ROOT kit changing mbr


2 replies to this topic

#1 yano247

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:32 PM

Posted 19 February 2013 - 05:44 PM

I've done 3 reinstalls and this rootkit persists. First off, when I boot up I can't even press F8 if I wanted to; it takes me straight to Boot Manager. My Search and Destroy finds changed master boot records, and also I've never seen any volumes like this in diskpart:

Boot Device: \Device\HarddiskVolume1

When I did a rootkit scan it brought up files that I don't even get shown in Windows Explorer. I'm hoping that by looking at the log y'all will see the problem, because I've been dealing with this for so long it's too much to type. Thank you in advance for the help, and sorry for the grammar. Also, every malware scan I do shows a changed registry. In Task Manager, network traffic shows all kinds of users named SYSTEM, AUTHENTICATED USERS, ADMINISTRATORS, some with (BUILTIN) and some with (NT AUTHORITY). I'll let y'all ask specific questions because I have so much info but I'm not sure which of it is relevant.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 
Run by Jake at 16:31:57 on 2013-02-19
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3839.1246 [GMT -8:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\McAPExe.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe
C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe
C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
C:\Program Files (x86)\Acer\clear.fi\MVP\clear.fiAgent.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Acer\clear.fi\MVP\.\Kernel\DMR\DMREngine.exe
C:\Program Files (x86)\Nero\Update\NASvc.exe
C:\Program Files\McAfee\MAT\McPvTray.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
c:\PROGRA~2\mcafee\SITEAD~1\saui.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\McAfee\Platform\Core\mchost.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDRootAlyzer.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\vds.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDSysRepair.exe
C:\Windows\explorer.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDSysRepair.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\systempropertiesadvanced.exe
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://acer.msn.com
uDefault_Page_URL = hxxp://acer.msn.com
mStart Page = hxxp://acer.msn.com
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - 
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - 
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
uRun: [Spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
mRun: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"
mRun: [mcpltui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
dRunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid}
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{C68585C8-AF71-4724-8964-BC2058D2CAF3} : DHCPNameServer = 209.18.47.61 209.18.47.62
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = hxxp://acer.msn.com
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
.
INFO: x64-HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll
x64-Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1    www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2012-11-9 771096]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2012-11-9 339776]
R1 mwlPSDFilter;mwlPSDFilter;C:\Windows\System32\drivers\mwlPSDFilter.sys [2011-6-20 22912]
R1 mwlPSDNServ;mwlPSDNServ;C:\Windows\System32\drivers\mwlPSDNserv.sys [2011-6-20 20328]
R1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\System32\drivers\mwlPSDVDisk.sys [2011-6-20 62584]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
R2 GREGService;GREGService;C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [2010-1-8 23584]
R2 HomeNetSvc;McAfee Home Network;C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [2013-2-19 220856]
R2 Live Updater Service;Live Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2011-6-20 244624]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [2013-2-19 103472]
R2 McMPFSvc;McAfee Personal Firewall;C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [2013-2-19 220856]
R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [2013-2-19 220856]
R2 mcpltsvc;McAfee Platform Services;C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [2013-2-19 220856]
R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [2013-2-19 220856]
R2 McPvDrv;McPvDrv Driver;C:\Windows\System32\drivers\McPvDrv.sys [2013-2-19 74120]
R2 mfecore;McAfee Anti-Malware Core;C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [2013-2-19 1007288]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2013-2-19 218320]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\System32\mfevtps.exe [2013-2-19 177680]
R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2010-5-4 503080]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-2-19 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-2-19 1369624]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-2-19 168384]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-1-26 378984]
R3 cfwids;McAfee Inc. cfwids;C:\Windows\System32\drivers\cfwids.sys [2012-11-9 69672]
R3 HipShieldK;McAfee Inc. HipShieldK;C:\Windows\System32\drivers\HipShieldK.sys [2013-2-19 197264]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2012-11-9 309400]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\System32\drivers\mfefirek.sys [2012-11-9 515528]
R3 mfencbdc;McAfee Inc. mfencbdc;C:\Windows\System32\drivers\mfencbdc.sys [2012-11-2 328976]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-3-1 183560]
S3 EgisTec Ticket Service;EgisTec Ticket Service;C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe [2010-9-27 172912]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 mfencrk;McAfee Inc. mfencrk;C:\Windows\System32\drivers\mfencrk.sys [2012-11-2 97208]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-2-19 19456]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-2-19 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-2-19 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-2-19 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2013-02-19 23:21:42    691568    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-02-19 23:21:41    71024    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-19 22:39:40    --------    d-sh--w-    C:\Windows\System32\%APPDATA%
2013-02-19 21:08:01    --------    d-----w-    C:\ProgramData\Spybot - Search & Destroy
2013-02-19 21:07:45    --------    d-----w-    C:\ProgramData\Blizzard Entertainment
2013-02-19 21:07:45    --------    d-----w-    C:\Program Files (x86)\World of Warcraft Public Test
2013-02-19 21:07:45    --------    d-----w-    C:\Program Files (x86)\Common Files\Blizzard Entertainment
2013-02-19 21:07:39    17272    ----a-w-    C:\Windows\System32\sdnclean64.exe
2013-02-19 21:07:33    --------    d-----w-    C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-02-19 21:07:09    --------    d-----w-    C:\Users\Jake\AppData\Local\Programs
2013-02-19 21:06:01    --------    d-----w-    C:\ProgramData\Battle.net
2013-02-19 13:29:58    --------    d-----w-    C:\Program Files (x86)\MSXML 4.0
2013-02-19 13:03:16    197264    ----a-w-    C:\Windows\System32\drivers\HipShieldK.sys
2013-02-19 13:03:10    74120    ----a-w-    C:\Windows\System32\drivers\McPvDrv.sys
2013-02-19 13:03:09    --------    d-----w-    C:\Users\Jake\AppData\Local\McAfee File Lock
2013-02-19 13:02:56    --------    d-----w-    C:\Program Files (x86)\McAfee.com
2013-02-19 13:02:01    --------    d-----w-    C:\Program Files\McAfee.com
2013-02-19 13:02:01    --------    d-----w-    C:\Program Files\McAfee
2013-02-19 13:01:59    --------    d-----w-    C:\Program Files (x86)\McAfee
2013-02-19 12:55:24    177680    ----a-w-    C:\Windows\System32\mfevtps.exe
2013-02-19 12:55:19    --------    d-----w-    C:\Program Files\Common Files\McAfee
2013-02-19 12:37:57    996352    ----a-w-    C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-19 12:37:57    768000    ----a-w-    C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-19 12:27:57    3072    ----a-w-    C:\Windows\System32\drivers\en-US\tsusbflt.sys.mui
2013-02-19 12:26:34    514560    ----a-w-    C:\Windows\SysWow64\qdvd.dll
2013-02-19 12:26:34    366592    ----a-w-    C:\Windows\System32\qdvd.dll
2013-02-19 12:26:30    96768    ----a-w-    C:\Windows\SysWow64\sspicli.dll
2013-02-19 12:26:30    458712    ----a-w-    C:\Windows\System32\drivers\cng.sys
2013-02-19 12:26:30    340992    ----a-w-    C:\Windows\System32\schannel.dll
2013-02-19 12:26:30    247808    ----a-w-    C:\Windows\SysWow64\schannel.dll
2013-02-19 12:26:30    22016    ----a-w-    C:\Windows\SysWow64\secur32.dll
2013-02-19 12:26:30    154480    ----a-w-    C:\Windows\System32\drivers\ksecpkg.sys
2013-02-19 12:26:30    1448448    ----a-w-    C:\Windows\System32\lsasrv.dll
2013-02-19 12:26:20    1139200    ----a-w-    C:\Windows\System32\FntCache.dll
2013-02-19 12:26:19    902656    ----a-w-    C:\Windows\System32\d2d1.dll
2013-02-19 12:26:19    739840    ----a-w-    C:\Windows\SysWow64\d2d1.dll
2013-02-19 11:42:24    9728    ----a-w-    C:\Windows\System32\Wdfres.dll
2013-02-19 11:42:24    785512    ----a-w-    C:\Windows\System32\drivers\Wdf01000.sys
2013-02-19 11:42:24    54376    ----a-w-    C:\Windows\System32\drivers\WdfLdr.sys
2013-02-19 11:42:24    2560    ----a-w-    C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2013-02-19 11:08:06    70656    ----a-w-    C:\Windows\SysWow64\fontsub.dll
2013-02-19 11:08:06    46080    ----a-w-    C:\Windows\System32\atmlib.dll
2013-02-19 11:08:06    34304    ----a-w-    C:\Windows\SysWow64\atmlib.dll
2013-02-19 11:08:06    100864    ----a-w-    C:\Windows\System32\fontsub.dll
2013-02-19 11:08:05    367616    ----a-w-    C:\Windows\System32\atmfd.dll
2013-02-19 11:08:05    295424    ----a-w-    C:\Windows\SysWow64\atmfd.dll
2013-02-19 11:07:35    87040    ----a-w-    C:\Windows\System32\drivers\WUDFPf.sys
2013-02-19 11:07:35    84992    ----a-w-    C:\Windows\System32\WUDFSvc.dll
2013-02-19 11:07:35    45056    ----a-w-    C:\Windows\System32\WUDFCoinstaller.dll
2013-02-19 11:07:35    198656    ----a-w-    C:\Windows\System32\drivers\WUDFRd.sys
2013-02-19 11:07:35    194048    ----a-w-    C:\Windows\System32\WUDFPlatform.dll
2013-02-19 11:07:34    744448    ----a-w-    C:\Windows\System32\WUDFx.dll
2013-02-19 11:07:34    229888    ----a-w-    C:\Windows\System32\WUDFHost.exe
2013-02-19 11:06:02    81408    ----a-w-    C:\Windows\System32\imagehlp.dll
2013-02-19 11:06:02    23408    ----a-w-    C:\Windows\System32\drivers\fs_rec.sys
2013-02-19 11:06:02    159232    ----a-w-    C:\Windows\SysWow64\imagehlp.dll
2013-02-19 11:06:01    5120    ----a-w-    C:\Windows\SysWow64\wmi.dll
2013-02-19 11:06:01    5120    ----a-w-    C:\Windows\System32\wmi.dll
2013-02-19 11:03:01    2048    ----a-w-    C:\Windows\SysWow64\tzres.dll
2013-02-19 11:03:01    2048    ----a-w-    C:\Windows\System32\tzres.dll
2013-02-19 11:01:54    424448    ----a-w-    C:\Windows\System32\KernelBase.dll
2013-02-19 11:00:21    805376    ----a-w-    C:\Windows\SysWow64\cdosys.dll
2013-02-19 10:59:58    723456    ----a-w-    C:\Windows\System32\EncDec.dll
2013-02-19 10:58:36    70656    ----a-w-    C:\Windows\System32\nlaapi.dll
2013-02-19 10:57:50    7680    ----a-w-    C:\Windows\SysWow64\instnm.exe
2013-02-19 10:56:59    75776    ----a-w-    C:\Windows\SysWow64\psisrndr.ax
2013-02-19 10:55:54    67072    ----a-w-    C:\Windows\splwow64.exe
2013-02-19 10:55:54    559104    ----a-w-    C:\Windows\System32\spoolsv.exe
2013-02-19 10:55:52    1731920    ----a-w-    C:\Windows\System32\ntdll.dll
2013-02-19 10:55:52    1292080    ----a-w-    C:\Windows\SysWow64\ntdll.dll
2013-02-19 10:45:11    184320    ----a-w-    C:\Windows\System32\cryptsvc.dll
2013-02-19 10:45:11    1464320    ----a-w-    C:\Windows\System32\crypt32.dll
2013-02-19 10:45:11    140288    ----a-w-    C:\Windows\SysWow64\cryptsvc.dll
2013-02-19 10:45:11    140288    ----a-w-    C:\Windows\System32\cryptnet.dll
2013-02-19 10:45:11    1159680    ----a-w-    C:\Windows\SysWow64\crypt32.dll
2013-02-19 10:45:11    103936    ----a-w-    C:\Windows\SysWow64\cryptnet.dll
2013-02-19 10:44:51    77312    ----a-w-    C:\Windows\System32\packager.dll
2013-02-19 10:44:51    67072    ----a-w-    C:\Windows\SysWow64\packager.dll
2013-02-19 10:44:30    826880    ----a-w-    C:\Windows\SysWow64\rdpcore.dll
2013-02-19 10:44:30    23552    ----a-w-    C:\Windows\System32\drivers\tdtcp.sys
2013-02-19 10:44:30    1031680    ----a-w-    C:\Windows\System32\rdpcore.dll
2013-02-19 10:41:02    --------    d-----w-    C:\Users\Jake\AppData\Local\Google
2013-02-19 10:40:23    --------    d-----w-    C:\Users\Jake\AppData\Local\Deployment
2013-02-19 10:40:23    --------    d-----w-    C:\Users\Jake\AppData\Local\Apps
2013-02-19 10:39:44    2622464    ----a-w-    C:\Windows\System32\wucltux.dll
2013-02-19 10:39:35    99840    ----a-w-    C:\Windows\System32\wudriver.dll
2013-02-19 10:38:45    36864    ----a-w-    C:\Windows\System32\wuapp.exe
2013-02-19 10:38:45    186752    ----a-w-    C:\Windows\System32\wuwebv.dll
2013-02-19 10:32:55    --------    d-----w-    C:\Windows\pss
2013-02-19 10:30:07    --------    d-----w-    C:\ProgramData\clear.fi
2013-02-19 10:27:09    --------    d-----w-    C:\Users\Jake\AppData\Roaming\OEM
2013-02-19 10:27:08    --------    d-----w-    C:\Users\Jake\AppData\Local\EgisTec IPS
2013-02-19 10:25:35    --------    d-----w-    C:\Program Files (x86)\OEM
2013-02-19 10:25:25    --------    d-----w-    C:\ProgramData\OEM_E471269A730D
2013-02-19 10:25:12    --------    d-----w-    C:\Program Files (x86)\Times Reader
2013-02-19 10:10:09    --------    d-----w-    C:\Program Files (x86)\Barnes & Noble
2013-02-19 10:02:19    --------    d-----w-    C:\Program Files (x86)\Microsoft
2013-02-19 09:57:08    --------    d-----w-    C:\Program Files (x86)\NVIDIA Corporation
2013-02-19 09:53:15    --------    d-----w-    C:\ProgramData\EgisTec
2013-02-19 09:53:13    --------    d---a-w-    C:\book
2013-02-19 09:42:38    --------    d-----w-    C:\Windows\NAPP_Dism_Log
.
==================== Find3M  ====================
.
2013-01-05 05:53:43    5553512    ----a-w-    C:\Windows\System32\ntoskrnl.exe
2013-01-05 05:00:15    3967848    ----a-w-    C:\Windows\SysWow64\ntkrnlpa.exe
2013-01-05 05:00:11    3913064    ----a-w-    C:\Windows\SysWow64\ntoskrnl.exe
2013-01-04 05:46:09    215040    ----a-w-    C:\Windows\System32\winsrv.dll
2013-01-04 04:51:16    5120    ----a-w-    C:\Windows\SysWow64\wow32.dll
2013-01-04 04:43:21    44032    ----a-w-    C:\Windows\apppatch\acwow64.dll
2013-01-04 03:26:48    3153408    ----a-w-    C:\Windows\System32\win32k.sys
2013-01-04 02:47:35    25600    ----a-w-    C:\Windows\SysWow64\setup16.exe
2013-01-04 02:47:34    2048    ----a-w-    C:\Windows\SysWow64\user.exe
2013-01-04 02:47:33    14336    ----a-w-    C:\Windows\SysWow64\ntvdm64.dll
2013-01-03 06:00:54    1913192    ----a-w-    C:\Windows\System32\drivers\tcpip.sys
2013-01-03 06:00:42    288088    ----a-w-    C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-12-07 13:20:16    441856    ----a-w-    C:\Windows\System32\Wpc.dll
2012-12-07 13:15:31    2746368    ----a-w-    C:\Windows\System32\gameux.dll
2012-12-07 12:26:17    308736    ----a-w-    C:\Windows\SysWow64\Wpc.dll
2012-12-07 12:20:43    2576384    ----a-w-    C:\Windows\SysWow64\gameux.dll
2012-12-07 11:20:04    30720    ----a-w-    C:\Windows\System32\usk.rs
2012-12-07 11:20:03    43520    ----a-w-    C:\Windows\System32\csrr.rs
2012-12-07 11:20:03    23552    ----a-w-    C:\Windows\System32\oflc.rs
2012-12-07 11:20:01    45568    ----a-w-    C:\Windows\System32\oflc-nz.rs
2012-12-07 11:20:01    44544    ----a-w-    C:\Windows\System32\pegibbfc.rs
2012-12-07 11:20:01    20480    ----a-w-    C:\Windows\System32\pegi-fi.rs
2012-12-07 11:20:00    20480    ----a-w-    C:\Windows\System32\pegi-pt.rs
2012-12-07 11:19:59    20480    ----a-w-    C:\Windows\System32\pegi.rs
2012-12-07 11:19:58    46592    ----a-w-    C:\Windows\System32\fpb.rs
2012-12-07 11:19:57    40960    ----a-w-    C:\Windows\System32\cob-au.rs
2012-12-07 11:19:57    21504    ----a-w-    C:\Windows\System32\grb.rs
2012-12-07 11:19:57    15360    ----a-w-    C:\Windows\System32\djctq.rs
2012-12-07 11:19:56    55296    ----a-w-    C:\Windows\System32\cero.rs
2012-12-07 11:19:55    51712    ----a-w-    C:\Windows\System32\esrb.rs
2012-11-30 05:45:35    362496    ----a-w-    C:\Windows\System32\wow64win.dll
2012-11-30 05:45:35    243200    ----a-w-    C:\Windows\System32\wow64.dll
2012-11-30 05:45:35    13312    ----a-w-    C:\Windows\System32\wow64cpu.dll
2012-11-30 05:43:12    16384    ----a-w-    C:\Windows\System32\ntvdm64.dll
2012-11-30 04:53:59    274944    ----a-w-    C:\Windows\SysWow64\KernelBase.dll
2012-11-30 03:23:48    338432    ----a-w-    C:\Windows\System32\conhost.exe
2012-11-30 02:38:59    6144    ---ha-w-    C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38:59    4608    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38:59    3584    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38:59    3072    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-11-23 03:13:57    68608    ----a-w-    C:\Windows\System32\taskhost.exe
2012-11-22 05:44:23    800768    ----a-w-    C:\Windows\System32\usp10.dll
2012-11-22 04:45:03    626688    ----a-w-    C:\Windows\SysWow64\usp10.dll
.
============= FINISH: 16:32:34.46 ===============
#2 nasdaq

  • Malware Response Team
  • 39,586 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:32 PM

Posted 21 February 2013 - 10:35 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Nothing suspicious was found on your DDS log.

Please Download

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
  • There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.
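As an added example (not code from this thread, nor from TDSSKiller or aswMBR), the script below shows what a defender does with a raw MBR dump like the MBR.dat file the aswMBR steps above produce: it checks the 0x55AA boot signature, lists the partition table, and compares a SHA-256 of the 440-byte bootstrap code region against a baseline hash taken from a known-good image of the same disk. That hash comparison is the kind of check that surfaces a "changed master boot record" like the one the first post describes. The sample MBR bytes, the baseline hash and the tampered copy are all constructed inside the script; it assumes the dump is a raw 512-byte sector image. Because an active bootkit can filter sector reads on the running system, the trustworthy comparison is against a dump taken from rescue media or from a known-clean boot.

```python
"""Parse a raw 512-byte MBR image and compare it with a known-good baseline.

Added example for this thread, not part of any tool mentioned here; the
sample MBR bytes and the baseline hash below are constructed for the demo.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bootstrap code area, before the 4-byte disk signature
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

# A few common partition type IDs; anything else is reported as a hex value.
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x27: "Windows RE", 0x83: "Linux", 0xEE: "GPT protective"}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a valid MBR with one active NTFS partition (constructed test data)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"  # disk signature + 2 reserved bytes
    # entry layout: status, CHS start, type, CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)           # three unused entries
    return code + disk_sig + table + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Return the boot-signature check, disk signature, boot-code hash and partitions."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from("<B3sB3sII", mbr, off)
        if ptype == 0:           # unused entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": PART_TYPES.get(ptype, f"0x{ptype:02x}"),
                           "lba_start": lba, "sectors": count})
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing unexpected was seen."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    return findings


# Constructed samples: a "known-good" image and a copy with one bootstrap byte changed.
SAMPLE_GOOD = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_SHA256 = parse_mbr(SAMPLE_GOOD)["boot_code_sha256"]
SAMPLE_TAMPERED = bytes([0xEB]) + SAMPLE_GOOD[1:]

if __name__ == "__main__":
    # For a real dump, replace SAMPLE_GOOD with open("MBR.dat", "rb").read()
    # and BASELINE_SHA256 with the hash recorded from a clean image of the disk.
    for name, image in (("good", SAMPLE_GOOD), ("tampered", SAMPLE_TAMPERED)):
        info = parse_mbr(image)
        print(name, "partitions:", info["partitions"])
        print(name, "findings:", check_mbr(image, BASELINE_SHA256) or "none")
```

The partition-table listing is there so an unexpected extra active partition or a bootstrap region that no longer hashes to the baseline both show up as explicit findings rather than having to be spotted by eye in a hex dump.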


#3 nasdaq

  • Malware Response Team
  • 39,586 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:32 PM

Posted 28 February 2013 - 09:38 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
