
Crazy Rootkit...or something


  • This topic is locked
2 replies to this topic

#1 staticz

staticz


Posted 09 January 2011 - 01:15 AM

Hey guys:

Typically I can get ahold of and mitigate viruses and malware on my own, but this one has me stumped. It has taken away the mouse, but allows keyboards to function (PS/2), disabled IE (Firefox is fine) and no task bar is available. I cannot run Malware Bytes as it blocks the program from running (error - "Your version of vbalsgrid6.ocx may be outdated") however I've been able to run the following:

TDSS Remover from eSage
SuperAntiSpyware
UnhackMe
HitmanPro
Kaspersky Manual Virus Remover (was able to get this to install manually)


I'm at a loss on this one, hopefully someone here will be willing to help me out! I've posted the DDS and GMER logs below. One other thing that may be useful - Windows Firewall cannot start and I cannot get to Windows Updates either.

==== Installed Programs ======================

32 Bit HP CIO Components Installer
8500A909_eDocs
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Agere Systems PCI Soft Modem
AiO_Scan
AiOSoftware
ATI Control Panel
ATI Display Driver
Barnyard Invasion from HP Media Center (remove only)
Bejeweled 2 Deluxe from HP Media Center (remove only)
Blackhawk Striker 2 from HP Media Center (remove only)
Blasterball 2 from HP Media Center (remove only)
Blasterball 2 Holidays from HP Media Center (remove only)
Boggle Supreme from HP Media Center (remove only)
Bookworm Deluxe from HP Media Center (remove only)
Bounce Symphony from HP Media Center (remove only)
BPD_DSWizards
bpd_scan
BPDSoftware
BPDSoftware_Ini
BufferChm
CameraDrivers
CCleaner
CleanUp!
CP_AtenaShokunin1Config
CP_CalendarTemplates1
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
Crystal Maze from HP Media Center (remove only)
CueTour
Destinations
DeviceManagementQFolder
Digby's Donuts from HP Media Center (remove only)
DocProc
DocumentViewer
DocumentViewerQFolder
Easy Internet Sign-up
FATE Demo from HP Media Center (remove only)
Fax
Flip Words from HP Media Center (remove only)
GemMaster Mystic
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Boot Optimizer
HP Customer Participation Program 12.0
HP Deskjet Printer Preload
HP DigitalMedia Archive
HP Document Viewer 5.3
HP Game Console and games
HP Image Zone 5.3
HP Image Zone for Media Center PC
HP Multimedia Keyboard Software
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Photosmart Cameras 5.0
HP PSC & OfficeJet 5.3.B
HP Solution Center & Imaging Support Tools 5.3
HP Tunes
HP Update
HPProductAssistant
HpSdpAppCoreApp
Insaniquarium Deluxe from HP Media Center (remove only)
InstantShareDevices
IntelliMover Data Transfer Demo
InterVideo WinDVD Player
iTunes
iWin Games (remove only)
J2SE Runtime Environment 5.0
Jewel Quest from HP Media Center (remove only)
LightScribe  1.4.42.1
Mah Jong Quest from HP Media Center (remove only)
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Money 2005
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Software Update for Web Folders  (English) 12
Microsoft Store Download Manager
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Works
Mozilla Firefox (3.6.13)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB973686)
muvee autoProducer 4.0
muvee autoProducer unPlugged 1.1 - HPD
Network
NewCopy
Office 2003 Tour
Officejet Pro 8500 A909 Series
Otto
PanoStandAlone
PhotoGallery
Polar Bowler from HP Media Center (remove only)
Polar Golfer from HP Media Center (remove only)
PS2
PSPrinters08
PSTAPlugin
Puzzle Express from HP Media Center (remove only)
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QFolder
QuickBooks
QuickBooks Pro 2009
Quicken 2005
QuickTime
RandMap
Readme
RealPlayer
Ricochet Lost Worlds from HP Media Center (remove only)
Scan
ScannerCopy
SCRABBLE Blast from HP Media Center (remove only)
SCRABBLE from HP Media Center (remove only)
SCRABBLE Rack Attack from HP Media Center (remove only)
SecureIT
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Shrek 2 Ogre Bowler from HP Media Center (remove only)
SkinsHP1
Slingo Deluxe from HP Media Center (remove only)
Slyder from HP Media Center (remove only)
SolutionCenter
Sonic Encoders
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
Status
Super Granny from HP Media Center (remove only)
SUPERAntiSpyware
SupportSoft Assisted Service
Swarm from HP Media Center (remove only)
Toolbox
Tradewinds from HP Media Center (remove only)
TrayApp
UnHackMe 5.99 release
Unload
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369)
Updates from HP (remove only)
Visual Studio 2005 Tools for Office Second Edition Runtime
WebFldrs XP
WebReg
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10 Hotfix [See KB889858 for more information]
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB890629
Windows XP Media Center Edition 2005 KB895678
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver

==== End Of File ===========================

DDS (Ver_10-12-12.02) - NTFSx86  
Run by HP_Administrator at  0:10:53.14 on Sun 01/09/2011
Internet Explorer: 8.0.6001.18702

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\SecureIT\SCControlPanel.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\SecureIT\scmonitor\SCUpdateService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\TeamViewer\Version6\TeamViewer.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\TeamViewer\Version6\tv_w32.exe
c:\docume~1\hp_adm~1\locals~1\temp\teamviewer\version6\TeamViewer_Desktop.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\HP_Administrator\My Documents\Downloads\dl7xinzs.exe
C:\Documents and Settings\HP_Administrator\My Documents\Downloads\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CPub Object: {c68ae9c0-0909-4ddc-b661-c1afb9f5ae53} - c:\program files\secureit\PopupBlocker.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SCControlPanel] c:\program files\secureit\SCControlPanel.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe  startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\fza12owo.default\
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R? bnyazxja;bnyazxja
R? cqvsj;Driver Network
R? dfmtahjke;dfmtahjke
R? huhjp;huhjp
R? iWinTrusted;iWinTrusted
R? odqzth;odqzth
R? Partizan;Partizan
R? SASDIFSV;SASDIFSV
R? SASKUTIL;SASKUTIL
R? SCMonitor;SecureIT Monitor
R? zvmpj;zvmpj
S? 50865521;50865521
S? 50865522;50865522 Boot Guard Driver
S? AVG Anti-Rootkit;AVG Anti-Rootkit
S? AvgArCln;Avg Anti-Rootkit Clean Driver
S? ipfrwl;SCFirewall
S? rk_remover-boot;rk_remover-boot
S? scupdateservice;SecureIT Update Service
S? securitf;securitf
S? setup_9.0.0.722_09.01.2011_04-39drv;setup_9.0.0.722_09.01.2011_04-39drv

=============== Created Last 30 ================

2011-01-09 04:07:37	--------	d-----w-	c:\program files\SUPERAntiSpyware
2011-01-09 04:04:42	37600	----a-w-	c:\windows\system32\Partizan.exe
2011-01-09 04:04:42	35816	----a-w-	c:\windows\system32\drivers\Partizan.sys
2011-01-09 04:04:24	12808	----a-w-	c:\windows\system32\drivers\UnHackMeDrv.sys
2011-01-09 03:37:52	--------	d-----w-	C:\ComboFix
2011-01-09 03:35:21	53248	----a-w-	c:\windows\system32\drivers\rk_remover.sys
2011-01-09 02:10:40	37392	----a-w-	c:\windows\system32\drivers\50865522.sys
2011-01-09 02:10:40	315408	----a-w-	c:\windows\system32\drivers\5086552.sys
2011-01-09 02:10:40	128016	----a-w-	c:\windows\system32\drivers\50865521.sys
2011-01-09 02:02:56	--------	d-----w-	c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2011-01-09 01:58:53	--------	d-----w-	c:\program files\CCleaner
2011-01-09 01:51:03	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-09 01:50:59	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-01-09 01:50:58	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-01-07 21:08:36	1032192	----a-w-	c:\windows\explorer.exe
2011-01-05 21:36:09	98816	----a-w-	c:\windows\sed.exe
2011-01-05 21:36:09	89088	----a-w-	c:\windows\MBR.exe
2011-01-05 21:36:09	256512	----a-w-	c:\windows\PEV.exe

==================== Find3M  ====================

2011-01-09 04:04:37	2	--shatr-	c:\windows\winstart.bat
2010-11-18 23:07:07	1821192	----a-w-	C:\vc2008sp1.exe
2010-11-18 23:04:58	2723264	----a-w-	C:\vc2005sp1.exe
2010-11-02 15:15:13	1409	----a-w-	c:\windows\QTFont.for
2010-11-01 15:03:24	114413	----a-w-	c:\documents and settings\hp_administrator\ufc.bat
2009-04-15 23:15:30	370501680	----a-w-	c:\program files\QuickBooksPro2007.exe

============= FINISH:  0:11:24.17 ===============

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-09 00:09:54
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-1b ST3200826A rev.3.03
Running: dl7xinzs.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\uwryypog.sys


---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\system32\drivers\rk_remover.sys (TDSS Remover Kernel Driver/eSage Lab)     ZwCreateFile [0xEEDB08F0]
SSDT            \SystemRoot\system32\drivers\rk_remover.sys (TDSS Remover Kernel Driver/eSage Lab)     ZwOpenFile [0xEEDB0850]

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!IofCallDriver                                                             804EF196 6 Bytes  PUSH EEDAEA60; RET \SystemRoot\system32\drivers\rk_remover.sys (TDSS Remover Kernel Driver/eSage Lab)
?               C:\WINDOWS\system32\Drivers\PROCEXP113.SYS                                             The system cannot find the file specified. !
?               C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys                                         The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text           C:\Program Files\Mozilla Firefox\firefox.exe[176] ntdll.dll!LdrLoadDll                 7C9163A3 5 Bytes  JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text           C:\Program Files\Mozilla Firefox\plugin-container.exe[1476] USER32.dll!TrackPopupMenu  7E46531E 5 Bytes  JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter]                      [F1B8EA76] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter]                       [F1B8EACC] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol]                  [F1B8ECFC] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol]               [F1B8ED26] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol]                 [F1B8ECFC] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter]                      [F1B8EACC] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter]                     [F1B8EA76] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT             \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter]                    [F1B8EA76] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT             \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter]                     [F1B8EACC] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT             \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol]              [F1B8ED26] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT             \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol]                [F1B8ECFC] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol]                [F1B8ECFC] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol]              [F1B8ED26] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter]                    [F1B8EA76] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter]                     [F1B8EACC] \SystemRoot\System32\Drivers\ipfrwl.SYS

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                 bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                 scfltr.sys
AttachedDevice  \FileSystem\Fastfat \Fat                                                               bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice  \FileSystem\Fastfat \Fat                                                               fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service         C:\WINDOWS\system32\svchost.exe (*** hidden *** )                                      [AUTO] cqvsj                                                                                                              <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\cqvsj@DisplayName                               Driver Network
Reg             HKLM\SYSTEM\CurrentControlSet\Services\cqvsj@Type                                      32
Reg             HKLM\SYSTEM\CurrentControlSet\Services\cqvsj@Start                                     2
Reg             HKLM\SYSTEM\CurrentControlSet\Services\cqvsj@ErrorControl                              0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\cqvsj@ImagePath                                 %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\CurrentControlSet\Services\cqvsj@ObjectName                                LocalSystem
Reg             HKLM\SYSTEM\CurrentControlSet\Services\cqvsj@Description                               Monitors and protects system from security threats
Reg             HKLM\SYSTEM\CurrentControlSet\Services\cqvsj\Parameters                                
Reg             HKLM\SYSTEM\CurrentControlSet\Services\cqvsj\Parameters@ServiceDll                     C:\WINDOWS\system32\jkqbmbs.dll
Reg             HKLM\SYSTEM\ControlSet004\Services\cqvsj@DisplayName                                   Driver Network
Reg             HKLM\SYSTEM\ControlSet004\Services\cqvsj@Type                                          32
Reg             HKLM\SYSTEM\ControlSet004\Services\cqvsj@Start                                         2
Reg             HKLM\SYSTEM\ControlSet004\Services\cqvsj@ErrorControl                                  0
Reg             HKLM\SYSTEM\ControlSet004\Services\cqvsj@ImagePath                                     %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\ControlSet004\Services\cqvsj@ObjectName                                    LocalSystem
Reg             HKLM\SYSTEM\ControlSet004\Services\cqvsj@Description                                   Monitors and protects system from security threats
Reg             HKLM\SYSTEM\ControlSet004\Services\cqvsj\Parameters (not active ControlSet)            
Reg             HKLM\SYSTEM\ControlSet004\Services\cqvsj\Parameters@ServiceDll                         C:\WINDOWS\system32\jkqbmbs.dll

---- Disk sectors - GMER 1.0.15 ----

Disk            \Device\Harddisk0\DR0                                                                  sector 61: malicious code @ sector 0x1749da10 size 0x1b5
Disk            \Device\Harddisk0\DR0                                                                  sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----
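The GMER log above shows a hidden service (cqvsj) hosted by svchost.exe with its ServiceDll in system32, and malicious code in a raw disk sector next to a saved copy of the MBR. The following triage parser is an added example, not a BleepingComputer or GMER tool; it pulls those indicators out of GMER-format output. The sample lines are constructed to mirror the posted log (column spacing shortened), and the class and function names are this example's own.

```python
"""Triage parser for GMER 1.0.15 rootkit-scan output (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample mirroring the GMER log format posted in the thread.
SAMPLE_GMER_LOG = r"""
---- Services - GMER 1.0.15 ----

Service         C:\WINDOWS\system32\svchost.exe (*** hidden *** )   [AUTO] cqvsj   <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\cqvsj@ImagePath   %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\CurrentControlSet\Services\cqvsj\Parameters@ServiceDll   C:\WINDOWS\system32\jkqbmbs.dll
Reg             HKLM\SYSTEM\ControlSet004\Services\cqvsj\Parameters@ServiceDll   C:\WINDOWS\system32\jkqbmbs.dll

---- Disk sectors - GMER 1.0.15 ----

Disk            \Device\Harddisk0\DR0   sector 61: malicious code @ sector 0x1749da10 size 0x1b5
Disk            \Device\Harddisk0\DR0   sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----
"""

# "Service <image> (*** hidden *** ) [START] <name>" lines from the Services section.
HIDDEN_SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")
# "Reg HKLM\SYSTEM\<set>\Services\<name>[\Parameters]@<value> <data>" lines.
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<set>\w+)\\Services\\(?P<name>[^\\@\s]+)"
    r"(?:\\Parameters)?@(?P<value>\w+)\s+(?P<data>.*?)\s*$")
# "Disk <device> sector N: <description>" lines from the Disk sectors section.
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+sector (?P<sector>\d+): (?P<desc>.+?)\s*$")


@dataclass
class GmerTriage:
    hidden_services: list = field(default_factory=list)  # service names GMER marks hidden
    image_paths: dict = field(default_factory=dict)      # service -> ImagePath (active set)
    service_dlls: dict = field(default_factory=dict)     # service -> set of ServiceDll paths
    disk_findings: list = field(default_factory=list)    # (sector number, description)

    def svchost_hosted_dll(self, name):
        """DLLs a hidden svchost-hosted service really loads (the file to preserve), or empty set."""
        if "svchost.exe" not in self.image_paths.get(name, "").lower():
            return set()
        return self.service_dlls.get(name, set())

    def mbr_bootkit_suspected(self):
        """'malicious code' in a raw sector plus a 'copy of MBR' is the bootkit pattern in the log."""
        descs = [d.lower() for _, d in self.disk_findings]
        return any("malicious code" in d for d in descs) and any("copy of mbr" in d for d in descs)


def triage_gmer(text):
    """Walk GMER output line by line and collect the hidden-service, registry and disk indicators."""
    t = GmerTriage()
    for line in text.splitlines():
        m = HIDDEN_SERVICE_RE.match(line)
        if m:
            t.hidden_services.append(m.group("name"))
            continue
        m = REG_RE.match(line)
        if m:
            name, value, data = m.group("name"), m.group("value"), m.group("data")
            if value == "ServiceDll":
                t.service_dlls.setdefault(name, set()).add(data)
            elif value == "ImagePath" and m.group("set") == "CurrentControlSet":
                t.image_paths[name] = data
            continue
        m = DISK_RE.match(line)
        if m:
            t.disk_findings.append((int(m.group("sector")), m.group("desc")))
    return t


def report(t):
    """Human-readable triage lines a helper could paste back into a thread."""
    lines = []
    for name in t.hidden_services:
        dlls = ", ".join(sorted(t.svchost_hosted_dll(name))) or "(ServiceDll not in log)"
        lines.append(f"hidden service {name!r} hosted by svchost; ServiceDll: {dlls}")
    for sector, desc in t.disk_findings:
        lines.append(f"disk sector {sector}: {desc}")
    if t.mbr_bootkit_suspected():
        lines.append("MBR bootkit pattern: malicious sector code plus saved MBR copy; "
                     "image the disk before any MBR repair")
    return lines


if __name__ == "__main__":
    for line in report(triage_gmer(SAMPLE_GMER_LOG)):
        print(line)
```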


#2 Blade

Blade


Posted 14 January 2011 - 04:59 AM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Watch Topic. By clicking this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand. :)
***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 Blade

Blade


Posted 18 January 2011 - 05:49 AM

Due to lack of feedback, this topic is now Closed

~Blade





