
Possible Rootkit on my system



I have talked with Exile360 and he said I should just post here for some help.

OK, I have my workstation at my work that I use on a day-to-day basis, and basically I use it when surfing the net and posting on this forum throughout the day. I have used it to submit samples from time to time as well here at Malwarebytes.

Anyway, for the last few days my Symantec Endpoint Protection keeps catching and quarantining a Trojan.Gen file that gets put in my temp folder. I thought I had it licked, but it was there again last night.

The files have random names like DWH230C.tmp. Last night I had the temp folder open and I could see one show up, then get removed by the AV. This went on for about 5 hours and then quit, starting at about 8 PM. It was happening about every 2 to 6 seconds and then stopped.

Currently it is not happening, but I think it will happen again.

I have run MBAM, a full scan with Symantec Endpoint Protection AV, tried the TDSS rootkit tool, and the Kaspersky Virus Removal Tool. Here are my logs (including ark.txt, attach.txt, dds.txt and the mbam log)...

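When a file appears in %TEMP% and is quarantined seconds later, as the post above describes, the responder's first need is evidence: the size and hash of each dropped file, captured before the AV removes it, so repeated drops can be compared (same payload re-written, or different payloads) and a sample kept for submission. The script below is an added example written for this thread, not the poster's tooling and not part of any product mentioned here. It polls a folder for new files matching a name pattern; the pattern `DWH*.tmp` is modelled on the DWH230C.tmp name in the post, and the polling interval and the scratch-folder self-check are assumptions.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def snapshot(folder, pattern="DWH*.tmp"):
    """Return {path: (size, sha256)} for files in `folder` matching `pattern`.

    The pattern is an assumption modelled on the DWH230C.tmp name quoted in
    the post. A file the AV removes between listing and reading is skipped.
    """
    result = {}
    for p in Path(folder).glob(pattern):
        try:
            data = p.read_bytes()
        except OSError:
            continue  # vanished (quarantined) between glob() and read
        result[str(p)] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def new_files(before, after):
    """Entries present in `after` but not in `before`: newly dropped files."""
    return {path: meta for path, meta in after.items() if path not in before}


def watch(folder, seconds, interval=0.5, pattern="DWH*.tmp"):
    """Poll `folder` for `seconds`, recording each new matching file once.

    Returns {path: (size, sha256, first_seen)}. Identical hashes across
    drops point at one dropper re-writing the same payload; differing
    hashes mean different payloads and are worth keeping separately.
    """
    seen = snapshot(folder, pattern)
    observed = {}
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        current = snapshot(folder, pattern)
        for path, (size, digest) in new_files(seen, current).items():
            observed[path] = (size, digest, time.strftime("%H:%M:%S"))
        seen = current
        time.sleep(interval)
    return observed


def demo_run():
    """Self-contained check: write one constructed file into a scratch
    folder and confirm the watcher's snapshot logic picks it up. The file
    content is made up for the example; it is not a real sample."""
    with tempfile.TemporaryDirectory() as scratch:
        before = snapshot(scratch)
        payload = b"constructed sample, not malware\n"
        Path(scratch, "DWH230C.tmp").write_bytes(payload)
        after = snapshot(scratch)
        dropped = new_files(before, after)
        size, digest = next(iter(dropped.values()))
        return {
            "count": len(dropped),
            "size": size,
            "matches": digest == hashlib.sha256(payload).hexdigest(),
        }


if __name__ == "__main__":
    # On the affected machine this would be something like
    #   watch(os.environ["TEMP"], seconds=300)
    # run while the drops are happening. Here we poll the system temp
    # folder for a few seconds so the script runs anywhere.
    target = os.environ.get("TEMP", tempfile.gettempdir())
    for path, (size, digest, when) in watch(target, seconds=5).items():
        print(when, size, digest, path)
```

A captured hash also lets the poster check whether each new DWH*.tmp is the same object the AV already classified as Trojan.Gen, which is the question that decides whether something on the machine is still writing it.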

Is this the one you are talking about?

DDS (Ver_10-03-17.01) - NTFSx86

Run by cmack at 9:04:54.40 on Wed 09/08/2010

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3326.1877 [GMT -5:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Windows\system32\nvvsvc.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe

C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files\Symantec\Ghost\ngserver.exe

C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\taskhost.exe

C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe

C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe

C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe

C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe

C:\Windows\system32\vmnat.exe

C:\Windows\system32\vssvc.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\Program Files\RealVNC\VNC4\winvnc4.exe

C:\Program Files\VMware\VMware Workstation\vmware-authd.exe

C:\Windows\system32\vmnetdhcp.exe

C:\Windows\system32\vsnapvss.exe

C:\Program Files\Symantec\Ghost\bin\dbserv.exe

C:\Program Files\Symantec\Ghost\db\..\bin\rteng9.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Windows\System32\Ctxfihlp.exe

C:\Program Files\Roxio 2010\5.0\CPMonitor.exe

C:\Program Files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\PX Storage Engine\VxBlockServer.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Symantec\Ghost\ngtray.exe

C:\Windows\SYSTEM32\CTXFISPI.EXE

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Windows\WindowsMobile\wmdc.exe

C:\Windows\system32\svchost.exe -k WindowsMobile

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\r2 Studios\Tonic\Tonic.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\VMware\VMware Workstation\vmware-tray.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\GetSmile\getsmile.exe

C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE

C:\Program Files\Microsoft Streets & Trips 2010\StreetsOlkShim.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Users\cmack.TXFBDOM\Desktop\Stageing Area\Malwarebytes Stuff\Tools\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://sharepoint.txfb.org/it/default.aspx

uInternet Settings,ProxyServer = proxy.txfb-ins.local:8080

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [GetSmile] c:\program files\getsmile\getsmile.exe

uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [CPMonitor] "c:\program files\roxio 2010\5.0\CPMonitor.exe"

mRun: [Desktop Disc Tool] "c:\program files\roxio 2010\roxio burn\RoxioBurnLauncher.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [pdfFactory Pro Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [NGTray] "c:\program files\symantec\ghost\ngtray.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Tonic] "c:\program files\r2 studios\tonic\Tonic.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [vmware-tray] "c:\program files\vmware\vmware workstation\vmware-tray.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

StartupFolder: c:\users\cmack~1.txf\appdata\roaming\micros~1\windows\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

LSP: c:\program files\vmware\vmware workstation\vsocklib.dll

Trusted Zone: cinemanow.com

Trusted Zone: kltforums.net\www

Trusted Zone: malwarebytes.org\forums

Trusted Zone: qflix.com

Trusted Zone: roxio.com

Trusted Zone: sonic.com\redirect

Trusted Zone: sonic.com\redirect2

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxps://a248.e.akamai.net/f/248/14778/2h/dlmanager.download.akamai.com/14778/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://productivecorp.webex.com/client/T27LB/training/ieatgpc1.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15112/CTPID.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: {7BF66DA3-4B95-4FA8-9D59-2E49098E026B} = 10.1.1.7,10.1.1.22

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: PCANotify - PCANotify.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2010-5-11 21488]

R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2010-5-11 15856]

R0 stcvsm;StorageCraft Volume Snapshot Driver;c:\windows\system32\drivers\stcvsm.sys [2010-8-18 193440]

R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2010-5-11 25584]

R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [2010-7-7 102560]

R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2009-6-2 457200]

R2 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-6-23 127352]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-5-12 47640]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-12 304464]

R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\nvidia corporation\performance drivers\nvPDsvc.exe [2009-12-8 5241448]

R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\storagecraft\shadowprotect\ShadowProtectSvc.exe [2010-7-7 1657376]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-4-16 240232]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-4-1 1822296]

R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-7-6 173352]

R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-8-1 539184]

R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [2010-7-7 67616]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 171032]

R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1324056]

R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 72728]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-26 102448]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-12 20952]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-11 135664]

S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatch12.exe [2009-7-24 219632]

S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2010-5-11 79360]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-5-11 79360]

S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 171032]

S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1324056]

S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 72728]

S3 RoxMediaDB12;RoxMediaDB12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxMediaDB12.exe [2009-7-24 1116656]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-11 1343400]

=============== Created Last 30 ================

2010-09-08 14:03:26 0 ----a-w- c:\users\cmack.txfbdom\defogger_reenable

2010-09-08 13:45:38 0 d-----w- c:\program files\Lunarsoft

2010-09-07 20:46:10 0 d-----w- c:\program files\Ultra File Search

2010-09-02 19:14:43 0 d-sh--w- C:\$RECYCLE.BIN

2010-09-02 18:57:16 77312 ----a-w- c:\windows\MBR.exe

2010-09-02 18:57:16 256512 ----a-w- c:\windows\PEV.exe

2010-09-02 18:57:15 98816 ----a-w- c:\windows\sed.exe

2010-09-02 18:57:15 161792 ----a-w- c:\windows\SWREG.exe

2010-08-31 18:43:18 65536 --sha-w- c:\users\cmack.txfbdom\ntuser.dat{772916b9-b52f-11df-a749-005056c00008}.TM.blf

2010-08-31 18:43:18 524288 --sha-w- c:\users\cmack.txfbdom\ntuser.dat{772916b9-b52f-11df-a749-005056c00008}.TMContainer00000000000000000002.regtrans-ms

2010-08-31 18:43:18 524288 --sha-w- c:\users\cmack.txfbdom\ntuser.dat{772916b9-b52f-11df-a749-005056c00008}.TMContainer00000000000000000001.regtrans-ms

2010-08-27 18:20:52 0 d-----w- c:\program files\VideoLAN

2010-08-27 16:51:59 0 d-----w- C:\YouTubeVideos

2010-08-27 16:48:26 0 d-----w- c:\program files\AliveMedia

2010-08-25 18:49:43 65536 --sha-w- c:\users\cmack.txfbdom\ntuser.dat{62eb3fdb-b079-11df-9c18-005056c00008}.TM.blf

2010-08-25 18:49:43 524288 --sha-w- c:\users\cmack.txfbdom\ntuser.dat{62eb3fdb-b079-11df-9c18-005056c00008}.TMContainer00000000000000000002.regtrans-ms

2010-08-25 18:49:43 524288 --sha-w- c:\users\cmack.txfbdom\ntuser.dat{62eb3fdb-b079-11df-9c18-005056c00008}.TMContainer00000000000000000001.regtrans-ms

2010-08-25 00:12:24 571904 ----a-w- c:\windows\system32\oleaut32.dll

2010-08-23 14:04:13 756 --sha-w- c:\windows\setup_9.0.0.722_23.08.2010_15-51drv.spi

2010-08-23 13:53:01 0 d-----w- c:\programdata\Kaspersky Lab

2010-08-18 19:34:08 4096 --sha-w- C:\VSM000.IDX

2010-08-18 19:30:31 193440 ----a-w- c:\windows\system32\drivers\stcvsm.sys

2010-08-17 20:41:06 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe

2010-08-17 20:41:02 399920 ----a-w- c:\windows\system32\vmnat.exe

2010-08-17 20:41:02 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys

2010-08-17 20:40:56 760368 ----a-w- c:\windows\system32\vnetlib.dll

2010-08-17 20:40:44 24624 ----a-w- c:\windows\system32\drivers\VMkbd.sys

2010-08-17 20:40:01 0 d-----w- c:\program files\common files\VMware

2010-08-17 20:39:05 0 d-----w- c:\program files\VMware

2010-08-10 23:17:09 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys

2010-08-10 23:17:04 82944 ----a-w- c:\windows\system32\iccvid.dll

2010-08-10 23:17:04 197632 ----a-w- c:\windows\system32\ir32_32.dll

2010-08-10 23:17:03 37376 ----a-w- c:\windows\system32\rtutils.dll

2010-08-10 23:17:03 1233920 ----a-w- c:\windows\system32\msxml3.dll

2010-08-10 23:17:02 310784 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-10 23:17:02 307200 ----a-w- c:\windows\system32\drivers\srv2.sys

2010-08-10 23:17:02 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys

2010-08-10 23:17:00 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-08-10 23:17:00 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-08-10 10:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-08-10 10:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-08-09 18:54:44 65536 --sha-w- c:\users\cmack.txfbdom\ntuser.dat{6af38069-a3e7-11df-a0b9-005056c00008}.TM.blf

2010-08-09 18:54:44 524288 --sha-w- c:\users\cmack.txfbdom\ntuser.dat{6af38069-a3e7-11df-a0b9-005056c00008}.TMContainer00000000000000000002.regtrans-ms

2010-08-09 18:54:44 524288 --sha-w- c:\users\cmack.txfbdom\ntuser.dat{6af38069-a3e7-11df-a0b9-005056c00008}.TMContainer00000000000000000001.regtrans-ms

==================== Find3M ====================

2010-08-01 17:55:38 70704 ----a-w- c:\windows\system32\drivers\vmci.sys

2010-08-01 17:55:36 854064 ----a-w- c:\windows\system32\drivers\vmx86.sys

2010-08-01 17:54:52 14896 ----a-w- c:\windows\system32\drivers\vmparport.sys

2010-08-01 16:39:06 32304 ----a-w- c:\windows\system32\drivers\hcmon.sys

2010-08-01 16:12:36 252464 ----a-w- c:\windows\system32\vmnc.dll

2010-08-01 14:18:26 31280 ----a-w- c:\windows\system32\drivers\vmusb.sys

2010-08-01 14:18:24 59952 ----a-w- c:\windows\system32\vnetinst.dll

2010-08-01 14:18:24 51248 ----a-w- c:\windows\system32\vmnetbridge.dll

2010-08-01 14:18:24 36400 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys

2010-08-01 14:18:24 18736 ----a-w- c:\windows\system32\drivers\vmnet.sys

2010-08-01 14:18:24 16560 ----a-w- c:\windows\system32\drivers\vmnetadapter.sys

2010-07-17 10:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-15 23:11:10 26144 ----a-w- c:\windows\system32\stcsnap.dll

2010-07-15 23:11:08 67616 ----a-w- c:\windows\system32\vsnapvss.exe

2010-07-15 23:10:20 102560 ----a-w- c:\windows\system32\drivers\sbmount.sys

2010-06-30 06:25:31 978432 ----a-w- c:\windows\system32\wininet.dll

2010-06-19 04:07:18 2326016 ----a-w- c:\windows\system32\win32k.sys

2010-06-17 15:22:53 627712 ----a-w- c:\windows\system32\gpprefbr.dll

2010-06-17 15:22:53 4342272 ----a-w- c:\windows\system32\gppref.dll

2010-06-17 15:22:53 2548736 ----a-w- c:\windows\system32\propshts.dll

2010-06-17 15:22:53 225280 ----a-w- c:\windows\system32\gpregistrybrowser.dll

2010-06-17 15:22:53 166400 ----a-w- c:\windows\system32\gpprefcn.dll

2010-06-16 05:48:35 224256 ----a-w- c:\windows\system32\schannel.dll

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat

2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat

2010-06-09 20:48:41 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

2010-05-11 14:55:30 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat

2010-05-11 14:55:30 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat

2010-05-11 14:55:30 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

2010-05-11 14:55:30 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 9:05:28.57 ===============

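The DDS log above has three parts a responder reads first: the running process list, the pseudo-HijackThis report, and the "Created Last 30" file list with its attribute column. The Python below is an added example for this thread (it is not DDS, nor any tool the helpers use) that parses those sections out of the log text and applies two simple triage rules: running processes whose image lives outside the Windows and Program Files trees, and recently created executables that sit in %TEMP%/AppData, directly under c:\windows, or carry the hidden/system attributes. The sample input is a short constructed excerpt copied from the log above; the cutoff date, the list of trusted roots, and the attribute-column layout (position 2 = system, 3 = hidden, read off the strings in the log) are assumptions.

```python
import ntpath
import re
from datetime import datetime

# Constructed excerpt: lines copied from the DDS log posted above, enough to
# exercise each section the parser understands.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Users\cmack.TXFBDOM\Desktop\Stageing Area\Malwarebytes Stuff\Tools\dds.scr
C:\Windows\Explorer.EXE
============== Pseudo HJT Report ===============
uStart Page = hxxp://sharepoint.txfb.org/it/default.aspx
=============== Created Last 30 ================
2010-09-08 14:03:26 0 ----a-w- c:\users\cmack.txfbdom\defogger_reenable
2010-09-02 18:57:16 77312 ----a-w- c:\windows\MBR.exe
2010-08-31 18:43:18 65536 --sha-w- c:\users\cmack.txfbdom\ntuser.dat{772916b9-b52f-11df-a749-005056c00008}.TM.blf
2010-08-25 00:12:24 571904 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-17 20:41:02 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
============= FINISH: 9:05:28.57 ===============
"""

SECTION_RE = re.compile(r"^=+\s*([^=].*?)\s*=+$")
# image path ends at the first executable extension; anything after is args
PROC_RE = re.compile(r"^([A-Za-z]:\\.+?\.(?:exe|scr|com|dll))(?:\s+(.*))?$", re.IGNORECASE)
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-a-z]{8})\s+(.+)$")

EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".tmp"}
# Assumed set of roots a stock Windows box runs code from; user profiles are
# deliberately absent because that is where droppers write.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
                 "c:\\progra~1\\", "c:\\progra~2\\")


def split_sections(text):
    """Map each '==== Title ====' header in a DDS log to the lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def is_hidden_or_system(attrs):
    """DDS attribute column as seen in the log: position 0 = directory,
    2 = system, 3 = hidden, 4 = archive, 6 = writable (w) / read-only (r).
    This layout is deduced from the strings in the log, not documented."""
    return attrs[2] == "s" or attrs[3] == "h"


def parse_created(lines):
    """Parse 'Created Last 30' rows into dicts with a real datetime."""
    entries = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            stamp, size, attrs, path = m.groups()
            entries.append({"time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                            "size": int(size), "attrs": attrs, "path": path})
    return entries


def flag_processes(lines):
    """Images running from outside the trusted roots (user-writable paths)."""
    flagged = []
    for line in lines:
        m = PROC_RE.match(line)
        if m and not m.group(1).lower().startswith(TRUSTED_ROOTS):
            flagged.append(m.group(1))
    return flagged


def flag_created(entries, since):
    """Executables created on/after `since` in places a dropper typically
    writes, or marked hidden/system. Leads to verify, not verdicts."""
    hits = []
    for e in entries:
        if e["time"] < since:
            continue
        p = e["path"].lower()
        if ntpath.splitext(p)[1] not in EXEC_EXT:
            continue
        in_temp = "\\temp\\" in p or "\\appdata\\" in p
        in_windows_root = p.startswith("c:\\windows\\") and p.count("\\") == 2
        if in_temp or in_windows_root or is_hidden_or_system(e["attrs"]):
            hits.append(e["path"])
    return hits


def triage(text, since):
    """Run both rules over a DDS log; `since` is an ISO date string."""
    sections = split_sections(text)
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    return {"processes": flag_processes(sections.get("Running Processes", [])),
            "created": flag_created(parse_created(sections.get("Created Last 30", [])), cutoff)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_DDS, "2010-08-20").items():
        print(kind, items)
```

On the sample the only flagged process is the poster's own dds.scr (it runs from the Desktop, a user-writable path), and the only flagged file is c:\windows\MBR.exe, created 2010-09-02, which coincides with the ComboFix run the poster says happened about a week before this post. Both show what the rules are for: they narrow a 600-line log to a handful of entries to check against the tools the user knowingly ran, rather than deciding anything on their own.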

That helps but did you run a TDSSKiller scan?

If not, try it and use Copy / Paste to post the results.

For whatever reason I can't open your zip file.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run, once it is finished move onto the next step

Download TDSSKiller and save it to your Desktop.

  • Make sure all other windows are closed and to let it run uninterrupted.
  • Extract the file and run it.
  • Once completed it will create a log in your C:\ drive called TDSSKiller_* (* denotes version & date)
  • Reboot your machine and see if the infection is gone
  • Please post the contents of that log TDSSKiller and GooredFix log.


2010/09/08 11:36:59.0447 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44

2010/09/08 11:36:59.0447 ================================================================================

2010/09/08 11:36:59.0447 SystemInfo:

2010/09/08 11:36:59.0447

2010/09/08 11:36:59.0447 OS Version: 6.1.7600 ServicePack: 0.0

2010/09/08 11:36:59.0447 Product type: Workstation

2010/09/08 11:36:59.0447 ComputerName: 1WWLLF1

2010/09/08 11:36:59.0463 UserName: cmack

2010/09/08 11:36:59.0463 Windows directory: C:\Windows

2010/09/08 11:36:59.0463 System windows directory: C:\Windows

2010/09/08 11:36:59.0463 Processor architecture: Intel x86

2010/09/08 11:36:59.0463 Number of processors: 8

2010/09/08 11:36:59.0463 Page size: 0x1000

2010/09/08 11:36:59.0463 Boot type: Normal boot

2010/09/08 11:36:59.0463 ================================================================================

2010/09/08 11:36:59.0931 Initialize success

2010/09/08 11:37:10.0336 ================================================================================

2010/09/08 11:37:10.0336 Scan started

2010/09/08 11:37:10.0336 Mode: Manual;

2010/09/08 11:37:10.0336 ================================================================================

2010/09/08 11:37:15.0172 ================================================================================

2010/09/08 11:37:15.0172 Scan finished

2010/09/08 11:37:15.0172 ================================================================================

2010/09/08 11:37:21.0662 Deinitialize success

And the GooredFix LOG

GooredFix by jpshortstuff (03.07.10.1)

Log created at 11:58 on 08/09/2010 (cmack)

Firefox version [unable to determine]

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\

(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

(none)

-=E.O.F=-


Nothing bad there.

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package. If Vista or Windows 7, skip the Recovery Console part.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[Image: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


BTW, I have edited my original post to include a rar file format of my logs, sometimes zip files have issues but I checked the RAR file and that one worked.

I am currently trying to run ComboFix (I had run it before with no issues about 1 week ago), but this time I am having a little trouble.

I get error: Find String (QGREP) Utility has stopped working and my only option is close.

I have restarted the computer and re-ran the combo fix, this time I got this message:

Combofix has detected the presence of rootkit activity and needs to reboot the machine.... I clicked ok and will let you know how it goes on the next post.


I would suppose they update the combofix file from time to time, like I said I had scanned about a week ago and I did not get that message..... anyway here is my log.....

ComboFix 10-09-07.03 - cmack 09/08/2010 13:57:33.4.8 - x86

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3326.2401 [GMT -5:00]

Running from: c:\users\cmack.TXFBDOM\Desktop\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))

.

2010-09-08 19:03 . 2010-09-08 19:03 -------- d-----w- c:\users\cmack.TXFBDOM\AppData\Local\temp

2010-09-08 19:03 . 2010-09-08 19:03 -------- d-----w- c:\users\Public\AppData\Local\temp

2010-09-08 19:03 . 2010-09-08 19:03 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp

2010-09-08 19:03 . 2010-09-08 19:03 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-09-08 19:03 . 2010-09-08 19:03 -------- d-----w- c:\users\CMACK~1~TXF\AppData\Local\temp

2010-09-08 19:03 . 2010-09-08 19:03 -------- d-----w- c:\users\cmack\AppData\Local\temp

2010-09-08 13:45 . 2010-09-08 13:45 -------- d-----w- c:\users\cmack.TXFBDOM\AppData\Local\Lunarsoft

2010-09-08 13:45 . 2010-09-08 13:45 -------- d-----w- c:\program files\Lunarsoft

2010-09-07 20:46 . 2010-09-07 20:47 -------- d-----w- c:\program files\Ultra File Search

2010-08-31 15:04 . 2010-08-31 15:04 -------- d-----w- c:\users\cmack.TXFBDOM\AppData\Roaming\Apple Computer

2010-08-27 18:21 . 2010-08-27 18:22 -------- d-----w- c:\users\cmack.TXFBDOM\AppData\Roaming\vlc

2010-08-27 18:20 . 2010-08-27 18:20 -------- d-----w- c:\program files\VideoLAN

2010-08-27 16:51 . 2010-08-31 15:00 -------- d-----w- C:\YouTubeVideos

2010-08-27 16:48 . 2010-08-27 16:48 -------- d-----w- c:\program files\AliveMedia

2010-08-26 15:19 . 2010-08-30 16:12 12195 ----a-w- c:\programdata\DVDXStudio\CloneDVD5\MainApp.dll

2010-08-25 00:12 . 2010-04-07 07:10 571904 ----a-w- c:\windows\system32\oleaut32.dll

2010-08-23 13:53 . 2010-08-23 13:53 -------- d-----w- c:\programdata\Kaspersky Lab

2010-08-19 12:44 . 2010-08-19 12:45 -------- d-----w- c:\program files\QuickTime

2010-08-18 19:30 . 2010-07-15 22:48 193440 ----a-w- c:\windows\system32\drivers\stcvsm.sys

2010-08-17 20:41 . 2010-08-01 17:55 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe

2010-08-17 20:41 . 2010-08-01 17:55 399920 ----a-w- c:\windows\system32\vmnat.exe

2010-08-17 20:41 . 2010-08-01 17:52 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys

2010-08-17 20:40 . 2010-08-01 17:55 760368 ----a-w- c:\windows\system32\vnetlib.dll

2010-08-17 20:40 . 2010-08-01 17:54 24624 ----a-w- c:\windows\system32\drivers\VMkbd.sys

2010-08-17 20:40 . 2010-08-17 20:40 -------- d-----w- c:\program files\Common Files\VMware

2010-08-17 20:39 . 2010-08-17 20:39 -------- d-----w- c:\program files\VMware

2010-08-17 15:48 . 2010-08-17 16:29 -------- d-----w- c:\users\cmack.TXFBDOM\AppData\Roaming\Download Manager

2010-08-12 12:52 . 2010-08-12 12:52 -------- d-----w- c:\users\cmack.TXFBDOM\AppData\Local\Opera

2010-08-12 12:52 . 2010-08-12 12:52 -------- d-----w- c:\program files\Opera

2010-08-11 16:23 . 2010-08-11 16:23 -------- d-----w- c:\windows\Sun

2010-08-11 16:23 . 2010-08-11 16:23 -------- d-----w- c:\program files\Common Files\Java

2010-08-10 23:17 . 2010-06-14 06:12 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys

2010-08-10 23:17 . 2010-07-29 06:30 197632 ----a-w- c:\windows\system32\ir32_32.dll

2010-08-10 23:17 . 2010-07-29 06:30 82944 ----a-w- c:\windows\system32\iccvid.dll

2010-08-10 23:17 . 2010-06-19 06:23 37376 ----a-w- c:\windows\system32\rtutils.dll

2010-08-10 23:17 . 2010-06-08 06:02 1233920 ----a-w- c:\windows\system32\msxml3.dll

2010-08-10 23:17 . 2010-06-22 02:47 310784 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-10 23:17 . 2010-06-22 02:47 307200 ----a-w- c:\windows\system32\drivers\srv2.sys

2010-08-10 23:17 . 2010-06-22 02:47 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys

2010-08-10 23:17 . 2010-06-19 06:33 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-08-10 23:17 . 2010-06-19 06:33 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-08 18:52 . 2010-05-12 16:36 -------- d-----w- c:\programdata\VMware

2010-09-08 18:52 . 2010-05-11 14:57 -------- d-----w- c:\programdata\NVIDIA

2010-09-08 13:09 . 2010-05-12 18:53 -------- d-----w- c:\program files\LogMeIn

2010-09-07 15:39 . 2010-05-18 20:26 -------- d-----w- c:\users\cmack.TXFBDOM\AppData\Roaming\VMware

2010-09-02 14:33 . 2010-05-11 19:35 -------- d-----w- c:\programdata\Roxio

2010-09-01 14:44 . 2010-05-11 19:37 -------- d-----w- c:\programdata\Sonic

2010-08-26 15:19 . 2010-05-20 13:34 -------- d-----w- c:\program files\CloneDVD5

2010-08-26 15:17 . 2010-05-20 13:34 -------- d-----w- c:\users\cmack.TXFBDOM\AppData\Roaming\Vso

2010-08-26 15:16 . 2010-05-20 13:34 -------- d-----w- c:\programdata\DVDXStudio

2010-08-26 14:33 . 2010-05-12 16:17 -------- d-----w- c:\users\cmack.TXFBDOM\AppData\Roaming\FileZilla

2010-08-25 18:52 . 2010-05-11 20:54 -------- d-----w- c:\program files\CCleaner

2010-08-23 14:31 . 2010-06-28 21:44 -------- d-----w- c:\program files\KLTImageshack uploader

2010-08-23 13:41 . 2010-05-12 16:17 -------- d-----w- c:\program files\FileZilla FTP Client

2010-08-19 12:44 . 2010-05-12 16:09 -------- d-----w- c:\programdata\Apple Computer

2010-08-17 20:42 . 2010-05-12 16:37 921608 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\uninstall.exe

2010-08-17 20:42 . 2010-05-12 16:37 629296 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\instUtils.dll

2010-08-17 20:38 . 2010-05-12 16:37 581632 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\module_core.dll

2010-08-17 20:38 . 2010-05-12 16:37 360448 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\module_license.dll

2010-08-17 20:38 . 2010-05-12 16:37 356352 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\module_ws.dll

2010-08-17 20:38 . 2010-05-12 16:37 968752 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\vnetlib64.dll

2010-08-17 20:38 . 2010-05-12 16:37 932400 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\vnetlib64.exe

2010-08-17 20:38 . 2010-05-12 16:37 760368 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\vnetlib.dll

2010-08-17 20:38 . 2010-05-12 16:37 760368 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\vminstutil.dll

2010-08-17 20:38 . 2010-05-12 16:37 707120 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\vnetlib.exe

2010-08-11 16:23 . 2010-05-12 15:17 -------- d-----w- c:\program files\Java

2010-08-11 08:03 . 2010-05-11 19:07 -------- d-----w- c:\programdata\Microsoft Help

2010-08-05 13:18 . 2010-08-05 13:15 -------- d-----w- c:\program files\Microsoft Streets & Trips 2010

2010-08-05 12:57 . 2010-08-05 12:57 -------- d-----w- c:\program files\MSECache

2010-08-03 13:21 . 2010-05-11 21:41 -------- d-----w- c:\programdata\FLEXnet

2010-08-03 13:21 . 2010-05-11 19:40 -------- d-----w- c:\programdata\CinemaNow

2010-08-02 16:12 . 2010-08-02 16:12 -------- d-----w- c:\program files\Jufsoft

2010-08-01 17:55 . 2010-08-01 17:55 70704 ----a-w- c:\windows\system32\drivers\vmci.sys

2010-08-01 17:55 . 2010-08-01 17:55 854064 ----a-w- c:\windows\system32\drivers\vmx86.sys

2010-08-01 17:54 . 2010-08-01 17:54 14896 ----a-w- c:\windows\system32\drivers\vmparport.sys

2010-08-01 16:39 . 2010-08-01 16:39 32304 ----a-w- c:\windows\system32\drivers\hcmon.sys

2010-08-01 16:12 . 2010-08-01 16:12 252464 ----a-w- c:\windows\system32\vmnc.dll

2010-08-01 14:18 . 2010-08-01 14:18 31280 ----a-w- c:\windows\system32\drivers\vmusb.sys

2010-08-01 14:18 . 2010-08-01 14:18 59952 ----a-w- c:\windows\system32\vnetinst.dll

2010-08-01 14:18 . 2010-08-01 14:18 51248 ----a-w- c:\windows\system32\vmnetbridge.dll

2010-08-01 14:18 . 2010-08-01 14:18 36400 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys

2010-08-01 14:18 . 2010-08-01 14:18 18736 ----a-w- c:\windows\system32\drivers\vmnet.sys

2010-08-01 14:18 . 2010-08-01 14:18 16560 ----a-w- c:\windows\system32\drivers\vmnetadapter.sys

2010-07-28 16:19 . 2010-07-28 16:19 -------- d-----w- c:\program files\r2 Studios

2010-07-27 14:28 . 2010-05-11 21:35 -------- d-----w- c:\program files\Common Files\Adobe

2010-07-17 10:00 . 2010-05-12 15:17 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-16 21:38 . 2010-07-16 21:38 -------- d-----w- c:\program files\Spb Software House

2010-07-15 23:11 . 2010-07-07 20:30 26144 ----a-w- c:\windows\system32\stcsnap.dll

2010-07-15 23:11 . 2010-07-07 20:30 67616 ----a-w- c:\windows\system32\vsnapvss.exe

2010-07-15 23:10 . 2010-07-07 20:31 102560 ----a-w- c:\windows\system32\drivers\sbmount.sys

2010-07-13 21:30 . 2010-07-13 21:27 -------- d-----w- c:\program files\Content Manager

2010-07-13 21:27 . 2010-05-11 18:18 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-30 20:44 . 2010-06-30 15:40 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-06-30 06:25 . 2010-08-10 23:16 978432 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 12:35 . 2010-06-23 12:35 501936 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbA614.tmp.exe

2010-06-19 04:07 . 2010-08-10 23:16 2326016 ----a-w- c:\windows\system32\win32k.sys

2010-06-17 15:22 . 2010-06-17 15:22 627712 ----a-w- c:\windows\system32\gpprefbr.dll

2010-06-17 15:22 . 2010-06-17 15:22 2548736 ----a-w- c:\windows\system32\propshts.dll

2010-06-17 15:22 . 2010-06-17 15:22 4342272 ----a-w- c:\windows\system32\gppref.dll

2010-06-17 15:22 . 2010-06-17 15:22 225280 ----a-w- c:\windows\system32\gpregistrybrowser.dll

2010-06-17 15:22 . 2010-06-17 15:22 166400 ----a-w- c:\windows\system32\gpprefcn.dll

2010-06-16 05:48 . 2010-08-10 23:16 224256 ----a-w- c:\windows\system32\schannel.dll

2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat

2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

.

((((((((((((((((((((((((((((( SnapShot@2010-09-02_19.04.59 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-05-11 18:35 . 2010-09-08 18:58 37056 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin

+ 2009-07-14 04:55 . 2010-09-08 18:58 36692 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin

- 2009-07-14 04:55 . 2010-09-01 14:46 36692 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin

- 2010-05-11 16:53 . 2010-09-02 02:48 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2010-05-11 16:53 . 2010-09-08 18:52 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2010-05-11 16:53 . 2010-09-02 02:48 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2010-05-11 16:53 . 2010-09-08 18:52 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2009-07-14 04:41 . 2010-09-08 18:52 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2009-07-14 04:41 . 2010-09-02 02:48 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2010-05-11 23:13 . 2010-09-02 13:38 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2010-05-11 23:13 . 2010-09-08 18:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2010-05-13 14:12 . 2010-09-08 13:03 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat

- 2010-05-13 14:12 . 2010-09-02 19:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat

+ 2010-05-13 14:12 . 2010-09-08 13:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat

- 2010-05-13 14:12 . 2010-09-02 19:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat

- 2010-05-13 14:12 . 2010-09-02 19:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat

+ 2010-05-13 14:12 . 2010-09-08 13:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat

- 2010-05-11 23:13 . 2010-09-02 19:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2010-05-11 23:13 . 2010-09-08 18:07 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2010-05-11 23:13 . 2010-09-02 13:38 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2010-05-11 23:13 . 2010-09-08 18:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2010-05-11 18:25 . 2010-09-08 18:58 8584 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1957994488-1563985344-1417001333-1107_UserData.bin

+ 2010-09-08 18:52 . 2010-09-08 18:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2010-09-01 14:36 . 2010-09-01 14:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2010-09-01 14:36 . 2010-09-01 14:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2010-09-08 18:52 . 2010-09-08 18:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2010-06-16 18:12 . 2010-09-06 15:54 118322 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin

- 2009-07-14 02:05 . 2010-09-02 18:40 629528 c:\windows\System32\perfh009.dat

+ 2009-07-14 02:05 . 2010-09-08 18:56 629528 c:\windows\System32\perfh009.dat

- 2009-07-14 02:05 . 2010-09-02 18:40 108370 c:\windows\System32\perfc009.dat

+ 2009-07-14 02:05 . 2010-09-08 18:56 108370 c:\windows\System32\perfc009.dat

- 2009-07-14 02:03 . 2010-09-02 00:59 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat

+ 2009-07-14 02:03 . 2010-09-08 09:41 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat

- 2010-05-14 20:14 . 2010-08-26 14:10 1603672 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat

+ 2010-05-14 20:14 . 2010-09-02 19:12 1603672 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-11 39408]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]

"GetSmile"="c:\program files\GetSmile\getsmile.exe" [2007-06-02 2031616]

"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2010-06-15 4398016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-04-15 1657448]

"CTxfiHlp"="CTXFIHLP.EXE" [2009-06-04 25600]

"CPMonitor"="c:\program files\Roxio 2010\5.0\CPMonitor.exe" [2009-07-21 84464]

"Desktop Disc Tool"="c:\program files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe" [2009-06-23 494064]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"pdfFactory Pro Dispatcher v3"="c:\windows\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2010-03-18 614400]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]

"NGTray"="c:\program files\Symantec\Ghost\ngtray.exe" [2009-12-25 206216]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-01-25 115560]

"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

"Tonic"="c:\program files\r2 Studios\Tonic\Tonic.exe" [2006-09-03 840192]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2010-08-01 129584]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]

c:\users\cmack.TXFBDOM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2010-5-12 3581680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-6-12 622653]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2007-04-27 17:10 18744 ----a-w- c:\windows\System32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKLM\~\startupfolder\C:^Users^cmack.TXFBDOM^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\users\cmack.TXFBDOM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup

backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSS]

2008-11-25 14:06 1466459 ----a-w- c:\program files\Mace Security\MACE PRO SURVEILLANCE SYSTEM\EPSS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Magellan CmTray]

2010-06-01 17:26 435200 ----a-w- c:\program files\Content Manager\CmTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-08-10 10:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]

2009-07-24 13:33 240112 ----a-w- c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 135664]

R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe [2009-07-24 219632]

R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2010-05-11 79360]

R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-05-11 79360]

R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2009-06-04 171032]

R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2009-06-04 1324056]

R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2009-06-04 72728]

R3 RoxMediaDB12;RoxMediaDB12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe [2009-07-24 1116656]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-11 1343400]

S0 SahdIa32;HDD Filter Driver;c:\windows\System32\Drivers\SahdIa32.sys [2009-06-02 21488]

S0 SaibIa32;Volume Filter Driver;c:\windows\System32\Drivers\SaibIa32.sys [2009-06-02 15856]

S0 stcvsm;StorageCraft Volume Snapshot Driver;c:\windows\system32\DRIVERS\stcvsm.sys [2010-07-15 193440]

S1 SaibVd32;Virtual Disk Driver;c:\windows\system32\Drivers\SaibVd32.sys [2009-06-02 25584]

S1 sbmount;StorageCraft Image Mount Driver; [x]

S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [2009-06-03 457200]

S2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2009-06-23 127352]

S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-08-11 12856]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-04-29 304464]

S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2009-12-08 5241448]

S2 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [2010-07-15 1657376]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-04-16 240232]

S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-07-06 173352]

S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2010-08-01 70704]

S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-08-01 539184]

S2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [2010-07-15 67616]

S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [2009-06-04 171032]

S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [2009-06-04 1324056]

S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [2009-06-04 72728]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-26 102448]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-04-29 20952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 18:54]

2010-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 18:54]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://sharepoint.txfb.org/it/default.aspx

uInternet Settings,ProxyServer = proxy.txfb-ins.local:8080

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll

Trusted Zone: cinemanow.com

Trusted Zone: kltforums.net\www

Trusted Zone: malwarebytes.org\forums

Trusted Zone: qflix.com

Trusted Zone: roxio.com

Trusted Zone: sonic.com\redirect

Trusted Zone: sonic.com\redirect2

TCP: {7BF66DA3-4B95-4FA8-9D59-2E49098E026B} = 10.1.1.7,10.1.1.22

.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: >>UNKNOWN [0x82E14000]<< >>UNKNOWN [0x8C3AD000]<< >>UNKNOWN [0x8C39C000]<< >>UNKNOWN [0x8C400000]<< >>UNKNOWN [0x8BE3A000]<< >>UNKNOWN [0x83224000]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

IoDeviceObjectType -> DumpProcedure -> 0xd46a624f

SecurityProcedure -> 0x857c8390

QueryNameProcedure -> 0x857c8520

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2010-09-08 14:05:28

ComboFix-quarantined-files.txt 2010-09-08 19:05

ComboFix2.txt 2010-09-02 19:07

Pre-Run: 66,836,123,648 bytes free

Post-Run: 66,626,142,208 bytes free

- - End Of File - - B42298E7387F723F5F5D207AC1AF7789


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: >>UNKNOWN [0x82E14000]<< >>UNKNOWN [0x8C3AD000]<< >>UNKNOWN [0x8C39C000]<< >>UNKNOWN [0x8C400000]<< >>UNKNOWN [0x8BE3A000]<< >>UNKNOWN [0x83224000]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

IoDeviceObjectType -> DumpProcedure -> 0xd46a624f

SecurityProcedure -> 0x857c8390

QueryNameProcedure -> 0x857c8520

user & kernel MBR OK

Not sure I've seen that before.

Try a GMER scan.

I'll be back online in about 4 hrs.


Here is a screenshot of the options I had selected; let me know if that is OK.

[Attached screenshot: gmeroptions.jpg]

Here is the log:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-09-08 09:18:19

Windows 6.1.7600

Running: oiu5nnvo.exe; Driver: C:\Users\CMACK~1.TXF\AppData\Local\Temp\pxddqpod.sys

---- System - GMER 1.0.15 ----

SSDT 874ABF48 ZwAlertResumeThread

SSDT 8733C078 ZwAlertThread

SSDT 874BFD78 ZwAllocateVirtualMemory

SSDT 872860D0 ZwConnectPort

SSDT 874C1E78 ZwCreateMutant

SSDT 874CB4B8 ZwCreateThread

SSDT 8747F0C8 ZwFreeVirtualMemory

SSDT 874ABDC8 ZwImpersonateAnonymousToken

SSDT 874ABE88 ZwImpersonateThread

SSDT 874C1AD0 ZwMapViewOfSection

SSDT 874C1DB8 ZwOpenEvent

SSDT 874965C0 ZwOpenProcessToken

SSDT 874ABAB0 ZwOpenThreadToken

SSDT \??\C:\Windows\system32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory [0x8DFB68B0]

SSDT 87496B38 ZwResumeThread

SSDT 8747F048 ZwSetContextThread

SSDT 874C1978 ZwSetInformationProcess

SSDT 874AB958 ZwSetInformationThread

SSDT 874C1CF8 ZwSuspendProcess

SSDT 8733C180 ZwSuspendThread

SSDT 8579A848 ZwTerminateProcess

SSDT 8733C240 ZwTerminateThread

SSDT 8748A4C8 ZwUnmapViewOfSection

SSDT 8747F198 ZwWriteVirtualMemory

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E27AF8

INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E27104

INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E273F4

INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E102D8

INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E0F898

INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E271DC

INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E27958

INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E276F8

INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E27F2C

INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E281A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E87599 1 Byte [06]

.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EABF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

.text ntkrnlpa.exe!RtlSidHashLookup + 224 82EB3734 8 Bytes [48, BF, 4A, 87, 78, C0, 33, ...]

.text ntkrnlpa.exe!RtlSidHashLookup + 23C 82EB374C 4 Bytes [78, FD, 4B, 87]

.text ntkrnlpa.exe!RtlSidHashLookup + 2DC 82EB37EC 4 Bytes [D0, 60, 28, 87]

.text ntkrnlpa.exe!RtlSidHashLookup + 318 82EB3828 4 Bytes [78, 1E, 4C, 87]

.text ntkrnlpa.exe!RtlSidHashLookup + 34C 82EB385C 4 Bytes [b8, B4, 4C, 87]

.text ...

.text peauth.sys ABCFAC9D 28 Bytes [1E, A3, AF, 57, A5, 5F, 50, ...]

.text peauth.sys ABCFACC1 28 Bytes [1E, A3, AF, 57, A5, 5F, 50, ...]

PAGE peauth.sys ABD00E20 101 Bytes [26, C0, D7, 58, 10, C7, A7, ...]

PAGE peauth.sys ABD0102C 102 Bytes [41, 4A, 64, 91, 23, 1B, 5D, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1440] USER32.dll!CreateWindowExW 75E10E51 5 Bytes JMP 6A9C8157 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1440] USER32.dll!DialogBoxIndirectParamW 75E34AA7 5 Bytes JMP 6AAEF970 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1440] USER32.dll!DialogBoxParamW 75E3564A 5 Bytes JMP 6A8E4BA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1440] USER32.dll!DialogBoxParamA 75E4CF6A 5 Bytes JMP 6AAEF90D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1440] USER32.dll!DialogBoxIndirectParamA 75E4D29C 5 Bytes JMP 6AAEF9D3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1440] USER32.dll!MessageBoxIndirectA 75E5E8C9 5 Bytes JMP 6AAEF8A2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1440] USER32.dll!MessageBoxIndirectW 75E5E9C3 5 Bytes JMP 6AAEF837 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1440] USER32.dll!MessageBoxExA 75E5EA29 5 Bytes JMP 6AAEF7D5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1440] USER32.dll!MessageBoxExW 75E5EA4D 5 Bytes JMP 6AAEF773 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE[2208] kernel32.dll!SetUnhandledExceptionFilter 75263162 5 Bytes JMP 64835164 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)

.text C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE[2208] ole32.dll!OleLoadFromStream 76B85B88 5 Bytes JMP 652E9D32 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2600] USER32.dll!UnhookWindowsHookEx 75E0CC7B 5 Bytes JMP 6A9D835E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2600] USER32.dll!CallNextHookEx 75E0CC8F 5 Bytes JMP 6A9B9D5C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2600] USER32.dll!CreateWindowExW 75E10E51 5 Bytes JMP 6A9C8157 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2600] USER32.dll!SetWindowsHookExW 75E1210A 5 Bytes JMP 6A974633 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2600] USER32.dll!DialogBoxIndirectParamW 75E34AA7 5 Bytes JMP 6AAEF970 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2600] USER32.dll!DialogBoxParamW 75E3564A 5 Bytes JMP 6A8E4BA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2600] USER32.dll!DialogBoxParamA 75E4CF6A 5 Bytes JMP 6AAEF90D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2600] USER32.dll!DialogBoxIndirectParamA 75E4D29C 5 Bytes JMP 6AAEF9D3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2600] USER32.dll!MessageBoxIndirectA 75E5E8C9 5 Bytes JMP 6AAEF8A2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2600] USER32.dll!MessageBoxIndirectW 75E5E9C3 5 Bytes JMP 6AAEF837 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2600] USER32.dll!MessageBoxExA 75E5EA29 5 Bytes JMP 6AAEF7D5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2600] USER32.dll!MessageBoxExW 75E5EA4D 5 Bytes JMP 6AAEF773 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2600] ole32.dll!OleLoadFromStream 76B85B88 5 Bytes JMP 6AAEFCCE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2600] ole32.dll!CoCreateInstance 76BD57FC 5 Bytes JMP 6A9C8C45 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!UnhookWindowsHookEx 75E0CC7B 5 Bytes JMP 6A9D835E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!CallNextHookEx 75E0CC8F 5 Bytes JMP 6A9B9D5C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!CreateWindowExW 75E10E51 5 Bytes JMP 6A9C8157 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!SetWindowsHookExW 75E1210A 5 Bytes JMP 6A974633 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!DialogBoxIndirectParamW 75E34AA7 5 Bytes JMP 6AAEF970 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!DialogBoxParamW 75E3564A 5 Bytes JMP 6A8E4BA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!DialogBoxParamA 75E4CF6A 5 Bytes JMP 6AAEF90D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!DialogBoxIndirectParamA 75E4D29C 5 Bytes JMP 6AAEF9D3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!MessageBoxIndirectA 75E5E8C9 5 Bytes JMP 6AAEF8A2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!MessageBoxIndirectW 75E5E9C3 5 Bytes JMP 6AAEF837 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!MessageBoxExA 75E5EA29 5 Bytes JMP 6AAEF7D5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!MessageBoxExW 75E5EA4D 5 Bytes JMP 6AAEF773 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4780] ole32.dll!OleLoadFromStream 76B85B88 5 Bytes JMP 652E9D32 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4780] ole32.dll!CoCreateInstance 76BD57FC 5 Bytes JMP 6A9C8C45 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[7004] USER32.dll!UnhookWindowsHookEx 75E0CC7B 5 Bytes JMP 6A9D835E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[7004] USER32.dll!CallNextHookEx 75E0CC8F 5 Bytes JMP 6A9B9D5C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[7004] USER32.dll!CreateWindowExW 75E10E51 5 Bytes JMP 6A9C8157 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[7004] USER32.dll!SetWindowsHookExW 75E1210A 5 Bytes JMP 6A974633 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[7004] USER32.dll!DialogBoxIndirectParamW 75E34AA7 5 Bytes JMP 6AAEF970 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[7004] USER32.dll!DialogBoxParamW 75E3564A 5 Bytes JMP 6A8E4BA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[7004] USER32.dll!DialogBoxParamA 75E4CF6A 5 Bytes JMP 6AAEF90D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[7004] USER32.dll!DialogBoxIndirectParamA 75E4D29C 5 Bytes JMP 6AAEF9D3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[7004] USER32.dll!MessageBoxIndirectA 75E5E8C9 5 Bytes JMP 6AAEF8A2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[7004] USER32.dll!MessageBoxIndirectW 75E5E9C3 5 Bytes JMP 6AAEF837 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[7004] USER32.dll!MessageBoxExA 75E5EA29 5 Bytes JMP 6AAEF7D5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[7004] USER32.dll!MessageBoxExW 75E5EA4D 5 Bytes JMP 6AAEF773 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[7004] ole32.dll!OleLoadFromStream 76B85B88 5 Bytes JMP 6AAEFCCE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[7004] ole32.dll!CoCreateInstance 76BD57FC 5 Bytes JMP 6A9C8C45 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)

Device \Driver\usbhub \Device\0000008e hcmon.sys

Device \Driver\usbhub \Device\0000008f hcmon.sys

AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy1 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

Device \Driver\usbuhci \Device\USBPDO-0 hcmon.sys

Device \Driver\usbuhci \Device\USBPDO-1 hcmon.sys

Device \Driver\usbuhci \Device\USBPDO-2 hcmon.sys

Device \Driver\usbuhci \Device\USBPDO-3 hcmon.sys

Device \Driver\usbehci \Device\USBPDO-4 hcmon.sys

Device \Driver\usbhub \Device\000000a0 hcmon.sys

AttachedDevice \Driver\tdx \Device\Tcp wpsdrvnt.sys

Device \Driver\usbhub \Device\USBPDO-5 hcmon.sys

Device \Driver\usbhub \Device\USBPDO-6 hcmon.sys

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

Device \Driver\usbhub \Device\USBPDO-7 hcmon.sys

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

Device \Driver\usbhub \Device\USBPDO-8 hcmon.sys

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

Device \Driver\iaStorV \Device\Ide\iaStor0 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)

Device \Driver\iaStorV \Device\Ide\IAAStorageDevice-0 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)

Device \Driver\iaStorV \Device\Ide\IAAStorageDevice-1 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)

Device \Driver\iaStorV \Device\Ide\IAAStorageDevice-2 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

Device \Driver\usbhub \Device\USBPDO-10 hcmon.sys

Device \Driver\ACPI_HAL \Device\00000075 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

Device \Driver\usbhub \Device\00000090 hcmon.sys

AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

Device \Driver\usbhub \Device\USBPDO-13 hcmon.sys

Device \Driver\usbhub \Device\00000091 hcmon.sys

AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

AttachedDevice \Driver\tdx \Device\Udp wpsdrvnt.sys

Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys

Device \Driver\usbhub \Device\00000099 hcmon.sys

Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys

Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys

Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys

Device \Driver\usbehci \Device\USBFDO-4 hcmon.sys

Device \Driver\usbhub \Device\0000008d hcmon.sys

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@L:\Downloads\Magellan® RoadMate® 1200 Software\Firmware Update v3.12\New Folder\Magellan_Roadmate_1200_US_1.50_3.12_Rel1.exe 1

---- EOF - GMER 1.0.15 ----


I'm not seeing anything bad so far.

Please download MBRCheck.exe to your desktop.

  1. Double click MBRCheck.exe to run it
  2. right click on the top title bar (where program name and path is written)
  3. From the drop-down menu choose Edit, then Select All
  4. Click the Enter key on the keyboard > this will copy the selected text to the clipboard
  5. In your reply > right click in the reply window and paste the copied text

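The "not seeing anything bad so far" verdict above comes from reading the two GMER sections the same way each time: every user-mode hook in the log jumps into a module GMER could describe (IEFRAME.dll and mso.dll, both "Microsoft Corporation", both under Program Files or system32), and the only device entries without a description (hcmon.sys, wpsdrvnt.sys) are drivers to identify, not condemn. The following Python is an added example, not part of this thread and not GMER's own code: it parses GMER 1.0.15 hook and device lines of the shapes shown above and lists what a reviewer would research. The trusted-vendor set and the "expected directories" heuristic are assumptions; the first two hook lines and the three device lines in the sample are copied from the log, while the explorer.exe / C:\Users\Public\libupd.dll line is constructed for illustration and names a hypothetical file.

```python
import re

# Line shapes as printed by GMER 1.0.15 in the log above.  Other GMER hook styles
# (inline byte patches, IAT entries) are not handled by these two patterns.
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?\[\d+\]) (?P<api>\S+!\S+) (?P<addr>[0-9A-Fa-f]+) "
    r"(?P<n>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+) (?P<module>.+?)"
    r"(?: \((?P<desc>[^()]*)\))?$"
)
DEVICE_RE = re.compile(
    r"^(?P<kind>AttachedDevice|Device) (?P<driver>\S+) (?P<devobj>\S+) (?P<module>\S+)"
    r"(?: \((?P<desc>[^()]*)\))?$"
)

# Assumption: vendors whose hooks you accept on sight.  Extend per environment.
TRUSTED_VENDORS = {"Microsoft Corporation"}
# Assumption: where a legitimately hooking module is expected to live.
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files", "c:\\progra~1\\")

# Constructed sample.  Lines 1-2 and 4-6 are copied from the log above; line 3
# (explorer.exe hooked by C:\Users\Public\libupd.dll) is invented for illustration.
SAMPLE_LOG = [
    r".text C:\Program Files\Internet Explorer\iexplore.exe[2600] USER32.dll!SetWindowsHookExW 75E1210A 5 Bytes JMP 6A974633 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)",
    r".text C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE[2208] ole32.dll!OleLoadFromStream 76B85B88 5 Bytes JMP 652E9D32 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)",
    r".text C:\Windows\explorer.exe[1234] ntdll.dll!NtQueryDirectoryFile 77A1B2C3 5 Bytes JMP 10001F00 C:\Users\Public\libupd.dll",
    r"AttachedDevice \Driver\tdx \Device\Tcp wpsdrvnt.sys",
    r"Device \Driver\usbhub \Device\0000008e hcmon.sys",
    r"AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)",
]


def parse_gmer(lines):
    """Split GMER output into hook records and device records (dicts of regex groups)."""
    hooks, devices = [], []
    for line in lines:
        line = line.rstrip("\r\n")
        m = HOOK_RE.match(line)
        if m:
            hooks.append(m.groupdict())
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices.append(m.groupdict())
    return hooks, devices


def vendor_of(desc):
    """GMER prints '(description/vendor)'; return the vendor part or None if absent."""
    if not desc or "/" not in desc:
        return None
    return desc.rsplit("/", 1)[1].strip()


def triage(lines):
    """Return the modules a reviewer should look at, with the reason, deduplicated."""
    hooks, devices = parse_gmer(lines)
    findings, seen = [], set()
    for h in hooks:
        module, vendor = h["module"], vendor_of(h["desc"])
        in_expected_dir = module.lower().startswith(EXPECTED_DIRS)
        if vendor in TRUSTED_VENDORS and in_expected_dir:
            continue  # the normal case in the log above: IEFRAME.dll, mso.dll
        if ("hook", module) in seen:
            continue
        seen.add(("hook", module))
        reason = "no version info" if vendor is None else "vendor %r not trusted" % vendor
        if not in_expected_dir:
            reason += "; module outside Windows/Program Files"
        findings.append({"kind": "hook", "module": module, "reason": reason,
                         "apis": [x["api"] for x in hooks if x["module"] == module]})
    for d in devices:
        if vendor_of(d["desc"]) is not None or ("device", d["module"]) in seen:
            continue
        seen.add(("device", d["module"]))
        findings.append({"kind": "device", "module": d["module"],
                         "reason": "no version info; identify the driver before deciding",
                         "objects": [x["devobj"] for x in devices if x["module"] == d["module"]]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], f["module"], "-", f["reason"])
```

Run it against a saved ark.txt with `triage(open("ark.txt").read().splitlines())`. A module turning up here is a lead, not a verdict: a driver with no embedded version information (the two USB and TCP filter drivers in this log) still has to be identified by file path, signature and vendor before anyone decides it is malicious, which is exactly the caution the helper gives later in the thread about the MBR result.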

Good to see nothing is found so far..... here is the next log.....

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows 7 Ultimate Edition

Windows Information: (build 7600), 32-bit

Base Board Manufacturer: Dell Inc.

BIOS Manufacturer: Dell Inc.

System Manufacturer: Dell Inc.

System Product Name: Precision WorkStation T5400

Logical Drives Mask: 0x00000bfc

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000018`80f0f400 (NTFS)

\\.\L: --> \\.\PhysicalDrive1 at offset 0x00000000`007e0000 (FAT32)

Size Device Name MBR Status

--------------------------------------------

298 GB \\.\PhysicalDrive0 Windows 7 MBR code detected

SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79

931 GB \\.\PhysicalDrive1 RE: Unknown MBR code

SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit: y

Options:

[1] Dump the MBR of a physical disk to file.

[2] Restore the MBR of a physical disk with a standard boot code.

[3] Exit.

Enter your choice:

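The MBRCheck output above does two things a reader may want to reproduce: it maps each drive letter to a byte offset into a physical disk, and it classifies the disk's boot code by SHA1 against a list of known codes, reporting "Unknown MBR code" for anything not on the list. The following Python is an added example, not part of the thread and not MBRCheck's code: it builds 512-byte MBRs in memory, parses the partition table to recover the volume offsets in MBRCheck's notation, and hashes the boot code against a known-hash table. The "boot code" it uses is filler, so the SHA1 values it produces will not match the ones posted; MBRCheck's exact hashed region is not stated on the page, so hashing the first 440 bytes is an assumption. The LBA values for C: and D: are the posted offsets divided by 512; the partition sizes and disk signature are made up.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440  # assumption: hash the code region before the 4-byte disk signature

# Constructed stand-ins for boot code (real MBR code is 440 bytes of x86; this is filler).
FAKE_WIN7_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 433
FAKE_FOREIGN_BOOTCODE = bytes(range(256)) + bytes(range(184))

# (bootable, type, lba_start, sector_count).  LBAs are the page's C: and D: offsets / 512
# (0x036e8e00 and 0x1880f0f400); sizes are made up.  Type 0x07 = NTFS/exFAT.
PAGE_LAYOUT = [(True, 0x07, 112455, 204800), (False, 0x07, 205551738, 204800)]


def build_mbr(boot_code, partitions, disk_sig=0x12345678):
    """Assemble a 512-byte MBR: code, disk signature, 4 partition entries, 0x55AA."""
    if len(boot_code) != BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code must be 440 bytes and at most 4 partitions")
    out = bytearray(boot_code)
    out += struct.pack("<I", disk_sig) + b"\x00\x00"
    for entry in list(partitions) + [None] * (4 - len(partitions)):
        if entry is None:
            out += b"\x00" * 16
        else:
            bootable, ptype, lba, count = entry
            # CHS fields are obsolete; 0xFE 0xFF 0xFF tells the loader to use LBA.
            out += struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                               ptype, b"\xfe\xff\xff", lba, count)
    out += b"\x55\xaa"
    return bytes(out)


def is_mbr(sector):
    return len(sector) == SECTOR and sector[510:512] == b"\x55\xaa"


def parse_mbr(sector):
    """Return boot code, disk signature and the non-empty partition entries."""
    if not is_mbr(sector):
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        e = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = e[4]
        if ptype == 0:
            continue
        lba, count = struct.unpack_from("<II", e, 8)
        parts.append({"index": i, "bootable": e[0] == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count, "byte_offset": lba * SECTOR})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "disk_signature": struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
            "partitions": parts}


def boot_code_sha1(sector):
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


def classify(sector, known_hashes):
    """Name the boot code if its hash is in the table, else report it as unknown."""
    return known_hashes.get(boot_code_sha1(sector), "Unknown MBR code")


def format_offset(n):
    """Render a byte offset the way MBRCheck does: 0x<high 32 bits>`<low 32 bits>."""
    return "0x{:08x}`{:08x}".format(n >> 32, n & 0xFFFFFFFF)


if __name__ == "__main__":
    disk0 = build_mbr(FAKE_WIN7_BOOTCODE, PAGE_LAYOUT)
    disk1 = build_mbr(FAKE_FOREIGN_BOOTCODE, [(False, 0x0C, 4064, 1953521664)])
    # In real use this table holds hashes of genuine OS boot code, not of filler.
    known = {boot_code_sha1(disk0): "Windows 7 MBR code detected"}
    for name, mbr in (("PhysicalDrive0", disk0), ("PhysicalDrive1", disk1)):
        print(name, classify(mbr, known), boot_code_sha1(mbr))
        for p in parse_mbr(mbr)["partitions"]:
            print("  partition", p["index"], "at offset", format_offset(p["byte_offset"]))
```

On a live Windows system the sector comes from an elevated `open(r"\\.\PhysicalDrive1", "rb").read(512)`; the rest is unchanged. Note what "Unknown MBR code" means in this scheme: the hash is simply not in the table. An external USB disk or NAS volume formatted by its own firmware will carry whatever code that device wrote, so for PhysicalDrive1 here the result is expected to be "unknown" without implying infection, which is the point the helper makes further down.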

Please do the following:

  1. Run MBRCheck.exe
  2. Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  3. Please push the 'Y' key and then press Enter
  4. When the program asks you Enter your choice: enter (2) and press the Enter key
  5. Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  6. Enter 1 and press the Enter key.
  7. The program will show Available MBR codes:, followed by a list of operating systems. Please enter 1 for Windows XP, and then press Enter.
  8. The program will prompt for confirmation. Type 'YES' and hit Enter.
  9. Left click on the title bar (where program name and path is written).
  10. From the menu choose Edit -> Select All
  11. Hit the Enter key on your keyboard to copy selected text.
  12. Paste that text into Notepad, save it to your desktop as "MBRCheck results.txt"
  13. Restart your PC.
  14. Post the text in "MBRCheck results.txt" here, please.


OK, not following....

I have 2 hard drives that are mirrored and partitioned into C and D as seen below. The L drive is an external USB hard drive.

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000018`80f0f400 (NTFS)

\\.\L: --> \\.\PhysicalDrive1 at offset 0x00000000`007e0000 (FAT32)

The instructions you gave me are going to reset the MBR on which drive? And you want me to select 1 (Windows XP) even though I have Win7?


Let's back up a little.

I'm going to have someone look at this before we do anything else.

I did edit my post as you're correct. It should be 5 for Windows 7, but I want to be sure we should even do it.


Just because it shows non-standard doesn't always mean it's bad.

298 GB \\.\PhysicalDrive0 Windows 7 MBR code detected

SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79

931 GB \\.\PhysicalDrive1 RE: Unknown MBR code

SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F

Found non-standard or infected MBR.


931 GB \\.\PhysicalDrive1 RE: Unknown MBR code

SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F

That partition is my external USB Buffalo TeraStation, which contains two 1GB hard drives that are also mirrored.

Still waiting to see if you want me to proceed with the previous instructions....


This topic is now closed to further replies.