
CONSRV rootkit on Vista 64-bit


  • This topic is locked
7 replies to this topic

#1 TxNetWolf


Posted 21 October 2011 - 07:36 PM

Greetings!

I'm fighting with my son's Vista 64-bit system which (to my eye) is infected with the CONSRV / ROOTKIT infection I've read about in other threads (such as http://www.bleepingcomputer.com/forums/topic422327.html). Upon trying to boot, I get a BSoD with Stop error C0000135 and a "consrv was not found" error message.

The system is currently unbootable, but I can go into the Repair Console and access the drive via Command Prompt.

In an attempt to streamline the repair, I have run FRST and generated the logfile, which reads as such:

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.2.6
Ran by SYSTEM at 2011-10-21 19:20:39
Running from F:\
Windows Vista ™ Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1584184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [IAAnotif] "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [178712 2008-04-15] (Intel Corporation)
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1220392 2008-01-17] (Synaptics, Inc.)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [15851040 2008-05-13] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [82464 2008-05-13] (NVIDIA Corporation)
HKLM\...\Run: [Launch LgDevAgt] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe" [397320 2008-11-06] (Logitech Inc.)
HKLM\...\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2049544 2008-11-06] (Logitech Inc.)
HKLM-x32\...\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Gateway\traybar.exe" [638976 2007-09-13] (Chicony)
HKLM-x32\...\Run: [eRecoveryService] [x]
HKLM-x32\...\Run: [Multiplicity] "C:\Program Files (x86)\Stardock\ThinkDesk\Multiplicity\Multipl.exe" [2512120 2008-01-16] (Stardock Corporation)
HKLM-x32\...\Run: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [648504 2008-05-16] (Pure Networks, Inc.)
HKLM-x32\...\Run: [nmapp] "C:\Program Files (x86)\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash [451896 2008-05-21] (Pure Networks, Inc.)
HKLM-x32\...\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe [x]
HKLM-x32\...\Run: [DeathAdder] "C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe" [251392 2010-05-05] ()
HKLM-x32\...\Run: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40368 2009-12-18] (Adobe Systems Incorporated)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2008-01-20] (Microsoft Corporation)
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Mcx1\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2008-01-20] (Microsoft Corporation)
HKU\Mcx1\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Mcx1\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\Mcx1\...\Winlogon: [Shell] C:\Windows\eHome\McrMgr.exe [196096 2010-04-14] (Microsoft Corporation)
HKU\Teveren\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\Teveren\...\Run: [PlayNC Launcher] [x]
HKU\Teveren\...\Run: [Steam] "D:\Program Files (x86)\Steam\Steam.exe" -silent [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

3 DFSR; C:\Windows\System32\DFSR.exe [3432960 2008-01-20] (Microsoft Corporation)
2 Dhcp; C:\Windows\System32\dhcpcsvc.dll [268288 2008-01-20] (Microsoft Corporation)
3 dkab_device; C:\Windows\system32\DKabcoms.exe -service [476568 2006-10-21] ( )
2 ehstart; C:\Windows\ehome\ehstart.dll [15360 2006-11-02] (Microsoft Corporation)
2 EMDMgmt; C:\Windows\System32\emdmgmt.dll [399872 2008-06-25] (Microsoft Corporation)
2 ETService; C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [24576 2008-06-11] ()
2 Multiplicity; "C:\Program Files (x86)\Stardock\ThinkDesk\Multiplicity\MultiSrv64.exe" [354040 2007-11-17] ()
3 nmraapache; "C:\Program Files (x86)\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice [12800 2008-05-21] (Pure Networks, Inc.)
2 nmservice; "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe" [648504 2008-05-16] (Pure Networks, Inc.)
2 o2flash; "C:\Program Files (x86)\O2Micro Flash Memory Card Driver\o2flash.exe" [65536 2007-02-12] (O2Micro International)
3 p2pimsvc; C:\Windows\System32\p2psvc.dll [837632 2008-01-20] (Microsoft Corporation)
3 PNRPAutoReg; C:\Windows\System32\p2psvc.dll [837632 2008-01-20] (Microsoft Corporation)
3 PNRPsvc; C:\Windows\System32\p2psvc.dll [837632 2008-01-20] (Microsoft Corporation)
2 slsvc; C:\Windows\System32\SLsvc.exe [2161664 2008-01-20] (Microsoft Corporation)
3 SLUINotify; C:\Windows\System32\SLUINotify.dll [71168 2008-01-20] (Microsoft Corporation)
2 Themes; C:\Windows\System32\shsvcs.dll [301568 2009-07-10] (Microsoft Corporation)
3 usnjsvc; "C:\Program Files (x86)\MSN Messenger\usnsvc.exe" [97136 2007-01-19] (Microsoft Corporation)
3 WPFFontCache_v0400; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [1020768 2010-03-18] (Microsoft Corporation)
2 XAudioService; C:\Windows\System32\DRIVERS\xaudio64.exe [412672 2007-10-18] (Conexant Systems, Inc.)
3 AVG Security Toolbar Service; C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" [x]
2 avgwd; "C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe" [x]
3 DAUpdaterSvc; C:\Program Files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [x]

========================== Drivers (Whitelisted) =============

4 adpu160m; C:\Windows\System32\drivers\adpu160m.sys [126520 2008-01-20] (Adaptec, Inc.)
3 AmdLLD64; C:\Windows\System32\DRIVERS\AmdLLD64.sys [39424 2007-06-29] (AMD, Inc.)
3 AVGIDSDriver; C:\Windows\System32\DRIVERS\AVGIDSDriver.Sys [117328 2011-05-27] (AVG Technologies CZ, s.r.o. )
0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [26704 2011-02-22] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\AVGIDSFilter.Sys [29264 2011-02-10] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [304720 2011-01-07] (AVG Technologies CZ, s.r.o.)
1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [41552 2011-03-01] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [37456 2011-03-16] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [377936 2011-04-04] (AVG Technologies CZ, s.r.o.)
3 danewFltr; C:\Windows\System32\drivers\danew.sys [12800 2009-04-21] (Razer (Asia-Pacific) Pte Ltd)
0 Ecache; C:\Windows\System32\drivers\ecache.sys [157240 2008-01-20] (Microsoft Corporation)
4 HpCISSs; C:\Windows\System32\drivers\hpcisss.sys [47672 2008-01-20] (Hewlett-Packard Company)
3 HSFHWAZL; C:\Windows\System32\DRIVERS\VSTAZL6.SYS [286720 2008-01-20] (Conexant Systems, Inc.)
4 i2omp; C:\Windows\System32\drivers\i2omp.sys [35896 2008-01-20] (Microsoft Corporation)
2 int15; \??\C:\Windows\SysWOW64\drivers\int15_64.sys [17952 2008-06-11] (Acer, Inc.)
4 iteatapi; C:\Windows\System32\drivers\iteatapi.sys [37480 2006-11-02] (Integrated Technology Express, Inc.)
4 iteraid; C:\Windows\System32\drivers\iteraid.sys [37480 2006-11-02] (Integrated Technology Express, Inc.)
4 Mraid35x; C:\Windows\System32\drivers\mraid35x.sys [39016 2006-11-02] (LSI Logic Corporation)
3 O2MDRDR; C:\Windows\System32\DRIVERS\o2mdx64.sys [62040 2008-04-14] (O2Micro )
3 O2SDRDR; C:\Windows\System32\DRIVERS\o2sdx64.sys [51928 2008-04-07] (O2Micro )
2 pnarp; C:\Windows\System32\DRIVERS\pnarp.sys [31544 2008-05-16] (Pure Networks, Inc.)
2 purendis; C:\Windows\System32\DRIVERS\purendis.sys [33080 2008-05-16] (Pure Networks, Inc.)
4 SiSRaid2; C:\Windows\System32\drivers\sisraid2.sys [45624 2008-01-20] (Microsoft Corporation)
4 Symc8xx; C:\Windows\System32\drivers\symc8xx.sys [49256 2006-11-02] (LSI Logic)
4 Sym_hi; C:\Windows\System32\drivers\sym_hi.sys [44648 2006-11-02] (LSI Logic)
4 Sym_u3; C:\Windows\System32\drivers\sym_u3.sys [48232 2006-11-02] (LSI Logic)
3 SynTP; C:\Windows\System32\DRIVERS\SynTP.sys [320560 2008-01-17] (Synaptics, Inc.)
3 TcUsb; C:\Windows\System32\Drivers\tcusb.sys [62480 2008-01-30] (UPEK Inc.)
3 tunmp; C:\Windows\System32\DRIVERS\tunmp.sys [18432 2008-01-20] (Microsoft Corporation)
4 uliahci; C:\Windows\System32\drivers\uliahci.sys [284728 2008-01-20] (ULi Electronics Inc.)
4 UlSata; C:\Windows\System32\drivers\ulsata.sys [148072 2006-11-02] (Promise Technology, Inc.)
4 ulsata2; C:\Windows\System32\drivers\ulsata2.sys [174696 2008-01-20] (Promise Technology, Inc.)
3 UVCFTR; C:\Windows\System32\Drivers\UVCFTR_S.SYS [20784 2007-05-23] (Chicony Electronics Co., Ltd.)
3 vhidmini; C:\Windows\System32\DRIVERS\vHidDev.sys [7552 2009-12-21] (Windows ® Win 7 DDK provider)
3 WpdUsb; C:\Windows\System32\DRIVERS\wpdusb.sys [46080 2008-01-20] (Microsoft Corporation)
3 xnacc; C:\Windows\System32\DRIVERS\xnacc.sys [903168 2008-01-20] (Microsoft Corporation)
3 yukonx64; C:\Windows\System32\DRIVERS\yk60x64.sys [392192 2008-06-27] (Marvell)
3 dump_wmimmc; \??\C:\Program Files (x86)\NCsoft\Aion\bin32\GameGuard\dump_wmimmc.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 msiserver; C:\Windows\System32\msiexec /V [x]
3 npggsvc; C:\Windows\system32\GameMon.des -service [x]
3 NPPTNT2; \??\C:\Windows\system32\npptNT2.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2011-10-21 12:08 - 2011-10-21 13:21 - 0009166 ____A C:\Windows\System32\avgrep.txt
2011-10-21 11:48 - 2011-10-21 14:37 - 0544414 ____A C:\Windows\ntbtlog.txt
2011-10-21 10:17 - 2011-10-21 10:18 - 0000000 ____D C:\Program Files (x86)\BadAVG
2011-10-13 23:16 - 2011-10-13 23:21 - 0000000 ___DC C:\Program Files (x86)\Microsoft Games for Windows - LIVE
2011-10-13 23:14 - 2011-10-13 23:15 - 0442622 ____A C:\Windows\dd_vcredistMSI107D.txt
2011-10-13 23:14 - 2011-10-13 23:15 - 0011558 ____A C:\Windows\dd_vcredistUI107D.txt
2011-10-12 23:31 - 2011-10-12 23:31 - 0000000 ___DC C:\Program Files (x86)\Microsoft Silverlight
2011-10-12 00:06 - 2011-10-12 00:06 - 0579088 ____A C:\Windows\dd_vcredistMSI1B90.txt
2011-10-12 00:06 - 2011-10-12 00:06 - 0013612 ____A C:\Windows\dd_vcredistUI1B90.txt
2011-10-06 14:48 - 2011-10-06 14:48 - 0001961 ____A C:\Users\Public\Desktop\Adobe Reader 8.lnk
2011-10-06 14:48 - 2011-10-06 14:48 - 0000000 ___DC C:\Program Files (x86)\Adobe
2011-10-06 14:39 - 2011-10-06 14:40 - 0002067 ____A C:\Windows\ie8_main.log
2011-10-06 14:37 - 2011-05-04 01:52 - 0157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2011-10-06 14:37 - 2011-05-04 01:52 - 0145184 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2011-10-06 14:37 - 2011-05-04 01:52 - 0145184 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2011-10-06 14:35 - 2011-10-06 14:37 - 0003748 ____A C:\Windows\SysWOW64\jupdate-1.6.0_26-b03.log
2011-10-05 23:28 - 2011-10-05 23:28 - 0000000 ____D C:\Windows\system64


============ 3 Months Modified Files and Folders =============

2011-10-21 14:37 - 2011-10-21 11:48 - 0544414 ____A C:\Windows\ntbtlog.txt
2011-10-21 13:21 - 2011-10-21 12:08 - 0009166 ____A C:\Windows\System32\avgrep.txt
2011-10-21 11:53 - 2006-11-02 04:46 - 0703388 ____A C:\Windows\System32\PerfStringBackup.INI
2011-10-21 10:18 - 2011-10-21 10:17 - 0000000 ____D C:\Program Files (x86)\BadAVG
2011-10-21 07:57 - 2008-01-20 19:26 - 0276734 ____A C:\Windows\PFRO.log
2011-10-21 07:56 - 2008-07-14 08:54 - 1204918 ____A C:\Windows\WindowsUpdate.log
2011-10-21 07:56 - 2006-11-02 07:42 - 0032602 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2011-10-21 07:56 - 2006-11-02 07:42 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2011-10-21 07:56 - 2006-11-02 07:22 - 0003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2011-10-21 07:56 - 2006-11-02 07:22 - 0003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2011-10-21 07:38 - 2010-10-17 08:06 - 0000000 ____D C:\Windows\System32\Drivers\AVG
2011-10-21 07:31 - 2008-07-14 09:00 - 0143167 ____A C:\ProgramData\nvModes.dat
2011-10-21 07:31 - 2008-07-14 09:00 - 0143167 ____A C:\ProgramData\nvModes.001
2011-10-20 18:06 - 2011-09-13 16:56 - 0000000 ____D C:\Users\Teveren\Documents\Hero Forge Characters
2011-10-20 17:31 - 2010-01-22 16:38 - 0000000 ____D C:\Users\Teveren\AppData\Local\Deployment
2011-10-20 15:26 - 2008-07-14 09:02 - 0000000 ____A C:\Windows\System32\LogConfigTemp.xml
2011-10-19 13:52 - 2011-09-13 16:59 - 0000000 ____D C:\Users\Teveren\Documents\Magic the Gathering Decks
2011-10-18 23:51 - 2011-05-24 19:46 - 0001873 ____A C:\Users\Teveren\Desktop\Kindle.lnk
2011-10-18 23:51 - 2009-12-06 20:19 - 0000000 ___DC C:\Program Files (x86)\Amazon
2011-10-18 13:05 - 2009-12-06 20:19 - 0000000 ____D C:\Users\Teveren\Documents\My Kindle Content
2011-10-13 23:21 - 2011-10-13 23:16 - 0000000 ___DC C:\Program Files (x86)\Microsoft Games for Windows - LIVE
2011-10-13 23:17 - 2006-11-02 05:33 - 0000000 ___DC C:\Program Files\Common Files\Microsoft Shared
2011-10-13 23:15 - 2011-10-13 23:14 - 0442622 ____A C:\Windows\dd_vcredistMSI107D.txt
2011-10-13 23:15 - 2011-10-13 23:14 - 0011558 ____A C:\Windows\dd_vcredistUI107D.txt
2011-10-13 13:17 - 2010-10-17 08:09 - 0000904 ____A C:\Users\Public\Desktop\AVG 2011.lnk
2011-10-12 23:31 - 2011-10-12 23:31 - 0000000 ___DC C:\Program Files (x86)\Microsoft Silverlight
2011-10-12 00:06 - 2011-10-12 00:06 - 0579088 ____A C:\Windows\dd_vcredistMSI1B90.txt
2011-10-12 00:06 - 2011-10-12 00:06 - 0013612 ____A C:\Windows\dd_vcredistUI1B90.txt
2011-10-12 00:01 - 2006-11-02 04:35 - 50086344 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2011-10-06 16:00 - 2008-11-09 07:48 - 0000376 ____A C:\Windows\ODBC.INI
2011-10-06 14:57 - 2008-06-11 12:54 - 0000000 ____D C:\ProgramData\Adobe
2011-10-06 14:48 - 2011-10-06 14:48 - 0001961 ____A C:\Users\Public\Desktop\Adobe Reader 8.lnk
2011-10-06 14:48 - 2011-10-06 14:48 - 0000000 ___DC C:\Program Files (x86)\Adobe
2011-10-06 14:40 - 2011-10-06 14:39 - 0002067 ____A C:\Windows\ie8_main.log
2011-10-06 14:37 - 2011-10-06 14:35 - 0003748 ____A C:\Windows\SysWOW64\jupdate-1.6.0_26-b03.log
2011-10-06 14:37 - 2008-06-11 12:52 - 0000000 ____D C:\Program Files (x86)\Java
2011-10-05 23:28 - 2011-10-05 23:28 - 0000000 ____D C:\Windows\system64
2011-09-30 15:49 - 2010-11-04 13:22 - 0007893 ____A C:\Windows\setupact.log
2011-09-28 17:07 - 2011-07-21 19:50 - 0001418 ____A C:\Users\Teveren\Desktop\Heroforge_v6.0.2.1 - Shortcut.lnk
2011-09-20 12:56 - 2010-07-07 13:08 - 0019456 ____A C:\Users\Teveren\Documents\Circuits.doc
2011-09-20 07:08 - 2011-09-20 08:32 - 0022528 ____A C:\Users\Public\Documents\Warrior.doc
2011-09-13 19:56 - 2011-09-13 19:56 - 3952669 ____A C:\Users\Teveren\Documents\Unit 3 Exam Question 29.rtf
2011-09-08 23:35 - 2011-06-08 18:47 - 0000000 ____D C:\Users\Teveren\Desktop\Minecraft
2011-09-02 10:18 - 2011-08-31 12:51 - 1999501 ____A C:\Users\Teveren\Documents\Research Assignment Temperature.rtf
2011-08-29 19:33 - 2011-09-20 08:32 - 4407205 ____A C:\Users\Public\Documents\amt7_7_2011-8-30.pdf
2011-08-26 12:02 - 2011-08-22 12:51 - 14154503 ____A C:\Users\Teveren\Documents\Writing Assignment Terms and Theorems.rtf
2011-08-22 12:02 - 2011-08-22 12:02 - 0004217 ____A C:\Users\Teveren\Documents\Writing Assignment Business Application.rtf
2011-08-21 14:14 - 2011-08-21 14:14 - 0008472 ____A C:\Users\Public\EDH SenTriplets MtG Deck.txt
2011-08-21 14:14 - 2006-11-02 05:33 - 0000000 ___RD C:\users\Public
2011-08-10 17:48 - 2011-08-10 17:48 - 0000102 ____A C:\Users\Teveren\Documents\Fudge Dice Odds.txt
2011-08-02 21:19 - 2011-08-02 21:19 - 0000020 ___SH C:\Users\Mcx1\ntuser.ini
2011-08-02 21:19 - 2011-08-02 21:19 - 0000000 __SHD C:\Users\Mcx1\Templates
2011-08-02 21:19 - 2011-08-02 21:19 - 0000000 __SHD C:\Users\Mcx1\Start Menu
2011-08-02 21:19 - 2011-08-02 21:19 - 0000000 __SHD C:\Users\Mcx1\PrintHood
2011-08-02 21:19 - 2011-08-02 21:19 - 0000000 __SHD C:\Users\Mcx1\NetHood
2011-08-02 21:19 - 2011-08-02 21:19 - 0000000 __SHD C:\Users\Mcx1\My Documents
2011-08-02 21:19 - 2011-08-02 21:19 - 0000000 __SHD C:\Users\Mcx1\Documents\My Videos
2011-08-02 21:19 - 2011-08-02 21:19 - 0000000 __SHD C:\Users\Mcx1\Documents\My Pictures
2011-08-02 21:19 - 2011-08-02 21:19 - 0000000 __SHD C:\Users\Mcx1\Documents\My Music
2011-08-02 21:19 - 2011-08-02 21:19 - 0000000 __SHD C:\Users\Mcx1\AppData\Local\Temporary Internet Files
2011-08-02 21:19 - 2011-08-02 21:19 - 0000000 __SHD C:\Users\Mcx1\AppData\Local\History
2011-08-02 21:19 - 2011-08-02 21:19 - 0000000 ____D C:\Users\Mcx1\AppData\LocalLow
2011-08-02 21:19 - 2011-08-02 21:19 - 0000000 ____D C:\users\Mcx1
2011-08-02 21:10 - 2006-11-02 07:07 - 0000000 ___RD C:\Users\Public\Recorded TV
2011-08-02 15:09 - 2011-08-02 15:05 - 0000000 ____D C:\Users\Teveren\Documents\PDF files
2011-08-01 18:49 - 2009-12-06 20:19 - 0000000 ____D C:\Users\Teveren\AppData\Local\Amazon


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0406016 ____A (Microsoft Corporation)

C:\Windows\System32\wininit.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0123904 ____A (Microsoft Corporation) 117EA87DF785CA1B9D821F6F213DCE07

C:\Windows\explorer.exe
[2009-01-18 18:04] - [2008-10-28 22:49] - 3080704 ____A (Microsoft Corporation) BBD8E74F23D7605CB0CDB57A1B25D826

C:\Windows\System32\Drivers\volsnap.sys
[2008-01-20 18:47] - [2008-01-20 18:47] - 0271416 ____A (Microsoft Corporation) DE4307412D98050239026E56A7DFF3C0


========================= Memory info ======================

Percentage of memory in use: 9%
Total physical RAM: 4090.09 MB
Available physical RAM: 3694.39 MB
Total Pagefile: 3957.99 MB
Available Pagefile: 3759.06 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:88.3 GB) (Free:14.14 GB) NTFS
2 Drive d: (DATA) (Fixed) (Total:88.01 GB) (Free:13.57 GB) NTFS
4 Drive f: (WCN_LTD) (Removable) (Total:1.86 GB) (Free:1.37 GB) FAT
5 Drive x: (PQSERVICE) (Fixed) (Total:10 GB) (Free:2.91 GB) NTFS

==========================================================

Last Boot: 2011-10-21 12:07

======================= End Of Log ==========================


Thank you in advance for any/all assistance!!



#2 Farbar

  • Security Developer
  • Location:The Netherlands

Posted 22 October 2011 - 10:31 AM

Hello TxNetWolf,

Welcome to Bleeping Computer.

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt

start
SubSystems: [Windows] ==> ZeroAccess
end

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also please restart normally and tell me how it went.

#3 TxNetWolf


Posted 22 October 2011 - 05:50 PM

That seems to have done the trick! System able to boot... I assume you'll want me to run a full scan, just to be sure infection is completely gone?

Here is the log as generated by FRST...

Fix result of Farbars's Recovery Tool (FRST written by farbar version 2.2.6)
Ran by SYSTEM at 2011-10-22 17:44:36 R:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.

==== End of Fixlog ====

#4 Farbar

  • Security Developer
  • Location:The Netherlands

Posted 23 October 2011 - 05:02 AM

Great. :thumbsup:

  • Please download unhide.exe to your desktop and run it.
    Tell me if your hidden files are unhidden.
  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


#5 TxNetWolf


Posted 24 October 2011 - 07:51 AM

UnHide didn't find any files that needed changing, but it did complete successfully.

Here's Malwarebytes' log:



Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8005

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

10/23/2011 10:55:54 AM
mbam-log-2011-10-23 (10-55-54).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 414197
Time elapsed: 45 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Teveren\AppData\Local\nql.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Malwarebytes prompted for a reboot, which I did; the system started normally and seemed fine. I installed all Windows upgrades/service packs and reinstalled the latest AVG with all updates.
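As an added example (not code from this thread, FRST or Malwarebytes), a small Python audit of the registry values the two logs above flag: the Session Manager SubSystems\Windows value FRST reported as ZeroAccess (the consrv.dll variant, which is why the boot failed with "consrv was not found" once the DLL was gone), and the shell\open\command values Malwarebytes reported as Hijack.ExeFile and Hijack.StartMenuInternet. The clean Vista baselines, the allowlist of ServerDll providers and the sample hijacked values are constructed assumptions, not values copied from the machine.

```python
"""Offline audit of the registry values hijacked in this thread.

Added example; it parses constructed sample strings rather than reading
the live registry, so it runs anywhere and doubles as a log checker.
"""
import re

# Assumption: the only ServerDll providers a clean Vista Windows subsystem loads.
KNOWN_SERVERDLLS = {"basesrv", "winsrv"}

# ServerDll=<dll>[:<entrypoint>],<index>  e.g. ServerDll=winsrv:ConServerDllInitialization,2
SERVERDLL_RE = re.compile(r"ServerDll=([^:,\s]+)(?::[^,\s]+)?,(\d+)")

# First token of a shell\open\command value, quoted or bare.
FIRST_EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')

# Constructed clean baseline (assumed Vista default layout).
CLEAN_SUBSYSTEMS = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
)
# Constructed hijacked sample: the console server entry redirected to consrv.dll.
HIJACKED_SUBSYSTEMS = CLEAN_SUBSYSTEMS.replace(
    "winsrv:ConServerDllInitialization", "consrv:ConServerDllInitialization")

# Constructed samples modelled on the MBAM Hijack.StartMenuInternet line above.
CLEAN_EXE_COMMAND = '"%1" %*'
HIJACKED_EXE_COMMAND = r'"C:\Users\Teveren\AppData\Local\nql.exe" -a "%1" %*'
BAD_IE_COMMAND = (r'"C:\Users\Teveren\AppData\Local\nql.exe" -a '
                  r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe"')


def check_subsystems_value(value: str) -> list[str]:
    """Return every ServerDll name that is not on the allowlist (empty = clean)."""
    return [name for name, _ in SERVERDLL_RE.findall(value)
            if name.lower() not in KNOWN_SERVERDLLS]


def launched_program(command: str) -> str:
    """Lower-cased basename of the program a shell\\open\\command value launches."""
    m = FIRST_EXE_RE.match(command)
    token = (m.group(1) or m.group(2)) if m else ""
    return token.rsplit("\\", 1)[-1].lower()


def check_open_command(command: str, expected: str) -> bool:
    """True when the command runs the expected program directly, i.e. no wrapper
    such as nql.exe has been inserted in front of the real target."""
    return launched_program(command) == expected.lower()


def audit(subsystems: str, exe_cmd: str, ie_cmd: str) -> list[str]:
    """Run all three checks and return human-readable findings."""
    findings = []
    unknown = check_subsystems_value(subsystems)
    if unknown:
        findings.append("SubSystems\\Windows loads unknown ServerDll(s): " + ", ".join(unknown))
    if not check_open_command(exe_cmd, "%1"):
        findings.append(".exe open command wrapped by " + launched_program(exe_cmd))
    if not check_open_command(ie_cmd, "iexplore.exe"):
        findings.append("StartMenuInternet IEXPLORE.EXE wrapped by " + launched_program(ie_cmd))
    return findings


if __name__ == "__main__":
    for line in audit(HIJACKED_SUBSYSTEMS, HIJACKED_EXE_COMMAND, BAD_IE_COMMAND):
        print("FINDING:", line)
    print("clean baseline findings:", audit(CLEAN_SUBSYSTEMS, CLEAN_EXE_COMMAND, "iexplore.exe"))
```

On a live system the same three values would be read with `reg query` or the Python `winreg` module and fed to `audit`; the parsing is identical.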

#6 Farbar

  • Security Developer
  • Location:The Netherlands

Posted 24 October 2011 - 08:00 AM

Well done.

I would like to check the system for vulnerabilities.

Please download OTL by OldTimer.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Click Run Scan button.
  • Two reports will open, copy and paste OTL.txt and attach Extra.txt to your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized


#7 Farbar

  • Security Developer
  • Location:The Netherlands

Posted 31 October 2011 - 02:12 AM

Are you still there?

#8 Farbar

  • Security Developer
  • Location:The Netherlands

Posted 07 November 2011 - 02:01 AM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you. If you should have a new issue, please start a new topic.

Everyone else should start a new topic.



