
Removed Rootkit - System corrupted



Hello MB users,

 

Over the weekend my PC has refused to do pretty much anything. It has been crashing explorer.exe on boot and crashes it over and over all the time.

Booted in safe mode and ran Malwarebytes Anti-Rootkit; it came up with an infection as "Unknown.Rootkit.Driver" under \system32\drivers\nvlddmkm.sys.

 

It's in quarantine in Malwarebytes atm, but I presume it has corrupted half or more than half of my system, as a lot of programs do not work anymore.

Even newly downloaded programs (big files) are corrupted; when I, for instance, try to unpack a game that's RAR'd up, it keeps giving errors that the individual files are corrupt.

 

Skype won't launch, even my NOD32 antivirus has crashed, and even Malwarebytes gets affected. NOD32 doesn't scan properly: when right-clicking files to scan with NOD32 it scans 0 objects, so I removed it from my system and plan to reinstall it later. Malwarebytes keeps coming up with version 0.00.00 as the database when I boot my PC, and it has to update back to the current virus definitions on every boot-up.

 

I am wondering, is there still something left in my system that corrupts it? If not, can my system corruption be fixed or is a full format and re-install required?

 

Thanks in advance,

 

Bigglet

attach.txt

dds.txt

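The detection in the post names a file, `\system32\drivers\nvlddmkm.sys`, which is the file name NVIDIA uses for its display kernel driver, so the first question for anyone triaging this is whether the flagged file is the vendor-signed original or a modified copy. The PowerShell below is an added example, not code from this thread or from Malwarebytes: it checks the driver's Authenticode signature, hashes it, compares the hash with the copies the driver installer staged in the DriverStore, and reports whether the file is currently loaded as a driver. It assumes PowerShell 4 or later (for `Get-FileHash`) and an elevated prompt; the function name `Test-DriverIntegrity` and the default path are this example's own choices.

```powershell
# Added example (not from the thread): triage a kernel driver flagged by an
# anti-rootkit scanner. Assumes PowerShell 4+ and an elevated session.
param(
    # Default is the path named in the post; any driver path can be passed.
    [string]$DriverPath = "$env:SystemRoot\System32\drivers\nvlddmkm.sys"
)

function Test-DriverIntegrity {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }

    # 1. Authenticode status. On x64 Windows a loadable kernel driver must be
    #    signed; 'HashMismatch' means the file was changed after signing.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 2. SHA-256 of the on-disk file, for comparison with the vendor package.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # 3. Compare with the copies the installer staged in the DriverStore.
    #    A driver in System32\drivers that matches none of them was not put
    #    there by the staged driver package.
    $name = Split-Path -Leaf $Path
    $storeCopies = @(Get-ChildItem "$env:SystemRoot\System32\DriverStore\FileRepository" `
        -Recurse -Filter $name -ErrorAction SilentlyContinue)
    $storeHashes = foreach ($c in $storeCopies) {
        (Get-FileHash -LiteralPath $c.FullName -Algorithm SHA256).Hash
    }

    # 4. Is a driver service backed by this file name currently registered/running?
    $loaded = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -and ((Split-Path -Leaf $_.PathName) -ieq $name) }

    $matchesStore = ($storeHashes -contains $hash)
    $verdict = if ($sig.Status -eq 'Valid' -and $matchesStore) {
        'signed and identical to a DriverStore copy; tampering unlikely'
    } elseif ($sig.Status -eq 'Valid') {
        'signed but no identical DriverStore copy; compare the hash with the vendor package'
    } else {
        "signature status '$($sig.Status)'; treat as modified or replaced until proven otherwise"
    }

    [pscustomobject]@{
        Path               = $Path
        Present            = $true
        SignatureStatus    = $sig.Status
        Signer             = $sig.SignerCertificate.Subject
        Sha256             = $hash
        DriverStoreCopies  = $storeCopies.Count
        MatchesDriverStore = $matchesStore
        DriverService      = ($loaded | ForEach-Object { "$($_.Name) [$($_.State)]" }) -join ', '
        Verdict            = $verdict
    }
}

Test-DriverIntegrity -Path $DriverPath | Format-List
```

Read the signature status first: 'Valid' from the vendor's certificate plus a matching DriverStore copy points at a false positive or a heuristic detection of a legitimate driver, while 'NotSigned' or 'HashMismatch' on a file in `System32\drivers` is the strongest indicator that the file on disk is not the original. The DriverStore comparison is a secondary check only, since those copies live on the same disk and could in principle be altered too; the signature chain is what carries the trust.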

  • Staff

Hello Bigglet

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo


# AdwCleaner v3.022 - Report created 14/03/2014 at 19:45:39
# Updated 13/03/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Bjorn - BJORN-PC
# Running from : C:\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Save

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\NCTAudioCDGrabber2.DLL
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5EB0259D-AB79-4AE6-A6E6-24FFE21C3DA4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CADAF6BE-BF50-4669-8BFD-C27BD4E6181B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : [x64] HKLM\SOFTWARE\systweak

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16518


-\\ Mozilla Firefox v27.0.1 (en-US)

[ File : C:\Users\Bjorn\AppData\Roaming\Mozilla\Firefox\Profiles\o21j7cth.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [2379 octets] - [14/03/2014 19:44:06]
AdwCleaner[s0].txt - [2316 octets] - [14/03/2014 19:45:39]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [2376 octets] ##########
 


As far as the Junkware Removal Tool goes: I get a pop-up with "Registry Console Tool has stopped working". When I click 'Close the program' it infinitely loops back to this error and I can't seem to get rid of it without rebooting...?

 

Just want to add: when I just booted the PC for the first time it booted Windows in 640x480 (really small shitty resolution) as opposed to the 1920x1080 it normally boots to.

 

I've also installed NOD32 again and when trying to update its virus definitions I get a crucial error; it won't update.


Ok, after another reboot it finished:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.2 (02.20.2014:1)
OS: Windows 7 Ultimate x64
Ran by Bjorn on vr 14-03-2014 at 20:04:45,91
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Emptied folder: C:\Users\Bjorn\AppData\Roaming\mozilla\firefox\profiles\o21j7cth.default\minidumps [116 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on vr 14-03-2014 at 20:13:48,37
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


  • Staff

Hello Bigglet

The Windows FixIt fix? Send me the link you are talking about.

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

I ran the Microsoft fix; not much happened, it just said 'fix processed' after a minute, so I just did the ComboFix instead. I'm thinking I should update the .NET Framework through Microsoft Update and see what that gives?

I don't use the PC very often as I'm an international student, so I'll have to see if it screws up again tomorrow.

 

When launching Firefox to get here I got a message (after running ComboFix) that Firefox isn't my standard browser; when clicking yes to make it my standard browser, I got an error.

 

ComboFix 14-03-13.01 - Bjorn 16-03-2014  16:57:09.1.4 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.31.1033.18.3071.1828 [GMT 1:00]
Gestart vanuit: c:\users\Bjorn\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 7.0 *Disabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
SP: ESET NOD32 Antivirus 7.0 *Disabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((   Bestanden Gemaakt van 2014-02-16 to 2014-03-16  ))))))))))))))))))))))))))))))
.
.
2014-03-16 16:04 . 2014-03-16 16:04    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
2014-03-16 16:04 . 2014-03-16 16:04    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-03-16 15:39 . 2014-03-16 15:39    --------    d-----w-    c:\windows\Migration
2014-03-14 18:52 . 2014-03-14 18:52    --------    d-----w-    c:\windows\ERUNT
2014-03-14 18:44 . 2014-01-29 02:32    484864    ----a-w-    c:\windows\system32\wer.dll
2014-03-14 18:44 . 2014-01-29 02:06    381440    ----a-w-    c:\windows\SysWow64\wer.dll
2014-03-14 18:44 . 2014-02-07 01:23    3156480    ----a-w-    c:\windows\system32\win32k.sys
2014-03-14 18:44 . 2014-02-04 02:32    624128    ----a-w-    c:\windows\system32\qedit.dll
2014-03-14 18:44 . 2014-02-04 02:04    509440    ----a-w-    c:\windows\SysWow64\qedit.dll
2014-03-14 18:44 . 2014-03-14 18:45    --------    d-----w-    C:\AdwCleaner
2014-03-08 20:36 . 2014-03-15 01:05    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-03-08 18:38 . 2014-03-15 00:38    91352    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-03-08 16:46 . 2014-02-07 17:50    1863048    -c----w-    c:\programdata\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_WinD_d4958ee3d77cbd45b4754a127fc55ed13a85ebe_cab_0adbf6cc\FlashPlayerPlugin_12_0_0_44.exe
2014-03-08 16:45 . 2014-03-08 16:45    --------    d-----w-    c:\users\Bjorn\AppData\Local\ElevatedDiagnostics
2014-02-15 08:53 . 2013-12-21 09:53    548864    ----a-w-    c:\windows\system32\vbscript.dll
2014-02-15 08:53 . 2013-12-21 08:56    454656    ----a-w-    c:\windows\SysWow64\vbscript.dll
2014-02-15 08:49 . 2013-12-06 02:30    1882112    ----a-w-    c:\windows\system32\msxml3.dll
2014-02-15 08:49 . 2013-12-06 02:30    2048    ----a-w-    c:\windows\system32\msxml3r.dll
2014-02-15 08:49 . 2013-12-06 02:02    2048    ----a-w-    c:\windows\SysWow64\msxml3r.dll
2014-02-15 08:49 . 2013-12-06 02:02    1237504    ----a-w-    c:\windows\SysWow64\msxml3.dll
2014-02-15 08:49 . 2013-12-24 23:09    1987584    ----a-w-    c:\windows\SysWow64\d3d10warp.dll
2014-02-15 08:49 . 2013-12-24 22:48    2565120    ----a-w-    c:\windows\system32\d3d10warp.dll
2014-02-15 08:49 . 2013-11-26 08:16    3419136    ----a-w-    c:\windows\SysWow64\d2d1.dll
2014-02-15 08:49 . 2013-11-22 22:48    3928064    ----a-w-    c:\windows\system32\d2d1.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((   Find3M Rapport   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-14 21:54 . 2012-12-10 19:54    90015360    ----a-w-    c:\windows\system32\MRT.exe
2014-03-14 21:03 . 2012-12-07 23:52    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-14 21:03 . 2012-12-07 23:52    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2014-02-03 11:20 . 2012-12-07 04:38    270496    ------w-    c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Opstartpunten   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files (x86)\DAEMON Tools Pro\DTAgent.exe" [2012-10-23 3108480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
.
R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys;c:\windows\SYSNATIVE\DRIVERS\eamonm.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys;c:\windows\SYSNATIVE\DRIVERS\ehdrv.sys [x]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [x]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys;c:\windows\SYSNATIVE\DRIVERS\epfwwfpr.sys [x]
S2 NvStreamSvc;NVIDIA Streamer Service;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad64v.sys;c:\windows\SYSNATIVE\drivers\nvvad64v.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Andere Services/Drivers In Geheugen ---
.
*Deregistered* - RTCore64
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
Inhoud van de 'Gedeelde Taken' map
.
2014-03-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-07 21:03]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nvtmru"="c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe" [2013-11-08 1028384]
"ShadowPlay"="c:\windows\system32\nvspcap64.dll" [2013-11-08 1064224]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2013-09-12 5618456]
.
------- Bijkomende Scan -------
.
uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xporteren naar Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 212.54.40.25 212.54.35.25 192.168.1.1
FF - ProfilePath - c:\users\Bjorn\AppData\Roaming\Mozilla\Firefox\Profiles\o21j7cth.default\
FF - prefs.js: browser.startup.homepage - www.google.nl
FF - ExtSQL: !HIDDEN! 2013-05-26 19:11; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS VERWIJDERD - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
AddRemove-BattlEye for A2 - c:\program files (x86)\Steam\steamapps\common\Arma 2BattlEye\UnInstallBE.exe
.
.
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.12"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Voltooingstijd: 2014-03-16  17:07:41
ComboFix-quarantined-files.txt  2014-03-16 16:07
.
Pre-Run: 275.058.241.536 bytes free
Post-Run: 279.482.482.688 bytes free
.
- - End Of File - - A83937B6EBDE4897DEEB854466438918
A36C5E4F47E84449FF07ED3517B43A31
 


I'm still getting a lot of 'corruption' errors... My RAR volumes still appear corrupted; NOD32 updates sometimes go through, but often end with 'file corrupted', 'general compiler error' or 'Undocumented serious error (1106)'.

 

I don't know what's causing it, and I don't know what the rootkit has caused; I can't even find out what it was, as Malwarebytes labels it as 'unknown rootkit driver'.

 

PC is still far from performing the way it should..


  • Staff

Download Windows Repair (all in one) from http://www.bleepingcomputer.com/download/windows-repair-all-in-one-portable/

Install the program, then run it.

Go to step 3 and allow it to run SFC.

On the Start Repairs tab click Start.

Select the following items and tick "restart system when finished":

  • Reset Registry Permissions
  • Reset File Permissions
  • Register System Files
  • Repair WMI
  • Repair Windows Firewall
  • Repair Internet Explorer
  • Repair Hosts File
  • Remove Policies Set By Infections
  • Repair Missing Start menu Icons
  • Repair Icons
  • Repair Winsock & DNS Cache
  • Remove Temp Files
  • Repair Proxy Settings
  • Unhide Non System Files
  • Repair Windows Updates
  • Set windows Services To Default
  • Repair MSI (windows Installer)
  • Repair File Associations
  • Repair windows Safe mode

After that come back and tell me if that has made a difference.


No bluescreen this time; after reboot my ESET NOD32 fails to load: "Virus scanner initialization failed. Most of the ESET NOD32 Antivirus modules will not function properly."

 

Firefox still crashing...

 

I ran the checkdisk option in the program you provided, and it came up with the following log (errors found):

 

 

Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Bjorn\AppData\Local\Temp\Rar$EXa0.413\Tweaking.com - Windows Repair>
CD /D C:\

C:\>
chkdsk C:

The type of the file system is NTFS.

The volume is in use by another process. Chkdsk
might report errors when no corruption is present.


WARNING!  F parameter not specified.
Running CHKDSK in read-only mode.


CHKDSK is verifying files (stage 1 of 3)...
 0 percent complete. (0 of 193024 file records processed)     

0 percent complete. (16591 of 193024 file records processed)     

1 percent complete. (19303 of 193024 file records processed)     

2 percent complete. (38605 of 193024 file records processed)     

3 percent complete. (57908 of 193024 file records processed)     

5 percent complete. (96512 of 193024 file records processed)     

6 percent complete. (115815 of 193024 file records processed)     

7 percent complete. (135117 of 193024 file records processed)     

8 percent complete. (154420 of 193024 file records processed)     

9 percent complete. (173722 of 193024 file records processed)     

193024 file records processed.                                         

File verification completed.

1023 large file records processed.                                   

  0 bad file records processed.                                     


2 EA records processed.                                           


59 reparse records processed.                                      

CHKDSK is verifying indexes (stage 2 of 3)...
11 percent complete. (4367 of 278804 index entries processed)    
12 percent complete. (9095 of 278804 index entries processed)    

13 percent complete. (13824 of 278804 index entries processed)    
14 percent complete. (18552 of 278804 index entries processed)    
15 percent complete. (23280 of 278804 index entries processed)    

16 percent complete. (28008 of 278804 index entries processed)    
17 percent complete. (32736 of 278804 index entries processed)    
18 percent complete. (37464 of 278804 index entries processed)    

19 percent complete. (42192 of 278804 index entries processed)    

20 percent complete. (46920 of 278804 index entries processed)    
21 percent complete. (51649 of 278804 index entries processed)    

22 percent complete. (56377 of 278804 index entries processed)    
23 percent complete. (61105 of 278804 index entries processed)    
24 percent complete. (65833 of 278804 index entries processed)    

25 percent complete. (70561 of 278804 index entries processed)    
26 percent complete. (75289 of 278804 index entries processed)    

27 percent complete. (80017 of 278804 index entries processed)    
28 percent complete. (84745 of 278804 index entries processed)    

29 percent complete. (89474 of 278804 index entries processed)    
30 percent complete. (94202 of 278804 index entries processed)    
31 percent complete. (98930 of 278804 index entries processed)    

32 percent complete. (103658 of 278804 index entries processed)    
33 percent complete. (108386 of 278804 index entries processed)    
34 percent complete. (113114 of 278804 index entries processed)    

35 percent complete. (117842 of 278804 index entries processed)    
36 percent complete. (122570 of 278804 index entries processed)    
37 percent complete. (127299 of 278804 index entries processed)    
38 percent complete. (132027 of 278804 index entries processed)    

39 percent complete. (136755 of 278804 index entries processed)    
40 percent complete. (141483 of 278804 index entries processed)    

41 percent complete. (146211 of 278804 index entries processed)    
42 percent complete. (150939 of 278804 index entries processed)    
43 percent complete. (155667 of 278804 index entries processed)    
44 percent complete. (160395 of 278804 index entries processed)    

45 percent complete. (165124 of 278804 index entries processed)    
46 percent complete. (169852 of 278804 index entries processed)    
47 percent complete. (174580 of 278804 index entries processed)    

48 percent complete. (179308 of 278804 index entries processed)    
49 percent complete. (184036 of 278804 index entries processed)    
50 percent complete. (188764 of 278804 index entries processed)    

51 percent complete. (193492 of 278804 index entries processed)    

52 percent complete. (198220 of 278804 index entries processed)    

53 percent complete. (202949 of 278804 index entries processed)    

54 percent complete. (207677 of 278804 index entries processed)    

55 percent complete. (212405 of 278804 index entries processed)    

56 percent complete. (217133 of 278804 index entries processed)    

57 percent complete. (221861 of 278804 index entries processed)    

58 percent complete. (226589 of 278804 index entries processed)    

59 percent complete. (231317 of 278804 index entries processed)    

278804 index entries processed.                                        

Index verification completed.

0 unindexed files scanned.                                        

  0 unindexed files recovered.                                      

CHKDSK is verifying security descriptors (stage 3 of 3)...

70 percent complete. (13567 of 193024 file SDs/SIDs processed)    

71 percent complete. (27752 of 193024 file SDs/SIDs processed)    

72 percent complete. (41936 of 193024 file SDs/SIDs processed)    
73 percent complete. (56120 of 193024 file SDs/SIDs processed)    

74 percent complete. (70305 of 193024 file SDs/SIDs processed)    
75 percent complete. (84489 of 193024 file SDs/SIDs processed)    

76 percent complete. (98673 of 193024 file SDs/SIDs processed)    

77 percent complete. (112858 of 193024 file SDs/SIDs processed)    
78 percent complete. (127042 of 193024 file SDs/SIDs processed)    

79 percent complete. (141227 of 193024 file SDs/SIDs processed)    
80 percent complete. (155411 of 193024 file SDs/SIDs processed)    

81 percent complete. (169595 of 193024 file SDs/SIDs processed)    

82 percent complete. (183780 of 193024 file SDs/SIDs processed)    
  193024 file SDs/SIDs processed.                                        

Security descriptor verification completed.
  42891 data files processed.                                           

CHKDSK is verifying Usn Journal...

99 percent complete. (0 of 35518264 USN bytes processed)        

100 percent complete. (35512320 of 35518264 USN bytes processed)        
  35518264 USN bytes processed.                                            

Usn Journal verification completed.

The master file table's (MFT) BITMAP attribute is incorrect.

The Volume Bitmap is incorrect.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.

 488282111 KB total disk space.
 215037044 KB in 134725 files.
     94220 KB in 42892 indexes.
         0 KB in bad sectors.

310375 KB in use by the system.
     65536 KB occupied by the log file.
 272840472 KB available on disk.

      4096 bytes in each allocation unit.
 122070527 total allocation units on disk.
  68210118 allocation units available on disk.


C:\>
 


I really don't know what's causing all this stuff. I just rebooted after some Windows updates - it boots in 640x480 resolution again.

Now, I checked device manager and the screen resolution tab - max resolution I can put it to is 1280x1024

Device manager gives me 3 exclamation marks:

Graphic card (NVIDIA GeForce 8800GTS) - when opening properties it shows the following message:

Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)

Same goes for a device called the WAN Miniport (PPT), under the network adapters tab -- I don't even know what this is?

Aside from that, Windows Update keeps coming up with 1 important update every boot;

Update for Windows 7 for x64-based Systems (KB2868116) (not sure if it's this one all the time, though)
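The Code 52 message in the post above is Windows refusing to load a driver whose digital signature does not verify against the file's bytes. As an added example (not part of this thread and not Malwarebytes' or Kaspersky's tooling), here is a PowerShell check a responder can run to list every driver in the drivers directory whose signature status is not Valid, together with its SHA256 and modification time, so the file can be compared against a known-good copy from the same Windows build. It assumes Windows 8 or later with PowerShell 4+ (Get-FileHash, and catalog lookup inside Get-AuthenticodeSignature); on Windows 7, the poster's OS, catalog-signed Microsoft drivers are reported as NotSigned, so that status alone is not evidence of tampering there and needs a catalog-aware check such as Sysinternals sigcheck with -c. The watch-list entry is the driver name the thread mentions; the function and parameter names are my own.

```powershell
# Added example, not from the thread: audit signature status of kernel drivers.
# Assumes Windows 8+ / PowerShell 4+. On Windows 7, catalog-signed drivers show
# as NotSigned here; treat that as "verify with sigcheck -c", not as proof of tampering.

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        [string]$DriverPath = (Join-Path $env:SystemRoot 'System32\drivers'),
        # Constructed watch-list: the driver name the thread reports as flagged.
        [string[]]$WatchList = @('nvlddmkm.sys')
    )

    Get-ChildItem -Path $DriverPath -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                Name          = $_.Name
                Status        = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
                SignatureType = $sig.SignatureType   # Authenticode, Catalog or None
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256        = $hash
                LastWriteUtc  = $_.LastWriteTimeUtc
                Watched       = ($WatchList -contains $_.Name)
            }
        }
}

# HashMismatch is the strongest signal: the file still carries a signature, but its
# bytes no longer match it, which is what a patched ("forged") driver looks like.
# NotTrusted means the chain does not end in a trusted root; NotSigned is ambiguous
# on older Windows (see the note at the top).
$report = Get-DriverSignatureReport
$report |
    Where-Object { $_.Status -ne 'Valid' -or $_.Watched } |
    Sort-Object Status, Name |
    Format-Table Name, Status, SignatureType, Signer, LastWriteUtc, SHA256 -AutoSize
```

Run it from an elevated prompt; a driver that shows HashMismatch, or a recent LastWriteUtc on a Microsoft- or vendor-signed file that the rest of the system did not update, is the one to pull a hash of and compare with the same file on a clean install of the same build.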

MBAR crashed during that scan. I just did a quick driver scan to follow up; it finds a differently named rootkit .sys file -- the same as in the OP -- nvlddmkm.sys

I'll just await instructions - I've exited MBAR without cleaning it up. - Both of the files were so-called "Forged Files".

Afterwards I've rerun the scan a couple of times, and it finds nothing anymore. I'll just wait for a reply cause I'm dazzled by the skill these censoreding things have.

Is it safe to assume I should change all my passwords and not use this PC to log in to any password-protected sites anymore, or does a rootkit not compromise this?

  • Staff

Hello Bigglet

I would like you to try and run these next.

TDSSKiller

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside Loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also, your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes, then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

  • More than one report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". The one that I need is the larger one. Please copy and paste the contents of that file here.

    Note: this report can be very long - so if the website gives you an error saying it is too long you may attach it.

    If the forum still complains about it being too long, send me everything that is at the end of the report after where it says

    ==================

    Scan finished

    ==================

and I will see if I want to see the whole report.

Send me the reports made from TDSSKiller.

Gringo


10:35:42.0468 0x06c4  ============================================================
10:35:42.0468 0x06c4  Scan finished
10:35:42.0468 0x06c4  ============================================================
10:35:42.0478 0x06a8  Detected object count: 0
10:35:42.0478 0x06a8  Actual detected object count: 0


Derp...


  • Staff

Hello Bigglet

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache:: 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

CFScriptB-4.gif

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo

Hello Gringo,

 

I've not had access to the infected computer ever since I ran the TDSSKiller last time. I got home and ran it again a couple of times; this time it produced a result:

 

18:36:25.0118 0x0354  ============================================================
18:36:25.0118 0x0354  Scan finished
18:36:25.0118 0x0354  ============================================================
18:36:25.0128 0x0df8  Detected object count: 1
18:36:25.0128 0x0df8  Actual detected object count: 1
18:36:53.0960 0x0df8  nvlddmkm ( ForgedFile.Multi.Generic ) - skipped by user
18:36:53.0960 0x0df8  nvlddmkm ( ForgedFile.Multi.Generic ) - User select action: Skip
18:36:58.0840 0x0ed8  Deinitialize success
 

I'll wait with the ComboFix thing until the next reply.


So, just bluescreened during an administrator in-depth NOD32 scan. Something to do with memory was the error?

Rebooted in a different shitty resolution; can't open screen settings now -> EXPLORER.EXE: Server execution failed. (?)

Malwarebytes came up with a critical error right up on boot; http://imgur.com/FhcGnpp for the screenshot

Running TDSSKiller again as admin now, without the 'loaded modules' option checked, though. No threats found, sadly. The scan took forever though compared to the others (20 minutes!).

My Firefox does however seem to be crashing a lot when I play a video. Sometimes it doesn't boot up at all and crashes itself repeatedly... I guess that's where the ComboFix thing comes in handy.


After a reboot, everything went back to normal; ran another TDSSKiller with loaded modules and came up with the same stuff as 2 posts above, under a different name this time.

However, Malwarebytes boots again; but the database was missing or corrupt and needed a new download. Same for NOD32, which is giving me compilation errors again.

censored this thing. I want to get rid of it.

 

20:10:29.0535 0x0b68  ============================================================
20:10:29.0535 0x0b68  Scan finished
20:10:29.0535 0x0b68  ============================================================
20:10:29.0545 0x1160  Detected object count: 1
20:10:29.0545 0x1160  Actual detected object count: 1
20:10:55.0675 0x1160  WatAdminSvc ( ForgedFile.Multi.Generic ) - skipped by user
20:10:55.0675 0x1160  WatAdminSvc ( ForgedFile.Multi.Generic ) - User select action: Skip
20:10:58.0925 0x0e74  Deinitialize success
