Jump to content

Unable to remove nasty rootkit


Recommended Posts

Hi everyone,

The other day my mother calls me up saying she got some message about a harddrive problem and her system shutting down. The computer is less than 2 years old so I found it odd that the HDD would crap out. After finally getting the computer to boot up we discovered roughly half the the desktop icons missing and avast! popped up with a message regarding this bad boy (I have seen you guys help someone with a similar one in the forums): MBR:\\.\PHYSICALDRIVE0\Partition3 is what avast flags as a rootkit. My first orders of business including running a full system scan with avast!, running Malwarebytes, and lastly Advanced SystemCare 5 to see if I could remedy the issue. Low and behold it appears to not have worked and every startup includes avast popping up with the same rootkit. Below I included the last MBAM log and DDS log. Attached are the zip of the GMER and Attach.txt from DDS as per your guidelines. Thanks in advanced for any help.

Attach.zip.zip

Internet Explorer 9.0.8112.16421

Rosemary :: ROSEMARY-PC [administrator]

3/20/2012 6:05:13 PM

mbam-log-2012-03-20 (18-05-13).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 190243

Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by Rosemary at 17:18:54 on 2012-03-20

Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3062.1693 [GMT -4:00]

.

AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskeng.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\hp\support\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\HP\HP Software Update\hpwuschd2.exe

C:\Program Files\Alwil Software\Avast5\AvastUI.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Users\Rosemary\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\System32\mobsync.exe

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\Macromed\Flash\FlashUtil10p_ActiveX.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\IELowutil.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.optonline.net/

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cndt

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cndt

mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cndt

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: 24MusicBar Toolbar: {54d0da58-64e7-4408-be1f-72659f70fcbe} - c:\program files\24musicbar\tb24M1.dll

uURLSearchHooks: TV Bar 1.2 Toolbar: {70a38074-97a6-45da-b1a1-34b0a34dc3ff} - c:\program files\tv_bar_1.2\tbTV_B.dll

mURLSearchHooks: 24MusicBar Toolbar: {54d0da58-64e7-4408-be1f-72659f70fcbe} - c:\program files\24musicbar\tb24M1.dll

mURLSearchHooks: TV Bar 1.2 Toolbar: {70a38074-97a6-45da-b1a1-34b0a34dc3ff} - c:\program files\tv_bar_1.2\tbTV_B.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

BHO: 24MusicBar Toolbar: {54d0da58-64e7-4408-be1f-72659f70fcbe} - c:\program files\24musicbar\tb24M1.dll

BHO: TV Bar 1.2 Toolbar: {70a38074-97a6-45da-b1a1-34b0a34dc3ff} - c:\program files\tv_bar_1.2\tbTV_B.dll

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: {FBF2401B-7447-4727-BE5D-C19B2075CA84} - No File

TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File

TB: 24MusicBar Toolbar: {54d0da58-64e7-4408-be1f-72659f70fcbe} - c:\program files\24musicbar\tb24M1.dll

TB: TV Bar 1.2 Toolbar: {70a38074-97a6-45da-b1a1-34b0a34dc3ff} - c:\program files\tv_bar_1.2\tbTV_B.dll

TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [Octoshape Streaming Services] "c:\users\rosemary\appdata\roaming\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun

uRun: [HPADVISOR] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [Advanced SystemCare 5] "c:\program files\iobit\advanced systemcare 5\ASCTray.exe" /AutoStart

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe

mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

mRun: [DPService] "c:\program files\hp\dvdplay\DPService.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [<no NAME="">]

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

mRun: [Garmin Lifetime Updater] c:\program files\garmin\lifetime updater\GarminLifetime.exe /StartMinimized

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe

mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL

Trusted Zone: intuit.com\ttlc

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.5.1.0.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{D27399D4-0ECE-4E4A-8345-85CAA6D56B24} : DhcpNameServer = 192.168.1.1

Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Notify: igfxcui - igfxdev.dll

SEH: {1869181A-9F50-4FCF-8BFF-1B8588ECB85C} - No File

.

============= SERVICES / DRIVERS ===============

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-8-12 435032]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-9-9 314456]

R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2012-3-19 913752]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-9-9 20568]

R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2008-9-9 55128]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-26 44768]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]

.

=============== Created Last 30 ================

.

2012-03-20 21:13:06 6552120 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{6afd976d-92f9-4240-8e14-6cf4100e6efa}\mpengine.dll

2012-03-20 21:12:06 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-03-20 02:34:22 -------- d-----w- C:\Temp

2012-03-19 22:30:52 -------- d-----w- C:\TDSSKiller_Quarantine

2012-03-19 22:05:08 21848 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe

2012-03-19 21:57:55 -------- d-----w- c:\programdata\IObit

2012-03-19 21:57:47 -------- d-----w- c:\users\rosemary\appdata\roaming\IObit

2012-03-19 21:57:40 -------- d-----w- c:\program files\IObit

2012-03-19 21:39:17 -------- d-----w- c:\users\rosemary\appdata\roaming\Malwarebytes

2012-03-19 21:39:09 -------- d-----w- c:\programdata\Malwarebytes

2012-03-19 21:39:08 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-19 21:39:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-03-13 21:03:55 2044416 ----a-w- c:\windows\system32\win32k.sys

2012-03-13 21:03:49 219648 ----a-w- c:\windows\system32\d3d10_1core.dll

2012-03-13 21:03:49 1068544 ----a-w- c:\windows\system32\DWrite.dll

2012-03-13 21:03:47 1172480 ----a-w- c:\windows\system32\d3d10warp.dll

2012-03-13 21:03:46 683008 ----a-w- c:\windows\system32\d2d1.dll

2012-03-13 21:03:46 160768 ----a-w- c:\windows\system32\d3d10_1.dll

2012-03-13 21:03:38 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat

2012-03-13 21:03:25 613376 ----a-w- c:\windows\system32\rdpencom.dll

2012-03-13 21:03:25 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

.

==================== Find3M ====================

.

2012-02-23 14:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe

.

============= FINISH: 17:20:15.35 ===============</no>

Link to post
Share on other sites

  • 2 months later...

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.