Removed Rootkit - System corrupted

[Bigglet]

Sigh. Feels stuff gets worse and worse every boot-up.

 

Windows failed to boot: System start-up repair had to fix it. Probably restored to some earlier system restore point... Still have the corruption bullshit from before the repair, though.

[gringo_pr]

Ok run what I had asked you to do- the combofix script please

gringo

[Bigglet]

ComboFix 14-03-19.01 - Bjorn 20-03-2014  12:26:17.2.4 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.31.1033.18.3071.1311 [GMT 1:00]
Gestart vanuit: c:\users\Bjorn\Desktop\ComboFix.exe
gebruikte Opdracht switches :: c:\users\Bjorn\Desktop\CFScript.txt
SP: ESET NOD32 Antivirus 7.0 *Disabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((   Bestanden Gemaakt van 2014-02-20 to 2014-03-20  ))))))))))))))))))))))))))))))
.
.
2014-03-20 11:33 . 2014-03-20 11:33    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
2014-03-20 11:33 . 2014-03-20 11:33    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-03-19 21:06 . 2014-02-17 00:32    10536864    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{596E5A52-76CE-4B32-8499-A56E63D6A62C}\mpengine.dll
2014-03-16 20:08 . 2012-07-26 04:47    2560    ----a-w-    c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2014-03-16 20:07 . 2012-07-26 03:08    229888    ----a-w-    c:\windows\system32\WUDFHost.exe
2014-03-16 20:07 . 2012-07-26 03:08    84992    ----a-w-    c:\windows\system32\WUDFSvc.dll
2014-03-16 20:07 . 2012-07-26 03:08    744448    ----a-w-    c:\windows\system32\WUDFx.dll
2014-03-16 20:07 . 2012-07-26 03:08    45056    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2014-03-16 20:07 . 2012-07-26 03:08    194048    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2014-03-16 20:07 . 2012-07-26 02:26    87040    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2014-03-16 20:07 . 2012-07-26 02:26    198656    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2014-03-16 18:58 . 2014-03-20 05:41    --------    d-----w-    c:\windows\system32\catroot2
2014-03-16 18:49 . 2014-03-20 11:21    --------    d-----w-    c:\windows\system32\wbem\repository
2014-03-16 18:02 . 2014-03-16 18:49    --------    d-----w-    c:\windows\SysWow64\wbem\Performance
2014-03-16 17:49 . 2014-03-16 18:53    181064    ----a-w-    c:\windows\PSEXESVC.EXE
2014-03-16 17:45 . 2014-03-16 17:45    --------    d-----w-    C:\RegBackup
2014-03-16 16:37 . 2011-04-22 22:15    27520    ----a-w-    c:\windows\system32\drivers\Diskdump.sys
2014-03-16 16:35 . 2011-02-18 10:51    31232    ----a-w-    c:\windows\system32\prevhost.exe
2014-03-16 16:35 . 2011-02-18 05:39    31232    ----a-w-    c:\windows\SysWow64\prevhost.exe
2014-03-16 15:39 . 2014-03-16 15:39    --------    d-----w-    c:\windows\Migration
2014-03-14 18:52 . 2014-03-14 18:52    --------    d-----w-    c:\windows\ERUNT
2014-03-14 18:44 . 2014-01-29 02:32    484864    ----a-w-    c:\windows\system32\wer.dll
2014-03-14 18:44 . 2014-01-29 02:06    381440    ----a-w-    c:\windows\SysWow64\wer.dll
2014-03-14 18:44 . 2014-02-07 01:23    3156480    ----a-w-    c:\windows\system32\win32k.sys
2014-03-14 18:44 . 2014-02-04 02:32    624128    ----a-w-    c:\windows\system32\qedit.dll
2014-03-14 18:44 . 2014-02-04 02:04    509440    ----a-w-    c:\windows\SysWow64\qedit.dll
2014-03-14 18:44 . 2014-03-16 19:45    --------    d-----w-    C:\AdwCleaner
2014-03-08 20:36 . 2014-03-16 21:32    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-03-08 18:38 . 2014-03-15 00:38    91352    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-03-08 16:45 . 2014-03-16 19:54    --------    d-----w-    c:\users\Bjorn\AppData\Local\ElevatedDiagnostics
.
.
.
(((((((((((((((((((((((((((((((((((((((   Find3M Rapport   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-14 21:54 . 2012-12-10 19:54    90015360    ----a-w-    c:\windows\system32\MRT.exe
2014-03-14 21:03 . 2012-12-07 23:52    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-14 21:03 . 2012-12-07 23:52    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2014-02-03 11:20 . 2012-12-07 04:38    270496    ----a-w-    c:\windows\system32\MpSigStub.exe
2013-12-24 23:09 . 2014-02-15 08:49    1987584    ----a-w-    c:\windows\SysWow64\d3d10warp.dll
2013-12-24 22:48 . 2014-02-15 08:49    2565120    ----a-w-    c:\windows\system32\d3d10warp.dll
2013-12-21 09:53 . 2014-02-15 08:53    548864    ----a-w-    c:\windows\system32\vbscript.dll
2013-12-21 08:56 . 2014-02-15 08:53    454656    ----a-w-    c:\windows\SysWow64\vbscript.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Opstartpunten   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files (x86)\DAEMON Tools Pro\DTAgent.exe" [2012-10-23 3108480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
.
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys;c:\windows\SYSNATIVE\DRIVERS\eamonm.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys;c:\windows\SYSNATIVE\DRIVERS\ehdrv.sys [x]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [x]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys;c:\windows\SYSNATIVE\DRIVERS\epfwwfpr.sys [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 NvStreamSvc;NVIDIA Streamer Service;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad64v.sys;c:\windows\SYSNATIVE\drivers\nvvad64v.sys [x]
S3 RTCore64;RTCore64;c:\program files (x86)\MSI Afterburner\RTCore64.sys;c:\program files (x86)\MSI Afterburner\RTCore64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
Inhoud van de 'Gedeelde Taken' map
.
2014-03-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-07 21:03]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nvtmru"="c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe" [2013-11-08 1028384]
"ShadowPlay"="c:\windows\system32\nvspcap64.dll" [2013-11-08 1064224]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2013-09-12 5618456]
.
------- Bijkomende Scan -------
.
uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xporteren naar Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 212.54.40.25 212.54.35.25 192.168.1.1
FF - ProfilePath - c:\users\Bjorn\AppData\Roaming\Mozilla\Firefox\Profiles\o21j7cth.default\
FF - prefs.js: browser.startup.homepage - www.google.nl
FF - ExtSQL: !HIDDEN! 2013-05-26 19:11; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS VERWIJDERD - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
SafeBoot-03941931.sys
AddRemove-BattlEye for A2 - c:\program files (x86)\Steam\steamapps\common\Arma 2BattlEye\UnInstallBE.exe
.
.
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Voltooingstijd: 2014-03-20  12:36:30
ComboFix-quarantined-files.txt  2014-03-20 11:36
.
Pre-Run: 276.764.401.664 bytes free
Post-Run: 276.691.357.696 bytes free
.
- - End Of File - - 7B8D05F3974E7562CF313A2470E0F8F6
A36C5E4F47E84449FF07ED3517B43A31
 

[gringo_pr]

I want you to run things in selective startup, this will help pinpoint the type of problem it is

1. push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)

2. In the Open box, type msconfig and then click OK. The System Configuration Utility appears.

3. Click the "services" tab.

4. Put a checkmark in "hide all Microsofts services".

5. Uncheck anything that is left.

6. click on the "startup" tab

7. uncheck all under this tab

8. click on the apply button

Restat the computer and see how things are doing, If things are doing better then repeat the process but this time start with the services and start by adding the first half back and apply the changes

If things go bad again then you know the problem is in the services that you restarted and you can keep searching untill you find the one it is

if you restart all the services and things are still ok then go back and do the same thing for the startup programs

[Bigglet]

Everything turned off and issues still persist. Firefox still crashing randomly, NOD32 still not working properly (compiler errors when updating database) and you name it.

 

I think I'll just have to re-install the PC completely, takes alot less stuff to put up with and it (should?) completely erase all traces of this anoying rootkit or whatever the hell it is.

 

Thank you alot for your time and efforts. Unless you have another solution that can fix it -- I'll just give up on it. It's not like there are many important files on it, of course it sucks to have to remove it all, but oh well.

[gringo_pr]

Yes that is correct as long as you format any thing on the computer will be erased

gringo

[Bigglet]

Fair, then that's what I'll do. Thanks again!

[Bigglet]

Freshly installed so this topic is no longer in business.

 

Can be closed.

[gringo_pr]

Thank you for letting me know

gringo

[gringo_pr]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.