PDF/Java rootkit mostly cleaned up, audio dropouts and DPC latency issues


This topic is locked. 16 replies to this topic.

#1 is3000 (Members, 12 posts)

Posted 10 December 2011 - 05:28 PM

On 12/5 I ran into an infected PDF that downloaded a few trojans, etc. I sensed what was happening and quickly loaded up a bunch of antimalware and detection programs. Sure enough, I had a rootkit infection and several viruses that were downloading files to the \LocalService and \NetworkService accounts via some kind of Java exploit. I threw everything at the problem including:

HijackThis, Trend Micro Housecall, MBAM, Microsoft Security Essentials, RootRepeal, RootkitBuster, TDSSKiller, Sophos Anti-Rootkit, catchme, mbr, GMER, and ComboFix.

Now my antimalware scans turn up clean, but I'm experiencing audio dropouts and DPC latency issues that were not happening before this infection. I suspect it is not totally cleared.

Here is what MSE found and removed to give some background about the infection:

Trojan:Win32/Sefnit.AC
TrojanDownloader:Java/Comesis.A
Exploit:Win32/Pdfjsc.YN
Exploit:JS/Blacole.W
Exploit:Java/Blacole.CA
Exploit:Java/Blacole.BZ
Exploit:Java/Blacole.BY
Exploit:Java/CVE-2010-0840.NL
Exploit:Java/Blacole.CB

Attach.txt, GMER, and ComboFix logs are attached to this post.

Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by Jameson at 14:17:56 on 2011-12-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1236 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Enabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\emaudsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\foobar2000\foobar2000.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [E-MU USB Audio Control Panel] "c:\program files\creative professional\e-mu usb audio\EmuUsbAudioCP.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\jameson\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231105349359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 67.235.59.242 67.235.59.246
TCP: Interfaces\{7D7A9E70-3BFD-4029-8008-182E1D5968EE} : DhcpNameServer = 67.235.59.242 67.235.59.246
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jameson\application data\mozilla\firefox\profiles\jlq8d2rn.default\
FF - prefs.js: browser.search.selectedEngine - Amazon.com
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\jameson\local settings\application data\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 emaudsv;E-MU Audio Service;c:\windows\system32\emaudsv.exe [2007-11-26 20992]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2009-1-8 33792]
R3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\drivers\emusba10.sys [2007-11-26 163352]
S1 MpKsl368779bb;MpKsl368779bb;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7e4eda48-d94c-4b68-b9d4-008c00f0081e}\mpksl368779bb.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7e4eda48-d94c-4b68-b9d4-008c00f0081e}\MpKsl368779bb.sys [?]
S1 MpKsl614d9997;MpKsl614d9997;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e54481c6-5c98-4843-a4c1-cc9f8ddb533a}\mpksl614d9997.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e54481c6-5c98-4843-a4c1-cc9f8ddb533a}\MpKsl614d9997.sys [?]
S1 MpKsl733c451d;MpKsl733c451d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c60638b2-4490-459f-8abe-0dcd40d8fa70}\mpksl733c451d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c60638b2-4490-459f-8abe-0dcd40d8fa70}\MpKsl733c451d.sys [?]
S1 MpKslb71571e0;MpKslb71571e0;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c60638b2-4490-459f-8abe-0dcd40d8fa70}\mpkslb71571e0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c60638b2-4490-459f-8abe-0dcd40d8fa70}\MpKslb71571e0.sys [?]
S1 MpKslce9bf0c8;MpKslce9bf0c8;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c60638b2-4490-459f-8abe-0dcd40d8fa70}\mpkslce9bf0c8.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c60638b2-4490-459f-8abe-0dcd40d8fa70}\MpKslce9bf0c8.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 cpuz130;cpuz130;\??\c:\docume~1\jameson\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\jameson\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [2010-3-10 24216]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\77.tmp --> c:\windows\system32\77.tmp [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-10 19:00:58 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-12-10 18:55:15 101632 ----a-w- c:\windows\system32\drivers\nvtcp.sys
2011-12-10 18:54:26 305152 ----a-w- c:\windows\system32\drivers\nvnrm.sys
2011-12-10 18:54:26 222592 ----a-w- c:\windows\system32\drivers\nvsnpu.sys
2011-12-10 18:54:25 35840 ----a-w- c:\windows\system32\nvconrm.dll
2011-12-10 18:54:25 34176 ----a-w- c:\windows\system32\drivers\NVENETFD.sys
2011-12-10 18:54:25 204288 ----a-w- c:\windows\system32\fdco1ins.dll
2011-12-10 18:54:25 204288 ----a-w- c:\windows\system32\fdco1.dll
2011-12-10 18:54:25 13056 ----a-w- c:\windows\system32\drivers\nvnetbus.sys
2011-12-10 18:54:24 9728 ----a-w- c:\windows\system32\bdco1ins.dll
2011-12-10 18:54:24 9728 ----a-w- c:\windows\system32\bdco1.dll
2011-12-10 18:41:58 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6bbc46f8-247a-434f-b940-fb09a86bcdfe}\offreg.dll
2011-12-10 18:07:08 602432 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-12-10 18:07:02 285176 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-12-10 18:07:02 285176 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-12-10 18:07:02 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-12-10 18:06:35 65536 ----a-w- c:\windows\system32\OpenCL.dll
2011-12-10 18:06:34 919872 ----a-w- c:\windows\system32\nvdispco32.dll
2011-12-10 18:06:34 877376 ----a-w- c:\windows\system32\nvgenco32.dll
2011-12-10 18:06:34 2398016 ----a-w- c:\windows\system32\nvcuvid.dll
2011-12-10 18:06:34 2099520 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-12-10 18:06:34 17240064 ----a-w- c:\windows\system32\nvcompiler.dll
2011-12-10 17:55:31 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6bbc46f8-247a-434f-b940-fb09a86bcdfe}\mpengine.dll
2011-12-06 14:45:55 -------- d-----w- c:\program files\Sophos
2011-12-06 05:51:38 -------- d-----w- c:\documents and settings\jameson\local settings\application data\PCHealth
2011-12-06 01:06:29 6146896 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-12-06 01:06:10 -------- d-----w- c:\program files\Microsoft Security Client
2011-11-20 20:16:49 -------- d-----w- c:\windows\system32\windows media
2011-11-20 20:16:42 -------- d-----w- c:\windows\RegisteredPackages
2011-11-20 20:16:39 -------- d--h--w- c:\windows\msdownld.tmp
2011-11-20 20:16:37 -------- d-----w- c:\program files\Windows Media Components
.
==================== Find3M ====================
.
2011-12-06 04:47:17 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-08 04:50:00 5595136 ----a-w- c:\windows\system32\nvcuda.dll
2011-10-08 04:50:00 54272 ----a-w- c:\windows\system32\nvwddi.dll
2011-10-08 04:50:00 4226688 ----a-w- c:\windows\system32\nv4_disp.dll
2011-10-08 04:50:00 298304 ----a-w- c:\windows\system32\nvsvc32.exe
2011-10-08 04:50:00 2449408 ----a-w- c:\windows\system32\nvapi.dll
2011-10-08 04:50:00 220992 ----a-w- c:\windows\system32\nvcolor.exe
2011-10-08 04:50:00 203072 ----a-w- c:\windows\system32\nvmctray.dll
2011-10-08 04:50:00 17956864 ----a-w- c:\windows\system32\nvoglnt.dll
2011-10-08 04:50:00 16744256 ----a-w- c:\windows\system32\nvcpl.dll
2011-10-08 04:50:00 12791488 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3320620AS rev.3.AAE -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-24
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A713AB8]
3 CLASSPNP[0xB8118FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007b[0x8A716F18]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP2T0L0-e[0x8A6B3D98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
sectors 625142446 (+255): user != kernel
.
============= FINISH: 14:18:04.98 ===============

#2 HelpBot (Bleepin' Binary Bot, Bots, 12,730 posts)

Posted 16 December 2011 - 05:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1. In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/431738 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2. If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 is3000 (Topic Starter, Members, 12 posts)

Posted 17 December 2011 - 02:02 PM

New logs attached.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Jameson at 8:00:48 on 2011-12-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1441 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Enabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\emaudsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Jameson\Desktop\Maintenance\dpclat.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [E-MU USB Audio Control Panel] "c:\program files\creative professional\e-mu usb audio\EmuUsbAudioCP.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\jameson\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231105349359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 67.235.59.242 67.235.59.246
TCP: Interfaces\{7D7A9E70-3BFD-4029-8008-182E1D5968EE} : DhcpNameServer = 67.235.59.242 67.235.59.246
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jameson\application data\mozilla\firefox\profiles\jlq8d2rn.default\
FF - prefs.js: browser.search.selectedEngine - YouTube
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\jameson\local settings\application data\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKslad66486b;MpKslad66486b;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f810d934-c6dc-4a81-ba1d-0e9f78cffb71}\MpKslad66486b.sys [2011-12-16 29904]
R2 emaudsv;E-MU Audio Service;c:\windows\system32\emaudsv.exe [2007-11-26 20992]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2009-1-8 33792]
R3 dpclat_driver;dpclat_driver;\??\c:\windows\system32\drivers\dpclat_driver.sys --> c:\windows\system32\drivers\dpclat_driver.sys [?]
S1 MpKsl368779bb;MpKsl368779bb;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7e4eda48-d94c-4b68-b9d4-008c00f0081e}\mpksl368779bb.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7e4eda48-d94c-4b68-b9d4-008c00f0081e}\MpKsl368779bb.sys [?]
S1 MpKsl614d9997;MpKsl614d9997;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e54481c6-5c98-4843-a4c1-cc9f8ddb533a}\mpksl614d9997.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e54481c6-5c98-4843-a4c1-cc9f8ddb533a}\MpKsl614d9997.sys [?]
S1 MpKsl733c451d;MpKsl733c451d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c60638b2-4490-459f-8abe-0dcd40d8fa70}\mpksl733c451d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c60638b2-4490-459f-8abe-0dcd40d8fa70}\MpKsl733c451d.sys [?]
S1 MpKslb71571e0;MpKslb71571e0;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c60638b2-4490-459f-8abe-0dcd40d8fa70}\mpkslb71571e0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c60638b2-4490-459f-8abe-0dcd40d8fa70}\MpKslb71571e0.sys [?]
S1 MpKslce9bf0c8;MpKslce9bf0c8;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c60638b2-4490-459f-8abe-0dcd40d8fa70}\mpkslce9bf0c8.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c60638b2-4490-459f-8abe-0dcd40d8fa70}\MpKslce9bf0c8.sys [?]
S1 MpKslfb2e0990;MpKslfb2e0990;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{794a36de-b72f-4be1-8d2b-e6ac45898f9c}\mpkslfb2e0990.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{794a36de-b72f-4be1-8d2b-e6ac45898f9c}\MpKslfb2e0990.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 cpuz130;cpuz130;\??\c:\docume~1\jameson\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\jameson\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\drivers\emusba10.sys [2007-11-26 163352]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [2010-3-10 24216]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7b.tmp --> c:\windows\system32\7B.tmp [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-17 03:40:15 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f810d934-c6dc-4a81-ba1d-0e9f78cffb71}\MpKslad66486b.sys
2011-12-17 03:39:59 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f810d934-c6dc-4a81-ba1d-0e9f78cffb71}\offreg.dll
2011-12-17 03:39:56 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f810d934-c6dc-4a81-ba1d-0e9f78cffb71}\mpengine.dll
2011-12-10 19:00:58 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-12-10 18:55:15 101632 ----a-w- c:\windows\system32\drivers\nvtcp.sys
2011-12-10 18:54:26 305152 ----a-w- c:\windows\system32\drivers\nvnrm.sys
2011-12-10 18:54:26 222592 ----a-w- c:\windows\system32\drivers\nvsnpu.sys
2011-12-10 18:54:25 35840 ----a-w- c:\windows\system32\nvconrm.dll
2011-12-10 18:54:25 34176 ----a-w- c:\windows\system32\drivers\NVENETFD.sys
2011-12-10 18:54:25 204288 ----a-w- c:\windows\system32\fdco1.dll
2011-12-10 18:54:25 13056 ----a-w- c:\windows\system32\drivers\nvnetbus.sys
2011-12-10 18:54:24 9728 ----a-w- c:\windows\system32\bdco1ins.dll
2011-12-10 18:54:24 9728 ----a-w- c:\windows\system32\bdco1.dll
2011-12-10 18:07:08 602432 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-12-10 18:07:02 285176 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-12-10 18:07:02 285176 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-12-10 18:07:02 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-12-10 18:06:35 65536 ----a-w- c:\windows\system32\OpenCL.dll
2011-12-10 18:06:34 919872 ----a-w- c:\windows\system32\nvdispco32.dll
2011-12-10 18:06:34 877376 ----a-w- c:\windows\system32\nvgenco32.dll
2011-12-10 18:06:34 2398016 ----a-w- c:\windows\system32\nvcuvid.dll
2011-12-10 18:06:34 2099520 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-12-10 18:06:34 17240064 ----a-w- c:\windows\system32\nvcompiler.dll
2011-12-06 14:45:55 -------- d-----w- c:\program files\Sophos
2011-12-06 05:51:38 -------- d-----w- c:\documents and settings\jameson\local settings\application data\PCHealth
2011-12-06 01:06:29 6146896 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-12-06 01:06:10 -------- d-----w- c:\program files\Microsoft Security Client
2011-11-20 20:16:49 -------- d-----w- c:\windows\system32\windows media
2011-11-20 20:16:42 -------- d-----w- c:\windows\RegisteredPackages
2011-11-20 20:16:39 -------- d--h--w- c:\windows\msdownld.tmp
2011-11-20 20:16:37 -------- d-----w- c:\program files\Windows Media Components
.
==================== Find3M ====================
.
2011-12-06 04:47:17 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ------w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ------w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-08 04:50:00 5595136 ----a-w- c:\windows\system32\nvcuda.dll
2011-10-08 04:50:00 54272 ----a-w- c:\windows\system32\nvwddi.dll
2011-10-08 04:50:00 4226688 ----a-w- c:\windows\system32\nv4_disp.dll
2011-10-08 04:50:00 298304 ----a-w- c:\windows\system32\nvsvc32.exe
2011-10-08 04:50:00 2449408 ----a-w- c:\windows\system32\nvapi.dll
2011-10-08 04:50:00 220992 ----a-w- c:\windows\system32\nvcolor.exe
2011-10-08 04:50:00 203072 ----a-w- c:\windows\system32\nvmctray.dll
2011-10-08 04:50:00 17956864 ----a-w- c:\windows\system32\nvoglnt.dll
2011-10-08 04:50:00 16744256 ----a-w- c:\windows\system32\nvcpl.dll
2011-10-08 04:50:00 12791488 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-10-03 10:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 07:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3320620AS rev.3.AAE -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-24
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A6C3AB8]
3 CLASSPNP[0xB8118FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007b[0x8A714030]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP2T0L0-e[0x8A762D98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
sectors 625142446 (+255): user != kernel
.
============= FINISH: 8:01:32.95 ===============

#4 nasdaq (Malware Response Team, 39,903 posts, Montreal, QC. Canada)

Posted 18 December 2011 - 11:37 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Open notepad and copy/paste the text in the quote box below into it:

Driver::
MpKsl614d9997
MpKsl733c451d
MpKslb71571e0
MpKslce9bf0c8
cpuz130
MEMSWEEP2

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]



Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) (511KB) to your desktop. Double-click aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Note: You may be asked if you want to download Avast Free Antivirus. I suggest you deny this download unless you do not have any antivirus protection on the computer.
===

Let me know what problem persists.

#5 is3000
  • Topic Starter
  • Members
  • 12 posts


Posted 18 December 2011 - 01:48 PM

Looks like we're getting closer. Thanks for the help so far!

New ComboFix, aswMBR log, and MBR data are attached.


#6 nasdaq
  • Malware Response Team
  • 39,903 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 December 2011 - 02:35 PM

Now run the aswMBR.exe tool. Select the Fix button.

Important > you need to wait for the tool to report ... Infection fixed successfully
Do not reboot the machine until it has said so.

When you see the message restart the computer normally.

Run aswMBR.exe normally and post the log.


Run the ComboFix tool again and post the log also.

Please let me know what problem persists.
===

#7 is3000
  • Topic Starter
  • Members
  • 12 posts


Posted 18 December 2011 - 08:40 PM

The logs are looking better, but the DPC latency problem persists. It manifests as an audio stutter once per second at its worst. Sometimes the problem starts when I open a program, when I interact with the Windows GUI by minimizing or maximizing a window, when I try to use YouTube, etc., and sometimes it happens on its own without any interaction, even with the majority of my devices disabled (network adapter, sound, et al). The stuttering typically lasts a couple of minutes and goes away on its own. I have updated my drivers and BIOS to try to rule those out.

New logs are attached.


#8 nasdaq
  • Malware Response Team
  • 39,903 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 December 2011 - 09:25 AM

Third-party programs, if not up to date, can be the cause of the infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download DrWeb-CureIt and save it to your Desktop. Do NOT perform a scan yet

  • Double-click on drweb-cureit.exe to start the program.
    An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now, Click OK to start the scan.
    This is a short scan that will scan the files currently running in memory.
    If something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis
  • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
  • Then click the Start/Stop Scanning button (green arrow on the right), and the scan will start.
  • When finished, a message will be displayed at the bottom advising if any viruses were found.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found.
    If so, click it, then click the next icon right below and select Move incurable.
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit when you have finished.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Please post the logs and keep me posted on the current issue.

#9 is3000
  • Topic Starter
  • Members
  • 12 posts


Posted 20 December 2011 - 11:14 PM

Results of screen317's Security Check version 0.99.29
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus out of date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner
Eusing Cleaner
Java™ 6 Update 30
Adobe Flash Player 11.1.102.55
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (8.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````


DrWeb-CureIt results:

mirc.exe;C:\Program Files\mIRC;Program.mIRC.621;;
A0006021.scr;C:\System Volume Information\_restore{1F3ACDCB-11C1-484C-9A1C-B5ECC767FA8B}\RP15;Trojan.MulDrop3.6866;Incurable.Moved.;
A0006440.scr;C:\System Volume Information\_restore{1F3ACDCB-11C1-484C-9A1C-B5ECC767FA8B}\RP19;Trojan.MulDrop3.6866;Incurable.Moved.;

-------------

Adobe Reader is actually 10.1.1 and Microsoft Security Essentials is set to auto-update. Those .scr files in the system restore paths are probably versions of dds.scr. The express scan eliminated that file from the desktop. From what I can tell, everything appears to be up to date, but I'm still having the latency issue that occasionally results in audio blips every second.

Here's what it typically looks like:

Posted Image

Once it starts, it keeps going even if I close everything, disable drivers, etc. Then, after a few minutes, it goes back down on its own.

Edited by is3000, 20 December 2011 - 11:33 PM.
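The Dr.Web CureIt results above are semicolon-separated records (file name; directory; detection name; action taken). As an added example that is not part of this thread or of Dr.Web's own tooling, the Python below parses that format, separates restore-point copies from live files, and lists what would still need attention; the sample lines are constructed to mirror the three posted above, and treating the "Program." prefix as riskware rather than a trojan is an assumption.

```python
import re

# Matches a System Restore point directory such as
# C:\System Volume Information\_restore{GUID}\RP15
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+", re.I)


def parse_drweb_report(text):
    """Parse Dr.Web CureIt report lines into records.

    Field order as seen in the posted report: file name; directory; detection
    name; action taken (empty when the file was only reported, not cured/moved)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(";")
        name, directory, detection, action = (fields + [""] * 4)[:4]
        records.append({
            "file": name,
            "directory": directory,
            "detection": detection,
            "action": action,
            # Restore-point copies are snapshots, not files that execute on their
            # own; they are dealt with by moving them (as here) or purging System Restore.
            "in_restore_point": bool(RESTORE_POINT_RE.search(directory)),
            # Assumption: Dr.Web's "Program." prefix denotes riskware/PUA, not a trojan.
            "riskware": detection.startswith("Program."),
        })
    return records


def needs_follow_up(records):
    """Live (non-restore-point), non-riskware detections with no action taken."""
    return [r for r in records
            if not r["in_restore_point"] and not r["riskware"] and not r["action"]]


# Constructed sample mirroring the three lines posted above.
SAMPLE_REPORT = (
    "mirc.exe;C:\\Program Files\\mIRC;Program.mIRC.621;;\n"
    "A0006021.scr;C:\\System Volume Information\\_restore{1F3ACDCB-11C1-484C-9A1C-B5ECC767FA8B}\\RP15;Trojan.MulDrop3.6866;Incurable.Moved.;\n"
    "A0006440.scr;C:\\System Volume Information\\_restore{1F3ACDCB-11C1-484C-9A1C-B5ECC767FA8B}\\RP19;Trojan.MulDrop3.6866;Incurable.Moved.;\n"
)

if __name__ == "__main__":
    for r in parse_drweb_report(SAMPLE_REPORT):
        print(r["file"], r["detection"],
              "restore-point" if r["in_restore_point"] else "live",
              r["action"] or "(reported only)")
    print("needs follow-up:", [r["file"] for r in needs_follow_up(parse_drweb_report(SAMPLE_REPORT))])
```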


#10 nasdaq
  • Malware Response Team
  • 39,903 posts
  • Gender:Male
  • Location:Montreal, QC. Canada


Posted 21 December 2011 - 10:58 AM

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box at the top right, "Include in your download"; this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed, remove your old version of the Reader using the Add/Remove Programs applet if present.
===

The remarks in the latency checker should be investigated.

Try this and see if your operating system files are of the correct version.

From the Start menu, select Run.
In the Open field, type sfc /scannow (Note: There is a space between sfc and /scannow)
Select the OK button.
Follow the prompts throughout the System File Checker process.
Reboot the computer when System File Checker completes.

Do you see any yellow exclamation marks in your hardware settings?

#11 is3000
  • Topic Starter
  • Members
  • 12 posts


Posted 22 December 2011 - 09:44 PM

I completely uninstalled and reinstalled the following with newly-downloaded versions--

Adobe Reader
Adobe Flash
Firefox
Video drivers
Chipset drivers
Audio interface drivers

I also completely uninstalled Microsoft Security Essentials because I think the real-time scanning might have been contributing to my latency problem.

sfc /scannow completed a pass with my XP SP2 CD, though I did have to click Retry a number of times to keep it going.

Now I'm not having constant periods of audio dropouts like the above screenshot. It's more like this:

Posted Image

So, a lot closer. All of the devices in Device Manager have drivers installed. The strangest part is that these spikes happen even with all programs closed and almost all devices disabled in Device Manager (can't disable hard drives, etc.). Any kind of OS interaction seems to potentially cause a spike, but the spikes are worst when browsing.

Edit: The one-second dropout problem is still happening after all. Bummer.

Edited by is3000, 22 December 2011 - 10:12 PM.


#12 nasdaq
  • Malware Response Team
  • 39,903 posts
  • Gender:Male
  • Location:Montreal, QC. Canada


Posted 23 December 2011 - 10:52 AM

Open the Start > run box
type cmd hit the ok button.

At the DOS prompt type mbr.exe -f (make sure you have a space before the e and the -f).

hit the enter key.

Type exit at the prompt and hit the enter key.

Restart the computer normally.

How is it now?

Run the mbr.exe again.
Let me see the results.

#13 is3000
  • Topic Starter
  • Members
  • 12 posts


Posted 24 December 2011 - 10:38 PM

These results are after mbr.exe -f:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3320620AS rev.3.AAE -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-24

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 625142446 (+255): user != kernel

---

It's looked this way since the aswMBR fix. No change in DPC latency spikes, though the long periods of spikes seem to be happening less often after uninstalling MSE and reinstalling the other programs.

Edited by is3000, 24 December 2011 - 10:44 PM.
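The "user != kernel MBR !!!" line in the mbr.exe output (in the first log and again after the -f pass above) means the MBR returned through the normal user-mode read differs from what the tool read at kernel level; a bootkit that filters disk I/O can present a clean sector to user-mode callers while the sector on disk holds its own loader. As an added example that is not part of this thread or of GMER's tool, the Python below decodes the partition table of a 512-byte MBR image and byte-compares two views of the same sector, reporting where they disagree; both images are constructed (the boot-code bytes echo the start of the posted disassembly, the partition values are made up).

```python
import struct

MBR_SIZE = 512


def parse_partitions(mbr):
    """Decode the four 16-byte partition entries at offset 446 of a 512-byte MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        # boot flag, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        flag, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0:
            entries.append({"index": i, "bootable": flag == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries


def compare_views(user_view, kernel_view):
    """Byte-compare two reads of the same sector and report where they disagree.
    A mismatch confined to the boot code, with an intact partition table, is the
    pattern a filtered (hidden) MBR produces."""
    diffs = [i for i in range(MBR_SIZE) if user_view[i] != kernel_view[i]]
    if not diffs:
        return {"match": True}
    regions = sorted({"boot code" if i < 446 else "partition table" if i < 510 else "signature"
                      for i in diffs})
    return {"match": False, "first_diff": diffs[0], "count": len(diffs), "regions": regions}


def build_sample_mbr():
    """Constructed image: the first two instructions of the posted disassembly,
    one NTFS partition starting at LBA 63 (size made up), and the boot signature."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:4] = b"\x33\xC0\x8E\xD0"      # XOR AX,AX ; MOV SS,AX
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                               b"\xFE\xFF\xFF", 63, 625142385)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


SAMPLE_USER = build_sample_mbr()
# Constructed "kernel" view: same partition table, but the first instruction
# replaced by a short jump, the kind of change a tampered boot sector shows.
SAMPLE_KERNEL = b"\xEB\x1E\x90\x90" + SAMPLE_USER[4:]

if __name__ == "__main__":
    print(parse_partitions(SAMPLE_USER))
    print(compare_views(SAMPLE_USER, SAMPLE_USER))
    print(compare_views(SAMPLE_USER, SAMPLE_KERNEL))
```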


#14 nasdaq
  • Malware Response Team
  • 39,903 posts
  • Gender:Male
  • Location:Montreal, QC. Canada


Posted 25 December 2011 - 09:41 AM

This infection, if any, is not being found with the tools we used.
It may be hidden in a separate partition.

Execute the following attentively. If at any time you need help please ask.

You will need two new CDs to complete the task.

Preferably from a clean computer, I need you to download: gparted-live-0.10.0-3.iso (115.1 MB) and Windows XP Recovery Console rc.iso

Create a bootable CD, 1 for Gparted and 1 for the Windows XP Recovery Console, from the ISO images. You can use ImgBurn to do this.

This may help burning the iso image(s) to a CD.
http://www.imgburn.com/index.php?act=screenshots#isowrite
===


Now boot off of the newly created Gparted CD.

Posted Image
You should be here...
Press ENTER

Posted Image
By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

Posted Image
Choose your language and press ENTER. English is default [33]

Posted Image
Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below
Posted Image

I would like to see that last screen.

To take a print screen, follow these steps:

* Press Alt and Print Screen button on your keyboard
* Open Paint program
* From the menu choose Edit then Paste
* Now save the picture and attach it here for me to review.

Exit all programs.

#15 is3000
  • Topic Starter
  • Members
  • 12 posts


Posted 28 December 2011 - 11:03 PM

After brushing up on my Linux drive mounting and file operation commands, here it is:

Posted Image
I also ran a long test with SeaTools and a handful of passes with MemTest86+; both the HD and RAM showed no errors.
