Boot.Mebroot virus


This topic is locked
2 replies to this topic

#1 cshoulder

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:56 AM

Posted 27 November 2009 - 12:41 AM

On November 21, at 8:03pm, I was browsing scrapetorrent, and evidently some scripts got through my SAV Corp and pop-up blocker and I was infected with a virus. Within minutes, my PC slowed to a crawl and was becoming unresponsive when doing nothing more than browsing sites. Soon the browser window would lock up; I could move the mouse, but could not open Task Manager, the Start button, or anything else, and the hard drive was working extremely hard. Soon after, the mouse would not respond to any key clicks, the entire system would lock up, and the internal speaker in the PC would play a never-ending tone. I could reboot the PC normally, and after anywhere from 30 seconds to 5 minutes the process would repeat. I put in my Hiren's boot CD, ran a hardware check on memory, CPU, HDD, video, etc., and all came back as pass. I then booted into Mini XP, ran Kaspersky and some other tools, and was not coming back with any results.

I was getting nowhere after 48 hours and was on the brink of a reformat when a buddy of mine said he had recently heard of an svchost.exe virus going around. I checked the svchost.exe processes, found I had 6 running, and then traced one to a folder that didn't belong and was created at the same time all the issues started (in an erdt cache folder). I moved it, rebooted, and found the computer more responsive; the PC would no longer lock up in 5 minutes. Now I could actually install software before the system locked up, and I found a Trojan and a little bit of spyware, but the system would still lock up eventually (after a 6-hour scan it locked up).

I then ran Malwarebytes, CCleaner, Kaspersky, ClamWin AV, Ad-Aware Professional SE, Spybot S&D, Spyware Terminator, and finally SAV Corp 10. The system no longer locks up and would seem to be running normally for the most part; however, SAV Corp is finding a Boot.Mebroot in the MBR of the hard drive. I can clean it; however, 2 seconds later the rundll32.exe process runs for about 3 seconds and then rewrites it into the MBR. I did some research and found a few sites claiming that if the icon of rundll32.exe was a page icon instead of a gear icon, that meant the file was affected by a virus, though it may not actually contain a virus. I scanned the file with Jotti's malware scan, and the file came back clean. I can't say if this is a pre-existing issue or if this developed as a result of the issue on Nov 21st, but I can say that SAV Corp 10 never found anything in the MBR prior to that event, as I always scan every file I download, and now I can scan any file, including desktop shortcuts, and the Boot.Mebroot will show up.

So as of this moment, "I think" I got rid of the original virus that was giving me the major issues, but I can't be sure, and I feel my system is not secure at this moment. I found your forum and then set up my system for a RootRepeal scan, but that took over 40 hours and just finished in the last hour. Is a 40-hour scan for RootRepeal normal?

I realize it's the holidays, and that may prevent me from getting help in a timely manner; however, I have finals coming up in about a week, and I MUST have this system running securely before that time. If I can't get this resolved before Nov 30th, I'm most likely going to have to reformat in preparation for my classes resuming on Dec 1st.

For your consideration I have included an HJT log with everything asked for on the prep forum, since I see many of your users being asked to do so, and I hope this will save a little time.


DDS (Ver_09-11-24.02) - NTFSx86
Run by Joel at 1:16:47.31 on Wed 11/25/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.1875 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Logitech\G35\G35.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
D:\HBCD\WinTools\Autorun.exe
C:\DOCUME~1\Joel\LOCALS~1\Temp\RootkitRevealer.exe
C:\DOCUME~1\Joel\LOCALS~1\Temp\DYYMWJ.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Documents and Settings\Joel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\ntunecmd.exe" boot "c:\documents and settings\joel\local settings\application data\nvidia corporation\ntune\profiles\osbootpf.nsu"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpywareTerminatorUpdate] "c:\program files\spyware terminator\SpywareTerminatorUpdate.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Launch LCDMon] "c:\program files\logitech\g-series software\LCDMon.exe"
mRun: [Logitech G35] c:\program files\logitech\g35\G35.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
dRunOnce: [RunNarrator] Narrator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212960111686
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213051158827
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joel\applic~1\mozilla\firefox\profiles\25cwr6fl.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\docume~1\joel\locals~1\temp\superantispyware\SASDIFSV.SYS [2009-11-21 9968]
R1 SASKUTIL;SASKUTIL;c:\docume~1\joel\locals~1\temp\superantispyware\SASKUTIL.sys [2009-11-21 74480]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-11-24 142592]
R2 HMuKstE8;Kensington SlimBlade Trackball USB HID Device Filter Driver;c:\windows\system32\drivers\HMuKstE8.sys [2009-7-8 38024]
R3 DYYMWJ;DYYMWJ;c:\docume~1\joel\locals~1\temp\DYYMWJ.exe [2009-11-24 588672]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-30 102448]
R3 LADF_DHP2;G35 DHP2 Filter Driver;c:\windows\system32\drivers\ladfDHP2i386.sys [2009-7-30 53520]
R3 LADF_SBVM;G35 SBVM Filter Driver;c:\windows\system32\drivers\ladfSBVMi386.sys [2009-7-30 334992]
S3 CM1083264;C-Media CM108 Like Sound UDAX Interface;c:\windows\system32\drivers\cm108.sys --> c:\windows\system32\drivers\CM108.sys [?]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\dragon age\bin_ship\daupdatersvc.service.exe --> e:\dragon age\bin_ship\DAUpdaterSvc.Service.exe [?]
S3 SASENUM;SASENUM;c:\docume~1\joel\locals~1\temp\superantispyware\SASENUM.SYS [2009-11-21 7408]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]

=============== Created Last 30 ================

2009-11-24 06:50:36 0 d-----w- c:\docume~1\joel\applic~1\.clamwin
2009-11-24 06:50:30 0 d-----w- c:\program files\ClamWin
2009-11-24 06:50:30 0 d-----w- c:\documents and settings\all users\.clamwin
2009-11-24 06:32:00 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-11-24 06:31:59 0 d-----w- c:\docume~1\joel\applic~1\Spyware Terminator
2009-11-24 06:31:58 0 d-----w- c:\program files\Spyware Terminator
2009-11-24 06:31:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Spyware Terminator
2009-11-24 06:09:06 0 d-----w- c:\program files\Rundll Errors Fix Wizard
2009-11-23 09:30:09 0 d-----w- c:\program files\CCleaner
2009-11-23 08:22:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-23 08:22:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-23 08:22:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-23 08:03:10 0 d-----w- c:\program files\COD4 Backup
2009-11-23 06:07:35 244 ---ha-w- C:\sqmnoopt01.sqm
2009-11-23 06:07:35 232 ---ha-w- C:\sqmdata01.sqm
2009-11-22 02:39:36 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-22 02:39:33 0 d-----w- c:\docume~1\joel\applic~1\SUPERAntiSpyware.com
2009-11-22 02:06:09 164896 ----a-w- c:\windows\system32\drivers\nvgts.sys
2009-11-22 02:06:08 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-22 02:06:08 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-22 02:06:08 63360 ----a-w- c:\windows\system32\drivers\jraid.sys
2009-11-22 02:05:12 77312 ----a-w- c:\windows\MBR.exe
2009-11-22 02:05:11 98816 ----a-w- c:\windows\sed.exe
2009-11-22 02:05:11 260608 ----a-w- c:\windows\PEV.exe
2009-11-22 02:05:11 161792 ----a-w- c:\windows\SWREG.exe
2009-11-22 02:05:06 0 d-----w- C:\ComboFix
2009-11-22 01:46:38 0 d-----w- c:\docume~1\joel\applic~1\Malwarebytes
2009-11-22 01:46:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-21 06:11:41 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-21 06:11:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-14 06:32:32 0 d-----w- c:\docume~1\alluse~1\applic~1\BioWare
2009-11-14 06:13:48 0 d-----w- c:\program files\common files\BioWare
2009-11-14 06:08:27 0 d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-11-14 06:08:18 0 d-----w- c:\program files\DAEMON Tools Toolbar
2009-11-14 06:08:15 0 d-----w- c:\program files\DAEMON Tools Lite
2009-11-14 06:04:29 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-14 06:04:23 0 d-----w- c:\docume~1\joel\applic~1\DAEMON Tools Lite
2009-11-04 02:47:48 701440 ----a-w- c:\windows\system32\cohelper.dll
2009-11-04 02:47:47 6789 ----a-w- c:\windows\system32\nvnrm.nvu
2009-11-04 02:47:47 485920 ----a-w- c:\windows\system32\nvunrm.exe
2009-10-30 03:46:02 0 d-----w- c:\program files\iPod
2009-10-30 03:45:58 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2009-11-09 05:25:18 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-09 00:25:18 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-09-28 00:20:04 2173544 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-28 00:20:00 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-09-28 00:19:52 3166208 ----a-w- c:\windows\system32\nvwss.dll
2009-09-28 00:19:50 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-09-28 00:19:48 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-09-28 00:19:48 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-09-28 00:19:48 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-09-28 00:19:46 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-09-28 00:19:46 4935680 ----a-w- c:\windows\system32\nvdisps.dll
2009-09-28 00:19:46 172100 ----a-w- c:\windows\system32\nvsvc32.exe
2009-09-28 00:19:46 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-09-28 00:19:46 13918208 ----a-w- c:\windows\system32\nvcpl.dll
2009-09-28 00:19:40 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-09-27 22:12:22 888832 ----a-w- c:\windows\system32\nvapi.dll
2009-09-27 22:12:22 7655872 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-09-27 22:12:22 5900416 ----a-w- c:\windows\system32\nv4_disp.dll
2009-09-27 22:12:22 490088 ----a-w- c:\windows\system32\nvudisp.exe
2009-09-27 22:12:22 2194024 ----a-w- c:\windows\system32\nvcuvid.dll
2009-09-27 22:12:22 2007040 ----a-w- c:\windows\system32\nvcuda.dll
2009-09-27 22:12:22 1714792 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-09-27 22:12:22 170600 ----a-w- c:\windows\system32\nvcodins.dll
2009-09-27 22:12:22 170600 ----a-w- c:\windows\system32\nvcod.dll
2009-09-27 22:12:22 1604482 ----a-w- c:\windows\system32\nvdata.bin
2009-09-27 22:12:22 10756096 ----a-w- c:\windows\system32\nvoglnt.dll
2009-09-24 15:24:18 490088 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 23:44:40 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 23:44:40 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 23:44:40 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 23:29:34 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 23:29:34 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 23:29:32 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 23:29:32 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 23:29:30 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-29 00:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2008-06-10 01:06:02 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060220080609\index.dat
2008-06-10 01:06:02 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060920080610\index.dat

============= FINISH: 1:17:01.03 ===============

And the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:10 PM, on 11/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Logitech\G35\G35.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Documents and Settings\Joel\Desktop\RootRepeal.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [Logitech G35] C:\Program Files\Logitech\G35\G35.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" boot "C:\Documents and Settings\Joel\Local Settings\Application Data\NVIDIA Corporation\nTune\Profiles\osbootpf.nsu"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212960111686
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213051158827
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - Unknown owner - E:\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

--
End of file - 9092 bytes


#2 cshoulder (Topic Starter)

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:56 AM

Posted 29 November 2009 - 01:31 AM

Got tired of waiting around for any input and was able to isolate and delete the remaining issue. I can no longer find any issues in the file system after running fixmbr from the Windows Recovery Console. There do seem to be copies of the MBR that were made by a rootkit, but they are not being used.

I would like to get rid of those copies. I was able to see where they were located using "mbr.exe" from gmer.net, but I don't know how to delete those specific addresses. If anyone has information on how to best do that, I would certainly love to hear about it.

If no one has any idea how to get rid of those sans format, feel free to lock this thread.
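Two points in this thread call for a concrete check: the first post, where SAV keeps finding Boot.Mebroot in the MBR and something rewrites it seconds after a clean, and the second, where gmer's mbr.exe shows spare copies of the MBR that the poster wants to wipe by sector address. The Python below is an added example, not code from the thread or from SAV, gmer or the Recovery Console. It parses a raw 512-byte MBR, hashes only the bootstrap code (bytes 0..445) against a known-good value so that the partition table, which a bootkit leaves intact, does not mask the change, and scans a raw disk image for extra sectors carrying the same bootstrap code, which is where a saved copy of the original MBR shows up. The MBR bytes, the 128-sector image and the choice of sector 62 for the parked copy are all constructed for the example; nothing here was read from the poster's disk.

```python
"""Added example, not code from the BleepingComputer thread or from any tool it
names (SAV, gmer's mbr.exe, fixmbr). Parses a raw 512-byte MBR, compares its
bootstrap code with a known-good hash, and scans a raw disk image for extra
copies of that MBR parked in the unpartitioned sectors before partition 1.
Every byte of sample data below is constructed, not captured from a real disk."""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 446        # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"     # bytes 510..511


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int


def parse_mbr(mbr: bytes) -> list[Partition]:
    """Validate the boot signature and return the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError(f"MBR must be {SECTOR} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        # status, 3 CHS bytes, type, 3 CHS bytes, start LBA, sector count
        flag, ptype, start, size = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append(Partition(i, flag == 0x80, ptype, start, size))
    return parts


def boot_code_sha256(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def boot_code_changed(mbr: bytes, known_good_sha256: str) -> bool:
    """True if the bootstrap code differs from a reference taken while the disk was
    clean. The partition table is excluded on purpose: a bootkit keeps it intact so
    the machine still boots, so it carries no signal."""
    return boot_code_sha256(mbr) != known_good_sha256


def stash_gap(parts: list[Partition]) -> range:
    """LBAs between the MBR and the first partition. No filesystem owns them, which
    is why a bootkit that saves the original MBR before overwriting sector 0 tends
    to park the copy here."""
    return range(1, min(p.start_lba for p in parts))


def find_mbr_copies(image: bytes) -> list[int]:
    """LBAs other than 0 whose bootstrap code and signature match sector 0."""
    mbr = image[:SECTOR]
    hits = []
    for lba in range(1, len(image) // SECTOR):
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if s[:BOOT_CODE_LEN] == mbr[:BOOT_CODE_LEN] and s[510:512] == BOOT_SIG:
            hits.append(lba)
    return hits


def wipe_sectors(image: bytes, lbas: list[int]) -> bytes:
    """Return a copy of the image with the given sectors zeroed. Sector 0 is
    refused: replacing the live MBR is fixmbr's job, not a scanner's."""
    buf = bytearray(image)
    for lba in lbas:
        if lba == 0:
            raise ValueError("refusing to wipe sector 0")
        buf[lba * SECTOR:(lba + 1) * SECTOR] = b"\x00" * SECTOR
    return bytes(buf)


# ---- constructed sample data (assumption: one NTFS partition starting at LBA 63) ----
def _build_mbr(boot_code: bytes) -> bytes:
    entry = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 1000)
    table = entry + b"\x00" * 48                        # three empty entries
    return boot_code.ljust(BOOT_CODE_LEN, b"\x90") + table + BOOT_SIG


CLEAN_MBR = _build_mbr(bytes.fromhex("fa33c08ed0bc007c"))    # stand-in for real boot code
INFECTED_MBR = _build_mbr(bytes.fromhex("eb2090909090"))      # new code, same partition table
CLEAN_HASH = boot_code_sha256(CLEAN_MBR)

# 128-sector image: sector 0 = MBR, sector 62 = copy parked in the gap (position
# chosen for the example), sectors 63.. = partition data.
DISK_IMAGE = CLEAN_MBR + b"\x00" * SECTOR * 61 + CLEAN_MBR + b"A" * SECTOR * 65

if __name__ == "__main__":
    parts = parse_mbr(DISK_IMAGE[:SECTOR])
    print("partitions:", parts)
    print("gap sectors:", stash_gap(parts))
    print("boot code changed:", boot_code_changed(INFECTED_MBR, CLEAN_HASH))
    print("MBR copies at LBA:", find_mbr_copies(DISK_IMAGE))
```

Run it against an image taken while booted from rescue media rather than against the live disk: a bootkit that filters disk reads inside the running OS can hand a scanner the original sector and hide its own, so only an offline read is trustworthy. Once find_mbr_copies() has named the sectors, wipe_sectors() is the "delete those specific addresses" step the second post asks about, applied to the image and written back with a raw disk tool; it refuses sector 0 because the live MBR is what fixmbr already restored here.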

#3 garmanma (Computer Masochist)

  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:08:56 AM

Posted 29 November 2009 - 11:58 AM

Your question would be better off posted in one of our Operating System forums.

Log topic is closed
Mark



