
Have the SYSTEM RESTORE problem, can't run rkill


This topic is locked
37 replies to this topic

#1 big bishop

big bishop

  • Members
  • 19 posts

Posted 31 October 2011 - 02:48 PM

I have the SYSTEM RESTORE problem. The operating system on the PC is Windows XP. I followed the tutorial "How to see hidden files in Windows" that is referenced in the removal guide. It worked to some degree; a good number of files/shortcuts on my desktop have re-appeared.

Edit: to address the post below.
I ran Defogger. It never asked to reboot once it was finished, as the guide said it would, so I restarted the computer. The desktop was wiped of everything. The hidden-file view options are still where I changed them to above, yet all files/shortcuts are still hidden. Just a black desktop. Tried to run Defogger again; I get a "cannot create log" error.
Drove to a friend's house to get DDS and GMER on a flash drive.
DDS ended up being a failure. It ran for more than 3 minutes and then froze. I had to manually shut down the PC. Started back up, still in the same situation; I was able to get GMER running from the flash drive and it is currently running. I will post the log once it is done. Fingers crossed that it doesn't freeze like DDS. If it doesn't freeze I will also try to run DDS again.

Edit II: Went back to check the PC; GMER was gone from the screen. Not only was it not running, but the DDS and GMER files that I saved to the desktop were hidden.
Saved them again to the desktop. I have tried to run DDS a couple of times with the same end result: it runs until it freezes the entire computer.

Edited by big bishop, 01 November 2011 - 11:18 AM.




#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 31 October 2011 - 10:46 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 big bishop

big bishop
  • Topic Starter

  • Members
  • 19 posts

Posted 02 November 2011 - 11:19 AM

I finally was able to get rkill to run; after that I ran Malwarebytes. DDS still won't run its course; it will freeze the PC after running for about 10 minutes. I was able to run GMER. Below are the rkill and GMER logs.

RKILL LOG:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 10/31/2011 at 14:54:31.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

Processes terminated by Rkill or while it was running:

C:\Documents and Settings\All Users\Application Data\trfnnmNFIoGhaDl.exe
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe


Rkill completed on 10/31/2011 at 14:54:36.
C:\Documents and Settings\All Users\Application Data\trfnnmNFIoGhaDl.exe
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe


Rkill completed on 10/31/2011 at 14:54:37.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 11/01/2011 at 10:20:26.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Documents and Settings\All Users\Application Data\trfnnmNFIoGhaDl.exe
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
C:\WINDOWS\system32\attrib.exe
L:\GMER.exe


Rkill completed on 11/01/2011 at 10:20:31.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 11/01/2011 at 10:31:39.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 11/01/2011 at 10:31:44.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 11/01/2011 at 11:49:41.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Documents and Settings\All Users\Application Data\trfnnmNFIoGhaDl.exe
C:\WINDOWS\system32\attrib.exe
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
C:\WINDOWS\system32\attrib.exe
C:\WINDOWS\system32\attrib.exe
C:\DOCUME~1\HP_Owner\Desktop\rkill.scr
C:\DOCUME~1\HP_Owner\Desktop\rkill.scr


Rkill completed on 11/01/2011 at 11:50:03.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 11/01/2011 at 12:07:14.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Documents and Settings\All Users\Application Data\trfnnmNFIoGhaDl.exe
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
C:\DOCUME~1\HP_Owner\Desktop\rkill.scr
C:\DOCUME~1\HP_Owner\Desktop\rkill.scr


Rkill completed on 11/01/2011 at 12:07:40.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 11/01/2011 at 12:32:12.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Documents and Settings\All Users\Application Data\trfnnmNFIoGhaDl.exe
C:\WINDOWS\system32\attrib.exe
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
C:\WINDOWS\system32\attrib.exe
C:\WINDOWS\system32\attrib.exe
C:\DOCUME~1\HP_Owner\Desktop\rkill.scr
C:\DOCUME~1\HP_Owner\Desktop\rkill.scr


Rkill completed on 11/01/2011 at 12:32:17.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 11/01/2011 at 12:34:51.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Documents and Settings\All Users\Application Data\trfnnmNFIoGhaDl.exe
C:\WINDOWS\system32\attrib.exe
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
C:\WINDOWS\system32\attrib.exe
C:\WINDOWS\system32\attrib.exe
C:\DOCUME~1\HP_Owner\Desktop\rkill.scr
C:\DOCUME~1\HP_Owner\Desktop\rkill.scr


Rkill completed on 11/01/2011 at 12:34:56.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 11/01/2011 at 12:37:16.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Documents and Settings\All Users\Application Data\trfnnmNFIoGhaDl.exe
C:\WINDOWS\system32\attrib.exe
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
C:\WINDOWS\system32\attrib.exe
C:\WINDOWS\system32\attrib.exe
C:\DOCUME~1\HP_Owner\Desktop\rkill.scr
C:\DOCUME~1\HP_Owner\Desktop\rkill.scr
C:\WINDOWS\System32\rundll32.exe


Rkill completed on 11/01/2011 at 12:37:21.

GMER LOG:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-02 12:06:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3100011A rev.3.02
Running: GMER.exe; Driver: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\awgoypod.sys


---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\LETTER to ELAN GEN CONT - enclg ltr of intent, etc. - 2008 Oct 14.doc 27136 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\Additional Insured Questionnaire - Suburban Ins.-2008 Oct 14.doc 26624 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\FAX to ELAN - Brighton Collectibles, Freehold, NJ - Ltr of Int, etc. - 2008 Oct 14.doc 30720 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\FAX to ELAN GEN CONT. Brighton Collectibles, Freehold, NJ - 2008 Dec 08.doc 30208 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\FAX to ELAN GEN CONT. Brighton Collectibles, Freehold, NJ - 2008 October 13.doc 30720 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\FAX to Suburban General Ins. ATTN Wanda re COI - 2008 Dec 03.doc 31232 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\FAX to Suburban General Ins. ATTN Wanda re COI - 2008 Oct 14.doc 31232 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\INVOICE #410.doc 30720 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\LETTER to ELAN GEN CONT - enclg Inv410, etc. - 2008 Nov 07.doc 27136 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\LETTER to ELAN GEN CONT - Letter of Intent - 2008 Oct 14.doc 29184 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\New Microsoft Word Document.doc 10752 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\PROPOSAL - ELAN GEN CONT.- Brighton Collectibles. Freehold, NJ - 2008 October 13.doc 50176 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\SUPPLIER LIST - Brighton Collect. - 2008 Nov 07.doc 28160 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\WARRANTY LETTER - ELAN t - Brighton Collectibles - 2008 Nov 07.doc 27136 bytes

---- EOF - GMER 1.0.15 ----
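The rkill.log pasted above is a series of appended runs, and reading it by eye makes it easy to miss that the same two executables in All Users\Application Data were terminated run after run. The following script is an added example (not part of this thread, and not code from the rkill author): it splits an rkill.log into runs, triages each terminated process by where its image lives, and counts how many runs each executable in a data directory survived into. The sample log embedded in it is a constructed excerpt using the paths from post #3; the prefix and marker lists are a deliberately simple heuristic, not a definitive allowlist.

```python
import re
from collections import Counter

# Constructed sample, modelled on the rkill.log pasted in post #3 above
# (two of the runs, with the same paths that appear there, including the
# duplicated "Processes terminated" header from the first run).
SAMPLE_RKILL_LOG = r"""
Rkill was run on 10/31/2011 at 14:54:31.
Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

Processes terminated by Rkill or while it was running:

C:\Documents and Settings\All Users\Application Data\trfnnmNFIoGhaDl.exe
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe

Rkill completed on 10/31/2011 at 14:54:36.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 11/01/2011 at 11:49:41.
Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Documents and Settings\All Users\Application Data\trfnnmNFIoGhaDl.exe
C:\WINDOWS\system32\attrib.exe
C:\DOCUME~1\HP_Owner\Desktop\rkill.scr

Rkill completed on 11/01/2011 at 11:50:03.
"""

RUN_START = re.compile(r"^Rkill was run on (\S+) at (\S+)\.$")
RUN_END = re.compile(r"^Rkill completed on (\S+) at (\S+)\.$")
PROC_HEADER = "Processes terminated by Rkill or while it was running:"

# Locations a correctly installed program is normally launched from
# (assumption for this example; real allowlists are longer and per-host).
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
# Shared/per-user data directories: an executable living here deserves a look.
DATA_DIR_MARKERS = ("\\application data\\", "\\temp\\")


def parse_rkill_log(text):
    """Split an rkill.log (one or more appended runs) into a list of runs."""
    runs = []
    current = None
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_START.match(line)
        if m:
            current = {"started": f"{m.group(1)} {m.group(2)}",
                       "completed": None, "processes": []}
            runs.append(current)
            in_procs = False
            continue
        if current is None:
            continue
        if line == PROC_HEADER:        # tolerates a repeated header
            in_procs = True
            continue
        m = RUN_END.match(line)
        if m:
            current["completed"] = f"{m.group(1)} {m.group(2)}"
            in_procs = False
            continue
        if in_procs and line:
            current["processes"].append(line)
    return runs


def classify(path):
    """Rough triage of a terminated process by where its image lives."""
    p = path.lower()
    if any(marker in p for marker in DATA_DIR_MARKERS):
        return "review"
    if p.startswith(EXPECTED_PREFIXES):
        return "expected"
    return "other"    # desktop, removable drive, etc.


def recurring_suspects(runs):
    """Map each 'review' path to the number of runs in which rkill killed it."""
    seen = Counter()
    for run in runs:
        for proc in set(run["processes"]):   # count once per run
            if classify(proc) == "review":
                seen[proc] += 1
    return seen


if __name__ == "__main__":
    runs = parse_rkill_log(SAMPLE_RKILL_LOG)
    print(f"{len(runs)} rkill run(s) in log")
    for path, count in recurring_suspects(runs).most_common():
        print(f"killed in {count} run(s): {path}")
```

An executable that rkill has to kill again on every run is one that something restarts between runs, which is the behaviour the rest of this thread is chasing; the script only surfaces that pattern and leaves the judgement to the person reading the log.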

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 November 2011 - 07:02 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#5 big bishop

big bishop
  • Topic Starter

  • Members
  • 19 posts

Posted 05 November 2011 - 07:44 PM

hi m0le,

I check this thread a couple times a day. So I'm all ears.

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 November 2011 - 07:50 PM

Can you please run aswMBR, a rootkit scanner.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#7 big bishop

big bishop
  • Topic Starter

  • Members
  • 19 posts

Posted 06 November 2011 - 10:26 PM

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-06 16:35:06
-----------------------------
16:35:06.000 OS Version: Windows 5.1.2600 Service Pack 3
16:35:06.000 Number of processors: 1 586 0x401
16:35:06.000 ComputerName: YOUR-F78BF48CE2 UserName: HP_Owner
16:35:09.484 Initialize success
16:35:28.718 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:35:28.718 Disk 0 Vendor: ST3100011A 3.02 Size: 95396MB BusType: 3
16:35:28.718 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T1L0-17
16:35:28.718 Disk 1 Vendor: Maxtor_91741U4 FA570480 Size: 16603MB BusType: 3
16:35:28.750 Disk 0 MBR read successfully
16:35:28.750 Disk 0 MBR scan
16:35:28.750 Disk 0 unknown MBR code
16:35:28.765 Disk 0 scanning sectors +195371552
16:35:30.625 Disk 0 scanning C:\WINDOWS\system32\drivers
16:35:55.921 Service scanning
16:36:01.093 Modules scanning
16:36:29.609 Disk 0 trace - called modules:
16:36:29.625 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys
16:36:29.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f35ab8]
16:36:30.140 3 CLASSPNP.SYS[f77b6fd7] -> nt!IofCallDriver -> \Device\00000059[0x86f86e98]
16:36:30.140 5 ACPI.sys[f770d620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86fa9940]
16:36:30.140 Scan finished successfully
22:22:56.500 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Owner\Desktop\MBR.dat"
22:22:56.515 The log file has been saved successfully to "C:\Documents and Settings\HP_Owner\Desktop\aswMBR.txt"

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 November 2011 - 06:38 PM

We need to run a tool which can help us work out why the MBR is unknown.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

#9 big bishop

big bishop
  • Topic Starter

  • Members
  • 19 posts

Posted 07 November 2011 - 07:39 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000007fc

Kernel Drivers (total 123):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EF000 \WINDOWS\system32\hal.dll
0xF7C56000 \WINDOWS\system32\KDCOM.DLL
0xF7B66000 \WINDOWS\system32\BOOTVID.dll
0xF7707000 ACPI.sys
0xF7C58000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF76F6000 pci.sys
0xF7756000 isapnp.sys
0xF7766000 ohci1394.sys
0xF7776000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7C5A000 intelide.sys
0xF79D6000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7786000 MountMgr.sys
0xF76D7000 ftdisk.sys
0xF79DE000 PartMgr.sys
0xF7796000 VolSnap.sys
0xF76BF000 atapi.sys
0xF769C000 fasttx2k.sys
0xF7684000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF77A6000 disk.sys
0xF77B6000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7664000 fltmgr.sys
0xF7652000 sr.sys
0xF77C6000 PxHelp20.sys
0xF763B000 KSecDD.sys
0xF75AE000 Ntfs.sys
0xF7581000 NDIS.sys
0xF7567000 Mup.sys
0xF77F6000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF70B7000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6898000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF6884000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7AC6000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6860000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7ACE000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF672A000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF7AD6000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6718000 \SystemRoot\system32\DRIVERS\Rtlnicxp.sys
0xF7976000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7C52000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF6704000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7986000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7ADE000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7522000 \SystemRoot\system32\DRIVERS\PS2.sys
0xF7AE6000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7996000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF79A6000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF79B6000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF66E1000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7AEE000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xF64B4000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xF6490000 \SystemRoot\system32\drivers\portcls.sys
0xF79C6000 \SystemRoot\system32\drivers\drmk.sys
0xF7C90000 \SystemRoot\system32\DRIVERS\serscan.sys
0xF7E59000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7806000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF751A000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6479000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7816000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7826000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7AF6000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6468000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7836000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7AFE000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7B06000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7B0E000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xF7846000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7C92000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF640A000 \SystemRoot\system32\DRIVERS\update.sys
0xF750A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF69E5000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF6975000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7CB8000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7CD0000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7E08000 \SystemRoot\System32\Drivers\Null.SYS
0xF7CD2000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7A36000 \SystemRoot\System32\drivers\vga.sys
0xF7CD4000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7CD6000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7A86000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7A96000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7C46000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEC9A0000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEC947000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xEC91F000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEC8FD000 \SystemRoot\System32\drivers\afd.sys
0xF70F7000 \SystemRoot\system32\DRIVERS\netbios.sys
0xEC8D2000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xEC83A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF70E7000 \SystemRoot\System32\Drivers\Fips.SYS
0xEC814000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF78D6000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF70D7000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF7A9E000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF7AB6000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xEDD0A000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xEC0D7000 \SystemRoot\system32\DRIVERS\rt2870.sys
0xF60B9000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xF7A26000 \SystemRoot\system32\drivers\hpfxbulk.sys
0xECA33000 \SystemRoot\system32\drivers\hpfxgen.sys
0xECA23000 \SystemRoot\system32\drivers\hpfxfax.sys
0xB5CB3000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB5C9B000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xB7261000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB673F000 \SystemRoot\System32\drivers\Dxapi.sys
0xB6B8E000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7DB2000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF03F000 \SystemRoot\System32\ialmdev5.DLL
0xBF068000 \SystemRoot\System32\ialmdd5.DLL
0xBF136000 \SystemRoot\System32\ATMFD.DLL
0xB6BEA000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB5B7E000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB5B41000 \SystemRoot\system32\drivers\wdmaud.sys
0xEB6DE000 \SystemRoot\system32\drivers\sysaudio.sys
0xB5A73000 \SystemRoot\system32\DRIVERS\srv.sys
0xF78C6000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB54BA000 \SystemRoot\System32\Drivers\HTTP.sys
0xB511F000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 39):
0 System Idle Process
4 System
676 C:\WINDOWS\system32\smss.exe
776 csrss.exe
800 C:\WINDOWS\system32\winlogon.exe
844 C:\WINDOWS\system32\services.exe
856 C:\WINDOWS\system32\lsass.exe
1008 C:\WINDOWS\system32\svchost.exe
1092 svchost.exe
1144 C:\WINDOWS\system32\svchost.exe
1240 svchost.exe
1340 svchost.exe
1476 C:\WINDOWS\explorer.exe
1740 C:\WINDOWS\system32\spoolsv.exe
1828 svchost.exe
1860 C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
1904 C:\WINDOWS\system32\svchost.exe
1924 C:\Program Files\Java\jre6\bin\jqs.exe
1984 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
2024 C:\WINDOWS\system32\svchost.exe
172 C:\WINDOWS\system32\svchost.exe
272 C:\WINDOWS\system32\svchost.exe
356 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
396 wdfmgr.exe
524 C:\WINDOWS\wanmpsvc.exe
632 C:\WINDOWS\system32\wuauclt.exe
1640 C:\WINDOWS\system32\hkcmd.exe
1648 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
1736 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
2008 C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
1776 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
248 C:\Program Files\Microsoft Money\System\Money Express.exe
252 C:\WINDOWS\system32\ctfmon.exe
312 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
1168 C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
2532 C:\Program Files\Internet Explorer\iexplore.exe
3152 C:\Program Files\Internet Explorer\iexplore.exe
4064 C:\Program Files\Internet Explorer\iexplore.exe
3304 C:\Documents and Settings\HP_Owner\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`be32e000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: ST3100011A, Rev: 3.02
PhysicalDrive1 Model Number: Maxtor91741U4, Rev: FA570480

Size Device Name MBR Status
--------------------------------------------
93 GB \\.\PhysicalDrive0 Legit MBR code detected
SHA1: F75A10171F7488C11BA9A98CEC3D186D7A8D3972
16 GB \\.\PhysicalDrive1 Unknown MBR code
SHA1: 8E1F74F40BCE5135794AB915A1A93001AEA7348D


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
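The MBRCheck output above is worth reading carefully: "Unknown MBR code" means the tool could not match the drive's boot code against its list of known-good code, not that it proved an infection, which is why the helper asks to find out why the MBR is unknown rather than fixing anything. Note also that the two tools in this thread do not agree on which disk carries unrecognised code (aswMBR reported "Disk 0 unknown MBR code", MBRCheck calls Disk 0 legit and Disk 1 unknown), so the SHA1 the tool prints is the value worth recording alongside the verdict. The script below is an added example, not part of the thread and not MBRCheck's own code: it parses the drive summary into a per-drive record (volumes, model, size, status, SHA1) and lists the drives that need a closer look. The embedded sample is a constructed excerpt using the lines from post #9.

```python
import re

# Constructed sample: the drive summary from the MBRCheck log in post #9 above
# (the statuses and SHA1 values are the ones shown there).
SAMPLE_MBRCHECK_LOG = r"""
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`be32e000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: ST3100011A, Rev: 3.02
PhysicalDrive1 Model Number: Maxtor91741U4, Rev: FA570480

Size Device Name MBR Status
--------------------------------------------
93 GB \\.\PhysicalDrive0 Legit MBR code detected
SHA1: F75A10171F7488C11BA9A98CEC3D186D7A8D3972
16 GB \\.\PhysicalDrive1 Unknown MBR code
SHA1: 8E1F74F40BCE5135794AB915A1A93001AEA7348D


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
"""

# Line shapes as they appear in the log (\\.\X: --> \\.\PhysicalDriveN ...)
VOLUME = re.compile(r"^\\\\\.\\([A-Z]):\s+-->\s+\\\\\.\\(PhysicalDrive\d+)"
                    r"\s+at offset\s+(\S+)\s+\((\w+)\)$")
MODEL = re.compile(r"^(PhysicalDrive\d+) Model Number:\s*(.+?),\s*Rev:\s*(.+)$")
DRIVE = re.compile(r"^(\d+)\s*GB\s+\\\\\.\\(PhysicalDrive\d+)\s+(.+)$")
SHA1 = re.compile(r"^SHA1:\s*([0-9A-Fa-f]{40})$")


def parse_mbrcheck_log(text):
    """Return {drive_name: record} built from the MBRCheck drive summary."""
    drives = {}
    last_drive = None   # the SHA1 line follows the drive it belongs to

    def entry(name):
        return drives.setdefault(name, {"volumes": [], "model": None, "rev": None,
                                        "size_gb": None, "status": None, "sha1": None})

    for raw in text.splitlines():
        line = raw.strip()
        m = VOLUME.match(line)
        if m:
            letter, drive, offset, fs = m.groups()
            entry(drive)["volumes"].append({"letter": letter, "offset": offset, "fs": fs})
            continue
        m = MODEL.match(line)
        if m:
            drive, model, rev = m.groups()
            entry(drive).update(model=model, rev=rev)
            continue
        m = DRIVE.match(line)
        if m:
            size, drive, status = m.groups()
            entry(drive).update(size_gb=int(size), status=status)
            last_drive = drive
            continue
        m = SHA1.match(line)
        if m and last_drive:
            entry(last_drive)["sha1"] = m.group(1).upper()
    return drives


def drives_needing_review(drives):
    """Drives whose boot code MBRCheck did not match to its known-good list."""
    return [name for name, d in drives.items()
            if d["status"] is not None and not d["status"].startswith("Legit MBR code")]


if __name__ == "__main__":
    report = parse_mbrcheck_log(SAMPLE_MBRCHECK_LOG)
    for name, d in report.items():
        letters = ",".join(v["letter"] for v in d["volumes"])
        print(f"{name} ({d['model']} rev {d['rev']}, {d['size_gb']} GB, volumes {letters}): "
              f"{d['status']} sha1={d['sha1']}")
    print("needs review:", drives_needing_review(report))
```

Keeping the hash next to the verdict makes later comparison possible: the same drive scanned again after the clean-up should produce the same SHA1 if nothing touched the boot sector, and a changed hash on a drive that was not deliberately rewritten is the thing to investigate.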

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 November 2011 - 05:26 PM

Please next run ComboFix.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#11 big bishop

big bishop
  • Topic Starter

  • Members
  • 19 posts

Posted 09 November 2011 - 05:41 PM

I've tried to run ComboFix 3 times, and every time the PC froze.

It has stayed on the screen where it advises that it should only take 10 minutes and that a badly infected machine can easily double the scan time, or something to that effect.
The first time it ran like that for more than 25 minutes, and I noticed that the time on the PC had stopped about 3 minutes after I started ComboFix. I had to manually shut down the PC.
Started back up, ran rkill, then ComboFix again. It ran for more than 35 minutes and I noticed the same thing with the time; the PC was frozen. Shut down again. Ran some errands, came back, ran ComboFix again. Left for an hour and came back to ComboFix being frozen on the same screen.

Any advice to get ComboFix to completely run?

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 November 2011 - 06:07 PM

Any advice to get ComboFix to completely run?


Not at this stage. I think this is ZeroAccess, and it disables (or attempts to disable) tools that are run on the machine it is infecting.

We need to run a tool that doesn't trip the alarm: GMER, with a twist. Attempt to run GMER with only Services checked. Then try Registry on its own. Then just Files. GMER instructions are below, so just remember to leave only one item checked and post any logs you can get.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Edited by m0le, 09 November 2011 - 06:09 PM.


#13 big bishop

big bishop
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:58 AM

Posted 09 November 2011 - 06:14 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000007fc

Kernel Drivers (total 123):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EF000 \WINDOWS\system32\hal.dll
0xF7C56000 \WINDOWS\system32\KDCOM.DLL
0xF7B66000 \WINDOWS\system32\BOOTVID.dll
0xF7707000 ACPI.sys
0xF7C58000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF76F6000 pci.sys
0xF7756000 isapnp.sys
0xF7766000 ohci1394.sys
0xF7776000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7C5A000 intelide.sys
0xF79D6000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7786000 MountMgr.sys
0xF76D7000 ftdisk.sys
0xF79DE000 PartMgr.sys
0xF7796000 VolSnap.sys
0xF76BF000 atapi.sys
0xF769C000 fasttx2k.sys
0xF7684000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF77A6000 disk.sys
0xF77B6000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7664000 fltmgr.sys
0xF7652000 sr.sys
0xF77C6000 PxHelp20.sys
0xF763B000 KSecDD.sys
0xF75AE000 Ntfs.sys
0xF7581000 NDIS.sys
0xF7567000 Mup.sys
0xF77F6000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF7996000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6CC2000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF6CAE000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7A8E000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6C8A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7A96000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6B54000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF7A9E000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6B42000 \SystemRoot\system32\DRIVERS\Rtlnicxp.sys
0xF79A6000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7BE6000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF6B2E000 \SystemRoot\system32\DRIVERS\parport.sys
0xF79B6000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7AA6000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7BEA000 \SystemRoot\system32\DRIVERS\PS2.sys
0xF7AAE000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF79C6000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7806000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7816000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6B0B000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7AB6000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xF68DE000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xF68BA000 \SystemRoot\system32\drivers\portcls.sys
0xF7826000 \SystemRoot\system32\drivers\drmk.sys
0xF7CB2000 \SystemRoot\system32\DRIVERS\serscan.sys
0xF7D3B000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7836000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7BF2000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF68A3000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7846000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7856000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7ABE000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6892000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7866000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7AC6000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7ACE000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7AD6000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xF7876000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7CB6000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6834000 \SystemRoot\system32\DRIVERS\update.sys
0xF7373000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF78D6000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF6DFF000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7CDE000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7CF4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7E6F000 \SystemRoot\System32\Drivers\Null.SYS
0xF7CF6000 \SystemRoot\System32\Drivers\Beep.SYS
0xF79F6000 \SystemRoot\System32\drivers\vga.sys
0xF7CFA000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7CFC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7A56000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7A66000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF67DF000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xECDA6000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xECD4D000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xECD25000 \SystemRoot\system32\DRIVERS\netbt.sys
0xECD03000 \SystemRoot\System32\drivers\afd.sys
0xEE443000 \SystemRoot\system32\DRIVERS\netbios.sys
0xECCD8000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xECC40000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xEE433000 \SystemRoot\System32\Drivers\Fips.SYS
0xECB7A000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xEE423000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xEE413000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xEE0C4000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xEE0B4000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xEE08C000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xEC2DF000 \SystemRoot\system32\DRIVERS\rt2870.sys
0xF64D3000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xECE11000 \SystemRoot\system32\drivers\hpfxbulk.sys
0xECBE0000 \SystemRoot\system32\drivers\hpfxgen.sys
0xECBD0000 \SystemRoot\system32\drivers\hpfxfax.sys
0xB8CBB000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB8CA3000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF67EE000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB9ED9000 \SystemRoot\System32\drivers\Dxapi.sys
0xF752F000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7E3A000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF03F000 \SystemRoot\System32\ialmdev5.DLL
0xBF068000 \SystemRoot\System32\ialmdd5.DLL
0xBF136000 \SystemRoot\System32\ATMFD.DLL
0xEB2CE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB8C4E000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB8C11000 \SystemRoot\system32\drivers\wdmaud.sys
0xB9DC2000 \SystemRoot\system32\drivers\sysaudio.sys
0xB8B43000 \SystemRoot\system32\DRIVERS\srv.sys
0xB89F3000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB853A000 \SystemRoot\System32\Drivers\HTTP.sys
0xB80D4000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 44):
0 System Idle Process
4 System
672 C:\WINDOWS\system32\smss.exe
752 csrss.exe
776 C:\WINDOWS\system32\winlogon.exe
820 C:\WINDOWS\system32\services.exe
832 C:\WINDOWS\system32\lsass.exe
980 C:\WINDOWS\system32\svchost.exe
1080 svchost.exe
1120 C:\WINDOWS\system32\svchost.exe
1208 svchost.exe
1292 svchost.exe
1444 C:\WINDOWS\explorer.exe
1720 C:\WINDOWS\system32\spoolsv.exe
1800 svchost.exe
1836 C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
1880 C:\WINDOWS\system32\svchost.exe
1920 C:\Program Files\Java\jre6\bin\jqs.exe
1964 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
2040 C:\WINDOWS\system32\svchost.exe
176 C:\WINDOWS\system32\svchost.exe
228 C:\WINDOWS\system32\svchost.exe
264 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
368 wdfmgr.exe
428 C:\WINDOWS\wanmpsvc.exe
1580 C:\WINDOWS\system32\hkcmd.exe
1604 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
1732 C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
1912 C:\Program Files\Microsoft Money\System\Money Express.exe
1936 C:\WINDOWS\system32\ctfmon.exe
748 C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
940 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
3500 C:\Program Files\Internet Explorer\iexplore.exe
4040 C:\Program Files\Internet Explorer\iexplore.exe
3736 C:\hp\KBD\KBD.exe
2120 C:\WINDOWS\ALCXMNTR.EXE
3472 C:\WINDOWS\AGRSMMSG.exe
3860 C:\WINDOWS\system\hpsysdrv.exe
504 C:\WINDOWS\system32\hphmon06.exe
2624 C:\Program Files\Java\jre1.5.0\bin\jusched.exe
2640 C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
3392 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
1240 C:\Program Files\Internet Explorer\iexplore.exe
3932 C:\Documents and Settings\HP_Owner\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`be32e000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: ST3100011A, Rev: 3.02
PhysicalDrive1 Model Number: Maxtor91741U4, Rev: FA570480

Size Device Name MBR Status
--------------------------------------------
93 GB \\.\PhysicalDrive0 Legit MBR code detected
SHA1: F75A10171F7488C11BA9A98CEC3D186D7A8D3972
16 GB \\.\PhysicalDrive1 Unknown MBR code
SHA1: 8E1F74F40BCE5135794AB915A1A93001AEA7348D


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
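The MBRCheck report above does two things with sector 0 of each disk: it hashes the boot code and reports "Legit MBR code detected" when the SHA1 is on its list of known loaders (and "Unknown MBR code" otherwise), and it prints the byte offset at which each volume starts, which comes from the partition table in the same sector. The Python below is an added example, not part of the thread and not MBRCheck's code, that performs both steps on a constructed 512-byte sector. The boot code is dummy bytes, the two partition entries are arranged so their start sectors reproduce the 0x7e00 and 0x1be32e000 offsets printed in the log, the sector counts are invented, and the known-good set is an assumption built from the sample itself.

```python
"""MBR integrity check: hash the boot code, decode the partition table.

Constructed example. The boot code is dummy bytes, the partition layout is
arranged so the start offsets match the FAT32 (0x7e00) and NTFS
(0x1be32e000) volumes in the MBRCheck log, and the known-good hash set is
assumed (built from the sample). Not a dump of the real machine.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0-439; the 4-byte disk signature follows at 440
PART_TABLE_OFFSET = 446       # four 16-byte partition entries, bytes 446-509
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511
ENTRY_FMT = "<B3xB3xII"       # status, CHS start (skip), type, CHS end (skip), start LBA, sectors
PARTITION_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)"}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sector_count: int

    @property
    def byte_offset(self) -> int:       # what MBRCheck prints as "at offset"
        return self.start_lba * SECTOR_SIZE

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_id, f"type 0x{self.type_id:02X}")


def boot_code_sha1(sector: bytes) -> str:
    """Hash only the loader bytes, so a new disk signature or repartitioning does not change it."""
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


def parse_partitions(sector: bytes) -> list[Partition]:
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    parts = []
    for i in range(4):
        status, type_id, start_lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        if type_id == 0:
            continue  # empty slot
        parts.append(Partition(i, status == 0x80, type_id, start_lba, count))
    return parts


def classify_mbr(sector: bytes, known_good: set[str]) -> str:
    """Verdict string in the style of the MBRCheck report (allowlist membership only)."""
    return "Legit MBR code detected" if boot_code_sha1(sector) in known_good else "Unknown MBR code"


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a sector from constructed boot code and (bootable, type, start_lba, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[: len(boot_code)] = boot_code
    for i, (bootable, type_id, start_lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, type_id, start_lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample: dummy loader bytes and a two-partition layout that reproduces the log's offsets.
SAMPLE_BOOT_CODE = bytes(range(256)) + bytes(range(BOOT_CODE_LEN - 256))
SAMPLE_ENTRIES = [
    (False, 0x0C, 63, 14_620_977),          # FAT32 volume:  63 * 512        = 0x7E00
    (True, 0x07, 14_621_040, 180_750_528),  # NTFS volume:   14621040 * 512  = 0x1BE32E000 (count invented)
]


def report(sector: bytes, known_good: set[str]) -> list[str]:
    lines = [f"Boot code SHA1: {boot_code_sha1(sector)}", classify_mbr(sector, known_good)]
    for p in parse_partitions(sector):
        lines.append(f"{'*' if p.bootable else ' '} entry {p.index}: {p.type_name:<12} "
                     f"start LBA {p.start_lba:>10}  offset 0x{p.byte_offset:011x}  "
                     f"{p.sector_count * SECTOR_SIZE / 2**30:6.1f} GiB")
    return lines


if __name__ == "__main__":
    mbr = build_sample_mbr(SAMPLE_BOOT_CODE, SAMPLE_ENTRIES)
    allowlist = {boot_code_sha1(mbr)}        # assumption: treat this sample's loader as known-good
    print("\n".join(report(mbr, allowlist)))
    tampered = bytearray(mbr)
    tampered[0] ^= 0xFF                      # one changed loader byte is enough to drop to "Unknown"
    print(classify_mbr(bytes(tampered), allowlist))
```

"Unknown MBR code" means only that the hash is not on the allowlist. A removable drive formatted by another tool, like the 16 GB FAT32 disk in the report, routinely carries loader bytes the list has never seen, so the partition offsets and a dump of the sector compared against a clean reference are the evidence to weigh before treating the hash result as an infection.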

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:58 PM

Posted 09 November 2011 - 06:17 PM

Apologies, big bishop, but I have decided to try Gmer instead of MBRCheck and you probably read it just before I edited it. Please take a look at the edited post which explains how to run Gmer with only one search item at a time.
m0le is a proud member of UNITE

#15 big bishop

big bishop
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:58 AM

Posted 10 November 2011 - 09:36 AM

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-10 09:16:19
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3100011A rev.3.02
Running: zn4rdome.exe; Driver: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\awgoypod.sys


---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Microsoft Money\System\Money Express.exe[1084] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [714F9B6A] C:\WINDOWS\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Money\System\Money Express.exe[1084] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] [714F9C0D] C:\WINDOWS\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Money\System\Money Express.exe[1084] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [714F9B6A] C:\WINDOWS\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Money\System\Money Express.exe[1084] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] [714F9C0D] C:\WINDOWS\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:3172] B838D6D0
Thread System [4:3176] B836B120

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\LETTER to ELAN GEN CONT - enclg ltr of intent, etc. - 2008 Oct 14.doc 27136 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\Additional Insured Questionnaire - Suburban Ins.-2008 Oct 14.doc 26624 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\FAX to ELAN - Brighton Collectibles, Freehold, NJ - Ltr of Int, etc. - 2008 Oct 14.doc 30720 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\FAX to ELAN GEN CONT. Brighton Collectibles, Freehold, NJ - 2008 Dec 08.doc 30208 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\FAX to ELAN GEN CONT. Brighton Collectibles, Freehold, NJ - 2008 October 13.doc 30720 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\FAX to Suburban General Ins. ATTN Wanda re COI - 2008 Dec 03.doc 31232 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\FAX to Suburban General Ins. ATTN Wanda re COI - 2008 Oct 14.doc 31232 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\INVOICE #410.doc 30720 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\LETTER to ELAN GEN CONT - enclg Inv410, etc. - 2008 Nov 07.doc 27136 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\LETTER to ELAN GEN CONT - Letter of Intent - 2008 Oct 14.doc 29184 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\New Microsoft Word Document.doc 10752 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\PROPOSAL - ELAN GEN CONT.- Brighton Collectibles. Freehold, NJ - 2008 October 13.doc 50176 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\SUPPLIER LIST - Brighton Collect. - 2008 Nov 07.doc 28160 bytes
File C:\Documents and Settings\HP_Owner\Desktop\2006 thru 2010 ATLANTIC PTG & WALLCOV, INC\2008 ATLANTIC PAINTING JAN. - DEC\AA-CURRENT PROJECTS\AT-2008-409 - BRIDGEWATER MUNICIPAL COMPLEX, Bridgewater, NJ\AT-2008-410 - BRIGHTON COLLECTIBLES, Freehold Raceway Mall, Freehold, NJ\WARRANTY LETTER - ELAN t - Brighton Collectibles - 2008 Nov 07.doc 27136 bytes

---- EOF - GMER 1.0.15 ----
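The "User IAT/EAT" lines in the GMER log above each record a patched import-table entry: the hooked process and PID, the module whose imports were patched, the imported function, the hook address, and the module the hook now resolves into. In this log every hook points into C:\WINDOWS\AppPatch\AcSpecfc.DLL, which GMER itself labels a Windows Compatibility DLL; wrapping LoadLibraryA and FreeLibrary that way is how the application-compatibility shim engine works, which is why such entries are normally set aside during triage. The Python below is an added example, not GMER's code and not part of the thread, that parses IAT lines in this format and separates hooks into the AppPatch shim DLLs from everything else. The log text is constructed in the format of the log above, and the third line, with a placeholder DLL name, is invented to exercise the review path.

```python
"""Triage the 'User IAT/EAT' section of a GMER log.

Hooks that resolve into the Application Compatibility shim DLLs in the
AppPatch folder are the expected shape of a shim; any other target is set
aside for review. The sample log is constructed for this example; the third
IAT line is an invented placeholder that exercises the review path.
"""
import re
from dataclasses import dataclass

IAT_LINE = re.compile(
    r"^IAT\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>\S+)\s+"
    r"\[(?P<import_dll>[^!\]]+)!(?P<function>[^\]]+)\]\s+"
    r"\[(?P<address>[0-9A-Fa-f]+)\]\s+(?P<target>.+?)"
    r"(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)

# Shim DLLs shipped in the Windows AppPatch folder (assumed list of the common ones).
SHIM_DIR = "c:\\windows\\apppatch\\"
SHIM_DLLS = {"acspecfc.dll", "acgenral.dll", "aclayers.dll", "acxtrnal.dll"}


@dataclass
class IatHook:
    process: str
    pid: int
    module: str        # module whose import table was patched
    import_dll: str    # DLL the import names, e.g. KERNEL32.dll
    function: str      # imported function, e.g. LoadLibraryA
    address: int       # where the patched import now points
    target: str        # module that owns that address
    description: str   # GMER's description of the target, if any

    def is_expected_shim(self) -> bool:
        path = self.target.lower()
        return path.startswith(SHIM_DIR) and path.rsplit("\\", 1)[-1] in SHIM_DLLS


def parse_iat_line(line: str):
    """Return an IatHook for an IAT line, or None for any other line."""
    m = IAT_LINE.match(line.strip())
    if not m:
        return None
    return IatHook(m["process"].strip(), int(m["pid"]), m["module"], m["import_dll"],
                   m["function"], int(m["address"], 16), m["target"], m["desc"] or "")


def triage(lines) -> tuple[list[IatHook], list[IatHook]]:
    """Split IAT hooks into (expected shim hooks, hooks needing review)."""
    expected, review = [], []
    for line in lines:
        hook = parse_iat_line(line)
        if hook is not None:
            (expected if hook.is_expected_shim() else review).append(hook)
    return expected, review


# Constructed sample in the format of a GMER 1.0.15 log; the third IAT line is an invented placeholder.
SAMPLE_LOG = r"""
---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Example Vendor\Example App.exe[1084] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [714F9B6A] C:\WINDOWS\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Example Vendor\Example App.exe[1084] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] [714F9C0D] C:\WINDOWS\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\WINDOWS\explorer.exe[4242] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] [00A1B2C3] C:\WINDOWS\system32\placeholder_unknown.dll

---- EOF - GMER 1.0.15 ----
"""


if __name__ == "__main__":
    expected, review = triage(SAMPLE_LOG.splitlines())
    print(f"{len(expected)} hook(s) into AppPatch shim DLLs (expected for shimmed programs)")
    for h in review:
        print(f"REVIEW: {h.process}[{h.pid}] {h.import_dll}!{h.function} -> "
              f"0x{h.address:08X} in {h.target} ({h.description or 'no description'})")
```

The split is deliberately conservative: only a target that sits in the AppPatch folder and matches a known shim file name is treated as expected, so a hook into a DLL with a shim-like name in another directory, or one GMER gives no description for, lands in the review list.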
