
Rootkit in MBR:\\.\physicaldevice0


  • This topic is locked
5 replies to this topic

#1 G2442g

G2442g

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:35 PM

Posted 12 September 2011 - 02:16 PM

Because I had the following issues I set my computer back to factory settings:

- My computer wanted to format every USB storage device I inserted (this was the reason for me to re-install)
- Checkdisk and System File Checker detected a lot of registry errors they couldn't fix.
- I couldn't create a partition larger than 1,87 GB of space (and only one)
- System restore was turned off and I couldn't get it turned on again.

During the re-installation I wasn't looking at my computer the entire time, so my first hint something was wrong was an error report that indicated there had been a bluescreen issue during the re-installation of my computer.
An Avast scan found out there was a rootkit in MBR:\\.\physicaldevice0, but Avast couldn't remove it without having to resort to system restore to make my system start up properly after removing it. So basically, system restore changed it back the way it was before Avast tried to remove the rootkit... so the rootkit was still there.
I tried to remove it with Avast twice.

The content of the DDS log:
-------------


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6002.18005
Run by MarcelF at 19:45:03 on 2011-09-12
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.31.1033.18.3038.1284 [GMT 2:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
"C:\Windows\system32\svchost.exe"
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k yksvcs
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Sony\Network Utility\NSUService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Sony\VAIO Power Management\SPMService.exe
C:\Program Files\Sony\VAIO Reminder\VAIOReminder.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Sony\Marketing Tools\MarketingTools.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Sony\Network Utility\LANUtil.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\conime.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\MarcelF\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MarcelF\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MarcelF\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\MarcelF\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MarcelF\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MarcelF\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNYT&bmod=EU01
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SNYT&bmod=EU01
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNYT&bmod=SNYT
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SNYT&bmod=EU01
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110912100829.dll
BHO: Partner BHO Class: {83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} - c:\programdata\partner\partner.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [NSUFloatingUI] "c:\program files\sony\network utility\LANUtil.exe"
uRun: [Google Update] "c:\users\marcelf\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [MarketingTools] c:\program files\sony\marketing tools\MarketingTools.exe
mRun: [AML] c:\program files\sony\vaio launcher\AML.exe InitApp
mRun: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: DhcpNameServer = 131.174.78.16 131.174.78.17
TCP: Interfaces\{5DFAC4C5-23F2-410F-A5CC-2C39F6DFFE57} : DhcpNameServer = 131.174.78.16 131.174.78.17
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-9-12 387480]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-9-12 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-9-12 320856]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2011-9-12 64584]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-9-12 165032]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-9-12 20568]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-9-12 54616]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-9-12 44768]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2011-9-12 198432]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-9-12 271480]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-9-12 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-9-12 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-9-12 141792]
R2 NSUService;NSUService;c:\program files\sony\network utility\NSUService.exe [2011-9-12 303104]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032]
R2 uCamMonitor;CamMonitor;c:\program files\arcsoft\magic-i visual effects 2\uCamMonitor.exe [2011-9-12 104960]
R2 VAIO Power Management;VAIO Power Management;c:\program files\sony\vaio power management\SPMService.exe [2009-3-24 415592]
R2 VCFw;VAIO Content Folder Watcher;c:\program files\common files\sony shared\vaio content folder watcher\VCFw.exe [2009-1-14 5184872]
R2 yksvc;Marvell Yukon Service;c:\windows\system32\svchost.exe -k yksvcs [2008-1-21 21504]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [2011-9-12 17920]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-3-24 29736]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-9-12 56064]
R3 JMCR_CFS;JMCR_CFS;c:\windows\system32\drivers\jmcr_cfs.sys [2009-3-24 55696]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-9-12 314088]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-8-29 3664384]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-3-24 44064]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2009-3-24 9344]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-9-11 41272]
S2 0197341315781654mcinstcleanup;McAfee Application Installer Cleanup (0197341315781654);c:\windows\temp\019734~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\019734~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-9-12 271480]
S2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-9-12 171168]
S3 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-12-9 169312]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2011-9-12 30192]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-9-12 153280]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-9-12 52320]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-9-12 84488]
S3 Partner Service;Partner Service;c:\programdata\partner\partner.exe [2011-9-12 111088]
S3 SOHCImp;VAIO Media plus Content Importer;c:\program files\common files\sony shared\sohlib\SOHCImp.exe [2011-9-12 120104]
S3 SOHDBSvr;VAIO Media plus Database Manager;c:\program files\common files\sony shared\sohlib\SOHDBSvr.exe [2011-9-12 70952]
S3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\common files\sony shared\sohlib\SOHDms.exe [2011-9-12 390440]
S3 SOHDs;VAIO Media plus Device Searcher;c:\program files\common files\sony shared\sohlib\SOHDs.exe [2011-9-12 75048]
S3 SOHPlMgr;VAIO Media plus Playlist Manager;c:\program files\common files\sony shared\sohlib\SOHPlMgr.exe [2011-9-12 91432]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\sony\vcm intelligent analyzing manager\VcmIAlzMgr.exe [2011-9-12 394536]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\common files\sony shared\vcmxml\VcmXmlIfHelper.exe [2011-9-12 83240]
.
=============== Created Last 30 ================
.
2011-09-12 08:08:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-09-12 08:08:17 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-09-12 08:08:14 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-09-12 08:08:14 64584 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-09-12 08:08:14 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-09-12 08:08:14 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-09-12 08:08:14 165032 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-09-12 08:08:13 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-09-12 08:08:13 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-09-12 08:08:13 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-09-12 08:08:13 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-09-12 00:44:44 -------- d-----w- C:\_FS_SWRINFO
2011-09-12 00:44:43 -------- d-----w- C:\Documentation
2011-09-12 00:44:24 -------- d-----w- c:\programdata\Roaming
2011-09-12 00:43:59 -------- d-----w- c:\program files\Cisco
2011-09-12 00:43:58 -------- d-----w- c:\program files\common files\Intel
2011-09-12 00:43:05 -------- d-----w- c:\program files\Windows Live SkyDrive
2011-09-12 00:42:09 140779848 ----a-w- c:\program files\common files\windows live\.cache\wlcD77A.tmp
2011-09-12 00:42:03 -------- d-----w- c:\program files\common files\Windows Live
2011-09-12 00:41:44 1645320 ----a-w- c:\windows\system32\gdiplus.dll
2011-09-12 00:38:52 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2011-09-12 00:37:59 98304 ----a-w- c:\windows\system32\VESWinlogon.dll
2011-09-12 00:31:19 -------- d-----w- c:\program files\Skype
2011-09-12 00:31:10 -------- d-----w- c:\programdata\Uninstall
2011-09-12 00:30:57 -------- d-----w- c:\program files\Roxio
2011-09-12 00:30:36 -------- d-----w- c:\program files\common files\Sonic Shared
2011-09-12 00:30:12 129520 ------w- c:\windows\system32\pxafs.dll
2011-09-12 00:26:37 -------- d-----w- c:\programdata\Symantec
2011-09-12 00:26:37 -------- d-----w- c:\program files\Symantec
2011-09-12 00:25:09 -------- d-----w- c:\program files\Microsoft Office Suite Activation Assistant
2011-09-12 00:23:02 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
2011-09-12 00:23:02 32592 ----a-w- c:\windows\system32\msonpmon.dll
2011-09-12 00:22:23 -------- d-----w- c:\windows\PCHEALTH
2011-09-12 00:16:34 -------- d-----w- c:\program files\common files\McAfee
2011-09-12 00:16:11 -------- d-----w- c:\program files\McAfee.com
2011-09-12 00:16:09 -------- d-----w- c:\program files\McAfee
2011-09-12 00:14:51 -------- d-----w- c:\program files\DivX
2011-09-12 00:14:51 -------- d-----w- c:\program files\common files\DivX Shared
2011-09-12 00:10:27 -------- d-----w- c:\program files\common files\InterVideo
2011-09-12 00:06:47 -------- d-----w- c:\programdata\eSellerate
2011-09-12 00:06:46 -------- d-----w- c:\programdata\SmartSound Software Inc
2011-09-12 00:06:41 -------- d-----w- c:\program files\SmartSound Software
2011-09-12 00:01:48 -------- d-----w- c:\program files\common files\Macrovision Shared
2011-09-12 00:01:28 -------- d-----w- c:\program files\common files\PX Storage Engine
2011-09-11 23:59:27 -------- d-----w- c:\windows\Sonysys
2011-09-11 22:45:03 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-11 22:45:01 54616 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-09-11 22:43:12 41184 ----a-w- c:\windows\avastSS.scr
2011-09-11 20:35:57 -------- d-----w- c:\programdata\AVAST Software
2011-09-11 20:35:57 -------- d-----w- c:\program files\AVAST Software
2011-09-11 20:26:25 -------- d-----w- c:\program files\Microsoft
2011-09-11 20:24:50 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlc2167.tmp
2011-09-11 20:07:21 -------- d-----w- c:\windows\system32\eu-ES
2011-09-11 20:07:21 -------- d-----w- c:\windows\system32\ca-ES
2011-09-11 20:07:20 -------- d-----w- c:\windows\system32\vi-VN
2011-09-11 20:03:41 -------- d-----w- c:\windows\system32\SPReview
2011-09-11 19:52:11 928768 ----a-w- c:\windows\system32\scavenge.dll
2011-09-11 19:52:00 57856 ----a-w- c:\windows\system32\compcln.exe
2011-09-11 19:45:57 941056 ----a-w- c:\program files\common files\microsoft shared\ink\ShapeCollector.exe
2011-09-11 19:36:48 14744 ----a-w- c:\users\marcelf\appdata\roaming\microsoft\identitycrl\production\ppcrlconfig.dll
2011-09-11 19:36:21 -------- d-----w- c:\users\marcelf\Tracing
2011-09-11 19:29:49 -------- d-----w- c:\windows\system32\EventProviders
2011-09-11 19:10:50 -------- d-----w- c:\users\marcelf\appdata\roaming\Malwarebytes
2011-09-11 19:10:28 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-11 19:10:27 -------- d-----w- c:\programdata\Malwarebytes
2011-09-11 19:10:23 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-11 19:10:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-11 18:44:26 -------- d-----w- c:\users\marcelf\appdata\local\{0E6C5F86-961A-44F9-9EB8-58B52CBB1367}
2011-09-11 16:35:13 172032 ----a-w- c:\windows\system32\wintrust.dll
2011-09-11 16:35:11 98304 ----a-w- c:\windows\system32\cabview.dll
2011-09-11 16:22:36 2421760 ----a-w- c:\windows\system32\wucltux.dll
2011-09-11 16:22:09 87552 ----a-w- c:\windows\system32\wudriver.dll
2011-09-11 16:22:08 -------- d-----w- c:\users\marcelf\appdata\local\Deployment
2011-09-11 16:22:08 -------- d-----w- c:\users\marcelf\appdata\local\Apps
2011-09-11 16:22:03 33792 ----a-w- c:\windows\system32\wuapp.exe
2011-09-11 16:22:03 171608 ----a-w- c:\windows\system32\wuwebv.dll
2011-09-11 16:20:30 -------- d-----w- c:\users\marcelf\appdata\local\Sony_Corporation
2011-09-11 16:20:18 -------- d-----w- c:\users\marcelf\appdata\local\Google
2011-09-11 16:20:10 -------- d-----w- c:\users\marcelf\appdata\local\Broadcom
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe >>UNKNOWN [0x88BCBA0A]<<
_asm { MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; PUSH EBX; MOV EBX, [EBP+0xc]; MOV EAX, [EBX+0x60]; MOV ECX, [EAX+0xc]; OR ECX, [EAX+0x10]; PUSH ESI; JNZ 0x94; MOV ESI, 0x200; CMP [EAX+0x4], ESI; JB 0x94; }
1 ntkrnlpa!IofCallDriver[0x81E80912] -> \Device\Harddisk0\DR0[0x859EBAC8]
\Driver\disk[0x84189A50] -> IRP_MJ_READ -> 0x88BCBA0A
kernel: MBR read successfully
_asm { NOP ; XOR AX, AX; NOP ; MOV DS, AX; MOV ES, AX; NOP ; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; NOP ; MOV DI, 0x600; NOP ; MOV CX, 0x80; NOP ; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x626; }
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 19:46:16,69 ===============
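The ROOTKIT section of the DDS log above is the interesting part for a responder: the detector reads sector 0 twice, once through the normal user-mode path and once from inside the kernel below the disk driver stack, and reports "user != kernel MBR" because the two copies disagree, while the disk trace shows IRP_MJ_READ for \Device\Harddisk0 being serviced by an address that belongs to no known module. The following Python script is an added example, not code from the thread, from GMER, or from any of the tools mentioned: it parses a 512-byte MBR (boot signature and partition table), reports where two views of the sector differ, and extracts those three indicators from detector output. The MBR bytes it builds are constructed samples; the log lines are quoted from the DDS output above.

```python
import re
import struct
from dataclasses import dataclass

MBR_SIZE = 512
CODE_END = 446            # bootstrap code occupies bytes 0..445
TABLE_END = 510           # four 16-byte partition entries occupy 446..509
BOOT_SIGNATURE = b"\x55\xAA"


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes) -> list:
    """Validate the boot signature and return the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[TABLE_END:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = CODE_END + 16 * i
        # status, 3 CHS-start bytes (skipped), type, 3 CHS-end bytes (skipped),
        # LBA of first sector, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def compare_mbr_views(user_view: bytes, kernel_view: bytes) -> dict:
    """Report where two reads of sector 0 disagree and which region is affected.

    A bootkit that filters disk reads can hand user-mode callers a clean copy of
    the sector while the disk itself holds modified code; the detector line
    "user != kernel MBR" in the thread is exactly this comparison.
    """
    diffs = [i for i in range(MBR_SIZE) if user_view[i] != kernel_view[i]]
    return {
        "identical": not diffs,
        "first_diff_offset": diffs[0] if diffs else None,
        "code_differs": any(i < CODE_END for i in diffs),
        "table_differs": any(CODE_END <= i < TABLE_END for i in diffs),
        "signature_differs": any(i >= TABLE_END for i in diffs),
    }


# Patterns matching the detector lines quoted from the DDS log in this thread.
_UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
_READ_HOOK = re.compile(r"IRP_MJ_READ -> (0x[0-9A-Fa-f]+)")
_MISMATCH = re.compile(r"user != kernel MBR")


def scan_detector_log(lines) -> list:
    """Return (indicator, value) tuples a responder would triage from detector output."""
    findings = []
    for line in lines:
        m = _UNKNOWN_MODULE.search(line)
        if m:
            findings.append(("unknown_module_in_disk_stack", m.group(1)))
        m = _READ_HOOK.search(line)
        if m:
            findings.append(("irp_mj_read_redirected", m.group(1)))
        if _MISMATCH.search(line):
            findings.append(("user_kernel_mbr_mismatch", None))
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code, one bootable NTFS partition, signature."""
    sector = bytearray(MBR_SIZE)
    sector[0:4] = b"\x33\xC0\x8E\xD0"   # xor ax,ax / mov ss,ax: ordinary bootstrap prologue
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    sector[CODE_END:CODE_END + 16] = entry
    sector[TABLE_END:] = BOOT_SIGNATURE
    return bytes(sector)


CLEAN_MBR = build_sample_mbr()
# Constructed "kernel view": identical partition table, but the bootstrap code was overwritten.
TAMPERED_MBR = b"\xEB\x10\x90\x90" + CLEAN_MBR[4:]

# Detector lines quoted from the DDS log above.
SAMPLE_LOG = [
    "called modules: ntkrnlpa.exe >>UNKNOWN [0x88BCBA0A]<<",
    "\\Driver\\disk[0x84189A50] -> IRP_MJ_READ -> 0x88BCBA0A",
    "kernel: MBR read successfully",
    "user != kernel MBR !!!",
]

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print(compare_mbr_views(CLEAN_MBR, TAMPERED_MBR))
    print(scan_detector_log(SAMPLE_LOG))
```

Two points from the comparison are worth keeping in mind when reading such a log: an intact partition table with a differing code region is the pattern of a bootkit that replaced the bootstrap and kept the disk usable, and a read hook that only lies to user mode is why a scanner that reads sector 0 through ordinary file APIs (as the "error reading MBR" line shows the user-mode read attempt doing here) cannot be trusted on its own.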


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:35 AM

Posted 15 September 2011 - 08:45 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Post that log, please.
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
Please include the following in your next post:
  • TDSSKiller log
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 G2442g

G2442g
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:35 PM

Posted 16 September 2011 - 07:26 AM

Thanks for the help, I REALLY appreciate it :)
Hopefully I'm clean now...

(The Combofix log has some Dutch in it; I can translate if necessary.)

ComboFix 11-09-15.05 - MarcelF 16-09-2011 13:59:50.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.31.1033.18.3038.1853 [GMT 2:00]
Gestart vanuit: c:\users\MarcelF\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Roaming
c:\windows\system32\comct332.ocx
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2011-08-16 to 2011-09-16 ))))))))))))))))))))))))))))))
.
.
2011-09-16 12:11 . 2011-09-16 12:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-13 18:04 . 2011-09-13 18:04 -------- d-----w- c:\program files\Vuze
2011-09-13 17:11 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
2011-09-13 17:10 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
2011-09-13 17:10 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
2011-09-13 16:40 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-09-13 14:58 . 2011-09-13 14:58 -------- d-----w- c:\windows\system32\Adobe
2011-09-13 13:57 . 2007-10-22 01:37 17928 ----a-w- c:\windows\system32\X3DAudio1_2.dll
2011-09-13 13:57 . 2007-06-20 18:46 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
2011-09-13 13:57 . 2007-05-16 14:45 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2011-09-13 13:57 . 2007-05-16 14:45 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2011-09-13 13:57 . 2007-05-16 14:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2011-09-13 13:57 . 2007-04-04 16:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2011-09-13 13:57 . 2007-04-04 16:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2011-09-13 13:57 . 2007-03-15 14:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2011-09-13 13:57 . 2007-03-12 14:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2011-09-13 13:57 . 2007-03-12 14:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2011-09-13 13:57 . 2007-03-05 10:42 15128 ----a-w- c:\windows\system32\x3daudio1_1.dll
2011-09-13 13:56 . 2011-09-13 14:18 138464 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-09-13 13:56 . 2011-09-13 14:17 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-09-13 13:56 . 2011-09-13 13:56 682280 ----a-w- c:\windows\system32\pbsvc.exe
2011-09-13 13:56 . 2011-09-13 13:56 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-09-13 13:25 . 2011-09-13 13:25 -------- d-----w- c:\program files\Activision
2011-09-13 02:33 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-09-13 02:33 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-09-13 02:16 . 2011-09-13 02:16 -------- d-----w- c:\program files\Windows Portable Devices
2011-09-13 01:46 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2011-09-13 01:46 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2011-09-13 01:46 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2011-09-13 01:45 . 2009-09-25 01:33 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2011-09-13 01:45 . 2009-09-25 02:07 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2011-09-13 01:45 . 2009-09-25 02:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2011-09-13 01:45 . 2009-09-25 02:04 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2011-09-13 01:45 . 2009-09-25 01:33 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2011-09-13 01:45 . 2009-09-25 01:32 252928 ----a-w- c:\windows\system32\dxdiag.exe
2011-09-13 01:45 . 2009-09-25 01:31 519680 ----a-w- c:\windows\system32\d3d11.dll
2011-09-13 01:43 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 01:43 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-09-13 01:43 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2011-09-13 01:25 . 2009-11-08 08:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-09-13 01:25 . 2009-11-08 08:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-09-13 01:25 . 2009-11-08 08:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-09-13 01:25 . 2009-11-08 08:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-09-13 01:25 . 2009-11-08 08:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-09-13 01:21 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2011-09-13 01:20 . 2011-09-13 01:20 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2011-09-13 01:13 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2011-09-13 01:13 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2011-09-13 01:13 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2011-09-13 01:10 . 2011-09-13 01:10 -------- d-----w- c:\program files\MSXML 4.0
2011-09-13 01:04 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-09-12 08:41 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2011-09-12 08:41 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2011-09-12 08:39 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2011-09-12 08:39 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2011-09-12 08:39 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2011-09-12 08:39 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2011-09-12 08:39 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2011-09-12 08:39 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2011-09-12 08:39 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2011-09-12 08:39 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
2011-09-12 08:38 . 2011-02-22 13:23 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-09-12 08:38 . 2009-07-11 19:01 302592 ----a-w- c:\windows\system32\wlansec.dll
2011-09-12 08:38 . 2009-07-11 19:01 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2011-09-12 08:38 . 2009-07-11 17:03 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2011-09-12 08:38 . 2009-07-11 19:01 513536 ----a-w- c:\windows\system32\wlansvc.dll
2011-09-12 08:38 . 2009-07-11 19:01 65024 ----a-w- c:\windows\system32\wlanapi.dll
2011-09-12 08:38 . 2009-08-11 16:44 1401856 ----a-w- c:\windows\system32\msxml6.dll
2011-09-12 08:38 . 2011-04-14 14:59 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-09-12 08:38 . 2010-10-15 13:48 1205080 ----a-w- c:\windows\system32\ntdll.dll
2011-09-12 08:36 . 2011-02-18 14:03 305152 ----a-w- c:\windows\system32\drivers\srv.sys
2011-09-12 08:36 . 2011-07-06 15:31 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-09-12 08:36 . 2011-04-29 13:24 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-09-12 08:36 . 2011-04-29 13:24 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-12 08:36 . 2011-03-02 15:44 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-09-12 08:36 . 2009-05-04 09:59 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-09-12 08:36 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2011-09-12 08:36 . 2010-06-28 17:00 1316864 ----a-w- c:\windows\system32\ole32.dll
2011-09-12 08:36 . 2010-06-28 14:54 339968 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2011-09-12 08:36 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2011-09-12 08:35 . 2011-07-11 13:25 2048 ----a-w- c:\windows\system32\tzres.dll
2011-09-12 08:35 . 2010-08-17 14:11 128000 ----a-w- c:\windows\system32\spoolsv.exe
2011-09-12 08:35 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2011-09-12 08:35 . 2010-08-26 16:37 157184 ----a-w- c:\windows\system32\t2embed.dll
2011-09-12 08:34 . 2011-04-21 13:58 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-09-12 08:34 . 2011-06-02 13:34 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-09-12 08:34 . 2010-12-14 14:49 1169408 ----a-w- c:\windows\system32\sdclt.exe
2011-09-12 08:34 . 2010-06-17 18:08 10926592 ----a-w- c:\program files\Movie Maker\MOVIEMK.dll
2011-09-12 08:34 . 2010-06-17 16:16 150016 ----a-w- c:\program files\Movie Maker\MOVIEMK.exe
2011-09-12 08:34 . 2011-04-29 13:25 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-09-12 08:34 . 2011-04-29 13:25 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-09-12 08:34 . 2011-05-02 17:19 766464 ----a-w- c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
2011-09-12 08:34 . 2009-10-23 17:10 714240 ----a-w- c:\windows\system32\timedate.cpl
2011-09-12 08:34 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2011-09-12 08:32 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2011-09-12 08:32 . 2009-06-15 14:54 175104 ----a-w- c:\windows\system32\wdigest.dll
2011-09-12 08:32 . 2009-06-15 14:52 499712 ----a-w- c:\windows\system32\kerberos.dll
2011-09-12 08:32 . 2009-06-15 23:15 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2011-09-12 08:32 . 2009-06-15 14:52 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2011-09-12 08:32 . 2009-06-15 14:53 72704 ----a-w- c:\windows\system32\secur32.dll
2011-09-12 08:32 . 2009-06-15 12:48 9728 ----a-w- c:\windows\system32\lsass.exe
2011-09-12 08:32 . 2010-08-20 16:05 867328 ----a-w- c:\windows\system32\wmpmde.dll
2011-09-12 08:32 . 2010-01-21 15:05 62464 ----a-w- c:\windows\system32\l3codeca.acm
2011-09-12 08:32 . 2009-04-11 06:27 220672 ----a-w- c:\windows\system32\l3codecp.acm
2011-09-12 08:32 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-09-12 08:32 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-09-12 08:32 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-09-12 08:31 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-09-12 08:31 . 2010-11-04 18:55 352768 ----a-w- c:\windows\system32\taskschd.dll
2011-09-12 08:31 . 2010-11-04 18:55 601600 ----a-w- c:\windows\system32\schedsvc.dll
2011-09-12 08:31 . 2010-11-04 18:56 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-09-12 08:31 . 2010-11-04 18:55 270336 ----a-w- c:\windows\system32\taskcomp.dll
2011-09-12 08:31 . 2010-11-04 16:34 171520 ----a-w- c:\windows\system32\taskeng.exe
2011-09-12 08:31 . 2011-05-02 17:16 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-12 08:31 . 2010-10-18 13:37 81920 ----a-w- c:\windows\system32\consent.exe
2011-09-12 08:31 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
2011-09-12 08:30 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2011-09-12 08:30 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2011-09-12 08:30 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2011-09-12 08:28 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-09-12 08:28 . 2011-06-20 08:54 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-09-12 08:28 . 2011-06-20 08:54 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-09-12 08:28 . 2011-06-17 20:13 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-09-12 08:28 . 2009-12-08 17:26 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2011-09-12 08:28 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}]
2011-09-12 00:15 159728 ----a-w- c:\programdata\Partner\partner.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NSUFloatingUI"="c:\program files\Sony\Network Utility\LANUtil.exe" [2008-12-22 274432]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-01-06 6703648]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-10 835584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-12-03 35184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-24 136600]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2008-12-18 317288]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-09-11 30192]
"MarketingTools"="c:\program files\Sony\Marketing Tools\MarketingTools.exe" [2011-09-12 26112]
"AML"="c:\program files\Sony\VAIO Launcher\AML.exe" [2009-03-09 1101824]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-01-06 1833504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-06 13548064]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-06 92704]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-1-24 780840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2009-01-19 19:49 98304 ----a-w- c:\windows\System32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 0231041316174026mcinstcleanup;McAfee Application Installer Cleanup (0231041316174026);c:\windows\TEMP\023104~1.EXE [x]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [x]
R3 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-12-08 169312]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2011-09-11 30192]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
R3 Partner Service;Partner Service;c:\programdata\Partner\partner.exe [2011-09-12 111088]
R3 SOHCImp;VAIO Media plus Content Importer;c:\program files\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2009-01-20 120104]
R3 SOHDBSvr;VAIO Media plus Database Manager;c:\program files\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe [2009-01-20 70952]
R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\Common Files\Sony Shared\SOHLib\SOHDms.exe [2009-01-20 390440]
R3 SOHDs;VAIO Media plus Device Searcher;c:\program files\Common Files\Sony Shared\SOHLib\SOHDs.exe [2009-01-20 75048]
R3 SOHPlMgr;VAIO Media plus Playlist Manager;c:\program files\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe [2009-01-20 91432]
R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2009-01-19 394536]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2009-01-17 83240]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-09-06 54616]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x]
S2 NSUService;NSUService;c:\program files\Sony\Network Utility\NSUService.exe [2008-12-22 303104]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S2 uCamMonitor;CamMonitor;c:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2008-09-18 104960]
S2 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [2008-12-19 415592]
S2 VCFw;VAIO Content Folder Watcher;c:\program files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2009-01-14 5184872]
S2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe [2008-01-21 21504]
S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [2008-04-24 17920]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-02-19 29736]
S3 JMCR_CFS;JMCR_CFS;c:\windows\system32\DRIVERS\jmcr_cfs.sys [2008-11-06 55696]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-08-29 3664384]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-03-06 44064]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2008-11-19 9344]
.
.
--- Andere Services/Drivers In Geheugen ---
.
*Deregistered* - mfeavfk01
*Deregistered* - mfenlfk
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
yksvcs REG_MULTI_SZ yksvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Inhoud van de 'Gedeelde Taken' map
.
2011-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4003705562-535109584-3577070377-1000Core.job
- c:\users\MarcelF\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-11 16:22]
.
2011-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4003705562-535109584-3577070377-1000UA.job
- c:\users\MarcelF\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-11 16:22]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNYT&bmod=EU01
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNYT&bmod=SNYT
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.2.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-16 14:11
Windows 6.0.6002 Service Pack 2 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
Voltooingstijd: 2011-09-16 14:19:25
ComboFix-quarantined-files.txt 2011-09-16 12:19
.
Pre-Run: 418.996.672.000 bytes free
Post-Run: 419.221.770.752 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - F3E067AB2C5CFC4C4249FE9A883B574E

Edited by RPMcMurphy, 16 September 2011 - 08:14 PM.
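A small triage helper for the ComboFix log format posted above, added here as an example and not code from the thread or from ComboFix: it parses the Run-key values and the R/S service lines and lists entries whose referenced file is missing or whose binary sits in a user-writable directory, which is where a reviewer reading such a log by hand would look first. The sample lines are copied from the posted log; reading a trailing `[x]` as "file not found" is an assumption.

```python
import re
from dataclasses import dataclass

# Regexes for the two ComboFix line shapes seen in the posted log:
#   "Name"="c:\path\file.exe" [2009-01-06 6703648]            (Run-key value)
#   R2 svc;Display Name;c:\path\file.exe [2011-09-12 111088]  (service/driver)
# A trailing "[x]" in place of the date/size is assumed here to mean that
# ComboFix could not find the referenced file.
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);'
                    r'(?P<path>[^\[]*?)\s*\[(?P<meta>[^\]]*)\]\s*$')

# Directories a standard user can write to; a persistence entry pointing
# here deserves a second look even when the file itself is present.
WRITABLE_DIRS = ("\\temp\\", "\\programdata\\", "\\appdata\\", "\\users\\")


@dataclass
class Entry:
    kind: str      # "run" or "service"
    name: str
    path: str
    present: bool  # False when ComboFix printed [x] instead of date/size


def parse_entries(log_text):
    """Extract Run-key values and service/driver entries from ComboFix output."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry("run", m["name"], m["path"], m["meta"] != "x"))
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append(Entry("service", m["name"], m["path"], m["meta"] != "x"))
    return entries


def triage(entries):
    """Return (name, reason) pairs for entries worth reviewing by hand."""
    findings = []
    for e in entries:
        if not e.path:
            findings.append((e.name, "no image path recorded"))
        elif not e.present:
            findings.append((e.name, "referenced file not found (stale or removed binary)"))
        elif any(d in e.path.lower() for d in WRITABLE_DIRS):
            findings.append((e.name, "binary lives in a user-writable directory"))
    return findings


# Constructed sample: a handful of lines copied from the log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-01-06 6703648]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
R2 0231041316174026mcinstcleanup;McAfee Application Installer Cleanup (0231041316174026);c:\windows\TEMP\023104~1.EXE [x]
R3 Partner Service;Partner Service;c:\programdata\Partner\partner.exe [2011-09-12 111088]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-09-06 54616]
S1 aswSnx;aswSnx; [x]
"""

if __name__ == "__main__":
    for name, reason in triage(parse_entries(SAMPLE_LOG)):
        print(f"{name}: {reason}")
```

A flagged entry is a pointer for manual review, not a verdict: the McAfee cleanup service and the Avast driver lines above are leftovers of legitimate software, which is exactly why the log is read by a person.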


#4 G2442g

  • Topic Starter
  • Members

Posted 16 September 2011 - 07:42 AM

Because I disabled Avast while running the ComboFix scan I clicked "restart" and went to the toilet. When I came back I got the black and white screen telling me that Windows failed to start and asking if I wanted to go to System Restore or start Windows normally (I did the latter).

After start-up, there was a notification telling me Windows recovered from an unexpected shutdown:

----

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1043

Additional information about the problem:
BCCode: 1
BCP1: 82809696
BCP2: 00000000
BCP3: 0000FFFE
BCP4: 00000000
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini091611-01.dmp
C:\Users\MarcelF\AppData\Local\Temp\WER-102149-0.sysdata.xml
C:\Users\MarcelF\AppData\Local\Temp\WERD9F9.tmp.version.txt

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409


----

Although they "help describe the problem", I don't have permission to open the first two; I included WERD9F9.tmp.version.txt as an attachment.


#5 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team

Posted 16 September 2011 - 08:18 PM

G2442g:

Please do this next:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above FixCSet::

FixCSet::

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • ComboFix log
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#6 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team

Posted 25 September 2011 - 03:45 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
