
Virus/Malware in Kernel


10 replies to this topic

#1 Bo1965
  • Members
  • 235 posts

Posted 24 July 2011 - 07:05 PM

Hello,

I believe I have a virus or malware in my Kernel. Every time I run SAS, it finds anywhere from 4 to 30 malware. I can run SAS once and find 5 malware and run it right after it finishes a second and third time and find another 5 to 10 malware and sometimes as much as 30 malware. I haven't had that problem until recently. Please advise at your earliest convenience. Thank you in advance for your assistance.


#2 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,190 posts

Posted 24 July 2011 - 07:25 PM

Hello and welcome. Let's see that and another log.

Reboot into Safe Mode, update and scan. Post that scan log.

Reboot to Normal mode.
Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Bo1965
  • Topic Starter
  • Members
  • 235 posts

Posted 25 July 2011 - 03:05 PM

Boopme,

Good afternoon. Here is what I did and the results. After updating SAS, I ran a fresh scan and SAS discovered 5 malwares (Log posted below as "first sas run"). Then I ran SAS in safe mode and zero malware detected. I rebooted and within 5 minutes, my computer started downloading or processing even before I applied my desktop password to logon to my computer. So I restarted in safe mode again and ran SAS and again, zero malware detected. Then I rebooted and decided to run one more SAS and sure enough, 18 malware detected (Log posted below as "second sas run"). I will run MBAM tonight and post the results.



First SAS run:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/25/2011 at 12:07 PM

Application Version : 4.55.1000

Core Rules Database Version : 7454
Trace Rules Database Version: 5266

Scan type : Complete Scan
Total Scan Time : 00:13:41

Memory items scanned : 480
Memory threats detected : 0
Registry items scanned : 12344
Registry threats detected : 0
File items scanned : 26925
File threats detected : 5

Adware.Tracking Cookie
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@collective-media[1].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@doubleclick[1].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@imrworldwide[2].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@revsci[2].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@serving-sys[2].txt



Second SAS run:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/25/2011 at 01:28 PM

Application Version : 4.55.1000

Core Rules Database Version : 7454
Trace Rules Database Version: 5266

Scan type : Complete Scan
Total Scan Time : 00:12:11

Memory items scanned : 508
Memory threats detected : 0
Registry items scanned : 12344
Registry threats detected : 0
File items scanned : 27013
File threats detected : 18

Adware.Tracking Cookie
mediacast.realgravity.com [ C:\Users\Bo's\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\8LGP22UV ]
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@ad.yieldmanager[2].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@adbrite[1].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@ads.pubmatic[1].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@advertising[2].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@atdmt[2].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@collective-media[1].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@content.yieldmanager[1].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@doubleclick[2].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@imrworldwide[2].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@invitemedia[1].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@lucidmedia[1].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@media6degrees[2].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@network.realmedia[1].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@pro-market[1].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@realmedia[1].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@revsci[2].txt
C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Cookies\Low\bo's@ru4[2].txt

#4 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,190 posts

Posted 25 July 2011 - 06:43 PM

Hi Bo, you did not run MBAM yet.
Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Let's see if there is something in the Master Boot Record.


To check for and confirm an MBR (Master Boot Record) rootkit.


Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.

#5 Bo1965
  • Topic Starter
  • Members
  • 235 posts

Posted 25 July 2011 - 11:54 PM

Good evening Boopme,

Below are the logs you requested:



MBAM

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7278

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

7/25/2011 7:30:06 PM
mbam-log-2011-07-25 (19-30-06).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 265132
Time elapsed: 12 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

----------------------------------------------------------------------------------


Security Check:


Results of screen317's Security Check version 0.99.7
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Adobe Flash Player
Adobe Reader 9.4.3
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
``````````End of Log````````````


----------------------------------------------------------------------------------------------

MBR:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601

device: opened successfully
user: error reading MBR
error: Read The handle is invalid.
kernel: error reading MBR
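What the mbr.exe step in post #4 and the mbr.log just above are about, as an added Python example that is not code from this thread, from Gmer's mbr.exe or from MBRCheck: it takes the first 512-byte sector of a disk, checks the 0x55AA boot signature, parses the four partition entries, and hashes the 440-byte bootstrap code so the hash can be compared with a baseline of known-good MBR code (the same kind of comparison behind a "Windows 7 MBR code detected" verdict and its SHA1 line). The sector bytes, the `KNOWN_GOOD` baseline, the 0xDEADBEEF disk signature and the tampered variant are all constructed here; in practice the baseline comes from a clean install of the same Windows version. Reading a real drive through `read_mbr` needs an elevated prompt, and a failed or short read is raised as an error rather than treated as a clean result, which is the right reading of the "error reading MBR" lines above.

```python
import hashlib
import struct

MBR_SIZE = 512
CODE_LEN = 440           # bootstrap code: bytes 0..439
SIG_OFFSET = 440         # 4-byte disk signature, then 2 reserved bytes
PT_OFFSET = 446          # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510..511


def read_mbr(device: str) -> bytes:
    """Read sector 0 from a raw device or disk image (e.g. \\.\PhysicalDrive0 on
    Windows, which needs an elevated prompt). A short read is an error, not 'clean'."""
    with open(device, "rb") as fh:
        data = fh.read(MBR_SIZE)
    if len(data) != MBR_SIZE:
        raise OSError(f"could not read a full {MBR_SIZE}-byte MBR from {device}")
    return data


def parse_mbr(sector: bytes) -> dict:
    """Validate the sector; return bootstrap-code hash, disk signature and partitions."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"short read: {len(sector)} bytes, expected {MBR_SIZE}")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("boot signature 0x55AA missing")
    partitions = []
    for i in range(4):
        # entry layout: status, CHS start, type, CHS end, LBA start, sector count
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PT_OFFSET + 16 * i)
        if ptype == 0:           # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * MBR_SIZE,   # what MBRCheck prints as "at offset"
        })
    return {
        "code_sha1": hashlib.sha1(sector[:CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, SIG_OFFSET)[0],
        "partitions": partitions,
    }


def is_valid_mbr(sector: bytes) -> bool:
    """True when the sector has the right size and boot signature."""
    try:
        parse_mbr(sector)
        return True
    except ValueError:
        return False


def check_mbr(sector: bytes, known_good: dict) -> dict:
    """Compare the bootstrap-code hash with a baseline of known-good hashes."""
    info = parse_mbr(sector)
    label = known_good.get(info["code_sha1"])
    info["status"] = f"known-good: {label}" if label else "UNKNOWN bootstrap code, investigate"
    return info


def build_sample_mbr() -> bytes:
    """Constructed MBR: a short x86 stub padded with NOPs and one NTFS partition
    placed at the byte offset MBRCheck reported for C: in this thread (0x06500000)."""
    code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8".ljust(CODE_LEN, b"\x90")
    disk_sig = struct.pack("<I", 0xDEADBEEF)                 # constructed value
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff",
                        0x06500000 // MBR_SIZE, 1953314816)
    sector = code + disk_sig + b"\x00\x00" + entry + b"\x00" * 48 + BOOT_SIG
    assert len(sector) == MBR_SIZE
    return sector


SAMPLE_MBR = build_sample_mbr()

# Baseline stand-in: derived from the constructed sample. A real baseline is the
# hash of the bootstrap code from a clean install of the same Windows version.
KNOWN_GOOD = {parse_mbr(SAMPLE_MBR)["code_sha1"]: "constructed Windows-style MBR"}


def tampered_sample() -> bytes:
    """Same sector with the first three code bytes patched; partition table untouched,
    so only the code hash reveals the change."""
    s = bytearray(SAMPLE_MBR)
    s[0:3] = b"\xeb\x3e\x90"
    return bytes(s)


if __name__ == "__main__":
    for name, sector in (("sample", SAMPLE_MBR), ("tampered", tampered_sample())):
        info = check_mbr(sector, KNOWN_GOOD)
        print(name, info["status"], info["code_sha1"])
        for p in info["partitions"]:
            print(f"  partition {p['index']}: type 0x{p['type']:02X} "
                  f"LBA {p['lba_start']} (offset 0x{p['byte_offset']:08X})"
                  f"{' bootable' if p['bootable'] else ''}")
```

The tampered sector keeps an intact signature and partition table, which is why a tool that only checks those would still call it fine; the code-hash comparison is what catches a bootstrap-code replacement.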

#6 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,190 posts

Posted 26 July 2011 - 08:54 AM

Let's try another.
  • Download MBRCheck.exe to your desktop.
  • XP users: double-click on MBRCheck.exe to run it.
  • Vista and Windows 7 users: right-click on MBRCheck.exe and select Run as Administrator.
  • It will show a black screen with some data on it.
  • Click on the black C:\ in the upper left hand corner of the black screen.
  • Choose Edit > Select All > Press Enter to copy the data to your clipboard.
  • Press Enter again to close MBRCheck.
  • Now open up Notepad or WordPad and paste the data in (press Control+V).

Post the results in your reply.

#7 Bo1965
  • Topic Starter
  • Members
  • 235 posts

Posted 26 July 2011 - 02:26 PM

I clicked on the link and I got a "HTTP 404 not found." Do you have another link?

#8 Bo1965
  • Topic Starter
  • Members
  • 235 posts

Posted 26 July 2011 - 02:36 PM

Ok, I got it. I went to another member's post and found one there. I ran the MBR Check and below are the results.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: EVGA
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer:
System Product Name:
Logical Drives Mask: 0x0000000c

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!
Press ENTER to exit...



MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: EVGA
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer:
System Product Name:
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 178):
0x02808000 \SystemRoot\system32\ntoskrnl.exe
0x02DF1000 \SystemRoot\system32\hal.dll
0x00BAE000 \SystemRoot\system32\kdcom.dll
0x00C8F000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00CDE000 \SystemRoot\system32\PSHED.dll
0x00CF2000 \SystemRoot\system32\CLFS.SYS
0x00E98000 \SystemRoot\system32\CI.dll
0x00F58000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00E00000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00E0F000 \SystemRoot\system32\drivers\ACPI.sys
0x00E66000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00E6F000 \SystemRoot\system32\drivers\msisadrv.sys
0x00D50000 \SystemRoot\system32\drivers\pci.sys
0x00E79000 \SystemRoot\system32\drivers\vdrvroot.sys
0x00D83000 \SystemRoot\System32\drivers\partmgr.sys
0x00D98000 \SystemRoot\system32\drivers\volmgr.sys
0x00C00000 \SystemRoot\System32\drivers\volmgrx.sys
0x00E86000 \SystemRoot\system32\drivers\pciide.sys
0x00C5C000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x00C6C000 \SystemRoot\System32\drivers\mountmgr.sys
0x00E8D000 \SystemRoot\system32\drivers\atapi.sys
0x00DAD000 \SystemRoot\system32\drivers\ataport.SYS
0x00DD7000 \SystemRoot\system32\drivers\amdxata.sys
0x0107C000 \SystemRoot\system32\drivers\fltmgr.sys
0x010C8000 \SystemRoot\system32\drivers\fileinfo.sys
0x01245000 \SystemRoot\System32\Drivers\Ntfs.sys
0x010DC000 \SystemRoot\System32\Drivers\msrpc.sys
0x01200000 \SystemRoot\System32\Drivers\ksecdd.sys
0x0113A000 \SystemRoot\System32\Drivers\cng.sys
0x0121B000 \SystemRoot\System32\drivers\pcw.sys
0x0122C000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x014F5000 \SystemRoot\system32\drivers\ndis.sys
0x01400000 \SystemRoot\system32\drivers\NETIO.SYS
0x01460000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01678000 \SystemRoot\System32\drivers\tcpip.sys
0x0187C000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x018C6000 \SystemRoot\system32\drivers\volsnap.sys
0x01912000 \SystemRoot\System32\Drivers\spldr.sys
0x0191A000 \SystemRoot\System32\drivers\rdyboost.sys
0x01954000 \SystemRoot\System32\Drivers\mup.sys
0x01966000 \SystemRoot\System32\drivers\hwpolicy.sys
0x0196F000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x019A9000 \SystemRoot\system32\DRIVERS\disk.sys
0x019BF000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x01628000 \SystemRoot\system32\drivers\cdrom.sys
0x0148B000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0x01652000 \SystemRoot\System32\Drivers\Null.SYS
0x0165B000 \SystemRoot\System32\Drivers\Beep.SYS
0x01662000 \SystemRoot\System32\drivers\vga.sys
0x014BC000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x014E1000 \SystemRoot\System32\drivers\watchdog.sys
0x015E8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x015F1000 \SystemRoot\system32\drivers\rdpencdd.sys
0x01236000 \SystemRoot\system32\drivers\rdprefmp.sys
0x013E8000 \SystemRoot\System32\Drivers\Msfs.SYS
0x011AC000 \SystemRoot\System32\Drivers\Npfs.SYS
0x011BD000 \SystemRoot\system32\DRIVERS\tdx.sys
0x013F3000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x040AF000 \SystemRoot\system32\drivers\afd.sys
0x04138000 \SystemRoot\System32\DRIVERS\netbt.sys
0x0417D000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x04186000 \SystemRoot\system32\DRIVERS\pacer.sys
0x041AC000 \SystemRoot\system32\DRIVERS\netbios.sys
0x041BB000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x041D6000 \SystemRoot\system32\drivers\termdd.sys
0x041EA000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
0x041F4000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS
0x04000000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x04051000 \SystemRoot\system32\drivers\nsiproxy.sys
0x0405D000 \SystemRoot\system32\drivers\mssmbios.sys
0x04068000 \SystemRoot\System32\drivers\discache.sys
0x04077000 \SystemRoot\System32\Drivers\dfsc.sys
0x04095000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x01000000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x01026000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x0F058000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x0FCB4000 \SystemRoot\System32\Drivers\nvBridge.kmd
0x0FCB6000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x0FDAA000 \SystemRoot\System32\drivers\dxgmms1.sys
0x0F000000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x03E25000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x03E7B000 \SystemRoot\system32\drivers\HDAudBus.sys
0x03E9F000 \SystemRoot\system32\DRIVERS\yk62x64.sys
0x03F02000 \SystemRoot\system32\drivers\1394ohci.sys
0x03F40000 \SystemRoot\system32\drivers\i8042prt.sys
0x03F5E000 \SystemRoot\system32\drivers\kbdclass.sys
0x03F6D000 \SystemRoot\system32\drivers\wmiacpi.sys
0x03F76000 \SystemRoot\system32\drivers\CompositeBus.sys
0x03F86000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x03F9C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x03FC0000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x03FCC000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x03E00000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x0F011000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x0F032000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x0FDF0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x03E1B000 \SystemRoot\system32\drivers\swenum.sys
0x04803000 \SystemRoot\system32\drivers\ks.sys
0x04846000 \SystemRoot\system32\drivers\umbus.sys
0x04858000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x048B2000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x048C7000 \SystemRoot\system32\drivers\HdAudio.sys
0x04923000 \SystemRoot\system32\drivers\portcls.sys
0x04960000 \SystemRoot\system32\drivers\drmk.sys
0x04982000 \SystemRoot\system32\drivers\ksthunk.sys
0x04988000 \SystemRoot\System32\Drivers\crashdmp.sys
0x04996000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x049A2000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x049AB000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x00030000 \SystemRoot\System32\win32k.sys
0x049BE000 \SystemRoot\System32\drivers\Dxapi.sys
0x049CA000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00520000 \SystemRoot\System32\TSDDD.dll
0x006C0000 \SystemRoot\System32\cdd.dll
0x049D8000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x049E6000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x0F04C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x04800000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x019EF000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x01600000 \SystemRoot\system32\drivers\luafv.sys
0x0103C000 \SystemRoot\system32\drivers\WudfPf.sys
0x0105D000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x011DF000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x04C74000 \SystemRoot\system32\drivers\HTTP.sys
0x04D3D000 \SystemRoot\system32\DRIVERS\bowser.sys
0x04D5B000 \SystemRoot\System32\drivers\mpsdrv.sys
0x04D73000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x04DA0000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x04C00000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x04C24000 \SystemRoot\system32\DRIVERS\MpNWMon.sys
0x052C3000 \SystemRoot\system32\drivers\peauth.sys
0x05369000 \SystemRoot\System32\Drivers\secdrv.SYS
0x05374000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x053A5000 \SystemRoot\System32\drivers\tcpipreg.sys
0x05200000 \SystemRoot\System32\DRIVERS\srv2.sys
0x068AA000 \SystemRoot\System32\DRIVERS\srv.sys
0x06942000 \SystemRoot\system32\DRIVERS\NisDrvWFP.sys
0x00810000 \SystemRoot\System32\ATMFD.DLL
0x069C8000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x77C90000 \Windows\System32\ntdll.dll
0x482E0000 \Windows\System32\smss.exe
0xFFFB0000 \Windows\System32\apisetschema.dll
0xFF8E0000 \Windows\System32\autochk.exe
0x77E60000 \Windows\System32\normaliz.dll
0x77B30000 \Windows\System32\wininet.dll
0xFFEC0000 \Windows\System32\advapi32.dll
0xFFEA0000 \Windows\System32\sechost.dll
0x779E0000 \Windows\System32\urlmon.dll
0xFFE90000 \Windows\System32\nsi.dll
0xFFDC0000 \Windows\System32\usp10.dll
0xFFD20000 \Windows\System32\clbcatq.dll
0xFFC40000 \Windows\System32\oleaut32.dll
0xFFC20000 \Windows\System32\imagehlp.dll
0xFFBB0000 \Windows\System32\gdi32.dll
0xFFB60000 \Windows\System32\ws2_32.dll
0xFFAC0000 \Windows\System32\msvcrt.dll
0xFFAB0000 \Windows\System32\lpk.dll
0xFFA80000 \Windows\System32\imm32.dll
0xFECF0000 \Windows\System32\shell32.dll
0xFEC50000 \Windows\System32\comdlg32.dll
0x77E50000 \Windows\System32\psapi.dll
0x778E0000 \Windows\System32\user32.dll
0x777C0000 \Windows\System32\kernel32.dll
0xFEBD0000 \Windows\System32\difxapi.dll
0xFEB70000 \Windows\System32\Wldap32.dll
0xFEA40000 \Windows\System32\rpcrt4.dll
0xFE830000 \Windows\System32\ole32.dll
0xFE650000 \Windows\System32\setupapi.dll
0x775B0000 \Windows\System32\iertutil.dll
0xFE540000 \Windows\System32\msctf.dll
0xFE4C0000 \Windows\System32\shlwapi.dll
0xFE4A0000 \Windows\System32\devobj.dll
0xFE460000 \Windows\System32\cfgmgr32.dll
0xFE3C0000 \Windows\System32\comctl32.dll
0xFE350000 \Windows\System32\KernelBase.dll
0xFE310000 \Windows\System32\wintrust.dll
0xFE1A0000 \Windows\System32\crypt32.dll
0xFE190000 \Windows\System32\msasn1.dll

Processes (total 55):
0 System Idle Process
4 System
280 C:\Windows\System32\smss.exe
360 csrss.exe
420 C:\Windows\System32\wininit.exe
448 csrss.exe
484 C:\Windows\System32\services.exe
504 C:\Windows\System32\lsass.exe
512 C:\Windows\System32\lsm.exe
628 C:\Windows\System32\winlogon.exe
656 C:\Windows\System32\svchost.exe
720 C:\Windows\System32\nvvsvc.exe
760 C:\Windows\System32\svchost.exe
824 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
896 C:\Windows\System32\svchost.exe
928 C:\Windows\System32\svchost.exe
972 C:\Windows\System32\svchost.exe
556 C:\Windows\System32\svchost.exe
1056 C:\Windows\System32\svchost.exe
1180 C:\Windows\System32\spoolsv.exe
1208 C:\Windows\System32\svchost.exe
1316 C:\Program Files\SUPERAntiSpyware\SASCore64.exe
1352 C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
1484 C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
1496 C:\Windows\System32\nvvsvc.exe
1652 C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
1856 C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
1908 C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
1940 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
1536 C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
684 C:\Windows\System32\SearchIndexer.exe
2136 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2212 C:\Windows\System32\svchost.exe
2388 C:\Windows\System32\dwm.exe
2408 C:\Windows\explorer.exe
2488 C:\Windows\System32\taskhost.exe
2644 C:\Program Files\Microsoft Security Client\msseces.exe
2768 C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
2776 C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe
2868 C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
2876 C:\Program Files (x86)\QuickTime\qttask.exe
2932 C:\Windows\System32\svchost.exe
1660 C:\Program Files\Windows Media Player\wmpnetwk.exe
2276 WmiPrvSE.exe
1572 C:\Windows\System32\svchost.exe
3436 dllhost.exe
3560 C:\Program Files (x86)\Internet Explorer\iexplore.exe
3612 C:\Program Files (x86)\Internet Explorer\iexplore.exe
3820 C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10t_ActiveX.exe
1532 C:\Windows\System32\svchost.exe
3692 <unknown>
2192 C:\Windows\System32\audiodg.exe
496 C:\Users\Bo's\Desktop\MBRCheck.exe
3324 C:\Windows\System32\conhost.exe
3836 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)

PhysicalDrive0 Model Number: WDCWD1002FAEX-00Z3A0, Rev: 05.01D05

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!
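A triage pass over the two listings MBRCheck prints, as an added Python example that is not part of this thread or of MBRCheck itself: it parses the "Kernel Drivers" and "Processes" sections and returns drivers loaded from outside the Windows directory plus processes listed without an image path. `SAMPLE_LOG` is constructed in the shape of the output above; the SUPERAntiSpyware driver line is copied from that output, the `xyz.sys` path is invented, and the Windows-directory prefixes assume C: is the system drive. The result is a review queue, not a verdict: the SUPERAntiSpyware drivers are legitimate third-party drivers, and csrss.exe and `<unknown>` appear without a path in the real listing too, so each item needs a second look rather than being read as malicious.

```python
import re
from typing import Dict

# Constructed sample in the shape of MBRCheck output. The SUPERAntiSpyware line is
# copied from the listing above; the xyz.sys line is invented for the demo.
SAMPLE_LOG = r"""
MBRCheck, version 1.2.3
Windows Version: Windows 7 Home Premium Edition

Kernel Drivers (total 5):
0x02808000 \SystemRoot\system32\ntoskrnl.exe
0x041EA000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
0x00030000 \SystemRoot\System32\win32k.sys
0x77C90000 \Windows\System32\ntdll.dll
0x0F058000 \??\C:\Users\Public\tmp\xyz.sys

Processes (total 5):
0 System Idle Process
4 System
360 csrss.exe
2408 C:\Windows\explorer.exe
3692 <unknown>

931 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
"""

SECTION_RE = re.compile(r"^(Kernel Drivers|Processes) \(total \d+\):$")
DRIVER_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(.+)$")
PROCESS_RE = re.compile(r"^(\d+)\s+(.+)$")

# Load paths treated as "inside Windows"; assumes C: is the system drive.
WINDOWS_PREFIXES = ("\\systemroot\\", "\\windows\\", "c:\\windows\\")


def parse_mbrcheck(text: str) -> Dict[str, list]:
    """Split MBRCheck output into (address, path) drivers and (pid, image) processes.
    A blank line ends a section, as it does in the real output, so the disk
    summary that follows the process list is not mistaken for a process."""
    report: Dict[str, list] = {"drivers": [], "processes": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Kernel Drivers":
            m = DRIVER_RE.match(line)
            if m:
                report["drivers"].append((int(m.group(1), 16), m.group(2)))
        elif section == "Processes":
            m = PROCESS_RE.match(line)
            if m:
                report["processes"].append((int(m.group(1)), m.group(2)))
    return report


def _normalize(path: str) -> str:
    """Lower-case and strip the NT object-manager prefix (\??\) if present."""
    p = path.lower()
    return p[4:] if p.startswith("\\??\\") else p


def triage(report: Dict[str, list]) -> Dict[str, list]:
    """Review queue: drivers loaded from outside the Windows directory and
    processes listed without an image path (PIDs 0 and 4 never have one)."""
    findings: Dict[str, list] = {"drivers_outside_windows": [], "processes_without_path": []}
    for _addr, path in report["drivers"]:
        if not _normalize(path).startswith(WINDOWS_PREFIXES):
            findings["drivers_outside_windows"].append(path)
    for pid, image in report["processes"]:
        if pid in (0, 4):
            continue
        if "\\" not in image:
            findings["processes_without_path"].append((pid, image))
    return findings


if __name__ == "__main__":
    for key, items in triage(parse_mbrcheck(SAMPLE_LOG)).items():
        print(key)
        for item in items:
            print("   ", item)
```

Run against the full listing above, the same pass returns only the two SUPERAntiSpyware drivers and the two path-less processes, which is a short list to check by hand against what is actually installed.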

#9 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,190 posts

Posted 26 July 2011 - 03:15 PM

OK, there is a rootkit that needs special attention.
Please back up data as instructed in the guide below. We will need to rewrite your MBR to fix this and while most times this can be done without any problem, these infections can react badly and that could result in a PC not being bootable. You really don't have much choice though since these infections are too dangerous to your security to leave on a PC.


Please go here: Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Skip the GMER step and include the MBR log you posted earlier.
Let me know if that went well.

#10 Bo1965
  • Topic Starter
  • Members
  • 235 posts

Posted 27 July 2011 - 12:56 AM

Will do, thank you for your time in helping me clean up this mess.

#11 Orange Blossom
    OBleepin Investigator
  • Moderator
  • 36,946 posts

Posted 05 August 2011 - 01:10 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic411635.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take a few more days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



