
I have a problem that seems to be due to some manner of rootkit


6 replies to this topic

#1 boxl

  • Members
  • 4 posts

Posted 30 August 2012 - 10:32 PM

I have windows 7 professional 64-bit installed in a PC I built about a year ago (asrock H61m-VS, i5-2500k, HD 6950, corsair XMS ram)

I first noticed a problem a few months ago when I downloaded a large .exe file (Oracle VirtualBox installer) and it wouldn't run; the checksum was incorrect. I downloaded it again and had the same issue. Since that time, often when I download an installer, .exe or .zip file, it is corrupt. If I download the same files on a laptop, they download correctly, seemingly ruling out a problem with my internet.

Yesterday I removed my hard drive, put in a newly purchased hard drive, and installed Windows 7 Pro 64 from a CD (a different CD than my original year-old install). Directly after installing the drivers from the CD that came with my motherboard, I downloaded the GPU driver package from AMD's website (~150 MB installer .exe) and ran it; it was corrupt. I downloaded VirtualBox just as an experiment, and it too was corrupt. So my fresh Windows install has the same issue as my old one. This seems to rule out a problem with either the Windows CDs or the hard drives.

I thought it could be an issue with RAM causing corruption of data, so I ran memtest for several passes and found no errors.

I then transferred a couple corrupted files freshly downloaded from my new windows 7 install onto a usb drive and then to a laptop, and compared them to the same files freshly downloaded on the laptop.

What I found is that files downloaded/corrupted on my windows 7 PC have one or more sequences of approximately 107 bytes which differ from the data in the uncorrupted file.

In a 5 MB zip file (LAN drivers I downloaded), there is a single, 107-byte corrupted area. In a larger file (150 MB GPU drivers), there are over a dozen modified areas in the file, and again each is about 107 bytes. I can provide copies of the smaller file with and without corruption, or just a hex dump of the difference, if anyone here can make use of this information.

I'm not certain whether this only happens to downloaded files, but I could do some experiments to try and find out, if necessary.

(On my new Win7 install) I tried installing, updating and running a full scan with Microsoft Security Essentials. I also ran TDSSKiller; both came up clean.

Summary: It seems to me that if I have some kind of malware, it has persisted through the physical replacement of my hard drive, and must therefore be re-infecting either by exploiting some sort of network issue, or infecting firmware.
If anyone has any idea what could be causing this, or opinions about whether or not it is malware, or instructions of how to test further, it would be appreciated. If not, advice on where to go for assistance would be appreciated.

Thanks for your time
-box

PS: I forgot to mention that after downloading files on my win7 PC with IE9, in the case of corrupted files it usually says something along the lines of "This file has been reported as unsafe" in the browser download list, in red font, but no other useful information is provided. I can get a screenshot of this if needed.
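The byte-by-byte comparison boxl describes (same file downloaded on two machines, then diffed to find the ~107-byte modified stretches) can be automated. The script below is an added example and not code from this thread; it works on constructed sample data built in `make_sample()` (a pseudo-random "download" with two 107-byte stretches flipped), reports the SHA-256 of both copies and the offset and length of every differing region, and merges runs that are split by a few coincidentally matching bytes.

```python
"""Locate modified byte ranges between a known-good download and a suspect copy."""
import hashlib
import random
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DiffRegion:
    offset: int   # byte offset where the differing run starts
    length: int   # number of bytes in the run


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, the kind of checksum a vendor publishes next to an installer."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(good: bytes, suspect: bytes, merge_gap: int = 4) -> List[DiffRegion]:
    """Return the runs of bytes where `suspect` differs from `good`.

    A run is only closed once `merge_gap` consecutive bytes match again, so a
    single modified block that coincidentally agrees with the original at one
    or two positions is still reported as one region rather than several.
    A length mismatch is reported as one trailing region.
    """
    regions: List[DiffRegion] = []
    start = None
    n = min(len(good), len(suspect))
    for i in range(n):
        if good[i] != suspect[i]:
            if start is None:
                start = i
        elif start is not None:
            window = slice(i, min(i + merge_gap, n))
            if good[window] == suspect[window]:
                regions.append(DiffRegion(start, i - start))
                start = None
    if start is not None:
        regions.append(DiffRegion(start, n - start))
    if len(good) != len(suspect):
        regions.append(DiffRegion(n, abs(len(good) - len(suspect))))
    return regions


def hex_excerpt(data: bytes, offset: int, width: int = 16) -> str:
    """Hex dump of `width` bytes at `offset`, for eyeballing what was written there."""
    return data[offset:offset + width].hex(" ")


def make_sample(size: int = 5000, corrupt_at: Tuple[int, ...] = (1234, 4000),
                run: int = 107) -> Tuple[bytes, bytes]:
    """Constructed sample (not a real download): a deterministic pseudo-random
    file and a copy with two 107-byte stretches overwritten (every byte
    flipped), mimicking the corruption pattern described in the post."""
    rng = random.Random(20120901)
    good = bytes(rng.getrandbits(8) for _ in range(size))
    bad = bytearray(good)
    for off in corrupt_at:
        for i in range(off, off + run):
            bad[i] ^= 0xFF
    return good, bytes(bad)


def report(good: bytes, suspect: bytes) -> List[str]:
    """Human-readable summary: both checksums, then one entry per modified region."""
    lines = [f"good    sha256={sha256_hex(good)}",
             f"suspect sha256={sha256_hex(suspect)}"]
    regions = diff_regions(good, suspect)
    if not regions:
        lines.append("files are identical")
    for r in regions:
        lines.append(f"modified region at offset {r.offset} (0x{r.offset:x}), {r.length} bytes")
        lines.append(f"  good:    {hex_excerpt(good, r.offset)}")
        lines.append(f"  suspect: {hex_excerpt(suspect, r.offset)}")
    return lines


if __name__ == "__main__":
    good, bad = make_sample()
    print("\n".join(report(good, bad)))
```

To run it against real downloads, read both copies with `open(path, "rb").read()` and pass them to `report()`; a region list like the one boxl describes (several entries of about 107 bytes) points at in-transit modification rather than a bad disk.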



#2 boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,344 posts
  • Gender:Male
  • Location:NJ USA

Posted 31 August 2012 - 10:01 PM

Hello, let's try to see if we can spot something.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.



Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#3 boxl (Topic Starter)

  • Members
  • 4 posts

Posted 01 September 2012 - 05:56 PM

Hi, thanks for the reply.
(the StarCraft crash errors in the minitoolbox logs are all expected behavior caused by boxlsc.dll and not related to malware)
I plugged back in my main HDD that originally had the problem and ran the tools, here are those logs:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-09-01 01:05:30
-----------------------------
01:05:30.610 OS Version: Windows x64 6.1.7601 Service Pack 1
01:05:30.610 Number of processors: 4 586 0x2A07
01:05:30.610 ComputerName: ONE-PC UserName: one
01:05:31.780 Initialize success
01:10:44.520 AVAST engine defs: 12083102
01:13:05.190 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
01:13:05.190 Disk 0 Vendor: WDC_WD75 80.0 Size: 715404MB BusType: 3
01:13:05.200 Disk 0 MBR read successfully
01:13:05.200 Disk 0 MBR scan
01:13:05.210 Disk 0 Windows 7 default MBR code
01:13:05.210 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
01:13:05.220 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 249899 MB offset 206848
01:13:05.250 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 50000 MB offset 512000000
01:13:05.250 Disk 0 Partition - 00 0F Extended LBA 415403 MB offset 614400000
01:13:05.290 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 200000 MB offset 614402048
01:13:05.330 Disk 0 scanning C:\Windows\system32\drivers
01:13:12.000 Service scanning
01:13:25.131 Modules scanning
01:13:25.131 Disk 0 trace - called modules:
01:13:25.151 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys sptd.sys hal.dll
01:13:25.151 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006016060]
01:13:25.151 3 CLASSPNP.SYS[fffff88001dc743f] -> nt!IofCallDriver -> [0xfffffa8004168380]
01:13:25.151 5 ACPI.sys[fffff88000ec37a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80042e1050]
01:13:26.011 AVAST engine scan C:\Windows
01:13:27.391 AVAST engine scan C:\Windows\system32
01:15:17.501 AVAST engine scan C:\Windows\system32\drivers
01:15:25.541 AVAST engine scan C:\Users\one
01:28:14.869 File: C:\Users\one\Desktop\STARCRAFT\junk\Chaoslauncher\wDetector_v219\wLoader.exe **INFECTED** Win32:Malware-gen
01:28:15.579 File: C:\Users\one\Desktop\STARCRAFT\junk\CL\wDetector_v219\wLoader.exe **INFECTED** Win32:Malware-gen
01:29:01.499 AVAST engine scan C:\ProgramData
01:29:35.789 Scan finished successfully
01:29:47.769 Disk 0 MBR has been saved successfully to "C:\Users\one\Desktop\MBR.dat"
01:29:47.769 The log file has been saved successfully to "C:\Users\one\Desktop\aswMBR.txt"


===========================================================================================

MiniToolBox by Farbar Version: 23-07-2012
Ran by one (administrator) on 01-09-2012 at 01:02:47
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================



========================= IP Configuration: ================================

Atheros AR8152 PCI-E Fast Ethernet Controller (NDIS 6.20) = Local Area Connection (Connected)
VirtualBox Host-Only Ethernet Adapter = VirtualBox Host-Only Network (Connected)
VMware Virtual Ethernet Adapter for VMnet1 = VMware Network Adapter VMnet1 (Connected)
VMware Virtual Ethernet Adapter for VMnet8 = VMware Network Adapter VMnet8 (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add address name="VMware Network Adapter VMnet8" address=192.168.223.1 mask=255.255.255.0
add address name="VirtualBox Host-Only Network" address=192.168.56.1 mask=255.255.255.0
add address name="VMware Network Adapter VMnet1" address=192.168.21.1 mask=255.255.255.0


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : one-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : local.tld

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : local.tld
Description . . . . . . . . . . . : Atheros AR8152 PCI-E Fast Ethernet Controller (NDIS 6.20)
Physical Address. . . . . . . . . : 00-25-22-B6-59-B2
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::f9f6:6f2e:87c:439%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.100(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, September 01, 2012 1:00:04 AM
Lease Expires . . . . . . . . . . : Saturday, September 01, 2012 1:00:04 PM
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 234890530
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-A8-48-F9-00-25-22-B6-59-B2
DNS Servers . . . . . . . . . . . : 66.82.4.8
66.82.4.12
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter VMware Network Adapter VMnet1:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet1
Physical Address. . . . . . . . . : 00-50-56-C0-00-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a893:9274:bbfc:bd90%20(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.21.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 520114262
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-A8-48-F9-00-25-22-B6-59-B2
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter VMware Network Adapter VMnet8:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
Physical Address. . . . . . . . . : 00-50-56-C0-00-08
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a076:7ef3:f81a:8e6%21(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.223.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 536891478
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-A8-48-F9-00-25-22-B6-59-B2
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter VirtualBox Host-Only Network:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter
Physical Address. . . . . . . . . : 08-00-27-00-48-E5
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::89bf:a961:403e:61e5%25(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.56.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 503840807
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-A8-48-F9-00-25-22-B6-59-B2
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{0D6E876D-97C8-4E4D-9862-C3ED71160CBB}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.local.tld:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : local.tld
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{E7369862-0BC9-4882-AA9E-596869AFDF87}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{FCD3D197-C39A-4324-86FF-B918EEFBA71E}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: ns.direcpc.com
Address: 66.82.4.8

Name: google.com
Addresses: 2607:f8b0:4009:803::1006
74.125.225.134
74.125.225.128
74.125.225.130
74.125.225.129
74.125.225.133
74.125.225.136
74.125.225.131
74.125.225.142
74.125.225.137
74.125.225.135
74.125.225.132


Pinging google.com [74.125.225.134] with 32 bytes of data:
Reply from 74.125.225.134: bytes=32 time=164ms TTL=49
Reply from 74.125.225.134: bytes=32 time=172ms TTL=49

Ping statistics for 74.125.225.134:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 164ms, Maximum = 172ms, Average = 168ms
Server: ns.direcpc.com
Address: 66.82.4.8

Name: yahoo.com
Addresses: 72.30.38.140
98.139.183.24
98.138.253.109


Pinging yahoo.com [72.30.38.140] with 32 bytes of data:
Reply from 72.30.38.140: bytes=32 time=352ms TTL=46
Reply from 72.30.38.140: bytes=32 time=473ms TTL=47

Ping statistics for 72.30.38.140:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 352ms, Maximum = 473ms, Average = 412ms
Server: ns.direcpc.com
Address: 66.82.4.8

Name: bleepingcomputer.com
Address: 208.43.87.2


Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
10...00 25 22 b6 59 b2 ......Atheros AR8152 PCI-E Fast Ethernet Controller (NDIS 6.20)
20...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
21...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
25...08 00 27 00 48 e5 ......VirtualBox Host-Only Ethernet Adapter
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.100 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.100 276
192.168.0.100 255.255.255.255 On-link 192.168.0.100 276
192.168.0.255 255.255.255.255 On-link 192.168.0.100 276
192.168.21.0 255.255.255.0 On-link 192.168.21.1 276
192.168.21.1 255.255.255.255 On-link 192.168.21.1 276
192.168.21.255 255.255.255.255 On-link 192.168.21.1 276
192.168.56.0 255.255.255.0 On-link 192.168.56.1 276
192.168.56.1 255.255.255.255 On-link 192.168.56.1 276
192.168.56.255 255.255.255.255 On-link 192.168.56.1 276
192.168.223.0 255.255.255.0 On-link 192.168.223.1 276
192.168.223.1 255.255.255.255 On-link 192.168.223.1 276
192.168.223.255 255.255.255.255 On-link 192.168.223.1 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.56.1 276
224.0.0.0 240.0.0.0 On-link 192.168.0.100 276
224.0.0.0 240.0.0.0 On-link 192.168.21.1 276
224.0.0.0 240.0.0.0 On-link 192.168.223.1 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.56.1 276
255.255.255.255 255.255.255.255 On-link 192.168.0.100 276
255.255.255.255 255.255.255.255 On-link 192.168.21.1 276
255.255.255.255 255.255.255.255 On-link 192.168.223.1 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
25 276 fe80::/64 On-link
10 276 fe80::/64 On-link
20 276 fe80::/64 On-link
21 276 fe80::/64 On-link
25 276 fe80::89bf:a961:403e:61e5/128
On-link
21 276 fe80::a076:7ef3:f81a:8e6/128
On-link
20 276 fe80::a893:9274:bbfc:bd90/128
On-link
10 276 fe80::f9f6:6f2e:87c:439/128
On-link
1 306 ff00::/8 On-link
25 276 ff00::/8 On-link
10 276 ff00::/8 On-link
20 276 ff00::/8 On-link
21 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\vsocklib.dll [63088] (VMware, Inc.)
Catalog9 12 C:\Windows\SysWOW64\vsocklib.dll [63088] (VMware, Inc.)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\vsocklib.dll [67184] (VMware, Inc.)
x64-Catalog9 12 C:\Windows\System32\vsocklib.dll [67184] (VMware, Inc.)

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/29/2012 08:51:42 AM) (Source: Application Error) (User: )
Description: Faulting application name: StarCraft.exe, version: 1.16.1.1, time stamp: 0x496589ca
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b8f
Exception code: 0xc0000005
Fault offset: 0x0002e3be
Faulting process id: 0xa44
Faulting application start time: 0xStarCraft.exe0
Faulting application path: StarCraft.exe1
Faulting module path: StarCraft.exe2
Report Id: StarCraft.exe3

Error: (08/29/2012 08:47:22 AM) (Source: Application Error) (User: )
Description: Faulting application name: StarCraft.exe, version: 1.16.1.1, time stamp: 0x496589ca
Faulting module name: smackw32.dll, version: 3.0.0.0, time stamp: 0x34bfa011
Exception code: 0xc0000005
Fault offset: 0x00005b66
Faulting process id: 0x1f88
Faulting application start time: 0xStarCraft.exe0
Faulting application path: StarCraft.exe1
Faulting module path: StarCraft.exe2
Report Id: StarCraft.exe3

Error: (08/29/2012 08:47:18 AM) (Source: Application Error) (User: )
Description: Faulting application name: StarCraft.exe, version: 1.16.1.1, time stamp: 0x496589ca
Faulting module name: boxlsc.dll, version: 0.0.0.0, time stamp: 0x503e3975
Exception code: 0xc0000005
Fault offset: 0x00002b3a
Faulting process id: 0x1f88
Faulting application start time: 0xStarCraft.exe0
Faulting application path: StarCraft.exe1
Faulting module path: StarCraft.exe2
Report Id: StarCraft.exe3

Error: (08/29/2012 08:45:31 AM) (Source: Application Error) (User: )
Description: Faulting application name: StarCraft.exe, version: 1.16.1.1, time stamp: 0x496589ca
Faulting module name: smackw32.dll, version: 3.0.0.0, time stamp: 0x34bfa011
Exception code: 0xc0000005
Fault offset: 0x00005b66
Faulting process id: 0x1224
Faulting application start time: 0xStarCraft.exe0
Faulting application path: StarCraft.exe1
Faulting module path: StarCraft.exe2
Report Id: StarCraft.exe3

Error: (08/29/2012 08:45:28 AM) (Source: Application Error) (User: )
Description: Faulting application name: StarCraft.exe, version: 1.16.1.1, time stamp: 0x496589ca
Faulting module name: boxlsc.dll, version: 0.0.0.0, time stamp: 0x503e390a
Exception code: 0xc0000005
Fault offset: 0x00001b54
Faulting process id: 0x1224
Faulting application start time: 0xStarCraft.exe0
Faulting application path: StarCraft.exe1
Faulting module path: StarCraft.exe2
Report Id: StarCraft.exe3

Error: (08/29/2012 08:45:06 AM) (Source: Application Error) (User: )
Description: Faulting application name: StarCraft.exe, version: 1.16.1.1, time stamp: 0x496589ca
Faulting module name: smackw32.dll, version: 3.0.0.0, time stamp: 0x34bfa011
Exception code: 0xc0000005
Fault offset: 0x00005b66
Faulting process id: 0x1480
Faulting application start time: 0xStarCraft.exe0
Faulting application path: StarCraft.exe1
Faulting module path: StarCraft.exe2
Report Id: StarCraft.exe3

Error: (08/29/2012 08:44:32 AM) (Source: Application Error) (User: )
Description: Faulting application name: StarCraft.exe, version: 1.16.1.1, time stamp: 0x496589ca
Faulting module name: boxlsc.dll, version: 0.0.0.0, time stamp: 0x503e38d7
Exception code: 0xc0000005
Fault offset: 0x00001b51
Faulting process id: 0x1480
Faulting application start time: 0xStarCraft.exe0
Faulting application path: StarCraft.exe1
Faulting module path: StarCraft.exe2
Report Id: StarCraft.exe3

Error: (08/28/2012 11:09:29 AM) (Source: Application Error) (User: )
Description: Faulting application name: StarCraft.exe, version: 1.16.1.1, time stamp: 0x496589ca
Faulting module name: smackw32.dll, version: 3.0.0.0, time stamp: 0x34bfa011
Exception code: 0xc0000005
Fault offset: 0x00005b66
Faulting process id: 0x12f8
Faulting application start time: 0xStarCraft.exe0
Faulting application path: StarCraft.exe1
Faulting module path: StarCraft.exe2
Report Id: StarCraft.exe3

Error: (08/28/2012 11:09:19 AM) (Source: Application Error) (User: )
Description: Faulting application name: StarCraft.exe, version: 1.16.1.1, time stamp: 0x496589ca
Faulting module name: boxlsc.dll, version: 0.0.0.0, time stamp: 0x503d08ec
Exception code: 0xc0000005
Fault offset: 0x00001bec
Faulting process id: 0x12f8
Faulting application start time: 0xStarCraft.exe0
Faulting application path: StarCraft.exe1
Faulting module path: StarCraft.exe2
Report Id: StarCraft.exe3

Error: (08/27/2012 06:02:12 PM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 9.0.8112.16448 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1514

Start Time: 01cd84b873dbca58

Termination Time: 5

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id:


System errors:
=============
Error: (08/27/2012 01:20:18 PM) (Source: VDS Basic Provider) (User: )
Description: Unexpected failure. Error code: 490@01010004


Microsoft Office Sessions:
=========================
Error: (08/29/2012 08:51:42 AM) (Source: Application Error)(User: )
Description: StarCraft.exe1.16.1.1496589cantdll.dll6.1.7601.177254ec49b8fc00000050002e3bea4401cd85fdc359f67aC:\Starcraft\StarCraft.exeC:\Windows\SysWOW64\ntdll.dll6d18fcab-f1f1-11e1-a9ac-005056c00008

Error: (08/29/2012 08:47:22 AM) (Source: Application Error)(User: )
Description: StarCraft.exe1.16.1.1496589casmackw32.dll3.0.0.034bfa011c000000500005b661f8801cd85fd897503cbC:\Starcraft\StarCraft.exeC:\Starcraft\smackw32.dlld1c0112b-f1f0-11e1-a9ac-005056c00008

Error: (08/29/2012 08:47:18 AM) (Source: Application Error)(User: )
Description: StarCraft.exe1.16.1.1496589caboxlsc.dll0.0.0.0503e3975c000000500002b3a1f8801cd85fd897503cbC:\Starcraft\StarCraft.exeC:\Starcraft\boxlsc.dllcf7313b5-f1f0-11e1-a9ac-005056c00008

Error: (08/29/2012 08:45:31 AM) (Source: Application Error)(User: )
Description: StarCraft.exe1.16.1.1496589casmackw32.dll3.0.0.034bfa011c000000500005b66122401cd85fd4593e8f9C:\Starcraft\StarCraft.exeC:\Starcraft\smackw32.dll90192752-f1f0-11e1-a9ac-005056c00008

Error: (08/29/2012 08:45:28 AM) (Source: Application Error)(User: )
Description: StarCraft.exe1.16.1.1496589caboxlsc.dll0.0.0.0503e390ac000000500001b54122401cd85fd4593e8f9C:\Starcraft\StarCraft.exeC:\Starcraft\boxlsc.dll8e19fbc3-f1f0-11e1-a9ac-005056c00008

Error: (08/29/2012 08:45:06 AM) (Source: Application Error)(User: )
Description: StarCraft.exe1.16.1.1496589casmackw32.dll3.0.0.034bfa011c000000500005b66148001cd85f843294a73C:\Starcraft\StarCraft.exeC:\Starcraft\smackw32.dll81305081-f1f0-11e1-a9ac-005056c00008

Error: (08/29/2012 08:44:32 AM) (Source: Application Error)(User: )
Description: StarCraft.exe1.16.1.1496589caboxlsc.dll0.0.0.0503e38d7c000000500001b51148001cd85f843294a73C:\Starcraft\StarCraft.exeC:\Starcraft\boxlsc.dll6ccd7e54-f1f0-11e1-a9ac-005056c00008

Error: (08/28/2012 11:09:29 AM) (Source: Application Error)(User: )
Description: StarCraft.exe1.16.1.1496589casmackw32.dll3.0.0.034bfa011c000000500005b6612f801cd854204ce60fcC:\Starcraft\StarCraft.exeC:\Starcraft\smackw32.dll81c46da6-f13b-11e1-a9ac-005056c00008

Error: (08/28/2012 11:09:19 AM) (Source: Application Error)(User: )
Description: StarCraft.exe1.16.1.1496589caboxlsc.dll0.0.0.0503d08ecc000000500001bec12f801cd854204ce60fcC:\Starcraft\StarCraft.exeC:\Starcraft\boxlsc.dll7c4ce343-f13b-11e1-a9ac-005056c00008

Error: (08/27/2012 06:02:12 PM) (Source: Application Hang)(User: )
Description: iexplore.exe9.0.8112.16448151401cd84b873dbca585C:\Program Files\Internet Explorer\iexplore.exe


=========================== Installed Programs ============================

µTorrent (Version: 3.0.0)
7-Zip 9.20 (x64 edition) (Version: 9.20.00.0)
Acrobat.com (Version: 0.0.0)
Acrobat.com (Version: 1.1.377)
Adobe Reader 9.5.2 (Version: 9.5.2)
AMD APP KernelAnalyzer 1.9 (Version: 1.9)
AMD APP Profiler 2.3 (Version: 2.3)
AMD APP SDK Developer (Version: 2.5.684.213)
AMD APP SDK Runtime (Version: 2.5.732.1)
AMD APP SDK Samples (Version: 2.5.684.213)
AMD Catalyst Install Manager (Version: 3.0.842.0)
AMD Drag and Drop Transcoding (Version: 2.00.0000)
AMD Media Foundation Decoders (Version: 1.0.60914.1136)
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (Version: 1.0.0.35)
Avidemux 2.5 (Version: 2.5.4.7200)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center (Version: 2011.0908.1355.23115)
Catalyst Control Center Graphics Previews Common (Version: 2011.0908.1355.23115)
Catalyst Control Center InstallProxy (Version: 2011.0908.1355.23115)
ccc-utility64 (Version: 2011.0908.1355.23115)
CCC Help English (Version: 2011.0908.1354.23115)
Crysis® (Version: 1.00.0000)
Crysis® 2 (Version: 1.0.0.0)
Deus Ex
E.Y.E Divine Cybermancy
FileZilla Client 3.5.3 (Version: 3.5.3)
FL DataStorm (Version: 4.01.0171)
Freelancer
Gothic III (Version: 1.0.0)
Gothic III Release Update (Version: 1.00.0000)
Half-Life (Version: Half-Life - Non Steam)
Intel® Management Engine Components (Version: 7.0.0.1144)
Intel® Rapid Storage Technology (Version: 10.1.0.1008)
Java Auto Updater (Version: 2.0.7.1)
Java™ 6 Update 31 (Version: 6.0.310)
MagicDisc 2.7.106
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft .NET Framework 4 Multi-Targeting Pack (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Game Studios Common Redistributables Pack 1 (Version: 1.0.0)
Microsoft Help Viewer 1.0 (Version: 1.0.30319)
Microsoft SQL Server 2008 Management Objects (Version: 10.0.1600.22)
Microsoft SQL Server Compact 3.5 SP2 ENU (Version: 3.5.8080.0)
Microsoft SQL Server Compact 3.5 SP2 x64 ENU (Version: 3.5.8080.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974 (Version: 9.0.30729.4974)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft Visual C++ 2010 Express - ENU (Version: 10.0.30319)
Microsoft Visual Studio 2008 Remote Debugger Light (x64) - ENU
Microsoft Visual Studio 2008 Remote Debugger Light (x64) - ENU (Version: 9.0.30729)
Microsoft Visual Studio 2008 Remote Debugger Light (x64) - ENU Service Pack 1 (KB945140) (Version: 1)
Microsoft Visual Studio 2010 Express Prerequisites x64 - ENU (Version: 10.0.30319)
Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries (Version: 6.1.5288.17011)
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu (Version: 3.5.30729)
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32 (Version: 6.1.5295.17011)
Microsoft XML Parser (Version: 8.20.8730.4)
mIRC (Version: 7.25)
Mobile PhoneTools (Version: 3.55)
NVIDIA PhysX v8.10.29 (Version: 8.10.29)
Oracle VM VirtualBox 4.1.20 (Version: 4.1.20)
PANTECH USB Modem V2 (Version: 1.2.4151.1109)
Python 2.7.2 (64-bit) (Version: 2.7.2150)
ScmDraft 2 0.8.1
Skype™ 5.9 (Version: 5.9.114)
Slik Subversion 1.7.5 (x86) (Version: 1.7.5.0)
SQL Server System CLR Types (Version: 10.0.1600.22)
StarCraft II (Version: 1.0.0.16117)
System Requirements Lab for Intel (Version: 4.4.24.0)
U.S. Cellular Broadband Connect (Version: 1.17)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (Version: 1)
VmciSockets (Version: 9.1.54.1)
VMware Player (Version: 4.0.2.28060)
WinPcap 4.1.2 (Version: 4.1.0.2001)
wLauncher (Version: 1.00)
XNResourceEditor 3.0.0.1

========================= Memory info: ===================================

Percentage of memory in use: 31%
Total physical RAM: 4061.05 MB
Available physical RAM: 2771.07 MB
Total Pagefile: 8120.29 MB
Available Pagefile: 6572.23 MB
Total Virtual: 4095.88 MB
Available Virtual: 3967.82 MB

========================= Partitions: =====================================

1 Drive c: (Boot) (Fixed) (Total:244.04 GB) (Free:154.32 GB) NTFS
2 Drive d: (BROODWAR) (CDROM) (Total:0.61 GB) (Free:0 GB) CDFS
3 Drive e: (FL_v1) (CDROM) (Total:0.58 GB) (Free:0 GB) CDFS
6 Drive s: (Storage) (Fixed) (Total:195.31 GB) (Free:98.68 GB) NTFS
7 Drive v: (VM) (Fixed) (Total:48.83 GB) (Free:25.41 GB) NTFS

========================= Users: ========================================

User accounts for \\ONE-PC

Administrator Guest one


**** End of log ****

#4 boxl (Topic Starter)
Posted 01 September 2012 - 06:01 PM

I should mention that I've never run the two files aswMBR detected as being infected, and they probably aren't malware anyway - I imagine the heuristic detected them because they are packed files that contain .dll injection code and such.

#5 boopme (Global Moderator)
Posted 01 September 2012 - 09:46 PM

Ok ...I didn't notice an antivirus.
Let's check for and confirm the MBR (Master Boot Record) rootkit.


Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.



Win32:Malware-gen is a heuristic detection for any kind of computer threat that performs numerous actions once executed. This major risk can root to system instability when not removed immediately. With its main payload of downloading and executing various malware, Win32:Malware-gen is expected to be a ruinous type of infection. Because of the threat characteristics, the payload may differ between specific threats to another. Although they came from one group, each variant is created with different role. Most common traits for members of this group are the following:

Probably incurred thru an illegal torrent download. If you want to leave it then I can go no farther.

I will give you these.
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 boxl (Topic Starter)
Posted 01 September 2012 - 11:56 PM


here is that log:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601

device: opened successfully
user: error reading MBR
error: Read The handle is invalid.
kernel: error reading MBR


Probably incurred thru an illegal torrent download. If you want to leave it then I can go no farther.

I'm not sure I understand this remark, are you accusing me of stealing software? You are providing me assistance and I appreciate it, but this is uncalled for. Did I misunderstand you?

Wloader/wDetector is a legitimate, free program for detecting cheaters in an online game. Nowhere did I say I intended to keep it, as you can see it is in a folder labeled 'junk'.
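A small checker for the mbr.exe output pasted above, added here as an example (it is not part of the thread and not a GMER tool): it reads the tool's "layer: status" lines and treats a failed user- and kernel-mode read as an inconclusive result rather than a clean one. The second, "OK" log is constructed and its wording is assumed.

```python
import re

# Log pasted in the thread (post #6 above).
LOG_FROM_THREAD = """\
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601

device: opened successfully
user: error reading MBR
error: Read The handle is invalid.
kernel: error reading MBR
"""

# Constructed sample of a run where both reads succeed (assumed wording, using the
# same "<layer>: <status>" line format the tool shows above).
LOG_CONSTRUCTED_OK = """\
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

LINE_RE = re.compile(r"^(device|user|kernel|error):\s*(.+?)\s*$")

def parse_mbr_log(text):
    """Map each 'layer: status' line to its status (a repeated key keeps the last value)."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            results[m.group(1)] = m.group(2)
    return results

def classify(text):
    """Return (verdict, reason); verdict is CLEAN, INCONCLUSIVE or SUSPICIOUS."""
    r = parse_mbr_log(text)
    if r.get("device") != "opened successfully":
        return "INCONCLUSIVE", "tool could not open the disk device"
    failed = [k for k in ("user", "kernel") if "error" in r.get(k, "error")]
    if failed:
        # A failed read produces no MBR to inspect, so a rootkit is neither
        # confirmed nor ruled out; this is the situation in the thread.
        return "INCONCLUSIVE", "MBR read failed at %s layer(s): %s" % (
            ", ".join(failed), r.get("error", "no error text"))
    if "MBR OK" in text:
        return "CLEAN", "user-mode and kernel-mode copies of the MBR agree"
    return "SUSPICIOUS", "both reads succeeded but the tool did not report MBR OK"
```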

#7 boopme (Global Moderator)
Posted 02 September 2012 - 12:38 PM

I see I was not clear. I am saying you probably got the infection from a torrent download. Many are illegal and carry malware.

I was referring to Malware Gen as what it usually is. In some cases perhaps it's a false positive and in a future update of the scan software it will be removed.

I work with what I have. I am not judging, only stating my realities from many, many logs.
Even if you used illegal software we would still clean the machine after it was removed.
Since you know that is safe then OK, we can go on. I just have spent too many hours removing and removing newly downloaded malwares from downloaders.

Did the MBR scan offer a repair option?

If so then run the Fix.
If not then it cannot and we need a deeper look to see what is happening.

In the latter...
Then the rootkit still exists.

Please go here....Preparation Guide ,do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9 which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If GMER won't run (it may not on a 64 bit system) skip it and move on.

Let me know if that went well.



