
Trouble with Malware


  • This topic is locked
6 replies to this topic

#1 Casualblue

Casualblue

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:26 AM

Posted 12 December 2010 - 11:50 AM

I somehow received a lovely batch of malware on my laptop a couple of days ago. Normally, safe mode > system restore > run Malwarebytes / Spybot S&D works fine (I rarely get malware anyway, so this is a rare occurrence and it's normally pretty easy to remove stuff), although this hasn't been the case this time.

System restore isn't working (always get some error and it doesn't restore). I've run Spybot S&D and Malwarebytes in safe mode, and they've found and removed 2 trojans + some adware, yet whenever I reboot the comp, Norton notifies me that it is blocking attacks, my web pages open in my browser/Google links take me to random attack sites/ad pages about 50% of the time, and my laptop is still noticeably slower than it should be.

I've now downloaded combofix, and it worked partially - found some rootdisk stuff and removed it, then rebooted, and got to stage 4.

Cue blue screen of death. This happens every time: it removes rootdisk, reboots, BSOD at stage 4/5, every time.

So I'm currently stuck...

My original intention was to run ComboFix then post the log here to make sure everything was gone, but obviously I can't even do that =\...

Also, I have just noticed that I now have a Q drive alongside my C drive and recovery one, and access to it is denied... no idea where that came from or what it is.

DDS log


DDS (Ver_10-12-12.02) - NTFSx86
Run by Iain at 16:55:57.08 on 12/12/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.2814.1415 [GMT 0:00]

AV: Norton 360 *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton 360 *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\spool\drivers\w32x86\hpzstatn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\SMINST\BLService.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Users\Iain\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 1\firefox.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 1\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Iain\Downloads\Firefox\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://uk.ask.com?o=15007&l=dis
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IeCatch5 Class: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\progra~1\flashget\jccatch.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: BrowserHelper Class: {edf48a39-1442-463f-9f4e-f376a78d034a} - c:\program files\livedrive\LivedriveExplorerExtensions.dll
BHO: gFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\progra~1\flashget\getflash.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} -
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [FlashGet 3] "c:\program files\flashget network\flashget 3\Flashget3.exe" -minimize
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [Google Update] "c:\users\iain\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [hpfsched] c:\windows\hpfsched.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [combofix] "c:\combo-fix\cf19525.cfxxe" /c "c:\combo-fix\C.bat"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AOL Toolbar Search - c:\programdata\aol\ietoolbar\resources\en-gb\local\search.html
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\programs\partygaming\partypoker\RunApp.exe
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: kuaiche.com\software
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\iain\appdata\roaming\mozilla\firefox\profiles\svwfwpp7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/?ref=hp
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox 4.0 beta 1\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\users\iain\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-12-11 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-12-11 173104]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20101123.003\BHDrvx86.sys [2010-11-23 691248]
R1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [2009-9-2 146904]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-12-11 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20101210.001\IDSvix86.sys [2010-12-11 353912]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-12-11 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0403000.005\symtdiv.sys [2010-12-11 339504]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2010-2-7 12672]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2009-9-26 819600]
R2 hpzstatn;Printer Status Server;c:\windows\system32\spool\drivers\w32x86\hpzstatn.exe [1999-12-29 503296]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-12-11 126392]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-26 365952]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-12-10 1153368]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2009-9-23 447832]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-12-10 102448]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-8-12 66592]
R3 sftfs;sftfs;c:\program files\microsoft application virtualization client\drivers\SftFSlh.sys [2009-9-23 543064]
R3 sftplay;sftplay;c:\program files\microsoft application virtualization client\drivers\sftplaylh.sys [2009-9-23 190312]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2009-9-23 21848]
R3 sftvol;sftvol;c:\program files\microsoft application virtualization client\drivers\SftVollh.sys [2009-9-23 14680]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2009-9-23 203608]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2009-7-13 20992]
S2 PEVSystemStart;PEVSystemStart;c:\combo-fix\PEV.cfxxe [2010-12-12 256512]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-10-26 193840]
S3 KMWDFILTERx86;HIDServiceDesc;c:\windows\system32\drivers\KMWDFILTER.sys [2009-4-29 25088]

=============== Created Last 30 ================

2010-12-12 16:19:55 -------- d-s---w- C:\Combo-Fix
2010-12-11 04:07:34 339504 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symtdiv.sys
2010-12-11 04:07:34 328752 ----a-r- c:\windows\system32\drivers\n360\0403000.005\symds.sys
2010-12-11 04:07:34 173104 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symefa.sys
2010-12-11 04:07:33 501888 ----a-w- c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys
2010-12-11 04:07:33 43696 ----a-w- c:\windows\system32\drivers\n360\0403000.005\srtspx.sys
2010-12-11 04:07:33 325680 ----a-w- c:\windows\system32\drivers\n360\0403000.005\srtsp.sys
2010-12-11 04:07:33 116784 ----a-w- c:\windows\system32\drivers\n360\0403000.005\ironx86.sys
2010-12-10 20:39:50 -------- d-----w- c:\windows\system32\drivers\n360\0403000.005
2010-12-10 19:33:22 -------- d-----w- c:\users\iain\appdata\local\iDFX
2010-12-10 19:32:43 -------- d-----w- c:\program files\iDFX
2010-12-10 17:54:47 -------- d-----w- c:\users\iain\appdata\roaming\SUPERAntiSpyware.com
2010-12-10 17:54:47 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-12-10 17:53:32 -------- d-----w- c:\users\iain\appdata\roaming\Malwarebytes
2010-12-10 17:53:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-10 17:53:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-10 17:53:23 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-12-10 17:53:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-10 17:52:56 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-10 17:52:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-10 17:52:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-10 00:06:42 -------- d-----w- c:\users\iain\appdata\local\CrashDumps
2010-12-10 00:05:39 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-12-10 00:05:39 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-12-10 00:05:35 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-12-10 00:05:32 -------- d-----w- c:\program files\Symantec
2010-12-10 00:05:28 -------- d-----w- c:\program files\Norton Internet Security
2010-12-10 00:04:19 -------- d-----w- c:\windows\system32\drivers\N360
2010-12-10 00:04:15 -------- d-----w- c:\program files\Norton 360
2010-12-07 21:32:57 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{f14db459-b228-4e10-b3ab-8291a197b6fe}\mpengine.dll
2010-12-07 13:32:30 -------- d-----w- c:\users\iain\appdata\roaming\Mozilla-Cache
2010-11-23 21:02:40 7680 ----a-w- c:\program files\internet explorer\iecompat.dll

==================== Find3M ====================

2010-11-08 01:20:24 89088 ----a-w- c:\windows\MBR.exe
2010-10-19 10:41:44 222080 ----a-w- c:\windows\system32\MpSigStub.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: TOSHIBA_MK2555GSX rev.FG002C -> Harddisk0\DR0 -> \Device\Ide\IdePort3 P3T0L0-5

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x865CB555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x865d17b0]; MOV EAX, [0x865d182c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82E4C458] -> \Device\Harddisk0\DR0[0x865AC158]
3 CLASSPNP[0x8B18659E] -> ntkrnlpa!IofCallDriver[0x82E4C458] -> [0x86494358]
5 ACPI[0x8374D3B2] -> ntkrnlpa!IofCallDriver[0x82E4C458] -> \IdeDeviceP3T0L0-5[0x8648F908]
\Driver\atapi[0x865B0608] -> IRP_MJ_CREATE -> 0x865CB555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP3T0L0-5 -> \??\IDE#DiskTOSHIBA_MK2555GSX_______________________FG002C__#5&b0fd174&0&1.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 488397166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 17:00:10.99 ===============

GMER Log

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-12 18:55:08
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdePort3 TOSHIBA_MK2555GSX rev.FG002C
Running: gmer.exe; Driver: C:\Users\Iain\AppData\Local\Temp\kgldqpoc.sys


---- System - GMER 1.0.15 ----

SSDT 870B73B8 ZwAlertResumeThread
SSDT 8728D278 ZwAlertThread
SSDT 87296920 ZwAllocateVirtualMemory
SSDT 86A02230 ZwAlpcConnectPort
SSDT 872E44E8 ZwAssignProcessToJobObject
SSDT 872DFC88 ZwCreateMutant
SSDT 872E4208 ZwCreateSymbolicLinkObject
SSDT 87287870 ZwCreateThread
SSDT 872E42F8 ZwCreateThreadEx
SSDT 872965E0 ZwDebugActiveProcess
SSDT 8692A340 ZwDuplicateObject
SSDT 87296780 ZwFreeVirtualMemory
SSDT 8692E918 ZwImpersonateAnonymousToken
SSDT 871B6048 ZwImpersonateThread
SSDT 8695FF70 ZwLoadDriver
SSDT 872966A0 ZwMapViewOfSection
SSDT 8731EE00 ZwOpenEvent
SSDT 87323D10 ZwOpenProcess
SSDT 870A60B8 ZwOpenProcessToken
SSDT 87323CD8 ZwOpenSection
SSDT 86904410 ZwOpenThread
SSDT 872E43F8 ZwProtectVirtualMemory
SSDT 87289A30 ZwResumeThread
SSDT 87110048 ZwSetContextThread
SSDT 87296F38 ZwSetInformationProcess
SSDT 868D8668 ZwSetSystemInformation
SSDT 868CA8D0 ZwSuspendProcess
SSDT 87110300 ZwSuspendThread
SSDT 8712F048 ZwTerminateProcess
SSDT 8715DF90 ZwTerminateThread
SSDT 87207048 ZwUnmapViewOfSection
SSDT 87296850 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E53599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E77F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 224 82E7F734 8 Bytes [B8, 73, 0B, 87, 78, D2, 28, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 82E7F74C 4 Bytes [20, 69, 29, 87]
.text ntkrnlpa.exe!RtlSidHashLookup + 248 82E7F758 4 Bytes [30, 22, A0, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 82E7F7AC 4 Bytes CALL A36F25F5
.text ntkrnlpa.exe!RtlSidHashLookup + 318 82E7F828 4 Bytes [88, FC, 2D, 87]
.text ...
? C:\Users\Iain\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtProtectVirtualMemory 77305380 5 Bytes JMP 0020000A
.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtWriteVirtualMemory 77305F00 5 Bytes JMP 0025000A
.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!KiUserExceptionDispatcher 77306448 5 Bytes JMP 001F000A
.text C:\Windows\system32\svchost.exe[1060] ole32.dll!CoCreateInstance 75E4590C 5 Bytes JMP 009A000A
.text C:\Windows\system32\svchost.exe[1060] USER32.dll!GetCursorPos 75B8C198 5 Bytes JMP 0023000A
.text C:\Windows\Explorer.EXE[2364] ntdll.dll!NtProtectVirtualMemory 77305380 5 Bytes JMP 001C000A
.text C:\Windows\Explorer.EXE[2364] ntdll.dll!NtWriteVirtualMemory 77305F00 5 Bytes JMP 001D000A
.text C:\Windows\Explorer.EXE[2364] ntdll.dll!KiUserExceptionDispatcher 77306448 5 Bytes JMP 001B000A
.text C:\Windows\system32\wuauclt.exe[4484] ntdll.dll!NtProtectVirtualMemory 77305380 5 Bytes JMP 001D000A
.text C:\Windows\system32\wuauclt.exe[4484] ntdll.dll!NtWriteVirtualMemory 77305F00 5 Bytes JMP 001E000A
.text C:\Windows\system32\wuauclt.exe[4484] ntdll.dll!KiUserExceptionDispatcher 77306448 5 Bytes JMP 001B000A
.text C:\Program Files\Mozilla Firefox 4.0 Beta 1\plugin-container.exe[4816] USER32.dll!SetWindowLongA 75B8B1E3 5 Bytes JMP 62D5CF00 C:\Program Files\Mozilla Firefox 4.0 Beta 1\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox 4.0 Beta 1\plugin-container.exe[4816] USER32.dll!SetWindowLongW 75B96614 5 Bytes JMP 62D5CEA0 C:\Program Files\Mozilla Firefox 4.0 Beta 1\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox 4.0 Beta 1\plugin-container.exe[4816] USER32.dll!TrackPopupMenu 75BB4B3B 5 Bytes JMP 62BC1695 C:\Program Files\Mozilla Firefox 4.0 Beta 1\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox 4.0 Beta 1\firefox.exe[5100] ntdll.dll!NtProtectVirtualMemory 77305380 5 Bytes JMP 004C000A
.text C:\Program Files\Mozilla Firefox 4.0 Beta 1\firefox.exe[5100] ntdll.dll!NtWriteVirtualMemory 77305F00 5 Bytes JMP 004D000A
.text C:\Program Files\Mozilla Firefox 4.0 Beta 1\firefox.exe[5100] ntdll.dll!KiUserExceptionDispatcher 77306448 5 Bytes JMP 0047000A
.text C:\Program Files\Mozilla Firefox 4.0 Beta 1\firefox.exe[5100] ntdll.dll!LdrLoadDll 7731F625 5 Bytes JMP 01171430 C:\Program Files\Mozilla Firefox 4.0 Beta 1\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000061 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Device\Ide\IdeDeviceP3T0L0-5 -> \??\IDE#DiskTOSHIBA_MK2555GSX_______________________FG002C__#5&b0fd174&0&1.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 488396912 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

Edited by Casualblue, 12 December 2010 - 01:55 PM.
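The verdict in the logs above is carried by a handful of lines: the MBR detector's "user != kernel MBR" comparison, the ">>UNKNOWN [addr]<<" module in the disk call chain, the atapi IRP_MJ_CREATE hook that points at that same address, and GMER's "rootkit-like behavior" sector lines. The parser below, added here as an example and not a tool from this thread or from Gmer, pulls those indicators out of the pasted output and explains why they add up to an MBR rootkit. The sample input is constructed from lines copied from the logs above; the regular expressions are my assumptions about the output format, and the verdict rule is mine, not the detector's.

```python
"""Extract MBR-rootkit indicators from DDS/GMER rootkit output (added example)."""
import re

# Constructed sample input: lines copied from the DDS "ROOTKIT" section and the
# GMER "Disk sectors" section in this thread, trimmed to the lines that carry
# the verdict. A real log has many more lines; the parser ignores those.
SAMPLE_LOG = r"""
=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x865CB555]<<
\Driver\atapi[0x865B0608] -> IRP_MJ_CREATE -> 0x865CB555
kernel: MBR read successfully
detected hooks:
user != kernel MBR !!!
sectors 488397166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 488396912 (+255): rootkit-like behavior;
"""

# Assumed line formats, derived from the output pasted in this thread.
UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOKED_IRP = re.compile(
    r"^(\\Driver\\[^\[]+)\[0x[0-9A-Fa-f]+\] -> (IRP_MJ_\w+) -> (0x[0-9A-Fa-f]+)$")
MISMATCH_RANGE = re.compile(r"^sectors (\d+) \(\+(\d+)\): user != kernel$")
FLAGGED_SECTOR = re.compile(
    r"^Disk (\S+) sectors? (\d+)(?: \(\+(\d+)\))?(?: \(MBR\))?: rootkit-like behavior;?$")
TOOL_WARNING = re.compile(r"^Warning: (.+)$")


def parse_rootkit_indicators(text):
    """Collect the MBR-rootkit indicators present in DDS/GMER rootkit output."""
    ind = {
        "mbr_mismatch": False,   # user-mode and kernel-mode reads of sector 0 differ
        "unknown_module": None,  # code in the disk call chain owned by no loaded module
        "hooked_irps": [],       # (driver, IRP major function, handler address)
        "mismatch_ranges": [],   # (first sector, extra sectors) where user != kernel
        "flagged_sectors": [],   # (device, first sector, extra sectors) flagged by GMER
        "tool_warning": None,    # the detector's own one-line verdict, if present
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line == "user != kernel MBR !!!":
            ind["mbr_mismatch"] = True
            continue
        m = UNKNOWN_MODULE.search(line)
        if m:
            ind["unknown_module"] = m.group(1)
            continue
        m = HOOKED_IRP.match(line)
        if m:
            ind["hooked_irps"].append((m.group(1), m.group(2), m.group(3)))
            continue
        m = MISMATCH_RANGE.match(line)
        if m:
            ind["mismatch_ranges"].append((int(m.group(1)), int(m.group(2))))
            continue
        m = FLAGGED_SECTOR.match(line)
        if m:
            ind["flagged_sectors"].append((m.group(1), int(m.group(2)), int(m.group(3) or 0)))
            continue
        m = TOOL_WARNING.match(line)
        if m:
            ind["tool_warning"] = m.group(1)
    return ind


def assess(ind):
    """Turn parsed indicators into a verdict plus the reasons behind it (my rule)."""
    reasons = []
    if ind["mbr_mismatch"]:
        reasons.append("user-mode and kernel-mode MBR reads differ (sector 0 is being filtered)")
    unk = ind["unknown_module"]
    hooked = []
    if unk:
        hooked = [drv for drv, _irp, addr in ind["hooked_irps"] if addr.lower() == unk.lower()]
        if hooked:
            reasons.append("disk IRP handler of %s points at unknown code %s" % (", ".join(hooked), unk))
        else:
            reasons.append("unknown code %s in the disk I/O call chain" % unk)
    for start, extra in ind["mismatch_ranges"]:
        reasons.append("sectors %d-%d read differently from user and kernel mode" % (start, start + extra))
    if any(sector == 0 for _dev, sector, _extra in ind["flagged_sectors"]):
        reasons.append("GMER flags the MBR sector itself")
    if ind["mbr_mismatch"] or hooked:
        verdict = "mbr-rootkit-likely"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "no-mbr-indicators"
    return {"verdict": verdict, "reasons": reasons, "tool_warning": ind["tool_warning"]}


if __name__ == "__main__":
    result = assess(parse_rootkit_indicators(SAMPLE_LOG))
    print(result["verdict"], "-", result["tool_warning"])
    for reason in result["reasons"]:
        print(" *", reason)
```

The two strongest signals are the ones the detector itself prints: a user-mode read of sector 0 that does not match what the kernel-level read returns means something between the filesystem and the disk is rewriting the MBR on the fly, and an IRP handler in the atapi driver that resolves to an address outside any loaded module is the filter doing it. The "(+255)" ranges near the end of the disk are where such rootkits keep their own data, which is why GMER marks them separately.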



#2 Casualblue

Casualblue
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:26 AM

Posted 12 December 2010 - 01:56 PM

Just ran GMER as well.

#3 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:06:26 AM

Posted 21 December 2010 - 12:55 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.




#4 Casualblue

Casualblue
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:26 AM

Posted 22 December 2010 - 09:11 AM

Yeah, I sorted it out about a day after I made the original post...

Didn't see the point in waiting any longer.

Edited by Casualblue, 22 December 2010 - 09:11 AM.


#5 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:06:26 AM

Posted 22 December 2010 - 09:22 AM

OK, thanks for letting us know.

For future reference (and for anyone reading this thread), this is exactly the reason you shouldn't run ComboFix without trained supervision.

I'll get this topic closed.

Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.




#6 Casualblue

Casualblue
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:26 AM

Posted 22 December 2010 - 12:12 PM

ComboFix has worked for me in the past, it's just this laptop is a bit old.

It runs fine now anyway.

#7 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:26 AM

Posted 22 December 2010 - 02:03 PM

Since this topic appears to be resolved, I will now close it.
If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/



