Hi,
Seems I’ve been a bad boy and now I suspect I’m being punished with the Google redirect horror…
The symptoms match: iexplore.exe is open in the processes without IE running, any Google search redirects me to totally unrelated pages and lately my laptop frequently just freezes without any apparent error message. I’ve also been getting random popups saying I’ve won an iPad2 (generated by explorer.exe process); too bad I already have one…
Thanks a million already for your help!
Here are the required logs:
Mbam:
--------------------------------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 911122105
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
26/12/2011 11:59:28
mbam-log-2011-12-26 (11-59-27).txt
Scan type: Full scan (C:\|)
Objects scanned: 350682
Time elapsed: 1 hour(s), 14 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
--------------------------------------------------------------------------------------------------------------------------------------
GMER:
--------------------------------------------------------------------------------------------------------------------------------------
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-26 20:55:31
Windows 6.1.7600
Running: gxek03go.exe; Driver: C:\Users\VheymBB\AppData\Local\Temp\uwliipog.sys
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e37fcb2e9
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Bind ?????9??? ???-???r?????t?t??n* 49???? ???????|???????????d?j?????????u?????????????????d????????????????????????????????????????????????ir????????????????????????????????????????????R????????????e?????????????????f?g?h???g?????e????????@nettun.inf,%msft%;Microsoft???????????????????e?????????????????????????????????????????????:??????$???4????? ??????? ??????????????? ????????????????????????????????????????? ??????????? ???horizationState?8}??????????????????????????Microsoft???????-2??????????????????Microsoft????????`?????????????eBC???????`???????????????????????g???????????????????????????f??{4d36e97d-e325-11ce-bfc1-08002be10318}\0034??????f?f?j?j?l?l?i???????????????????????????p??6"??system32\DRIVERS\raspppoe.sys????????????????????????n????N???????????????????N??????T????D03???MONITOR\SAM0373?????????????????t???????4m??? ??????????????s?????N???????????D??????t?t?????????t????????????????????????N????????????D????????????@nettun.inf,%msft%;Microsoft?-???-????????????N????????????D????{4d36e972-e325-
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Export ???o????ndis5???? ???????o???????????o??????????6?*?????C???system32\drivers\battc.sys??????? ???????o?????o?? ??o????????$?`?,???????????N??o?????????e????@%SystemRoot%\system32\bdesvc.dll,-100????????????????????????????Z??o????????h?????%SystemRoot%\System32\svchost.exe -k netsvcs????????????????t??????? ?????????????N??o?????????n????@%SystemRoot%\system32\bdesvc.dll,-101???????????o??????????? ???o??????????????localSystem?????????????????????????? B??o????????????????`??o???,??????????????SeChangeNotifyPrivilege?SeImpersonatePrivilege????????,??o???????????????????????????????????????o?o?o?o?o?o?o?o?o?o????? ???????o???????????o?,??????,?B??? ???????????????????????????????????%SystemRoot%\System32\bdesvc.dll????? ???????o???????????o??????????????????????????????0????????????????`???????????????????? ??????????? ?????????????????????????????????????????? ???????o?????????????,????????????????e??????o???o???o???o????? ???????o?????o???????????????????????????o????? ???????o???????????o????????????????0
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Linkage@Bind ????er??????????????*6to4mp???????????????N???????????D??3???????e??{4d36e97d-e325-11ce-bfc1-08002be10318}\0012??????????????????????????????????/?????s?????g?g?k?k??????????:????????g?z?????????????????s7-???????9??? ???-???r?????t?t??n* 49???? ???????|???????????d?j?????????u?????????????????d????????????????????????????????????????????????ir????????????????????????????????????????????R????????????e?????????????????f?g?h???g?????e????????@nettun.inf,%msft%;Microsoft???????????????????e?????????????????????????????????????????????:??????$???4????? ??????? ??????????????? ????????????????????????????????????????? ??????????? ???horizationState?8}??????????????????????????Microsoft???????-2??????????????????Microsoft????????`?????????????eBC???????`???????????????????????g???????????????????????????f??{4d36e97d-e325-11ce-bfc1-08002be10318}\0034??????f?f?j?j?l?l?i???????????????????????????p??6"??system32\DRIVERS\raspppoe.sys????????????????????????n????N???????????????????N??????T????D03???MONITOR\SAM0373????
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Linkage@Export ?????????????????????????????????k???k??????d_??????????????????? ???????2???????2???????????\??0.????????????N?????????????????? l?????????????????winusb.sys??HJ??????????tunnel?\C:??? ???????'???????'??????????????????? l??????????????????????????????????????????d????????????N????????????D????? l????????????ms_???????`???????????e??????ta???&????????????????????<??????i??????????TD??????????????????d???????????????????????????????????b????????????????????????????????????????g??disk.inf?????????????e???h??{745a17a0-74d3-11d0-b6fe-00a0c90f57da}?-51???????????x???????`?`?`?`?u?`?????e??????????disk.inf????????t????????????????????????????????????A??????????????????????????????????????????????text?x???????k??????s)??int?????? ???????.???????????????k???-??b3???????q???????????l????0?????????????????????????????????????????????????? ?????????????????????1????????6???????????????????????????????volsnap.inf?????????????????????????????????????? ?????????????????????1????????????????????? ?????????????????????1???
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x33 0x06 0x63 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD2 0x65 0x78 0x8B ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD7 0x0C 0xF8 0xC1 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e37fcb2e9 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\LanmanServer\Linkage@Bind ???p?q??? ???????T?????T?????-?,????????$???<???????????????????????????????????\\?\Root#volmgr#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}?????? ???????T???????????-?,????????z?????#?????LPTENUM\MicrosoftRawPort\5&b35a8ac&0&LPT1?????Z??U???????????????T??????????????????? ???????T?????????????,????????????&???????????????????????\\?\HDAUDIO#FUNC_01&VEN_8384&DEV_76A0&SUBSYS_102801FE&REV_1002#4&26492402&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\eMuxedCaptureTopo???\\?\HDAUDIO#FUNC_01&VEN_8384&DEV_76A0&SUBSYS_102801FE&REV_1002#4&26492402&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\eMuxedCaptureWave???\\?\LPTENUM#MicrosoftRawPort#5&b35a8ac&0&LPT1#{811fc6a5-f728-11d0-a537-0000f8753ed1}????\\?\DISPLAY#AUO2274#4&2615384a&0&UID67568640#{866519b5-3f07-4c97-b7df-24c5d8a8ccb8}?????\\?\DISPLAY#DELA02E#4&2615384a&0&UID50529024#{866519b5-3f07-4c97-b7df-24c5d8a8ccb8}?????ACPI\PNP0501\4&1d374948&0????????U????????????????4??U???????????????????U???????????????????.??????s???USBSTOR\Disk&Ven_2.0&Prod_&Rev_5.00\2609090
Reg HKLM\SYSTEM\ControlSet002\services\LanmanServer\Linkage@Export ???q?q??tunnel????????????????????????????????N??s????????h???????6??z????????h?????? :??????i?????{57???r?r????TDI?????Cryptography????????????????????????.NT?????????????? ???????o???????????p????????(?4?]??????????????????5????????????????????????6??q?????????e?????????????????|???|?????????????g????????????????????Tdx?nsi?????RpcSs???????Pointer Class?????X??t?????????e?????p???p?q?q??????????????????em??6-21-2006?????????????V????????????n????? ???????o?????q????Pq?2??????$?h?_???????????N??p?????????e????@%SystemRoot%\System32\dnsapi.dll,-101???????????p??????p?????h??p????????h?????%SystemRoot%\system32\svchost.exe -k NetworkService???????N??p?????????n????@%SystemRoot%\System32\dnsapi.dll,-102?????????q0????p??? 8??p??????????????NT AUTHORITY\NetworkService????????????????????????????q????TDI?????????????????t??????? ?????????????,? q???????????????????p???????????e??????????????????????? F??q???????????????q????b??p??????????????????SeChangeNotifyPrivilege?SeCreateGlobalPrivilege??????????q?????????
Reg HKLM\SYSTEM\ControlSet002\services\LanmanWorkstation\Linkage@Bind ???`?k?????_???_????????2????????????????[?\?\??????d???????????????1???????????????1???????????????5???????????????1???????????????d???????????????1???????????????1???????????????? ???????\???????????-?*??????????????6??????z?_?|???????/??????s????????`??? ???????[???????????/?*??????????????0???????N??a?????????D????*6to4mp??????`?`?_???|?|?|??????????????t????????????????]??????????????????????USB???????t?????????????{4d36e972-e325-11ce-bfc1-08002be10318}?fig????N??f???.???????e????d??|????????h???????6??h?????????????n?3??? ???h???/?????0?/??blbdrive????????1???????????????2???????????????1???????????????5????????????????????\??????????5???????????????1????????????[?\?\???[??????????????? ???????[???????????[?*???????? ??????x86??? ???????[?????????????*??????@??????????????????`???????????_???????????|?|?|???`???`???f?f?f???e?e????????????????????????? V??g???????????????}?v?|???????????????????????????????|??????????????????? ??????????????ACPI\PNP0103?*PNP0103??dIn???????????|??????????? .??e???e?????
Reg HKLM\SYSTEM\ControlSet002\services\LanmanWorkstation\Linkage@Export ?????\???????:???????????????0??????????????????????????l???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????MSAFD NetBIOS [\Device\NetBT_Tcpip6_{C721F45B-645C-452F-9AF9-D331521F7186}] DATAGRAM 23?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????l???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????MSAFD NetBIOS [\Device\NetBT_Tcpip6_{01A05210-FE2A-4176-B455-431976E5CE25}] SEQPACKET 22????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????l??????????????????????????????????????????????????????????????????????
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x33 0x06 0x63 0x47 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD2 0x65 0x78 0x8B ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD7 0x0C 0xF8 0xC1 ...
Reg HKLM\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex@pkm:catalog:LastCatalogCrawlId 112
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\113
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\113@CrawlType 2
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\113@InProgress 1
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\113@DoneAddingCrawlSeeds 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\113@IsCatalogLevel 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\113@LogStartAddId 2
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\2@CrawlNumberInProgress 113
---- EOF - GMER 1.0.15 ----
--------------------------------------------------------------------------------------------------------------------------------------
DDS also freezes my laptop or just runs for hours without generating anything.
Doing my own research I came across ‘bootkit remover’; unfortunately, no success…
Here are the results.
Just opening the boot_cleaner.exe:
--------------------------------------------------------------------------------------------------------------------------------------
Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com
Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Enterprise Edition (build 7600), 32-bit
System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`075a9e00
Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Controlled by rootkit!
Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
Done;
Press any key to quit...
--------------------------------------------------------------------------------------------------------------------------------------
When running this script:
--------------------------------------------------------------------------------------------------------------------------------------
@ECHO OFF
REM Run the remover's fix command against the first physical disk.
REM A bare START here would only open an extra empty command window, so it is left out;
REM the tool itself waits for a keypress ("Press any key to quit...") before returning.
boot_cleaner.exe fix \\.\PhysicalDrive0
EXIT
--------------------------------------------------------------------------------------------------------------------------------------
I get:
--------------------------------------------------------------------------------------------------------------------------------------
Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com
Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Enterprise Edition (build 7600), 32-bit
System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`075a9e00
Restoring boot code at \\.\PhysicalDrive0...
ATA_Write(): DeviceIoControl() ERROR 1
ERROR: Can't write first sector of the disk.
Done;
Press any key to quit...
--------------------------------------------------------------------------------------------------------------------------------------
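The remover output above recommends dumping the master boot sector and inspecting it by hand. As an added example (not part of the original post, and not code from the Bootkit Remover tool), here is a small Python parser for such a 512-byte dump: it verifies the 0x55AA signature, decodes the partition table, flags overlapping or non-bootable tables, and compares the boot-code region against the SHA-256 of a known-good MBR, which is assumed to come from a clean machine with the same Windows version. The sample sectors and the reference hash below are constructed for illustration.

```python
"""Added example: sanity-check a raw master boot record dump.

A 'remover.exe dump' style output is a single 512-byte sector.  This checks the
0x55AA signature, decodes the four partition entries and compares the boot-code
region against the SHA-256 of a known-good MBR (assumption: one dumped from a
clean machine with the same Windows version).  All sample data is constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: executable boot code
DISK_SIG_OFF = 440       # 4-byte Windows disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510      # 0x55 0xAA


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition entry; LBA fields are little-endian."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def inspect_mbr(sector: bytes, reference_boot_sha256=None) -> dict:
    """Return findings for one MBR sector; anything listed under 'problems'
    deserves a manual look at the boot code."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    boot_code = sector[:BOOT_CODE_LEN]
    boot_sha = hashlib.sha256(boot_code).hexdigest()
    entries = [parse_partition_entry(sector[off:off + PART_ENTRY_LEN])
               for off in range(PART_TABLE_OFF,
                                PART_TABLE_OFF + 4 * PART_ENTRY_LEN,
                                PART_ENTRY_LEN)]
    partitions = [p for p in entries if p["type"] != 0]
    problems = []
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        problems.append("missing 0x55AA signature")
    if reference_boot_sha256 is not None and boot_sha != reference_boot_sha256:
        problems.append("boot code differs from known-good reference")
    if sum(p["bootable"] for p in partitions) != 1:
        problems.append("expected exactly one bootable partition")
    # Overlapping partitions are another sign of a hand-edited table.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in partitions)
    for (_s1, e1), (s2, _e2) in zip(spans, spans[1:]):
        if s2 < e1:
            problems.append("partition entries overlap")
            break
    return {"boot_code_sha256": boot_sha, "partitions": partitions,
            "problems": problems}


# --- constructed sample data (not from any real disk) ---------------------

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a sector with the given boot code and one NTFS-type partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = b"\x12\x34\x56\x78"
    sector[PART_TABLE_OFF:PART_TABLE_OFF + PART_ENTRY_LEN] = struct.pack(
        "<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


# A few plausible opening opcodes followed by zero padding: a stand-in, not a real loader.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c") + b"\x00" * (BOOT_CODE_LEN - 7)
# Constructed "modified" copy: the first bytes are patched, which the hash comparison catches.
TAMPERED_BOOT_CODE = b"\xeb\x40\x90" + CLEAN_BOOT_CODE[3:]

CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
TAMPERED_MBR = build_sample_mbr(TAMPERED_BOOT_CODE)
REFERENCE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = inspect_mbr(mbr, REFERENCE_SHA256)
        print(name, result["problems"] or "no problems found")
```

Against a real dump, read the file with `open(path, "rb").read()` and pass the SHA-256 of the boot-code region of a trusted MBR as the reference; a clean sector with a matching hash yields an empty problem list.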