TechSpot

Malware & Trojan Infection at Office, Browser Redirects

By mysticsyphon
Jun 4, 2011
  1. Hello, trying to clean out an office computer that's pretty deeply infected. Firefox will redirect any pages relating to antivirus/antimalware to spam sites. Chrome entirely won't load pages at all. Ran the requisite scans. Logs are below. Any help is appreciated, thanks.

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6773

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    6/4/2011 2:05:06 PM
    mbam-log-2011-06-04 (14-05-06).txt

    Scan type: Quick scan
    Objects scanned: 147223
    Time elapsed: 2 minute(s), 52 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Alice\AppData\Local\jjd.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\Alice\AppData\Local\jjd.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ---

    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit quick scan 2011-06-04 14:10:23
    Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200AAKS-75L9A0 rev.02.03E02
    Running: n4ey1pb7.exe; Driver: C:\Users\Alice\AppData\Local\Temp\uglorpog.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:248] 861BAE7A
    Thread System [4:252] 861BD008

    ---- EOF - GMER 1.0.15 ----

    ---

    .
    DDS (Ver_2011-06-03.01) - NTFSx86
    Internet Explorer: 8.0.7600.16385
    Run by Alice at 14:11:05 on 2011-06-04
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3292.2531 [GMT -7:00]
    .
    AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Realtek\Audio\HDA\RtDCpl.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Windows\System32\ctfmon.exe
    C:\Program Files\Interwise\Participant\pull.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://mail.google.com/a/montereyparkinsurance.com
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtDCpl.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    StartupFolder: c:\users\alice\appdata\roaming\micros~1\windows\startm~1\programs\startup\setup_~1.lnk - c:\users\alice\desktop\av\virus removal tool\setup_9.0.0.722_29.05.2011_00-21\startup.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pushcl~1.lnk - c:\program files\interwise\participant\pull.exe
    uPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    mPolicies-system: EnableLinkedConnections = 1 (0x1)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{71B5D565-7FA6-446F-BE74-66DF58DB3738} : DhcpNameServer = 192.168.1.1
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\alice\appdata\roaming\mozilla\firefox\profiles\usnh55gh.default\
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1970.7372\npCIDetect14.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 61036962;61036962 Boot Guard Driver;c:\windows\system32\drivers\61036962.sys [2011-5-28 37392]
    R1 61036961;61036961;c:\windows\system32\drivers\61036961.sys [2011-5-28 128016]
    R1 setup_9.0.0.722_29.05.2011_00-21drv;setup_9.0.0.722_29.05.2011_00-21drv;c:\windows\system32\drivers\6103696.sys [2011-5-28 311312]
    R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-12-21 137144]
    R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2011-1-12 810144]
    R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2010-12-21 95384]
    R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2010-3-18 273448]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-3 136176]
    S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-4 366640]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-3 136176]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-4 39984]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-8 1343400]
    .
    =============== Created Last 30 ================
    .
    2011-06-04 21:00:33 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-04 21:00:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-29 01:30:05 94040 ----a-w- c:\program files\common files\windows live\.cache\ef99230a1cc1d9f18\DSETUP.dll
    2011-05-29 01:30:05 525656 ----a-w- c:\program files\common files\windows live\.cache\ef99230a1cc1d9f18\DXSETUP.exe
    2011-05-29 01:30:05 1691480 ----a-w- c:\program files\common files\windows live\.cache\ef99230a1cc1d9f18\dsetup32.dll
    2011-05-29 01:30:03 94040 ----a-w- c:\program files\common files\windows live\.cache\eeaacb481cc1d9f17\DSETUP.dll
    2011-05-29 01:30:03 525656 ----a-w- c:\program files\common files\windows live\.cache\eeaacb481cc1d9f17\DXSETUP.exe
    2011-05-29 01:30:03 1691480 ----a-w- c:\program files\common files\windows live\.cache\eeaacb481cc1d9f17\dsetup32.dll
    2011-05-29 01:29:28 -------- d-----w- c:\users\alice\appdata\local\Windows Live
    2011-05-29 01:28:21 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
    2011-05-29 00:29:46 -------- d-sh--w- C:\found.000
    2011-05-29 00:25:04 -------- d-----w- c:\program files\CCleaner
    2011-05-28 23:46:23 -------- d-----w- c:\program files\ESET
    2011-05-28 21:33:10 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2011-05-28 21:26:59 -------- d-----w- c:\programdata\Kaspersky Lab
    2011-05-28 21:26:28 37392 ----a-w- c:\windows\system32\drivers\61036962.sys
    2011-05-28 21:26:28 311312 ----a-w- c:\windows\system32\drivers\6103696.sys
    2011-05-28 21:26:28 128016 ----a-w- c:\windows\system32\drivers\61036961.sys
    2011-05-28 20:59:27 -------- d-----w- c:\users\alice\appdata\roaming\Malwarebytes
    2011-05-28 20:59:24 -------- d-----w- c:\programdata\Malwarebytes
    2011-05-28 01:29:37 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{cb9ebe1f-2b0b-4eea-b281-ae721744e86e}\mpengine.dll
    2011-05-19 17:00:00 123904 ----a-w- c:\windows\system32\poqexec.exe
    2011-05-11 17:12:36 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-05-11 17:12:36 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
    .
    ==================== Find3M ====================
    .
    2011-03-12 11:31:58 442880 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-03-11 05:44:09 146304 ----a-w- c:\windows\system32\drivers\storport.sys
    2011-03-11 05:44:01 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
    2011-03-11 05:44:01 1210240 ----a-w- c:\windows\system32\drivers\ntfs.sys
    2011-03-11 05:44:01 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
    2011-03-11 05:43:55 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
    2011-03-11 05:43:46 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
    2011-03-11 05:43:46 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
    2011-03-11 05:40:24 1164288 ----a-w- c:\windows\system32\mfc42u.dll
    2011-03-11 05:40:24 1137664 ----a-w- c:\windows\system32\mfc42.dll
    2011-03-11 05:39:35 1686016 ----a-w- c:\windows\system32\esent.dll
    2011-03-11 05:37:34 74240 ----a-w- c:\windows\system32\fsutil.exe
    2011-03-08 05:38:13 740864 ----a-w- c:\windows\system32\inetcomm.dll
    .
    ============= FINISH: 14:11:36.67 ===============

    ---

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-03.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 6/3/2010 7:27:48 PM
    System Uptime: 6/4/2011 2:06:20 PM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0F0TGN
    Processor: Intel(R) Core(TM)2 Duo CPU E7400 @ 2.80GHz | CPU | 2800/1066mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 297 GiB total, 268.037 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP163: 5/28/2011 4:45:38 PM - ComboFix created restore point
    RP165: 5/28/2011 4:46:17 PM - Installed ESET NOD32 Antivirus
    RP166: 5/28/2011 6:28:23 PM - Windows Update
    RP167: 5/28/2011 6:30:45 PM - Windows Update
    RP168: 5/28/2011 6:32:27 PM - Windows Update
    RP169: 6/3/2011 5:36:26 PM - Windows Update
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    Adobe Acrobat 4.0
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.2
    AnswerWorks 5.0 English Runtime
    AT&T Connect Participant
    Broadcom NetXtreme-I Netlink Driver and Management Installer
    Canon MF Toolbox 4.9.1.1.mf10
    Canon MF6500 Series
    CCleaner
    Chinese Simplified Fonts Support For Adobe Reader 9
    CutePDF Writer 2.8
    Dell Edoc Viewer
    ESET NOD32 Antivirus
    Google Chrome
    Google Earth Plug-in
    Google Update Helper
    Google Updater
    GoToMeeting 4.5.0.457
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) TV Wizard
    Java(TM) 6 Update 17
    Junk Mail filter update
    Malwarebytes' Anti-Malware version 1.51.0.1200
    Microsoft .NET Framework 4 Client Profile
    Microsoft Access 2002 Runtime
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office 2000 SR-1 Standard
    Microsoft Office Live Meeting 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Mozilla Firefox (3.6.17)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NJStar Chinese WP
    Picasa 3
    PowerDVD DX
    Prime 2000 Workstation
    Quicken 2010
    QuickFile Florida
    QuickQuote Runtime Files
    Realtek High Definition Audio Driver
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE 10.3
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Soap Toolkit 3
    Total Access Memo 2003 Runtime
    WebEx
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    WkSetup
    .
    ==== Event Viewer Messages From Past Week ========
    .
    61036961 discache SASDIFSV SASKUTIL setup_9.0.0.722_29.05.2011_00-21drv spldr Wanarpv6
    61036961 AFD CSC DfsC discache ehdrv NetBIOS NetBT nsiproxy Psched rdbss setup_9.0.0.722_29.05.2011_00-21drv spldr tdx Wanarpv6 WfpLwf
    6/4/2011 2:08:36 PM, Error: Service Control Manager [7001] - The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.
    6/4/2011 2:08:36 PM, Error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.
    6/4/2011 2:08:11 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk6\DR6.
    6/3/2011 6:00:41 PM, Error: Microsoft-Windows-Application-Experience [205] - The Program Compatibility Assistant service failed to perform the phase two initialization.
    5/28/2011 6:00:01 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    5/28/2011 5:39:03 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
    5/28/2011 5:39:03 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    5/28/2011 5:32:42 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    5/28/2011 5:32:42 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    5/28/2011 5:32:42 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    5/28/2011 5:32:41 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    5/28/2011 5:32:38 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    5/28/2011 5:32:35 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    5/28/2011 5:32:28 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load:
    5/28/2011 5:32:27 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    5/28/2011 5:32:27 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    5/28/2011 5:32:27 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    5/28/2011 5:32:27 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    5/28/2011 5:32:27 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    5/28/2011 5:32:27 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    5/28/2011 5:32:27 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    5/28/2011 5:32:27 PM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    5/28/2011 5:32:27 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    5/28/2011 5:32:27 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    5/28/2011 5:32:27 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    5/28/2011 4:46:28 PM, Error: Service Control Manager [7030] - The ESET Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    5/28/2011 4:43:33 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume OS.
    5/28/2011 4:43:33 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
    5/28/2011 4:41:07 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    5/28/2011 4:41:05 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    5/28/2011 3:47:08 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    5/28/2011 2:18:07 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx Wanarpv6 WfpLwf
    5/28/2011 1:57:32 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
    .
    ==== End Of File ===========================
     
  2. mysticsyphon

    mysticsyphon TS Rookie Topic Starter

    aswMBR log - bolded are red items

    aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
    Run date: 2011-06-04 14:21:36
    -----------------------------
    14:21:36.104 OS Version: Windows 6.1.7600
    14:21:36.104 Number of processors: 2 586 0x170A
    14:21:36.104 ComputerName: ALICE-PC UserName: Alice
    14:21:38.335 Initialize success
    14:21:47.867 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    14:21:47.882 Disk 0 Vendor: WDC_WD3200AAKS-75L9A0 02.03E02 Size: 305245MB BusType: 3
    14:21:49.910 Disk 0 MBR read successfully
    14:21:49.910 Disk 0 MBR scan
    14:21:49.910 Disk 0 Windows 7 default MBR code
    14:21:51.923 Disk 0 scanning sectors +625139712
    14:21:51.954 Disk 0 scanning C:\Windows\system32\drivers
    14:21:55.885 Service scanning
    14:21:56.774 Disk 0 trace - called modules:
    14:21:56.790 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x861b61ed]<<
    14:21:56.790 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x860f1030]
    14:21:56.790 3 CLASSPNP.SYS[8bba959e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85c3e030]
    14:21:56.805 \Driver\atapi[0x85c3df38] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x861b61ed
    14:21:56.805 Scan finished successfully
    14:24:17.330 Disk 0 MBR has been saved successfully to "C:\Users\Alice\Desktop\MBR.dat"
    14:24:17.330 The log file has been saved successfully to "C:\Users\Alice\Desktop\aswMBR.txt"
     
  3. mysticsyphon

    mysticsyphon TS Rookie Topic Starter

    Rootkit Unhooker log

    RkU Version: 3.8.389.593, Type LE (SR2)
    ==============================================
    OS Name: Windows 7
    Version 6.1.7600
    Number of processors #2
    ==============================================
    >Drivers
    ==============================================
    0x92C12000 C:\Windows\system32\DRIVERS\igdkmd32.sys 6451200 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)
    0x91E0E000 C:\Windows\system32\DRIVERS\61036961.sys 5373952 bytes (Kaspersky Lab, Kaspersky Unified Driver)
    0x82A55000 C:\Windows\system32\ntkrnlpa.exe 4259840 bytes (Microsoft Corporation, NT Kernel & System)
    0x82A55000 PnpManager 4259840 bytes
    0x82A55000 RAW 4259840 bytes
    0x82A55000 WMIxWDM 4259840 bytes
    0x97A2F000 C:\Windows\system32\drivers\RTDVHDA.sys 2744320 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
    0x980F0000 Win32k 2404352 bytes
    0x980F0000 C:\Windows\System32\win32k.sys 2404352 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0x8BE0D000 C:\Windows\System32\drivers\tcpip.sys 1347584 bytes (Microsoft Corporation, TCP/IP Driver)
    0x8BA38000 C:\Windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
    0x93239000 C:\Windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)
    0x8BCA7000 C:\Windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
    0x8B6F7000 C:\Windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
    0x8F212000 C:\Windows\system32\DRIVERS\eamonm.sys 679936 bytes (ESET, Amon monitor)
    0x99A26000 C:\Windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
    0x8F318000 C:\Windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0x8B624000 C:\Windows\system32\mcupdate_GenuineIntel.dll 491520 bytes (Microsoft Corporation, Intel Microcode Update Library)
    0x8B82D000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
    0x90A80000 C:\Windows\system32\drivers\csc.sys 409600 bytes (Microsoft Corporation, Windows Client Side Caching Driver)
    0x8BC33000 C:\Windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
    0x90D1F000 C:\Windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0x99B44000 C:\Windows\System32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
    0x90C15000 C:\Windows\system32\DRIVERS\6103696.sys 327680 bytes (Kaspersky Lab, Klif Mini-Filter [fre_wlh_x86])
    0x99AF5000 C:\Windows\System32\DRIVERS\srv2.sys 323584 bytes (Microsoft Corporation, Smb 2.0 Server driver)
    0x93397000 C:\Windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0x8B95B000 C:\Windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
    0x8B8AC000 C:\Windows\system32\DRIVERS\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
    0x93348000 C:\Windows\system32\DRIVERS\k57nd60x.sys 278528 bytes (Broadcom Corporation, Broadcom NetLink (TM) Gigabit Ethernet NDIS6.x Unified Driver.)
    0x90B87000 C:\Windows\system32\DRIVERS\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
    0x8B6B5000 C:\Windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
    0x90A1F000 C:\Windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0x8BF90000 C:\Windows\system32\DRIVERS\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
    0x8BD5E000 C:\Windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
    0x97DA9000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
    0x932F0000 C:\Windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)
    0x82A1E000 ACPI_HAL 225280 bytes
    0x82A1E000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0x8B7A2000 C:\Windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0x90B45000 C:\Windows\system32\DRIVERS\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
    0x8BC00000 C:\Windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
    0x90D79000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
    0x8BF56000 C:\Windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
    0x97CCD000 C:\Windows\system32\drivers\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0x8BDC1000 C:\Windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
    0x8BB67000 C:\Windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
    0x99BB7000 C:\Windows\System32\Drivers\fastfat.SYS 172032 bytes (Microsoft Corporation, Fast FAT File System Driver)
    0x8B905000 C:\Windows\system32\DRIVERS\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
    0x8BBA5000 C:\Windows\system32\DRIVERS\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
    0x8BD9C000 C:\Windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
    0x8B9DA000 C:\Windows\system32\DRIVERS\ataport.SYS 143360 bytes (Microsoft Corporation, ATAPI Driver Extension)
    0x8F3C8000 C:\Windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0x923B7000 C:\Windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0x99AC7000 C:\Windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
    0x9232E000 C:\Windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
    0x90C9E000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
    0x99B96000 C:\Windows\system32\DRIVERS\WUDFRd.sys 135168 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Reflector)
    0x8BA00000 C:\Windows\system32\DRIVERS\cdrom.sys 126976 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
    0x90C73000 C:\Windows\system32\DRIVERS\ehdrv.sys 126976 bytes (ESET, ESET Helper driver)
    0x93329000 C:\Windows\system32\DRIVERS\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
    0x90DB2000 C:\Windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
    0x98380000 C:\Windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)
    0x97D8E000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
    0x97DE4000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
    0x90DDF000 C:\Windows\system32\DRIVERS\serial.sys 106496 bytes (Microsoft Corporation, Serial Device Driver)
    0x8F2B8000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
    0x8F39D000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
    0x97CFC000 C:\Windows\system32\drivers\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
    0x97A00000 C:\Windows\system32\DRIVERS\epfwwfpr.sys 102400 bytes (ESET, ESET Personal Firewall driver)
    0xB1EA9000 C:\Users\Alice\AppData\Local\Temp\uglorpog.sys 102400 bytes
    0x90AE4000 C:\Windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
    0x9236A000 C:\Windows\system32\DRIVERS\parport.sys 98304 bytes (Microsoft Corporation, Parallel Port Driver)
    0x92394000 C:\Windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
    0x923D9000 C:\Windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
    0x90B0A000 C:\Windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
    0x90B21000 C:\Windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
    0x90CFD000 C:\Windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
    0x8F2D2000 C:\Windows\system32\DRIVERS\USBSTOR.SYS 94208 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
    0x8B9BB000 C:\Windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
    0x97D67000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 77824 bytes (Microsoft Corporation, Hid Class Library)
    0x8BB92000 C:\Windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0x8F2F9000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
    0x90C00000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
    0x92382000 C:\Windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)
    0x9234F000 C:\Windows\system32\DRIVERS\intelppm.sys 73728 bytes (Microsoft Corporation, Processor Device Driver)
    0x8F3B6000 C:\Windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
    0x8BFEF000 C:\Windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
    0x97D40000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
    0x8B809000 C:\Windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
    0x90BCB000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
    0x8B93A000 C:\Windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
    0x8B69C000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
    0x8F2E9000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
    0x8BFD7000 C:\Windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
    0x8BA1F000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Remote Desktop Server Driver)
    0x8B94B000 C:\Windows\system32\DRIVERS\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
    0x933E2000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
    0x90AFC000 C:\Windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
    0x90DD1000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
    0x90CEF000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
    0x8B9AD000 C:\Windows\system32\DRIVERS\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
    0x8BC90000 C:\Windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
    0x90B79000 C:\Windows\system32\DRIVERS\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
    0x8B89E000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
    0x8BE00000 C:\Windows\system32\DRIVERS\61036962.sys 53248 bytes (Kaspersky Lab, Kaspersky Lab Boot Guard Driver)
    0x92C00000 C:\Windows\system32\DRIVERS\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
    0x97D1F000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
    0x91E00000 C:\Windows\system32\DRIVERS\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
    0x90B38000 C:\Windows\system32\DRIVERS\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
    0x99AE8000 C:\Windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
    0x90CBF000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
    0x90A74000 C:\Windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
    0x8F30C000 C:\Windows\system32\DRIVERS\kbdhid.sys 49152 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
    0x90C92000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0xB1EC9000 C:\Users\Alice\AppData\Local\Temp\aswMBR.sys 45056 bytes
    0x97D2C000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
    0x97D5C000 C:\Windows\system32\DRIVERS\hidusb.sys 45056 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
    0x97D51000 C:\Windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
    0x97D83000 C:\Windows\system32\DRIVERS\mouhid.sys 45056 bytes (Microsoft Corporation, HID Mouse Filter Driver)
    0x90CE4000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
    0x923AC000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0x90D14000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
    0x9338C000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
    0x8B92F000 C:\Windows\system32\DRIVERS\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
    0x97D15000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
    0x90A6A000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
    0x90A60000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
    0x8B81A000 C:\Windows\System32\Drivers\PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
    0x923F1000 C:\Windows\system32\DRIVERS\rdpbus.sys 40960 bytes (Microsoft Corporation, Microsoft RDP Bus Device driver)
    0x99ABD000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
    0x933F1000 C:\Windows\system32\DRIVERS\serenum.sys 40960 bytes (Microsoft Corporation, Serial Port Enumerator)
    0x8B800000 C:\Windows\system32\drivers\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
    0x8B9D1000 C:\Windows\system32\DRIVERS\atapi.sys 36864 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
    0xB1EDD000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
    0x97D37000 C:\Windows\System32\Drivers\dump_atapi.sys 36864 bytes
    0x8BC9E000 C:\Windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
    0x98350000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
    0x8BF87000 C:\Windows\system32\DRIVERS\vmstorfl.sys 36864 bytes (Microsoft Corporation, Virtual Storage Filter Driver)
    0x92361000 C:\Windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
    0x8B8F4000 C:\Windows\system32\DRIVERS\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0x8B6AD000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
    0x8BFE7000 C:\Windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
    0x80BD3000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
    0x8B8FD000 C:\Windows\system32\DRIVERS\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
    0x90CCC000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
    0x90CD4000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
    0x90CDC000 C:\Windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
    0x8BFCF000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
    0x90C6C000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
    0x97D7A000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
    0x8B9A6000 C:\Windows\system32\DRIVERS\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
    0xB1EC2000 C:\Users\Alice\AppData\Local\Temp\mbr.sys 28672 bytes
    0x90C65000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
    0x8F3EB000 C:\Windows\system32\DRIVERS\parvdm.sys 28672 bytes (Microsoft Corporation, VDM Parallel Driver)
    0x90DAB000 C:\Windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
    0x92C0D000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0x97D81000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
    ==============================================
    >Stealth
    ==============================================
    0x861B7A91 Unknown page with executable code, 1391 bytes
    0x866E7F13 Unknown page with executable code, 237 bytes
    0x861B6288 Unknown page with executable code, 3448 bytes
    0x861B8191 Unknown page with executable code, 3695 bytes
    0x861BAE7A Unknown thread object [ ETHREAD 0x8634C5A8 ] TID: 248, 600 bytes
    0x861BD008 Unknown thread object [ ETHREAD 0x864A93C8 ] TID: 252, 600 bytes
    0x86624DA4 Unknown page with executable code, 604 bytes
    0x8662CD46 Unknown page with executable code, 698 bytes
    0x861BCCDC Unknown page with executable code, 804 bytes
     
  4. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===================================================================

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  5. mysticsyphon

    mysticsyphon TS Rookie Topic Starter

    Thanks for your help

    I unzipped it to my desktop, but when I try to run the TDSSKiller exe nothing loads...

    Tried Run as administrator via context menu too, but nothing :(
     
  6. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. mysticsyphon

    mysticsyphon TS Rookie Topic Starter

    I disabled the real-time protection on NOD32 beforehand, but Combofix still gave me a notification that it's scanners are still active - should I go ahead and run ComboFix anyway?
     
  8. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    If it's just a warning and it lets you continue, go ahead.
     
  9. mysticsyphon

    mysticsyphon TS Rookie Topic Starter

    Actually, on second thought, I'm just going to reformat and reinstall windows. Thanks for your time though. Much appreciated.
     
  10. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Not a problem.
    Thanks for letting me know :)
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...