Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infection might have caused disappearance of partitions from disk management


  • This topic is locked This topic is locked
2 replies to this topic

#1 ouanixi

ouanixi

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:37 PM

Posted 27 July 2011 - 07:30 AM

Hello everyone,
My HP recovery doesn't seem to be working. I'm wanting to reinstall everything to their factory settings but when I hit F11 windows just starts automatically.
I have been told to go and activate my recovery partition on the disk manager, but none of my partitions (C: and D:) is there. The only drive I can see is the DVD/CD one.
I have been told that this might be caused by an infection on the ATAPI.SYS file and this is why I am here, I read through the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" and I did some scans with DDS and GMER. I'm posting the logs here.... I'd be very greatful if someone could help me with this, I really need to install the original windows vista that came with this laptop, this laptop doesn't seem fit for Windows 7.
Thanks A lot.





.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_24
Run by Mehdi at 14:00:44 on 2011-07-27
Microsoft Windows 7 Édition Intégrale 6.1.7600.0.1252.33.1036.18.3070.1924 [GMT 2:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_9691412ff1876250\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_9691412ff1876250\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Windows\System32\spool\drivers\w32x86\3\CNAP2LAK.EXE
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Windows Searchqu Toolbar\Datamngr\datamngrUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Larousse\Petit Larousse 2009\bin\Hyperappel.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\CNAP2RPK.EXE
C:\Windows\system32\spool\DRIVERS\W32X86\3\CNAB8SWK.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=fr_fr&c=83&bd=Pavilion&pf=cnnb
uStart Page = hxxp://search.babylon.com/?babsrc=HP_ss&mntrId=042b43300000000000000016ead9e4a5&tlver=1.4.19.19&affID=17159
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=fr_fr&c=83&bd=Pavilion&pf=cnnb
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=042b43300000000000000016ead9e4a5&tlver=1.4.19.19&affID=17159
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: CescrtHlpr Object: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\program files\babylontoolbar\babylontoolbar\1.4.19.19\bh\BabylonToolbar.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Searchqu Toolbar: {7ff99715-3016-4381-84ce-e4e4c9673020} - c:\progra~1\wia6eb~1\toolbar\SearchquDx.dll
BHO: Programme d'aide de l'Assistant de connexion Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Searchqu Toolbar: {7ff99715-3016-4381-84ce-e4e4c9673020} - c:\progra~1\wia6eb~1\toolbar\SearchquDx.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - c:\program files\babylontoolbar\babylontoolbar\1.4.19.19\BabylonToolbarTlbr.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [EPSON SX110 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifbe.exe /fu "c:\windows\temp\E_SC352.tmp" /EF "HKCU"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [adiras] adiras.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\2.0"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [CNAP2 Launcher] c:\windows\system32\spool\drivers\w32x86\3\CNAP2LAK.EXE
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [DATAMNGR] c:\progra~1\wia6eb~1\datamngr\DATAMN~1.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BabylonToolbar] "c:\program files\babylontoolbar\babylontoolbar\1.4.19.19\BabylonToolbarsrv.exe" /md I
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [svchost] c:\windows\temp\ysvo\setup.exe
dRun: [hbhaz] c:\windows\system32\config\systemprofile\hbhaz.exe /d
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hypera~1.lnk - c:\program files\larousse\petit larousse 2009\bin\Hyperappel.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Ajouter la cible du lien à un fichier PDF existant - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Ajouter à un fichier PDF existant - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir au format Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir la cible du lien au format Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{23FF552B-988F-4A78-96EF-710159F08D53} : DhcpNameServer = 10.21.203.10 10.1.6.10 10.1.7.10
TCP: Interfaces\{E078E434-C941-4BF2-9E81-E8B25728479F} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E078E434-C941-4BF2-9E81-E8B25728479F}\350756564645F6573686146324638364 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{E078E434-C941-4BF2-9E81-E8B25728479F}\4505D2C494E4B4F5643363546364 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E078E434-C941-4BF2-9E81-E8B25728479F}\5405145544A5 : DhcpNameServer = 193.194.64.11 8.8.8.8
TCP: Interfaces\{E078E434-C941-4BF2-9E81-E8B25728479F}\8474532303 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E078E434-C941-4BF2-9E81-E8B25728479F}\84F64756C6D224F65727E616E656 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E078E434-C941-4BF2-9E81-E8B25728479F}\E4544574541425 : DhcpNameServer = 10.0.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\wia6eb~1\datamngr\datamngr.dll acaptuser32.dll
SecurityProviders: credssp.dll, mqdmybni.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\mehdi\appdata\roaming\mozilla\firefox\profiles\ztan4jln.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=402&q=
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\windows searchqu toolbar\datamngr\firefoxextension\components\DataMngrHlp.dll
FF - component: c:\users\mehdi\appdata\roaming\mozilla\firefox\profiles\ztan4jln.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1739.5352\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.51204.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\mehdi\appdata\roaming\mozilla\firefox\profiles\ztan4jln.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\mehdi\appdata\roaming\mozilla\plugins\np-mswmp.dll
FF - plugin: c:\users\mehdi\appdata\roaming\mozilla\plugins\npcoolirisplugin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
user_pref(extensions.kwiclick.channel.campaign,'AddonFoxInt');
user_pref(extensions.kwiclick.channel.content,'AddonFoxInt');
user_pref(extensions.kwiclick.channel.id,'AddonFoxInt');
user_pref(extensions.kwiclick.channel.cse,'009607407620987551725:3hfwsbgoj80');
user_pref(extensions.kwiclick.channel.medium,'cpa');
user_pref(extensions.kwiclick.channel.source,'AddonFoxInt');
user_pref(extensions.kwiclick.channel.set,true);
user_pref(extensions.kwiclick.channel.campaign,'AddonFoxInt');
user_pref(extensions.kwiclick.channel.content,'AddonFoxInt');
user_pref(extensions.kwiclick.channel.id,'AddonFoxInt');
user_pref(extensions.kwiclick.channel.cse,'009607407620987551725:3hfwsbgoj80');
user_pref(extensions.kwiclick.channel.medium,'cpa');
user_pref(extensions.kwiclick.channel.source,'AddonFoxInt');
user_pref(extensions.kwiclick.channel.set,true);
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_9691412ff1876250\AEstSrv.exe [2009-3-2 81920]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2008-3-18 19456]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\sony ericsson\sony ericsson pc suite\SupServ.exe [2010-3-8 90112]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-7-30 361808]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-1-24 52736]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-7-8 96856]
R3 NETw5s32;Pilote de carte Intel® Wireless WiFi Link pour Windows 7 32 bits ;c:\windows\system32\drivers\NETw5s32.sys [2010-1-13 6755840]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-2-6 66664]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-2 139776]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-3-8 27632]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S2 ELOADER;General Purpose USB Driver (adildr.sys);c:\windows\system32\drivers\adildr.sys [2009-4-12 56088]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2009-7-14 20992]
S2 gupdate;gupdate;c:\program files\google\update\GoogleUpdate.exe [2009-10-17 133104]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-7-30 193840]
S3 gupdatem;Service Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-10-17 133104]
S3 netw5v32;Pilote de carte de liaison WiFi sans fil Intel® 5000 Series pour Windows Vista 32 bits;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2010-3-8 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2010-3-8 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2010-3-8 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2010-3-8 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2010-3-8 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2010-3-8 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2010-3-8 115752]
S3 WatAdminSvc;Service Windows Activation Technologies;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-14 1343400]
.
=============== Created Last 30 ================
.
2011-07-27 00:29:11 -------- d-----w- c:\users\mehdi\appdata\roaming\Malwarebytes
2011-07-27 00:29:06 -------- d-----w- c:\programdata\Malwarebytes
2011-07-27 00:22:44 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-07-27 00:22:43 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
.
==================== Find3M ====================
.
2005-09-30 01:42:57 161792 ----a-w- c:\program files\Mssv29.asi
2005-09-30 01:42:57 142848 ----a-w- c:\program files\Mssv12.asi
2005-09-30 01:42:57 125952 ----a-w- c:\program files\Mp3dec.asi
2011-01-22 13:57:28 241664 --sh--r- c:\windows\system32\config\systemprofile\hbhaz.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: Hitachi_HTS542525K9A300 rev.BBFOC3MP -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x87005555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8700b7b0]; MOV EAX, [0x8700b82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x8345B458] -> \Device\Harddisk0\DR0[0x86FE3030]
3 CLASSPNP[0x8C0A359E] -> ntkrnlpa!IofCallDriver[0x8345B458] -> [0x86EF6E80]
\Driver\atapi[0x86FE6918] -> IRP_MJ_CREATE -> 0x87005555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskHitachi_HTS542525K9A300_________________BBFOC3MP#5&3a2ba34&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 488397166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 14:01:08,88 ===============





-------------------------------------------------------------------------------------------------------------------------------------------------------------------------






GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-27 14:29:30
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HTS542525K9A300 rev.BBFOC3MP
Running: gmer.exe; Driver: C:\Users\Mehdi\AppData\Local\Temp\ugryrfob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83462599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83486F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 A21A4000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 A21A4123 629 Bytes [F5, 19, A2, FE, 05, 34, F5, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 A21A4399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F A21A43FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B A21A44AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...
? C:\Users\Mehdi\AppData\Local\Temp\mbr.sys Le fichier spécifié est introuvable. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[952] ntdll.dll!NtProtectVirtualMemory 77265360 5 Bytes JMP 003B000A
.text C:\Windows\system32\svchost.exe[952] ntdll.dll!NtWriteVirtualMemory 77265EE0 5 Bytes JMP 003C000A
.text C:\Windows\system32\svchost.exe[952] ntdll.dll!KiUserExceptionDispatcher 77266448 5 Bytes JMP 0028000A
.text C:\Windows\system32\svchost.exe[952] ole32.dll!CoCreateInstance 7706590C 5 Bytes JMP 0065000A
.text C:\Windows\system32\svchost.exe[952] USER32.dll!GetCursorPos 76CBC198 5 Bytes JMP 0067000A
.text C:\Windows\system32\svchost.exe[952] USER32.dll!GetForegroundWindow 76CC565D 5 Bytes JMP 0069000A
.text C:\Windows\system32\svchost.exe[952] USER32.dll!WindowFromPoint 76CE6D0C 5 Bytes JMP 0068000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1276] ntdll.dll!NtProtectVirtualMemory 77265360 5 Bytes JMP 0036000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1276] ntdll.dll!NtWriteVirtualMemory 77265EE0 5 Bytes JMP 0038000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1276] ntdll.dll!KiUserExceptionDispatcher 77266448 5 Bytes JMP 0035000A
.text C:\Windows\Explorer.EXE[3388] ntdll.dll!NtProtectVirtualMemory 77265360 5 Bytes JMP 0090000A
.text C:\Windows\Explorer.EXE[3388] ntdll.dll!NtWriteVirtualMemory 77265EE0 5 Bytes JMP 0091000A
.text C:\Windows\Explorer.EXE[3388] ntdll.dll!KiUserExceptionDispatcher 77266448 5 Bytes JMP 008F000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3804] USER32.dll!SetWindowLongA 76CBB1E3 5 Bytes JMP 645EEDA6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3804] USER32.dll!SetWindowLongW 76CC6614 5 Bytes JMP 645EED38 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3804] USER32.dll!GetWindowInfo 76CC6A82 5 Bytes JMP 64405451 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3804] USER32.dll!TrackPopupMenu 76CE4B3B 5 Bytes JMP 64405A99 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Runtime de l’infrastructure de pilotes en mode noyau/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Runtime de l’infrastructure de pilotes en mode noyau/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskHitachi_HTS542525K9A300_________________BBFOC3MP#5&3a2ba34&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\HidBth
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\HidBth (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-71799018-3844735601-810654179-1000@RefCount 6
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Mehdi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Earth\Démarrer Google\x00a0Earth en mode DirectX.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth\Démarrer Google\x00a0Earth en mode DirectX.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Mehdi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Earth\Google\x00a0Earth.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth\Google\x00a0Earth.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Mehdi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Earth\Démarrer Google\x00a0Earth en mode OpenGL.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth\Démarrer Google\x00a0Earth en mode OpenGL.lnk 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

Sorry I forgot to attach the DDS attach.txt

:)

EDIT: Posts merged ~Budapest

Attached Files


Edited by Budapest, 27 July 2011 - 08:42 PM.


BC AdBot (Login to Remove)

 


#2 ouanixi

ouanixi
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:37 PM

Posted 29 July 2011 - 04:30 AM

Problem solved. Kaspersky was the solution. Factory settings recovered and comuputer working perfectly.

Thanks.

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,947 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:11:37 PM

Posted 05 August 2011 - 12:53 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users