unable to remove infected object


I encounter the following problem:

After running Malwarebytes' AntiMalware one infected object is found.

When I select "remove" I get a message that the object could not be deleted completely. After restarting the computer, Malwarebytes' will always again find the same infected object.

Here is the log-file I get:

[begin of logfile:]

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

22.03.2011 09:10:48

mbam-log-2011-03-22 (09-10-48).txt

Scan type: Quick scan

Objects scanned: 86683

Time elapsed: 3 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[end of logfile]

What is there to do?

Thank you in advance for any help!


Welcome to the forum.

The version of MBAM that you are using is way out of date:

Malwarebytes' Anti-Malware 1.45 <------should be 1.50

www.malwarebytes.org

You can download the latest version from the link below:

http://www.malwarebytes.org/mbam.php

-----------------------

Then update and run a scan with MBAM, and post back the log. MrC


I now have the newest version of Malwarebytes; same result, it cannot be removed, not even after a reboot (see log below).

I don't know if this info is important: Recently I opened a new account without administrator rights on my computer. It is only on this account that the infected object is found, not when running Malwarebytes on the account with administrator rights.

Here is the new log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6131

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

22.03.2011 14:24:57

mbam-log-2011-03-22 (14-24-57).txt

Scan type: Quick scan

Objects scanned: 122071

Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[end of log.]

Is there anything else I could do now?


OK....please do this:

Go Start > Run > copy and paste this in > Gpedit.msc > OK

Click the + in front of User Configuration > and Administrative Templates > click on the Control Panel folder

Double click on > Force Classic Style Control Panel

Set it to Not Configured > OK your way out.

Let me know, MrC


This should work; I tried it on my XP computer and it deleted that reg value:

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Double click on the icon on your desktop.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :REG
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "ForceClassicControlPanel"=-


  • Then click the Run Fix button at the top
  • Let the program run unhindered; when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

To check and see if it's gone, just run that bat file again.

Let me know, MrC


I fear it failed:

[log file of OTL:]

========== REGISTRY ==========

Registry delete failed. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\ForceClassicControlPanel scheduled to be deleted on reboot.

Unable to create HKLM\Software\OldTimer Tools\OTL key.

OTL by OldTimer - Version 3.2.22.3 log created on 03222011_181141

[end. log file of bat:]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

"NoDriveTypeAutoRun"=dword:00000091

"ForceClassicControlPanel"=dword:00000001

"NoSMConfigurePrograms"=dword:00000001

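The failed delete above is the usual shape of this problem: a per-user policy value that a scanner flags and a removal tool can only schedule for deletion on reboot. The PowerShell below is an added example, not from the thread or from any tool in it: it lists what the flagged key holds and who may write to it, checks whether Local Group Policy (the Registry.pol store that gpedit.msc writes) will simply re-apply the value, and only then attempts the delete and reports why it failed. The key path and value name are taken from the logs in this thread; the Registry.pol location is the standard local-policy store, and the function names are my own.

```powershell
# Added example (not from the thread or from MBAM/OTL). Run as the user
# whose scan shows the detection: the key lives in that user's HKCU hive.
# Value and key names come from the MBAM log; Registry.pol is where the
# local Group Policy editor stores user-side "Administrative Templates".
$KeyPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'ForceClassicControlPanel'
$UserPol   = Join-Path $env:SystemRoot 'System32\GroupPolicy\User\Registry.pol'

function Show-PolicyKey {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Host "Key not present: $Path"
        return
    }
    $key = Get-Item -LiteralPath $Path
    Write-Host "Values under $Path"
    foreach ($name in $key.GetValueNames()) {
        $label = if ($name -eq '') { '(Default)' } else { $name }
        Write-Host ('  {0,-28} {1,-8} {2}' -f $label, $key.GetValueKind($name), $key.GetValue($name))
    }
    # A Deny entry, or a missing write right for the current user, is what
    # turns into "Registry delete failed ... scheduled to be deleted on reboot".
    Write-Host 'Access control entries:'
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        Write-Host ('  {0,-6} {1,-35} {2}' -f $ace.AccessControlType, $ace.IdentityReference, $ace.RegistryRights)
    }
}

function Test-PolicyManaged {
    param([string]$PolFile, [string]$Name)
    # Registry.pol stores key and value names as UTF-16LE text. A hit means
    # Group Policy rewrites the value at every refresh, so deleting it from
    # the registry is pointless until the setting is "Not Configured".
    if (-not (Test-Path -LiteralPath $PolFile)) { return $false }
    $bytes = [System.IO.File]::ReadAllBytes($PolFile)
    $text  = [System.Text.Encoding]::Unicode.GetString($bytes)
    return $text.IndexOf($Name, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
}

function Remove-PolicyValue {
    param([string]$Path, [string]$Name)
    try {
        Remove-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
        Write-Host "Removed $Name from $Path"
        return $true
    } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        Write-Host "Access denied removing $Name; compare with the ACL listed above"
        return $false
    } catch {
        Write-Host "Remove failed: $($_.Exception.Message)"
        return $false
    }
}

Show-PolicyKey -Path $KeyPath
if (Test-PolicyManaged -PolFile $UserPol -Name $ValueName) {
    Write-Host "$ValueName is set by Local Group Policy ($UserPol)."
    Write-Host 'Set "Force Classic Style Control Panel" to Not Configured in gpedit.msc, then rerun.'
} elseif ($null -ne (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue)) {
    Remove-PolicyValue -Path $KeyPath -Name $ValueName | Out-Null
} else {
    Write-Host "$ValueName is not present for this user."
}
```

If the value comes back after a reboot even though Registry.pol does not mention it, something else is rewriting it, and the ACL and the other values listed (such as NoDriveTypeAutoRun) are the first things to compare against a known-good account.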

OK, we have to check a little deeper, please do this:

Download TDSSKiller to your Desktop.

Double-click on TDSSKiller.exe to run the application, then click on Start Scan.

Don't Change These Settings:

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

You may be asked to reboot the computer to complete the process. Click on Reboot Now.

To view the report:

Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory that will look something like this:

TDSSKiller.2.4.17.0_12.02.2011_14.35.56_log.txt

---------------------------------------

Please download and run ComboFix:

A few notes first:

  • ComboFix is compatible exclusively with XP and W2K (32-bit only) <===> Vista and Windows 7 (32-bit and 64-bit)
  • ComboFix must be run from an Administrative account.
  • Vista and W7 users - Right click, choose "Run as Administrator"
  • It must be downloaded to and run from your desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can and will interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". (see below)
  • ComboFix Guide <---please read!

Download ComboFix from one of these locations: (you may have to use right click > save target as)

  • Link 1
  • Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon and choose disable/exit.

More info HERE<-------

They may interfere with the running of ComboFix.

Note: If you have AVG or CA Internet Security Suite installed, due to recent changes in how these AV's target the tool's internal files, they must be uninstalled before running ComboFix. If you have difficulty uninstalling the AV, download and run Opswat AppRemover

  • Double click on ComboFix.exe & follow the prompts.
  • Note: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
  • Note: If you have SP3, use the SP2 package.

If Vista or Windows 7, skip the Recovery Console part.

  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix permanently prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun ASAP!.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If a reboot doesn't restore your connection, please try this:

Check HERE

For XP systems download and run WinSockFix and Here

Vista users: Check HERE

Windows 7 systems: Download and run this Winsockfix.bat

5. Give ComboFix at least 20-30 minutes to finish if needed.

MrC


[Here is the TDSSKiller log; the other will follow:]

2011/03/22 18:57:22.0437 3060 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28

2011/03/22 18:57:22.0828 3060 ================================================================================

2011/03/22 18:57:22.0828 3060 SystemInfo:

2011/03/22 18:57:22.0828 3060

2011/03/22 18:57:22.0828 3060 OS Version: 5.1.2600 ServicePack: 3.0

2011/03/22 18:57:22.0828 3060 Product type: Workstation

2011/03/22 18:57:22.0828 3060 ComputerName: WINDOWS-9AF3735

2011/03/22 18:57:22.0828 3060 UserName: Windows XP

2011/03/22 18:57:22.0828 3060 Windows directory: C:\WINDOWS

2011/03/22 18:57:22.0828 3060 System windows directory: C:\WINDOWS

2011/03/22 18:57:22.0828 3060 Processor architecture: Intel x86

2011/03/22 18:57:22.0828 3060 Number of processors: 2

2011/03/22 18:57:22.0828 3060 Page size: 0x1000

2011/03/22 18:57:22.0828 3060 Boot type: Normal boot

2011/03/22 18:57:22.0828 3060 ================================================================================

2011/03/22 18:57:22.0984 3060 Initialize success

2011/03/22 18:57:24.0828 3812 ================================================================================

2011/03/22 18:57:24.0828 3812 Scan started

2011/03/22 18:57:24.0828 3812 Mode: Manual;

2011/03/22 18:57:24.0828 3812 ================================================================================


2011/03/22 18:57:35.0359 3812 ================================================================================

2011/03/22 18:57:35.0359 3812 Scan finished

2011/03/22 18:57:35.0359 3812 ================================================================================

[Combofix log will follow]


Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
     
    :filefind
    tcpip.sys
    sfcfiles.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC


SystemLook 04.09.10 by jpshortstuff

Log created at 20:00 on 22/03/2011 by Anna Maria

(Limited User)

========== filefind ==========

Searching for "tcpip.sys"

C:\WINDOWS\system32\drivers\tcpip.sys --a---- 361600 bytes [14:55 07/12/2008] [14:55 07/12/2008] E88631E21A9CACA06104802F9E915115

Searching for "sfcfiles.dll"

C:\WINDOWS\system32\sfcfiles.dll --a---- 1571840 bytes [15:01 07/12/2008] [15:01 07/12/2008] 5B278532D1544E4CF246EEA4465F088B

-= EOF =-


Done again from the administrator account:

SystemLook 04.09.10 by jpshortstuff

Log created at 20:03 on 22/03/2011 by Windows XP

Administrator - Elevation successful

========== filefind ==========

Searching for "tcpip.sys"

C:\WINDOWS\system32\drivers\tcpip.sys --a---- 361600 bytes [14:55 07/12/2008] [14:55 07/12/2008] E88631E21A9CACA06104802F9E915115

Searching for "sfcfiles.dll"

C:\WINDOWS\system32\sfcfiles.dll --a---- 1571840 bytes [15:01 07/12/2008] [15:01 07/12/2008] 5B278532D1544E4CF246EEA4465F088B

-= EOF =-


There's nothing bad about the registry value we are trying to delete.

ComboFix has spotted some system files that are not what they are supposed to be:

------- Sigcheck -------

.

[-] 2008-12-07 . E88631E21A9CACA06104802F9E915115 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

.

[-] 2008-12-07 . 5B278532D1544E4CF246EEA4465F088B . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

You should have legitimate backup copies on the system; you don't. Sometimes this is an indication of an illegal version of Windows.

If you have a legal Windows cd we can copy the files off it.

Have you ever gone to Windows update and installed any and all updates recommended?

MrC


This topic is now closed to further replies.