
Suspected rootkit/bootkit



Hi everyone. Desperately need help here. Basically I'm fairly sure the PC is infected with something that has root access, possibly a hidden boot partition on the hard drive, or worse (BIOS).

Basically there's all sorts of processes, services & things running that I don't think should be. Windows Update won't work, there are now Group Policy controls running, even though the PC is a home PC. The firewall seems to be configured to leave the system wide open, and there's quite a few DCOM things running. Also, this may be normal, I'm not sure, but I'm using a 500GB HDD that has the System Reserved partition that Windows sets up automatically, but this partition is marked as Active, & the actual C: drive partition is marked as Boot, Page File, Crash Dump & Primary.

I've wiped the hard drive partitions & reinstalled a few times, cleared & updated the BIOS, but it just reinstalls back this way. All these logs are from a clean install with nothing but the programs themselves installed. There's also a hidden group of non-Plug & Play objects in Device Manager controlling a lot of network authority stuff. I also have another blank 500GB installed, but this has been formatted & had its partitions wiped. Please HHEELLPP!

MBAM Quick Scan

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.13.03

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
pc1 :: pc [administrator]

Protection: Enabled

26/01/2011 00:55:26
mbam-log-2011-01-26 (00-55-26).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201673
Time elapsed: 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

DDS SCAN

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by pc1 at 0:59:36 on 2011-01-26
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.353.1033.18.4095.2871 [GMT 0:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ie/
mWinlogon: Userinit=userinit.exe
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
TCP: Interfaces\{3BFE3A88-130E-4593-B34E-3562A7D3A0FE} : NameServer = 89.101.160.4,89.101.160.5
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-1-26 655944]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
.
=============== Created Last 30 ================
.
2011-01-26 08:28:43 -------- d-----w- C:\Windows\Panther
2011-01-26 00:54:59 -------- d-----w- C:\Users\pc1\AppData\Roaming\Malwarebytes
2011-01-26 00:54:53 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-01-26 00:54:53 -------- d-----w- C:\ProgramData\Malwarebytes
2011-01-26 00:54:53 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-01-26 00:54:20 9013136 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{86AEB329-7848-41E3-8648-A1AA45834322}\mpengine.dll
2011-01-26 00:44:38 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2011-01-26 00:44:26 36864 ----a-w- C:\Windows\System32\wuapp.exe
2011-01-26 00:44:26 186752 ----a-w- C:\Windows\System32\wuwebv.dll
.
==================== Find3M ====================
.
.
============= FINISH: 0:59:55.25 ===============

COMBOFIX LOG

ComboFix 12-07-13.01 - pc1 26/01/2011 1:06.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.353.1033.18.4095.2879 [GMT 0:00]
Running from: c:\users\pc1\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2010-12-26 to 2011-01-26 )))))))))))))))))))))))))))))))
.
.
2011-01-26 08:28 . 2011-01-26 00:37 -------- d-----w- c:\windows\Panther
2011-01-26 00:54 . 2012-07-03 13:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-26 00:54 . 2011-01-26 00:54 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-01-26 00:54 . 2011-01-26 00:54 -------- d-----w- c:\programdata\Malwarebytes
2011-01-26 00:54 . 2012-06-18 03:12 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{86AEB329-7848-41E3-8648-A1AA45834322}\mpengine.dll
2011-01-26 00:44 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2011-01-26 00:44 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2011-01-26 00:44 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2011-01-26 00:44 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2011-01-26 00:44 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2011-01-26 00:44 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2011-01-26 00:44 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2011-01-26 00:44 . 2012-06-02 15:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2011-01-26 00:44 . 2012-06-02 15:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2011-01-26 00:37 . 2011-01-26 00:37 -------- d-----w- c:\users\pc1
2011-01-26 00:37 . 2011-01-26 00:37 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - NSIPROXY
*NewlyCreated* - WS2IFSL
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.ie/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: Interfaces\{3BFE3A88-130E-4593-B34E-3562A7D3A0FE}: NameServer = 89.101.160.4,89.101.160.5
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
.
**************************************************************************
.
Completion time: 2011-01-26 01:12:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-26 01:12
.
Pre-Run: 484,271,935,488 bytes free
Post-Run: 484,153,880,576 bytes free
.
- - End Of File - - 8655822A4F1CA92D69687DBF9A1F2EFC

ASWMBR LOG

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2011-01-26 01:58:37
-----------------------------
01:58:37.227 OS Version: Windows x64 6.1.7600
01:58:37.227 Number of processors: 4 586 0xF0B
01:58:37.227 ComputerName: PC UserName:
01:58:38.024 Initialize success
01:59:19.970 AVAST engine defs: 12071300
01:59:39.658 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000052
01:59:39.658 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
01:59:39.673 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000053
01:59:39.673 Disk 1 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
01:59:39.673 Disk 0 MBR read successfully
01:59:39.689 Disk 0 MBR scan
01:59:39.689 Disk 0 Windows 7 default MBR code
01:59:39.689 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 476938 MB offset 2048
01:59:39.705 Disk 0 scanning C:\Windows\system32\drivers
01:59:43.142 Service scanning
01:59:52.564 Modules scanning
01:59:52.564 Disk 0 trace - called modules:
01:59:52.580 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor.sys
01:59:52.580 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004d4a060]
01:59:52.580 3 CLASSPNP.SYS[fffff8800199343f] -> nt!IofCallDriver -> [0xfffffa8004aefd80]
01:59:52.595 5 ACPI.sys[fffff88000f17781] -> nt!IofCallDriver -> \Device\00000052[0xfffffa8004ae0540]
01:59:53.439 AVAST engine scan C:\
02:08:49.573 Scan finished successfully
02:10:01.354 Disk 0 MBR has been saved successfully to "C:\Users\pc1\Desktop\MBR.dat"
02:10:01.354 The log file has been saved successfully to "C:\Users\pc1\Desktop\aswMBR.txt"

Can anyone help with this? Do I even have anything suspicious running, or is it all normal? PLEASE ADVISE...


  • Root Admin

Well, right off hand I doubt you are infected, but we'll take a look at some things and see what we can find.

As you've run quite a few things and done quite a few things already, let's first run an offline AV scan using Kaspersky Rescue Disk 10.

Please visit the Kaspersky site and review the information and then download and burn the ISO image to CD to use on the affected computer.

Make sure you update the definitions for Kaspersky before doing the actual scan. Make sure to also write down what it finds or does as some users have trouble saving and accessing the log afterwards.


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
