
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
Athlon 64 Processor Driver
BitTorrent
CamStudio
Critical Update for Windows Media Player 11 (KB959772)
dBpowerAMP FLAC Codec
dBpowerAMP Music Converter
dBpowerAMP Ogg Vorbis Codec
DNA
EasyTune5
FLAC Installer 1.1.2a (remove only)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Officejet Pro 8500 A910 Basic Device Software
HP Officejet Pro 8500 A910 Help
HP Officejet Pro 8500 A910 Product Improvement Study
HP Update
I.R.I.S. OCR
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 13
Java™ 6 Update 3
Java™ 6 Update 7
Learn2 Player (Uninstall Only)
LiveUpdate 1.7 (Symantec Corporation)
Malwarebytes Anti-Malware version 1.60.0.1800
Marketsplash Shortcuts
Maxtor Central Axis Manager
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Premium
Microsoft Plus! for Windows XP
Microsoft Reader
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Mozilla Firefox 6.0.1 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
Nero - Burning Rom
NVIDIA Drivers
One-click Audio Converter Uninstall
PrintKey2000
QuickTime
RealPlayer Basic
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Spybot - Search & Destroy
SUPERAntiSpyware
Symantec AntiVirus Client
TeamViewer 6
TorrentMan Toolbar
ULi M5289 SATA Controller Driver
ULi PCI to AGP Controller Driver
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC 9.0 Runtime
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Vuze
WebFldrs XP
Windows Communication Foundation
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
1/13/2012 5:32:55 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
1/13/2012 5:32:55 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Norton Security Suite\Engine\5.0.0.125\coIEPlg.dll. Reference error message: The operation completed successfully. .
1/13/2012 5:32:55 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
1/13/2012 5:16:08 PM, error: Service Control Manager [7000] - The CGPS Service service failed to start due to the following error: The system cannot find the file specified.
1/13/2012 4:58:45 PM, error: Service Control Manager [7000] - The Norton Security Suite service failed to start due to the following error: Access is denied.
1/13/2012 4:45:44 PM, error: Service Control Manager [7031] - The Norton Security Suite service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
1/13/2012 4:37:07 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
1/13/2012 4:36:30 PM, error: Service Control Manager [7000] - The Webroot Spy Sweeper Engine service failed to start due to the following error: The system cannot find the path specified.
1/13/2012 4:36:09 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'cdrom.sys' on the volume 'HarddiskVolume4'. It has stopped monitoring the volume.
1/13/2012 4:22:39 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'cdrom.sys' on the volume 'HarddiskVolume4'. It has stopped monitoring the volume.
1/13/2012 4:10:29 PM, error: Service Control Manager [7000] - The Webroot Spy Sweeper Engine service failed to start due to the following error: Access is denied.
1/13/2012 4:10:29 PM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service WebrootSpySweeperService with arguments "" in order to run the server: {2302C9AF-7F45-4A95-94F8-575F962090AC}
1/13/2012 3:42:34 PM, error: Service Control Manager [7034] - The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 1 time(s).
1/13/2012 10:49:38 PM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
1/13/2012 10:43:38 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 eeCtrl Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
1/13/2012 10:43:38 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
1/13/2012 10:43:38 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/13/2012 10:43:38 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/13/2012 10:43:38 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
1/13/2012 10:43:18 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
1/13/2012 10:42:42 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
.
==== End Of File ===========================
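A defender-side triage script for DDS output, added here as an example (it is not part of the thread, nor code from DDS or GMER): it splits a DDS.txt into its banner sections and flags the two indicators visible in the log above, a process running from the \\.\globalroot\ device namespace and a \Driver\Disk hook whose address GMER lists as UNKNOWN. It assumes the "===== NAME =====" banner format and the "detected hooks:" table layout exactly as they appear in the posted log; the embedded sample is a trimmed copy of that log.

```python
"""DDS.txt triage helper (added example; not part of the thread, DDS or GMER).

Flags two indicators present in the posted log:
  * a process launched from the \\\\.\\globalroot\\ device namespace instead
    of a normal drive path (first entry under "Running Processes");
  * a \\Driver\\Disk dispatch hook whose target GMER reported as ">>UNKNOWN",
    i.e. code it could not attribute to any loaded module.
"""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(\\\S+)\s*->\s*(0x[0-9A-Fa-f]+)\s*$")
GLOBALROOT_PREFIX = "\\\\.\\globalroot\\"   # the string \\.\globalroot\

# Constructed sample: a trimmed copy of the DDS.txt posted in this thread.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
.
=================== ROOTKIT ====================
.
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe >>UNKNOWN [0x86F99BF8]<<
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk1\DR1[0x86F66AB8]
\Driver\Disk[0x86F68940] -> IRP_MJ_CREATE -> 0x86F99BF8
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\Disk -> 0x86f99bf8
user & kernel MBR OK
Warning: possible MBR rootkit infection !
.
============= FINISH: 13:05:21.01 ===============
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "globalroot_process" or "disk_hook"
    detail: str  # the path or hook entry the finding was derived from


def split_sections(log_text):
    """Map each banner title to the non-empty lines beneath it ('.' spacers dropped)."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def flag_globalroot_processes(process_lines):
    """A process whose image path sits under \\\\.\\globalroot\\ bypasses the
    drive-letter namespace; the genuine svchost.exe entries show the normal
    C:\\WINDOWS\\system32 path."""
    return [Finding("globalroot_process", line.strip('"'))
            for line in process_lines
            if line.strip('"').lower().startswith(GLOBALROOT_PREFIX)]


def flag_disk_hooks(rootkit_lines):
    """Cross-reference GMER's 'detected hooks:' table with the address it
    could not resolve (>>UNKNOWN [addr]<<) in the disk trace."""
    unknown = {m.group(1).lower()
               for line in rootkit_lines for m in UNKNOWN_RE.finditer(line)}
    findings, in_table = [], False
    for line in rootkit_lines:
        if line.startswith("detected hooks:"):
            in_table = True
            continue
        if not in_table:
            continue
        hook = HOOK_RE.match(line)
        if hook is None:          # first non-hook line ends the table
            break
        target, addr = hook.group(1), hook.group(2).lower()
        where = "unidentified module" if addr in unknown else "address not in trace"
        findings.append(Finding("disk_hook", f"{target} -> {addr} ({where})"))
    return findings


def triage(log_text):
    """Return all findings for one DDS log, in log order."""
    sections = split_sections(log_text)
    return (flag_globalroot_processes(sections.get("Running Processes", []))
            + flag_disk_hooks(sections.get("ROOTKIT", [])))


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.kind}] {f.detail}")
```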

#4 guestolo
Site Donator, Admin, 16,234 posts

Posted 14 January 2012 - 02:05 PM

Download ComboFix from the following location

Link 1
Save it ONLY to your Desktop

--------------------------------------------------------------------


  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply

NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please



#5 ba5852
Member, 81 posts

Posted 14 January 2012 - 02:51 PM

I attempted to run ComboFix but got this error message.


"ComboFix has detected the following real time scanner(s) to be active:

antivirus: Norton Security Suite

Antivirus and intrusion prevention programs are known to interfere
with ComboFix's running. This may lead to unpredictable results or possible machine damage.

Please disable these scaners before clicking 'OK'."


I had previously installed and uninstalled Norton Internet Security in an attempt to get it to load properly. It is currently uninstalled but it seems to think it's still there.

I noticed that Norton Antivirus Corporate Edition ver 8 is in the program list. It has somehow been disabled so that it does not run on boot up. Just for the heck of it I ran it from the Start Menu and ran a scan. The scan completed and it did not find any problems.

I have not clicked OK on the warning message.

#6 guestolo

Posted 14 January 2012 - 02:58 PM

It's probably the infection causing the problem with ComboFix
Can you do the following please
Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then double click on it to run it

Click START SCAN. When done, if TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt"; please copy and paste the contents in your next reply.

Then try running ComboFix again

Edit: I was posting when you were possibly editing your above reply?
Not sure, but please carry on with these instructions if not too late
If you have carried on with running ComboFix, post its log then we will carry on

Edited by guestolo, 14 January 2012 - 03:03 PM.


#7 ba5852

Posted 14 January 2012 - 03:11 PM


#8 ba5852

Posted 14 January 2012 - 03:14 PM

How do you insert dialogue boxes showing error messages in this editor. When I try I get a page of code instead of the image I'm trying to send.

#9 guestolo

Posted 14 January 2012 - 03:25 PM

If you're trying to post a link to an image
you should upload to something like Photobucket or Imageshack and link to it
I think that's what you mean
Anyway, can you carry on with my previous reply please


#10 ba5852

Posted 14 January 2012 - 09:57 PM

22:44:02.0328 2848 TDSS rootkit removing tool 2.7.1.0 Jan 13 2012 15:24:05
22:44:02.0671 2848 ============================================================
22:44:02.0671 2848 Current date / time: 2012/01/14 22:44:02.0671
22:44:02.0671 2848 SystemInfo:
22:44:02.0671 2848
22:44:02.0671 2848 OS Version: 5.1.2600 ServicePack: 3.0
22:44:02.0671 2848 Product type: Workstation
22:44:02.0671 2848 ComputerName: AMD3300
22:44:02.0671 2848 UserName: Bruce
22:44:02.0671 2848 Windows directory: C:\WINDOWS
22:44:02.0671 2848 System windows directory: C:\WINDOWS
22:44:02.0671 2848 Processor architecture: Intel x86
22:44:02.0671 2848 Number of processors: 1
22:44:02.0671 2848 Page size: 0x1000
22:44:02.0671 2848 Boot type: Normal boot
22:44:02.0671 2848 ============================================================
22:44:03.0484 2848 Drive \Device\Harddisk0\DR0 - Size: 0x4C54C7E00, SectorSize: 0x200, Cylinders: 0x9BB, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K', Flags 0x00000054
22:44:03.0500 2848 Drive \Device\Harddisk1\DR1 - Size: 0x3A38B2DC00, SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K', Flags 0x00000058
22:44:03.0656 2848 Initialize success
22:44:21.0859 0948 ============================================================
22:44:21.0859 0948 Scan started
22:44:21.0859 0948 Mode: Manual;
22:44:21.0859 0948 ============================================================
22:44:22.0531 0948 Abiosdsk - ok
22:44:22.0687 0948 abp480n5 - ok
22:44:22.0937 0948 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:44:23.0031 0948 ACPI - ok
22:44:23.0312 0948 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
22:44:23.0343 0948 ACPIEC - ok
22:44:23.0500 0948 adpu160m - ok
22:44:23.0546 0948 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
22:44:23.0546 0948 aec - ok
22:44:23.0593 0948 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
22:44:23.0609 0948 AFD - ok
22:44:23.0625 0948 Aha154x - ok
22:44:23.0656 0948 aic78u2 - ok
22:44:23.0671 0948 aic78xx - ok
22:44:23.0781 0948 ALCXWDM (f5d4d3899e16e1f75398297844386226) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
22:44:23.0828 0948 ALCXWDM - ok
22:44:23.0890 0948 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
22:44:23.0890 0948 AliIde - ok
22:44:23.0921 0948 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
22:44:23.0921 0948 AmdK8 - ok
22:44:23.0968 0948 Amps2prt (8e14139857d820b54f27aa2ec24cddff) C:\WINDOWS\system32\Drivers\Amps2prt.sys
22:44:23.0968 0948 Amps2prt - ok
22:44:24.0000 0948 amsint - ok
22:44:24.0015 0948 asc - ok
22:44:24.0031 0948 asc3350p - ok
22:44:24.0062 0948 asc3550 - ok
22:44:24.0109 0948 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
22:44:24.0109 0948 ASCTRM - ok
22:44:24.0171 0948 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:44:24.0171 0948 AsyncMac - ok
22:44:24.0203 0948 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
22:44:24.0203 0948 atapi - ok
22:44:24.0218 0948 Atdisk - ok
22:44:24.0250 0948 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:44:24.0265 0948 Atmarpc - ok
22:44:24.0296 0948 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:44:24.0296 0948 audstub - ok
22:44:24.0343 0948 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:44:24.0343 0948 Beep - ok
22:44:24.0390 0948 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:44:24.0390 0948 cbidf2k - ok
22:44:24.0406 0948 cd20xrnt - ok
22:44:24.0437 0948 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:44:24.0437 0948 Cdaudio - ok
22:44:24.0453 0948 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
22:44:24.0453 0948 Cdfs - ok
22:44:24.0500 0948 Cdrom (89bd2e81c34dbf16cc2bcec90a912781) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:44:24.0500 0948 Cdrom ( Rootkit.Win32.ZAccess.e ) - infected
22:44:24.0500 0948 Cdrom - detected Rootkit.Win32.ZAccess.e (0)
22:44:24.0515 0948 Changer - ok
22:44:24.0546 0948 CmdIde - ok
22:44:24.0578 0948 Cpqarray - ok
22:44:24.0609 0948 dac2w2k - ok
22:44:24.0625 0948 dac960nt - ok
22:44:24.0656 0948 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
22:44:24.0656 0948 Disk - ok
22:44:24.0718 0948 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
22:44:24.0734 0948 dmboot - ok
22:44:24.0765 0948 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
22:44:24.0765 0948 dmio - ok
22:44:24.0781 0948 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
22:44:24.0781 0948 dmload - ok
22:44:24.0828 0948 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
22:44:24.0828 0948 DMusic - ok
22:44:24.0859 0948 dpti2o - ok
22:44:24.0875 0948 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
22:44:24.0875 0948 drmkaud - ok
22:44:24.0937 0948 dtscsi (12aca694b50ea53563c1e7c99e7bb27d) C:\WINDOWS\System32\Drivers\dtscsi.sys
22:44:24.0937 0948 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\dtscsi.sys. md5: 12aca694b50ea53563c1e7c99e7bb27d
22:44:24.0937 0948 dtscsi ( LockedFile.Multi.Generic ) - warning
22:44:24.0937 0948 dtscsi - detected LockedFile.Multi.Generic (1)
22:44:25.0046 0948 eeCtrl (75e8b69f28c813675b16db357f20720f) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
22:44:25.0046 0948 eeCtrl - ok
22:44:25.0078 0948 EraserUtilRebootDrv (720b18d76de9e603b626dfcd6f1fca7c) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
22:44:25.0078 0948 EraserUtilRebootDrv - ok
22:44:25.0125 0948 ET5Drv (57af1036880449056dd8adac9f2d1fe1) C:\WINDOWS\system32\Drivers\ET5Drv.sys
22:44:25.0140 0948 ET5Drv - ok
22:44:25.0187 0948 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
22:44:25.0187 0948 Fastfat - ok
22:44:25.0218 0948 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
22:44:25.0218 0948 Fdc - ok
22:44:25.0234 0948 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
22:44:25.0234 0948 Fips - ok
22:44:25.0265 0948 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
22:44:25.0265 0948 Flpydisk - ok
22:44:25.0281 0948 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
22:44:25.0296 0948 FltMgr - ok
22:44:25.0312 0948 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:44:25.0312 0948 Fs_Rec - ok
22:44:25.0343 0948 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:44:25.0343 0948 Ftdisk - ok
22:44:25.0359 0948 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
22:44:25.0375 0948 gameenum - ok
22:44:25.0390 0948 gdrv (36cf9048cee590c13fa8f007d1cb45ff) C:\WINDOWS\gdrv.sys
22:44:25.0671 0948 gdrv - ok
22:44:25.0781 0948 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:44:25.0781 0948 Gpc - ok
22:44:25.0859 0948 HCF_MSFT (4236e014632f4163f53ebb717f41594c) C:\WINDOWS\system32\DRIVERS\HCF_MSFT.sys
22:44:25.0890 0948 HCF_MSFT - ok
22:44:25.0921 0948 hpn - ok
22:44:25.0937 0948 hpt3xx - ok
22:44:26.0000 0948 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
22:44:26.0000 0948 HTTP - ok
22:44:26.0015 0948 i2omgmt - ok
22:44:26.0046 0948 i2omp - ok
22:44:26.0078 0948 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:44:26.0078 0948 i8042prt - ok
22:44:26.0109 0948 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
22:44:26.0109 0948 Imapi - ok
22:44:26.0140 0948 ini910u - ok
22:44:26.0171 0948 IntelIde - ok
22:44:26.0203 0948 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
22:44:26.0203 0948 ip6fw - ok
22:44:26.0234 0948 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:44:26.0250 0948 IpFilterDriver - ok
22:44:26.0265 0948 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:44:26.0281 0948 IpInIp - ok
22:44:26.0312 0948 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:44:26.0312 0948 IpNat - ok
22:44:26.0343 0948 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:44:26.0343 0948 IPSec - ok
22:44:26.0375 0948 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
22:44:26.0375 0948 IRENUM - ok
22:44:26.0421 0948 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:44:26.0421 0948 isapnp - ok
22:44:26.0453 0948 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:44:26.0453 0948 Kbdclass - ok
22:44:26.0484 0948 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
22:44:26.0500 0948 kmixer - ok
22:44:26.0531 0948 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
22:44:26.0531 0948 KSecDD - ok
22:44:26.0578 0948 Lavasoft Kernexplorer - ok
22:44:26.0609 0948 lbrtfdc - ok
22:44:26.0656 0948 m5289 (2424b13987360840b4bf4e5fb5a66d3f) C:\WINDOWS\system32\drivers\m5289.sys
22:44:26.0656 0948 m5289 - ok
22:44:26.0687 0948 mbamchameleon (7ffd29fafcde7aaf89b689b6e156d5b0) C:\WINDOWS\system32\drivers\mbamchameleon.sys
22:44:26.0687 0948 mbamchameleon - ok
22:44:26.0718 0948 MBAMSwissArmy (0db7527db188c7d967a37bb51bbf3963) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
22:44:26.0718 0948 MBAMSwissArmy - ok
22:44:26.0750 0948 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
22:44:26.0750 0948 mnmdd - ok
22:44:26.0796 0948 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
22:44:26.0796 0948 Modem - ok
22:44:26.0828 0948 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:44:26.0828 0948 Mouclass - ok
22:44:26.0859 0948 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
22:44:26.0859 0948 MountMgr - ok
22:44:26.0875 0948 mraid35x - ok
22:44:26.0890 0948 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:44:26.0906 0948 MRxDAV - ok
22:44:26.0968 0948 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:44:26.0984 0948 MRxSmb - ok
22:44:27.0000 0948 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
22:44:27.0000 0948 Msfs - ok
22:44:27.0062 0948 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
22:44:27.0062 0948 MSKSSRV - ok
22:44:27.0078 0948 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
22:44:27.0093 0948 MSPCLOCK - ok
22:44:27.0109 0948 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
22:44:27.0109 0948 MSPQM - ok
22:44:27.0156 0948 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:44:27.0156 0948 mssmbios - ok
22:44:27.0187 0948 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
22:44:27.0187 0948 Mup - ok
22:44:27.0296 0948 NAVAP (70c4d2474833b6ef16342e5d33359ff6) C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP.sys
22:44:27.0312 0948 NAVAP - ok
22:44:27.0328 0948 NAVAPEL (f81a56a1be2c0ea8c2ff320cd5dc9aad) C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS
22:44:27.0328 0948 NAVAPEL - ok
22:44:27.0375 0948 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
22:44:27.0390 0948 NDIS - ok
22:44:27.0437 0948 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:44:27.0437 0948 NdisTapi - ok
22:44:27.0468 0948 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:44:27.0484 0948 Ndisuio - ok
22:44:27.0500 0948 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:44:27.0500 0948 NdisWan - ok
22:44:27.0531 0948 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
22:44:27.0531 0948 NDProxy - ok
22:44:27.0562 0948 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
22:44:27.0562 0948 NetBIOS - ok
22:44:27.0593 0948 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
22:44:27.0593 0948 NetBT - ok
22:44:27.0656 0948 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
22:44:27.0656 0948 Npfs - ok
22:44:27.0703 0948 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
22:44:27.0718 0948 Ntfs - ok
22:44:27.0750 0948 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
22:44:27.0750 0948 Null - ok
22:44:27.0875 0948 nv (7fe3f1721856365c882dae13f3600223) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
22:44:27.0937 0948 nv - ok
22:44:27.0984 0948 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:44:27.0984 0948 NwlnkFlt - ok
22:44:28.0000 0948 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:44:28.0000 0948 NwlnkFwd - ok
22:44:28.0046 0948 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
22:44:28.0062 0948 Parport - ok
22:44:28.0078 0948 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
22:44:28.0078 0948 PartMgr - ok
22:44:28.0125 0948 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
22:44:28.0140 0948 ParVdm - ok
22:44:28.0156 0948 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
22:44:28.0156 0948 PCI - ok
22:44:28.0171 0948 PCIDump - ok
22:44:28.0187 0948 PCIIde - ok
22:44:28.0234 0948 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
22:44:28.0234 0948 Pcmcia - ok
22:44:28.0250 0948 PDCOMP - ok
22:44:28.0281 0948 PDFRAME - ok
22:44:28.0296 0948 PDRELI - ok
22:44:28.0312 0948 PDRFRAME - ok
22:44:28.0328 0948 perc2 - ok
22:44:28.0343 0948 perc2hib - ok
22:44:28.0421 0948 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
22:44:28.0421 0948 PptpMiniport - ok
22:44:28.0437 0948 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
22:44:28.0453 0948 Processor - ok
22:44:28.0468 0948 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
22:44:28.0468 0948 PSched - ok
22:44:28.0484 0948 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
22:44:28.0500 0948 Ptilink - ok
22:44:28.0515 0948 ql1080 - ok
22:44:28.0531 0948 Ql10wnt - ok
22:44:28.0546 0948 ql12160 - ok
22:44:28.0578 0948 ql1240 - ok
22:44:28.0593 0948 ql1280 - ok
22:44:28.0609 0948 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
22:44:28.0609 0948 RasAcd - ok
22:44:28.0640 0948 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
22:44:28.0640 0948 Rasl2tp - ok
22:44:28.0671 0948 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
22:44:28.0671 0948 RasPppoe - ok
22:44:28.0687 0948 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
22:44:28.0687 0948 Raspti - ok
22:44:28.0750 0948 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:44:28.0750 0948 Rdbss - ok
22:44:28.0781 0948 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
22:44:28.0781 0948 RDPCDD - ok
22:44:28.0812 0948 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
22:44:28.0828 0948 rdpdr - ok
22:44:28.0890 0948 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
22:44:28.0890 0948 RDPWD - ok
22:44:28.0921 0948 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
22:44:28.0921 0948 redbook - ok
22:44:29.0000 0948 RTL8023xp (cf84b1f0e8b14d4120aaf9cf35cbb265) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
22:44:29.0000 0948 RTL8023xp - ok
22:44:29.0046 0948 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
22:44:29.0046 0948 rtl8139 - ok
22:44:29.0156 0948 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
22:44:29.0156 0948 SASDIFSV - ok
22:44:29.0156 0948 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
22:44:29.0171 0948 SASKUTIL - ok
22:44:29.0218 0948 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
22:44:29.0218 0948 Secdrv - ok
22:44:29.0265 0948 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
22:44:29.0265 0948 serenum - ok
22:44:29.0296 0948 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
22:44:29.0296 0948 Serial - ok
22:44:29.0328 0948 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
22:44:29.0343 0948 Sfloppy - ok
22:44:29.0359 0948 Simbad - ok
22:44:29.0390 0948 Sparrow - ok
22:44:29.0406 0948 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
22:44:29.0406 0948 splitter - ok
22:44:29.0500 0948 sptd (1669769eb21ba54c217b2764a31b58d0) C:\WINDOWS\system32\Drivers\sptd.sys
22:44:29.0500 0948 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 1669769eb21ba54c217b2764a31b58d0
22:44:29.0500 0948 sptd ( LockedFile.Multi.Generic ) - warning
22:44:29.0500 0948 sptd - detected LockedFile.Multi.Generic (1)
22:44:29.0515 0948 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\System32\DRIVERS\sr.sys
22:44:29.0515 0948 sr - ok
22:44:29.0562 0948 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
22:44:29.0578 0948 Srv - ok
22:44:29.0625 0948 SSKBFD (8564bc9598be1705477b7fa61d657c2b) C:\WINDOWS\system32\Drivers\sskbfd.sys
22:44:29.0625 0948 SSKBFD - ok
22:44:29.0687 0948 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
22:44:29.0687 0948 StillCam - ok
22:44:29.0703 0948 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
22:44:29.0718 0948 swenum - ok
22:44:29.0750 0948 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
22:44:29.0750 0948 swmidi - ok
22:44:29.0781 0948 symc810 - ok
22:44:29.0796 0948 symc8xx - ok
22:44:29.0859 0948 SymEvent (ab33c3b196197ca467cbdda717860dba) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
22:44:29.0859 0948 SymEvent - ok
22:44:29.0875 0948 sym_hi - ok
22:44:29.0890 0948 sym_u3 - ok
22:44:29.0921 0948 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
22:44:29.0921 0948 sysaudio - ok
22:44:30.0000 0948 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
22:44:30.0015 0948 Tcpip - ok
22:44:30.0046 0948 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
22:44:30.0046 0948 TDPIPE - ok
22:44:30.0078 0948 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
22:44:30.0078 0948 TDTCP - ok
22:44:30.0109 0948 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
22:44:30.0109 0948 TermDD - ok
22:44:30.0140 0948 TosIde - ok
22:44:30.0187 0948 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
22:44:30.0187 0948 Udfs - ok
22:44:30.0234 0948 uliagpkx (67ab641cc203081780e8483faa959549) C:\WINDOWS\system32\DRIVERS\agpkx.sys
22:44:30.0234 0948 uliagpkx - ok
22:44:30.0250 0948 ultra - ok
22:44:30.0281 0948 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
22:44:30.0296 0948 Update - ok
22:44:30.0328 0948 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
22:44:30.0328 0948 usbehci - ok
22:44:30.0359 0948 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
22:44:30.0359 0948 usbhub - ok
22:44:30.0375 0948 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
22:44:30.0375 0948 usbohci - ok
22:44:30.0406 0948 vaxscsi (92cebc2bc7be2c8d49391b365569f306) C:\WINDOWS\System32\Drivers\vaxscsi.sys
22:44:30.0406 0948 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\vaxscsi.sys. md5: 92cebc2bc7be2c8d49391b365569f306
22:44:30.0406 0948 vaxscsi ( LockedFile.Multi.Generic ) - warning
22:44:30.0406 0948 vaxscsi - detected LockedFile.Multi.Generic (1)
22:44:30.0437 0948 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
22:44:30.0437 0948 VgaSave - ok
22:44:30.0453 0948 ViaIde - ok
22:44:30.0468 0948 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
22:44:30.0484 0948 VolSnap - ok
22:44:30.0531 0948 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
22:44:30.0531 0948 Wanarp - ok
22:44:30.0593 0948 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
22:44:30.0593 0948 wanatw - ok
22:44:30.0609 0948 WDICA - ok
22:44:30.0640 0948 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
22:44:30.0656 0948 wdmaud - ok
22:44:30.0765 0948 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
22:44:30.0765 0948 WudfPf - ok
22:44:30.0796 0948 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
22:44:30.0796 0948 WudfRd - ok
22:44:30.0843 0948 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
22:44:31.0015 0948 \Device\Harddisk0\DR0 - ok
22:44:31.0031 0948 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
22:44:31.0187 0948 \Device\Harddisk1\DR1 - ok
22:44:31.0203 0948 Boot (0x1200) (48e13a6aaacad536e1ae907175eac47b) \Device\Harddisk0\DR0\Partition0
22:44:31.0203 0948 \Device\Harddisk0\DR0\Partition0 - ok
22:44:31.0250 0948 Boot (0x1200) (b0bace90a67378428fdc1cd3d096194e) \Device\Harddisk0\DR0\Partition1
22:44:31.0250 0948 \Device\Harddisk0\DR0\Partition1 - ok
22:44:31.0281 0948 Boot (0x1200) (b1e27aa018409de6bfd73f8afb883a65) \Device\Harddisk0\DR0\Partition2
22:44:31.0281 0948 \Device\Harddisk0\DR0\Partition2 - ok
22:44:31.0281 0948 Boot (0x1200) (4e418a58d367408e286c4310b75e2d34) \Device\Harddisk1\DR1\Partition0
22:44:31.0281 0948 \Device\Harddisk1\DR1\Partition0 - ok
22:44:31.0281 0948 ============================================================
22:44:31.0281 0948 Scan finished
22:44:31.0296 0948 ============================================================
22:44:31.0312 0764 Detected object count: 4
22:44:31.0312 0764 Actual detected object count: 4
22:46:52.0046 0764 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\cdrom.sys) error 1813
22:46:53.0421 0764 Backup copy found, using it..
22:46:53.0421 0764 C:\WINDOWS\system32\DRIVERS\cdrom.sys - will be cured on reboot
22:46:55.0046 0764 Cdrom ( Rootkit.Win32.ZAccess.e ) - User select action: Cure
22:46:55.0046 0764 dtscsi ( LockedFile.Multi.Generic ) - skipped by user
22:46:55.0046 0764 dtscsi ( LockedFile.Multi.Generic ) - User select action: Skip
22:46:55.0062 0764 sptd ( LockedFile.Multi.Generic ) - skipped by user
22:46:55.0062 0764 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
22:46:55.0062 0764 vaxscsi ( LockedFile.Multi.Generic ) - skipped by user
22:46:55.0062 0764 vaxscsi ( LockedFile.Multi.Generic ) - User select action: Skip
22:47:10.0468 2948 Deinitialize success

I tried to run ComboFix after this but I get the same warning message as earlier saying that it detected Norton Security Suite and asking me to disable it before clicking OK.
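The TDSSKiller log above is easier to triage by machine than by eye. The parser below is an added example, not code from this thread, from TDSSKiller or from Kaspersky: it pulls each driver's verdict, detection name, file hash and the action the user chose out of lines in the format shown above, lists what was flagged but not cured, and checks the flagged count against the tool's own "Detected object count" line. The line patterns are assumptions taken from the posted log rather than any published format, and the sample input is a constructed excerpt of that log.

```python
"""Summarise a TDSSKiller scan log (added example; patterns inferred from the
posted log, not from any TDSSKiller documentation)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Every row: "HH:MM:SS.mmmm <thread id> <message>"; banner rows without a
# message (e.g. "22:44:02.0671 2848") fail this match and are skipped.
_LINE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>\d+)\s+(?P<msg>.+)$")
# "Cdrom (89bd2e81c34dbf16cc2bcec90a912781) C:\WINDOWS\system32\DRIVERS\cdrom.sys"
_FILE = re.compile(r"^(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")
# "Cdrom ( Rootkit.Win32.ZAccess.e ) - infected" / "dtscsi ( LockedFile.Multi.Generic ) - warning"
_VERDICT = re.compile(r"^(?P<name>\S+)\s+\(\s*(?P<det>\S+)\s*\)\s+-\s+(?P<verdict>infected|warning)$")
# "Cdrom ( Rootkit.Win32.ZAccess.e ) - User select action: Cure"
_ACTION = re.compile(r"^(?P<name>\S+)\s+\(\s*(?P<det>\S+)\s*\)\s+-\s+User select action:\s+(?P<action>\S+)$")
# "Detected object count: 4" (the "Actual detected object count" row is ignored)
_COUNT = re.compile(r"^Detected object count:\s+(?P<n>\d+)$")


@dataclass
class Finding:
    name: str                      # service / driver name as TDSSKiller prints it
    verdict: str = "ok"            # "ok", "infected" or "warning"
    detection: Optional[str] = None
    path: Optional[str] = None
    md5: Optional[str] = None
    action: Optional[str] = None   # "Cure", "Skip", ... or None if no prompt


def parse_tdsskiller_log(text: str) -> Dict[str, Finding]:
    """Build one Finding per named object from the log rows."""
    findings: Dict[str, Finding] = {}
    for raw in text.splitlines():
        line = _LINE.match(raw.strip())
        if not line:
            continue  # separators, blank lines, rows with no message
        msg = line["msg"]
        if m := _FILE.match(msg):
            f = findings.setdefault(m["name"], Finding(m["name"]))
            f.path, f.md5 = m["path"], m["md5"]
        elif m := _VERDICT.match(msg):
            f = findings.setdefault(m["name"], Finding(m["name"]))
            f.verdict, f.detection = m["verdict"], m["det"]
        elif m := _ACTION.match(msg):
            f = findings.setdefault(m["name"], Finding(m["name"]))
            f.action = m["action"]
    return findings


def reported_count(text: str) -> Optional[int]:
    """The object count TDSSKiller itself reported, or None if absent."""
    for raw in text.splitlines():
        line = _LINE.match(raw.strip())
        if line and (m := _COUNT.match(line["msg"])):
            return int(m["n"])
    return None


def flagged(findings: Dict[str, Finding]) -> List[str]:
    return sorted(n for n, f in findings.items() if f.verdict != "ok")


def unresolved(findings: Dict[str, Finding]) -> List[str]:
    """Flagged objects with no cure recorded: what a helper would ask about next."""
    return sorted(n for n, f in findings.items()
                  if f.verdict != "ok" and f.action != "Cure")


def counts_agree(text: str) -> bool:
    """False when the pasted log lost rows (or was edited): the tool's own
    count no longer matches the number of flagged objects we parsed."""
    return reported_count(text) == len(flagged(parse_tdsskiller_log(text)))


# Constructed excerpt modelled on the log posted above.
SAMPLE = r"""
22:44:22.0937 0948 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:44:23.0031 0948 ACPI - ok
22:44:24.0500 0948 Cdrom (89bd2e81c34dbf16cc2bcec90a912781) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:44:24.0500 0948 Cdrom ( Rootkit.Win32.ZAccess.e ) - infected
22:44:24.0500 0948 Cdrom - detected Rootkit.Win32.ZAccess.e (0)
22:44:24.0937 0948 dtscsi (12aca694b50ea53563c1e7c99e7bb27d) C:\WINDOWS\System32\Drivers\dtscsi.sys
22:44:24.0937 0948 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\dtscsi.sys. md5: 12aca694b50ea53563c1e7c99e7bb27d
22:44:24.0937 0948 dtscsi ( LockedFile.Multi.Generic ) - warning
22:44:29.0500 0948 sptd ( LockedFile.Multi.Generic ) - warning
22:44:30.0406 0948 vaxscsi ( LockedFile.Multi.Generic ) - warning
22:44:31.0312 0764 Detected object count: 4
22:46:53.0421 0764 C:\WINDOWS\system32\DRIVERS\cdrom.sys - will be cured on reboot
22:46:55.0046 0764 Cdrom ( Rootkit.Win32.ZAccess.e ) - User select action: Cure
22:46:55.0046 0764 dtscsi ( LockedFile.Multi.Generic ) - User select action: Skip
22:46:55.0062 0764 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
22:46:55.0062 0764 vaxscsi ( LockedFile.Multi.Generic ) - User select action: Skip
"""

if __name__ == "__main__":
    results = parse_tdsskiller_log(SAMPLE)
    for name in flagged(results):
        f = results[name]
        print(f"{name}: {f.verdict} {f.detection} path={f.path} md5={f.md5} action={f.action}")
    print("unresolved:", unresolved(results), "counts agree:", counts_agree(SAMPLE))
```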

#11 guestolo

Posted 14 January 2012 - 10:07 PM

Just OK it and let ComboFix carry on


#12 ba5852

Posted 14 January 2012 - 10:49 PM

Finally was able to run ComboFix. Here is the log.

ComboFix 12-01-13.05 - Bruce 01/14/2012 23:30:44.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.752 [GMT -5:00]
Running from: c:\documents and settings\Bruce\Desktop\ComboFix.exe
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Bruce\WINDOWS
c:\windows\$NtUninstallKB54814$
c:\windows\$NtUninstallKB54814$\1740983844\Desktop.ini
c:\windows\$NtUninstallKB54814$\1740983844\L\akygdmgo
c:\windows\$NtUninstallKB54814$\3673378331
c:\windows\alcrmv.exe
c:\windows\system32\install.exe
c:\windows\system32\SET309.tmp
c:\windows\system32\SET30C.tmp
c:\windows\system32\SET310.tmp
c:\windows\system32\SET311.tmp
c:\windows\system32\SET318.tmp
c:\windows\system32\SET31A.tmp
.
c:\windows\system32\drivers\dtscsi.sys . . . is infected!! . . . Failed to find a valid replacement.
.
((((((((((((((((((((((((( Files Created from 2011-12-15 to 2012-01-15 )))))))))))))))))))))))))))))))
.
.
2012-01-14 14:46 . 2012-01-14 14:46 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-14 04:42 . 2012-01-14 05:23 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-01-14 03:43 . 2012-01-14 03:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2012-01-14 03:43 . 2012-01-14 03:43 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-01-13 21:49 . 2012-01-13 21:49 -------- d-----w- c:\documents and settings\Bruce\Application Data\Tific
2012-01-13 21:06 . 2012-01-13 21:06 -------- d-----w- c:\program files\Windows Sidebar
2012-01-13 20:40 . 2012-01-13 20:40 -------- d-----w- c:\windows\Internet Logs
2012-01-13 20:34 . 2012-01-13 23:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2012-01-13 20:32 . 2012-01-13 20:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\ID Vault
2012-01-13 20:13 . 2012-01-13 20:13 -------- d-----w- c:\documents and settings\All Users\Application Data\IsolatedStorage
2012-01-13 20:13 . 2012-01-13 20:23 -------- d-----w- c:\documents and settings\Bruce\Local Settings\Application Data\ID Vault
2012-01-13 20:11 . 2012-01-13 23:13 -------- d-----w- c:\documents and settings\Bruce\Application Data\ID Vault
2012-01-13 20:09 . 2012-01-13 23:13 -------- d-----w- c:\program files\Constant Guard Protection Suite
2012-01-13 20:08 . 2012-01-13 20:08 -------- d-----w- c:\program files\MSBuild
2012-01-13 20:06 . 2012-01-13 20:06 -------- d-----w- c:\windows\system32\XPSViewer
2012-01-13 20:05 . 2012-01-13 20:05 -------- d-----w- c:\program files\Reference Assemblies
2012-01-13 20:05 . 2006-10-14 21:43 27648 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2012-01-13 20:05 . 2006-06-29 18:07 14048 ------w- c:\windows\system32\spmsg2.dll
2012-01-13 20:01 . 2012-01-13 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\White Sky, Inc
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-15 03:48 . 2001-08-23 22:09 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-01-13 22:27 . 2006-07-03 14:00 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-01-13 22:27 . 2006-07-03 14:00 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-12-10 20:24 . 2010-01-02 13:05 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-02 20:22 . 2011-04-26 14:00 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-22 323392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALi5289"="c:\program files\ULI5289\ALi5289.exe" [2005-03-10 405504]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 77824]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-07-21 7110656]
"nwiz"="nwiz.exe" [2005-07-21 1519616]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2005-07-21 86016]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-08-07 155648]
"EasyTuneV"="c:\program files\Gigabyte\ET5\GUI.exe" [2007-05-22 207680]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-03 77824]
"OCAudioIni"="c:\program files\One-click Audio Converter\OCAudioIni.exe" [2006-01-23 57344]
"HostManager"="c:\program files\Common Files\AOL\1228527480\ee\AOLSoftware.exe" [2008-06-24 41824]
"mssSort"="c:\program files\Maxtor\ManagerApp\msssort.exe" [2008-04-01 1647960]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-04-01 169312]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-11-25 869376]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Gigabyte\\ET5\\update.exe"=
"c:\\Program Files\\America Online 9.0\\wEmail Removedexe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
.
R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [7/2/2006 5:40 PM 51840]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/6/2006 10:01 AM 642560]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [7/2/2006 11:01 PM 45056]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 Maxtor Sync Services;Maxtor Service;c:\program files\Maxtor\Sync\SyncServices.exe [4/1/2008 1:46 PM 161120]
R3 Amps2prt;A4Tech PS/2 Port Mouse Filter Driver;c:\windows\system32\drivers\Amps2prt.sys [7/3/2006 10:19 AM 10195]
R3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [8/6/2006 10:33 AM 223128]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/13/2012 4:06 PM 106104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [1/13/2012 11:42 PM 24064]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/14/2012 9:46 AM 40776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-14 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 21:07]
.
2012-01-15 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 21:07]
.
2012-01-14 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 21:07]
.
2012-01-14 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Bruce\Application Data\Mozilla\Firefox\Profiles\9o218xc0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{7c5c0f58-e061-457d-9033-77307f5ed00c} - (no file)
ShellIconOverlayIdentifiers-{b75ab0c8-03d5-4592-9821-a48d54d66b14} - MssShellExt.dll
HKLM-Run-WheelMouse - Amoumain.exe
SafeBoot-38145882.sys
SafeBoot-svcWRSSSDK
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-14 23:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3228)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\wanmpsvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2012-01-14 23:44:17 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-15 04:44
.
Pre-Run: 80,458,866,688 bytes free
Post-Run: 80,410,353,664 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 92BCC7EA291BF945EF8B700F0E4B5C84

#13 guestolo

guestolo

    Site Donator

  • Admin
  • 16,234 posts

Posted 15 January 2012 - 12:04 AM

Are things now running better?
A legit file from Alcohol 120 may have been removed

Can you do the following:

Download TFC by Old Timer and save it to your desktop.
http://oldtimer.geekstogo.com/TFC.exe
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it.

Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately.

Back in Windows
If possible, disable your AntiVirus scanner so it won't interrupt the next scan
Download the installer for Eset Online Scanner from here and save it to your desktop
esetsmartinstaller_enu.exe

Double click on the file to run it, check YES to accept the agreement
Ensure "Remove Found Threats" and "Scan Archives" are both checked
Then click START. It should now download the virus signature database
Once the scan is completed, you may close the window
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

Do you want to post your own HijackThis log?
Follow the instructions posted Here

Not required, but if you would like to donate to help my fight against malware
Click Here


#14 ba5852

ba5852

    Member

  • Members
  • 81 posts

Posted 15 January 2012 - 10:01 AM

Computer seems to be running a little faster than before, but I am still unable to open Malwarebytes, SuperAntiSpyware, etc. Every time I try I keep getting the same error message as before.

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

I'll go ahead and follow your last instructions.


#15 ba5852

ba5852

    Member

  • Members
  • 81 posts

Posted 15 January 2012 - 12:18 PM

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=4d342da963de634fa08a236829d7f3d5
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-01-15 06:13:06
# local_time=2012-01-15 01:13:06 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9730 16764926 0 8 70165 63228839 0 0
# scanned=96210
# found=2
# cleaned=2
# scan_time=7309
C:\Documents and Settings\All Users\Documents\Torrent Downloads\Pinnacle Studio Plus v.10 Titanium Edition\Pinnacle.Studio.Plus.v10.5.1.Titanium.Edition.Multilanguage CD1.ISO a variant of Win32/Keygen.AZ application (deleted - quarantined) 00000000000000000000000000000000 C
G:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KPQROPQR\searchit[1].htm JS/AdWare.SearchPage.A virus (deleted - quarantined) 00000000000000000000000000000000 C

#16 guestolo

guestolo

    Site Donator

  • Admin
  • 16,234 posts

Posted 15 January 2012 - 12:29 PM

Download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it
  • If prompted to download Avast AV free edition, simply select NO
  • Click the "Scan" button to start the scan


On completion of the scan click save log, save it to your desktop and post in your next reply

In addition:
download Junction.zip and save it
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start > Run (alternatively, press the Windows key + R). Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

  • A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the contents of it.



#17 ba5852

ba5852

    Member

  • Members
  • 81 posts

Posted 15 January 2012 - 12:41 PM

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-15 13:38:09
-----------------------------
13:38:09.015 OS Version: Windows 5.1.2600 Service Pack 3
13:38:09.015 Number of processors: 1 586 0x40A
13:38:09.015 ComputerName: AMD3300 UserName: Bruce
13:38:09.437 Initialize success
13:39:24.062 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-3
13:39:24.062 Disk 0 Vendor: Maxtor_32049H3 BAC51KJ0 Size: 19540MB BusType: 3
13:39:24.062 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Scsi\m52891Port2Path0Target0Lun0
13:39:24.062 Disk 1 Vendor: VT10 Size: 238475MB BusType: 1
13:39:24.062 Device \Driver\m5289 -> DriverStartIo SPTD1725.SYS f733640e
13:39:24.062 Device \Driver\m5289 -> MajorFunction 86f99e30
13:39:24.078 Disk 1 MBR read successfully
13:39:24.078 Disk 1 MBR scan
13:39:24.078 Disk 1 Windows XP default MBR code
13:39:24.078 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 151801 MB offset 63
13:39:24.078 Disk 1 scanning sectors +310889880
13:39:24.125 Disk 1 scanning C:\WINDOWS\system32\drivers
13:39:29.312 Service scanning
13:39:29.609 Service dtscsi C:\WINDOWS\System32\Drivers\dtscsi.sys **LOCKED** 32
13:39:30.250 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
13:39:30.265 Service vaxscsi C:\WINDOWS\System32\Drivers\vaxscsi.sys **LOCKED** 32
13:39:30.796 Modules scanning
13:39:44.765 Disk 1 trace - called modules:
13:39:44.781 ntkrnlpa.exe >>UNKNOWN [0x86f99b78]<<
13:39:44.781 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x86f11ab8]
13:39:44.781 \Driver\Disk[0x86ec5940] -> IRP_MJ_CREATE -> 0x86f99b78
13:39:44.781 Scan finished successfully
13:40:17.843 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Bruce\Desktop\MBR.dat"
13:40:17.843 The log file has been saved successfully to "C:\Documents and Settings\Bruce\Desktop\aswMBR.txt"

You didn't give me a link to Junction.zip so I was unable to download it.

#18 guestolo

guestolo

    Site Donator

  • Admin
  • 16,234 posts

Posted 15 January 2012 - 12:50 PM

You didn't give me a link to Junction.zip so I was unable to download it.


Whoops, sorry about that
Let's do the following instead please
Download AntiZeroAccess to Desktop
  • Double click on AntiZeroAccess to run it
  • Type y and press enter to run the scan
  • Please attach the AntiZeroAccess_Log.txt log to your next message. This file is saved in the same location as AntiZeroAccess program.

Let's try the following again after you have run AntiZeroAccess
Download Junction.zip and save it
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start > Run (alternatively, press the Windows key + R). Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

  • A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the contents of it.



#19 ba5852

ba5852

    Member

  • Members
  • 81 posts

Posted 15 January 2012 - 01:01 PM

Webroot AntiZeroAccess 0.8 Log File
Execution time: 15/01/2012 - 14:00
Host operation System: Windows Xp X86 version 5.1.2600 Service Pack 3
14:00:33 - CheckSystem - Begin to check system...
14:00:33 - OpenRootDrive - Opening system root volume and physical drive....
14:00:33 - C Root Drive: Disk number: 1 Start sector: 0x0000003F Partition Size: 0x1287CD59 sectors.
14:00:33 - PrevX Main driver extracted in "C:\WINDOWS\system32\drivers\ZeroAccess.sys".
14:00:33 - InstallAndStartDriver - Main driver was installed and now is running.
14:00:33 - CheckSystem - Warning! Disk class driver is INFECTED.
14:00:34 - CheckFile - Unable to read "dtscsi.sys" file. CreateFile last eror: 0x00000020.
14:00:35 - CheckFile - Unable to read "sptd.sys" file. CreateFile last eror: 0x00000020.
14:00:35 - CheckFile - Unable to read "sptd1725.sys" file. CreateFile last eror: 0x00000020.
14:00:36 - CheckFile - Unable to read "vaxscsi.sys" file. CreateFile last eror: 0x00000020.
14:00:36 - StopAndRemoveDriver - AntiZeroAccess Driver is stopped and removed.
14:00:36 - StopAndRemoveDriver - File "ZeroAccess.sys" was deleted!
14:00:36 - Execution Ended!

#20 ba5852

ba5852

    Member

  • Members
  • 81 posts

Posted 15 January 2012 - 01:08 PM

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

...

...

...

...

.
Failed to open \\?\c:\\Documents and Settings\Bruce\Desktop\OTL.exe: Access is denied.


..

...

...

...

...

...

...
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.




...

..
Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe: Access is denied.



Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe: Access is denied.


.
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.




...

...

...

...

...

...

...\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790



\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

...

...

...

...

...

...

...

.
Failed to open \\?\c:\\WINDOWS\system32\MRT.exe: Access is denied.


..

...

...
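The junction log above is the kind of output a helper reads by hand: the entries that matter are the "Failed to open ... : Access is denied." lines on the security tools' own executables (mbam.exe, SUPERAntiSpyware.exe, SpybotSD.exe, MRT.exe, OTL.exe), which line up with the "Windows cannot access the specified device, path, or file" error the poster keeps hitting, while the sharing violation on pagefile.sys and the WinSxS junctions under the GAC are normal. As an added example, not code from this thread or from Sysinternals, here is a small Python parser that triages junction -s output along those lines: it separates access-denied failures from the expected sharing violation and from junctions whose target sits in a trusted directory, and flags executables whose names match a list of security products. The sample log lines are constructed from the shape of the output posted above, and the SECURITY_TOOLS name list and the trusted WinSxS prefix are assumptions to adjust for your environment.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the junction -s output shown in the thread
# (not the poster's full log): one sharing violation, several access-denied
# entries, a normal WinSxS junction, and one line with progress dots fused in.
SAMPLE_LOG = r"""
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
...
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.
Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe: Access is denied.
...\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
.
Failed to open \\?\c:\\WINDOWS\system32\MRT.exe: Access is denied.
"""

# Assumed list of security-tool executables worth flagging when they cannot be opened.
SECURITY_TOOLS = {"mbam.exe", "superantispyware.exe", "spybotsd.exe", "mrt.exe", "otl.exe"}

# junction prints paths in \\?\ form; the regexes strip that prefix and keep the rest.
FAILED_RE = re.compile(r"^Failed to open \\\\\?\\(?P<path>.+?): (?P<reason>.+?)\.?$")
JUNCTION_RE = re.compile(r"^\\\\\?\\(?P<path>.+?): JUNCTION$")
SUBST_RE = re.compile(r"^Substitute Name:\s*(?P<target>.+?)\s*$")


@dataclass
class Triage:
    access_denied: list[str] = field(default_factory=list)      # paths that returned "Access is denied"
    sharing_violation: list[str] = field(default_factory=list)  # files in use (expected for pagefile.sys)
    other_failures: list[tuple[str, str]] = field(default_factory=list)
    junctions: dict[str, str] = field(default_factory=dict)     # junction path -> substitute target

    def blocked_security_tools(self) -> list[str]:
        """Access-denied paths whose file name is a known security tool."""
        return [p for p in self.access_denied
                if p.rsplit("\\", 1)[-1].lower() in SECURITY_TOOLS]

    def suspicious_junctions(self, trusted_prefix: str = r"C:\WINDOWS\WinSxS") -> dict[str, str]:
        """Junctions whose target is outside the trusted directory (assumed prefix)."""
        prefix = trusted_prefix.lower()
        return {p: t for p, t in self.junctions.items() if not t.lower().startswith(prefix)}


def parse_junction_log(text: str) -> Triage:
    """Classify each line of junction -s output into the Triage buckets."""
    result = Triage()
    current_junction: str | None = None
    for raw in text.splitlines():
        line = raw.strip().lstrip(".")  # drop progress dots, including ones fused onto a path
        if not line:
            continue
        m = FAILED_RE.match(line)
        if m:
            path, reason = m.group("path"), m.group("reason")
            if reason == "Access is denied":
                result.access_denied.append(path)
            elif "being used by another process" in reason:
                result.sharing_violation.append(path)
            else:
                result.other_failures.append((path, reason))
            continue
        m = JUNCTION_RE.match(line)
        if m:
            current_junction = m.group("path")
            continue
        m = SUBST_RE.match(line)
        if m and current_junction is not None:
            result.junctions[current_junction] = m.group("target")
            current_junction = None
    return result


if __name__ == "__main__":
    triage = parse_junction_log(SAMPLE_LOG)
    print("Security tools that could not be opened:")
    for path in triage.blocked_security_tools():
        print("  ", path)
    print("Junctions pointing outside the trusted directory:", triage.suspicious_junctions() or "none")
```

On the poster's log the useful signal is the cluster of access-denied failures on the security tools' executables rather than any single entry; a junction or two under C:\WINDOWS\assembly pointing into WinSxS is what the .NET GAC normally looks like and is not by itself a finding.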



