
rundll32.exe


tyrus


My laptop has a problem. I noticed that when streaming music from the internet, every 60 seconds the music becomes garbled/distorted for about three seconds and then returns to normal, only to repeat again. The battery info is also not functioning. Through observation of processes in Task Manager I was able to determine that rundll32.exe was likely responsible. If I end the process in Task Manager the problems go away. If I reboot it is reloaded and the problem reappears. There are no other problems with the computer that I know of.

I am running Avast and have done a normal scan and a boot-time scan but nothing is picked up. I have also run Malwarebytes and Doufix, with both not finding anything. I have followed the directions for scans etc. The only trouble I had is when I run Defogger it does not prompt me to reboot after it completes. I manually rebooted before proceeding to the next steps. Here are my logs. Any help would be greatly appreciated. Thanks in advance!

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5389

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

24/12/2010 11:00:03 AM

mbam-log-2010-12-24 (11-00-03).txt

Scan type: Full scan (C:\|Q:\|)

Objects scanned: 242098

Time elapsed: 35 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS (Ver_10-12-12.02) - NTFSx86

Run by Audet at 9:36:29.50 on 24/12/2010

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23

Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.1913.1227 [GMT -7:00]

AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}

SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\ibmpmsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\Windows\system32\WLANExt.exe

C:\Windows\system32\conhost.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe

C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe

C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\svchost.exe -k hpdevmgmt

C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Lenovo\Access Connections\AcSvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe -k HPService

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe

C:\Program Files\Alwil Software\Avast5\AvastUI.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\igfxext.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Windows\system32\sppsvc.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\Program Files\Lenovo\System Update\SUService.exe

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Users\Audet\Downloads\dds.com

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://lenovo.msn.com

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe

mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe

mRun: [LENOVO.TPFNF6R] c:\program files\lenovo\hotkey\TPFNF6R.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [TpShocks] TpShocks.exe

mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor

mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"

mRun: [AcWin7Hlpr] c:\program files\lenovo\access connections\AcTBenabler.exe

mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\audet\appdata\roaming\mozilla\firefox\profiles\mr8mjq6m.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\audet\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

============= SERVICES / DRIVERS ===============

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2009-6-29 20520]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-29 165584]

R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2009-7-16 13480]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-29 17744]

R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-3-29 50768]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-14 40384]

R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2009-10-5 45424]

R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]

R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2009-10-5 62320]

R3 5U877;USB Video Device;c:\windows\system32\drivers\5U877.sys [2010-2-22 125568]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-14 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-14 40384]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-9-9 122880]

R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-6-7 119256]

R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2009-9-15 6114816]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-2-22 167936]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-11 136176]

S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2009-8-4 362992]

S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2009-8-4 309744]

S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2009-8-4 166384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]

S3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-2-22 75112]

S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2009-8-4 313840]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2009-8-4 1124848]

S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]

S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]

S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]

S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-7 1343400]

S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-9-24 268528]

=============== Created Last 30 ================

2010-12-22 03:39:26 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{ddd7b65f-da3a-4279-9550-1306b5f832bb}\mpengine.dll

2010-12-09 04:34:58 -------- d-sh--w- C:\$RECYCLE.BIN

2010-12-09 04:18:14 -------- d-----w- C:\ComboFix

2010-11-28 22:22:54 -------- d-----w- c:\program files\EndItAll

2010-11-28 21:45:23 388096 ------r- c:\users\audet\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2010-11-28 21:45:23 -------- d-----w- c:\program files\Trend Micro

==================== Find3M ====================

2010-11-13 01:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-08 08:20:24 89088 ------w- c:\windows\MBR.exe

2010-11-04 05:52:17 978944 ----a-w- c:\windows\system32\wininet.dll

2010-11-04 05:48:36 44544 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-04 04:41:26 386048 ----a-w- c:\windows\system32\html.iec

2010-11-04 04:08:54 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2010-11-02 04:41:12 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll

2010-11-02 04:40:36 496128 ----a-w- c:\windows\system32\taskschd.dll

2010-11-02 04:40:36 305152 ----a-w- c:\windows\system32\taskcomp.dll

2010-11-02 04:39:32 749056 ----a-w- c:\windows\system32\schedsvc.dll

2010-11-02 04:34:44 192000 ----a-w- c:\windows\system32\taskeng.exe

2010-11-02 04:34:33 179712 ----a-w- c:\windows\system32\schtasks.exe

2010-10-27 04:32:36 2048 ----a-w- c:\windows\system32\tzres.dll

2010-10-20 04:54:18 34304 ----a-w- c:\windows\system32\atmlib.dll

2010-10-20 03:00:24 2327552 ----a-w- c:\windows\system32\win32k.sys

2010-10-20 02:58:41 294400 ----a-w- c:\windows\system32\atmfd.dll

2010-10-19 17:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

2010-10-16 04:41:02 101760 ----a-w- c:\windows\system32\consent.exe

2010-10-16 04:36:10 314368 ----a-w- c:\windows\system32\webio.dll

============= FINISH: 9:37:08.01 ===============

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2010-12-24 10:21:44

Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.14.0

Running: 6xj5rxd1.exe; Driver: C:\Users\Audet\AppData\Local\Temp\kgrdqpob.sys

---- System - GMER 1.0.15 ----

INT 0x61 ? 91041CD8

INT 0x71 ? 91012058

INT 0x82 ? 91012A58

INT 0x90 ? 91012CD8

INT 0xA2 ? 91012558

INT 0xB0 ? 91041A58

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8EB21BAE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8EB219D2]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8EB21B0C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E80599 1 Byte [06]

.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EA4F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

PAGE ntkrnlpa.exe!ZwLoadDriver 82FDE291 7 Bytes JMP 8EB21B10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ObMakeTemporaryObject 83045FBF 5 Bytes JMP 8EB1D5D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ObInsertObject + 27 8305FCF3 5 Bytes JMP 8EB1F012 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!NtCreateSection 8306DD63 7 Bytes JMP 8EB219D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 83117EAC 7 Bytes JMP 8EB21BB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE spsys.sys!?SPRevision@@3PADA + 4F90 BA449000 85 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]

PAGE spsys.sys!?SPRevision@@3PADA + 4FE6 BA449056 61 Bytes [bA, 5E, C3, 8B, FF, 55, 8B, ...]

PAGE spsys.sys!?SPRevision@@3PADA + 5024 BA449094 142 Bytes [bA, FF, 25, 80, F1, 43, BA, ...]

PAGE spsys.sys!?SPRevision@@3PADA + 50B3 BA449123 629 Bytes [45, 44, BA, FE, 05, 34, 45, ...]

PAGE spsys.sys!?SPRevision@@3PADA + 5329 BA449399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]

PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1512] kernel32.dll!SetUnhandledExceptionFilter 76533162 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

.text C:\Program Files\Mozilla Firefox\firefox.exe[5452] ntdll.dll!LdrLoadDll 7780F625 5 Bytes JMP 002113F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001f3ad3f68b

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001f3ad3f68b (not active ControlSet)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR

---- EOF - GMER 1.0.15 ----


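The poster narrowed the symptom down to rundll32.exe, but rundll32 is only a host: what matters is the DLL and entry point it was launched with. The DDS log above records one such launch under mRun (a DLL in the ThinkPad utilities folder with the PwrMgrBkGndMonitor entry point), and this is the check a helper would run before ending the process. The following is an added PowerShell example, not code from the thread or from DDS, ComboFix or GMER, that lists every running rundll32 instance with its hosted DLL, parent process and Authenticode status, and cross-checks the Run keys that DDS reports as mRun entries. It assumes PowerShell 3 or newer (for Get-CimInstance) and nothing else.

```powershell
# Added example, not code from the thread or from DDS/ComboFix/GMER.
# Assumes PowerShell 3 or newer (Get-CimInstance); no other dependencies.

function Get-Rundll32Host {
    # One record per running rundll32.exe: the DLL and entry point it hosts,
    # its parent process, and the Authenticode status of that DLL.
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
        $cmd = $_.CommandLine
        $dll = $null; $entry = $null; $sig = 'n/a'
        # Launch form: rundll32[.exe] <dll>,<EntryPoint> [args]. The DLL path may be
        # quoted, bare (resolved through the loader search path, so System32 is tried
        # too) or an 8.3 short name such as c:\progra~1\... as in the DDS mRun line,
        # so normalise it before checking the signature.
        if ($cmd -match '(?i)rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\S+)') {
            $dll = $Matches[1]; $entry = $Matches[2]
            $candidates = @($dll, (Join-Path (Join-Path $env:SystemRoot 'System32') $dll))
            $resolved = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
            if ($resolved) {
                $dll = (Get-Item -LiteralPath $resolved).FullName   # expands short names
                $s = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
                # Valid / NotSigned / HashMismatch / ... ; NotSigned on a vendor DLL is a
                # lead for further checks, not a verdict (some Windows files are
                # catalog-signed rather than carrying an embedded signature).
                if ($s) { $sig = $s.Status }
            } else {
                $sig = 'dll-not-found'
            }
        }
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            PID          = $_.ProcessId
            Parent       = if ($parent) { $parent.Name } else { "exited ($($_.ParentProcessId))" }
            Dll          = $dll
            EntryPoint   = $entry
            DllSignature = $sig
            CommandLine  = $cmd
        }
    }
}

function Get-Rundll32Autostart {
    # The DDS "mRun" lines come from the machine-wide Run key; the per-user keys are
    # checked too, so a rundll32 launch can be traced back to the value that starts it.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }       # provider metadata, not a value
            if ("$($p.Value)" -match '(?i)\brundll32\b') {
                [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

Get-Rundll32Host      | Format-List
Get-Rundll32Autostart | Format-Table -AutoSize
```

Run it from an elevated prompt so the command lines of processes owned by other accounts are visible; a rundll32 instance whose DLL does not appear in any autostart value was started by something else (a service, a scheduled task, or an interactive action) and is the one worth tracing further.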


Hello tyrus! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do not do any fixing on your own or run scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
    [screenshots: CF_download_FF.gif, CF_download_rename.gif]
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Thanks for the quick reply.

OK, I had two problems with your directions. 1) I was not able to rename ComboFix before downloading; I don't get the option using Firefox. I renamed it after downloading, but I know you'd rather it were done before. 2) I went through Avast and stopped all types of protection. When ComboFix runs it says Avast is still running. I tried the program EndItAll but got the same result.

Here is the log. Thanks!

ComboFix 10-12-24.01 - Audet 24/12/2010 12:44:27.4.2 - x86

Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.1913.1196 [GMT -7:00]

Running from: c:\users\Audet\Downloads\Combo-Fix.exe

AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}

SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((( Files Created from 2010-11-24 to 2010-12-24 )))))))))))))))))))))))))))))))

.

2010-12-24 19:49 . 2010-12-24 19:49 -------- d-----w- c:\users\Public\AppData\Local\temp

2010-12-24 19:49 . 2010-12-24 19:49 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-12-22 03:39 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DDD7B65F-DA3A-4279-9550-1306B5F832BB}\mpengine.dll

2010-12-09 04:18 . 2010-12-24 19:33 -------- d-----w- C:\ComboFix

2010-11-28 22:22 . 2010-11-29 00:22 -------- d-----w- c:\program files\EndItAll

2010-11-28 21:45 . 2010-11-28 21:45 388096 ------r- c:\users\Audet\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-11-28 21:45 . 2010-11-28 21:45 -------- d-----w- c:\program files\Trend Micro

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-21 01:09 . 2010-11-21 15:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 01:08 . 2010-11-21 15:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-13 01:53 . 2010-06-12 18:55 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-10-19 17:41 . 2010-03-29 21:48 222080 ------w- c:\windows\system32\MpSigStub.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-10 7612960]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]

"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]

"TpShocks"="TpShocks.exe" [2009-07-09 337184]

"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-12-10 865640]

"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2009-08-05 244208]

"AcWin7Hlpr"="c:\program files\Lenovo\Access Connections\AcTBenabler.exe" [2009-10-14 36864]

"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-23 827904]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-23 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 136176]

R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2009-08-05 362992]

R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2009-08-05 309744]

R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2009-08-05 166384]

R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-12-10 75112]

R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2009-08-05 313840]

R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-08-05 1124848]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-07 1343400]

R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]

S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]

S1 aswSP;aswSP; [x]

S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]

S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-07-03 45424]

S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]

S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-07-15 62320]

S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2009-06-18 125568]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-09 122880]

S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-05-18 119256]

S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 12:27]

2010-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 12:27]

2010-12-13 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2009-10-08 21:43]

2010-12-22 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2009-10-08 21:43]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://lenovo.msn.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\users\Audet\AppData\Roaming\Mozilla\Firefox\Profiles\mr8mjq6m.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2010-12-24 12:51:23

ComboFix-quarantined-files.txt 2010-12-24 19:51

ComboFix2.txt 2010-12-09 04:35

ComboFix3.txt 2010-12-09 03:59

ComboFix4.txt 2010-11-24 13:34

Pre-Run: 91,938,242,560 bytes free

Post-Run: 91,894,059,008 bytes free

- - End Of File - - 1E079A3884744E757E68CE6927F0B634


  • Download MBRCheck to your desktop
  • For Windows XP: Double click on MBRCheck.exe to run it.
  • For Windows Vista/7: Right click on MBRCheck.exe and select Run as Administrator
  • It will show a black screen with some data on it
  • Don't run any of the options!!!
  • When it's done, Press Enter to close the program
  • A file called MBRCheck_ will appear on your desktop
  • Please copy it into your next reply


Here is what it shows:

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows 7 Professional

Windows Information: (build 7600), 32-bit

Base Board Manufacturer: LENOVO

BIOS Manufacturer: LENOVO

System Manufacturer: LENOVO

System Product Name: 2842F7U

Logical Drives Mask: 0x0001000c

Kernel Drivers (total 202):

0x82E48000 \SystemRoot\system32\ntkrnlpa.exe

0x82E11000 \SystemRoot\system32\halmacpi.dll

0x80BCE000 \SystemRoot\system32\kdcom.dll

0x88608000 \SystemRoot\system32\mcupdate_GenuineIntel.dll

0x88680000 \SystemRoot\system32\PSHED.dll

0x88691000 \SystemRoot\system32\BOOTVID.dll

0x88699000 \SystemRoot\system32\CLFS.SYS

0x886DB000 \SystemRoot\system32\CI.dll

0x88786000 \SystemRoot\system32\drivers\Wdf01000.sys

0x8883A000 \SystemRoot\system32\drivers\WDFLDR.SYS

0x88848000 \SystemRoot\system32\DRIVERS\ACPI.sys

0x88890000 \SystemRoot\system32\DRIVERS\WMILIB.SYS

0x88899000 \SystemRoot\system32\DRIVERS\msisadrv.sys

0x888A1000 \SystemRoot\system32\DRIVERS\pci.sys

0x888CB000 \SystemRoot\system32\DRIVERS\vdrvroot.sys

0x888D6000 \SystemRoot\System32\drivers\partmgr.sys

0x888E7000 \SystemRoot\system32\DRIVERS\compbatt.sys

0x888EF000 \SystemRoot\system32\DRIVERS\BATTC.SYS

0x888FA000 \SystemRoot\system32\DRIVERS\volmgr.sys

0x8890A000 \SystemRoot\System32\drivers\volmgrx.sys

0x88955000 \SystemRoot\System32\drivers\mountmgr.sys

0x88A01000 \SystemRoot\system32\DRIVERS\iaStor.sys

0x88ADB000 \SystemRoot\system32\DRIVERS\atapi.sys

0x88AE4000 \SystemRoot\system32\DRIVERS\ataport.SYS

0x88B07000 \SystemRoot\system32\DRIVERS\msahci.sys

0x88B11000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS

0x88B1F000 \SystemRoot\system32\DRIVERS\amdxata.sys

0x88B28000 \SystemRoot\system32\drivers\fltmgr.sys

0x88B5C000 \SystemRoot\system32\drivers\fileinfo.sys

0x88B6D000 \SystemRoot\System32\Drivers\PxHelp20.sys

0x88C33000 \SystemRoot\System32\Drivers\Ntfs.sys

0x88D62000 \SystemRoot\System32\Drivers\msrpc.sys

0x88D8D000 \SystemRoot\System32\Drivers\ksecdd.sys

0x88DA0000 \SystemRoot\System32\Drivers\cng.sys

0x88C00000 \SystemRoot\System32\drivers\pcw.sys

0x88C0E000 \SystemRoot\System32\Drivers\Fs_Rec.sys

0x88E39000 \SystemRoot\system32\drivers\ndis.sys

0x88EF0000 \SystemRoot\system32\drivers\NETIO.SYS

0x88F2E000 \SystemRoot\System32\Drivers\ksecpkg.sys

0x89032000 \SystemRoot\System32\drivers\tcpip.sys

0x8917B000 \SystemRoot\System32\drivers\fwpkclnt.sys

0x891AC000 \SystemRoot\system32\DRIVERS\vmstorfl.sys

0x891B5000 \SystemRoot\system32\DRIVERS\volsnap.sys

0x891F4000 \SystemRoot\System32\DRIVERS\ApsHM86.sys

0x89000000 \SystemRoot\System32\Drivers\spldr.sys

0x88F53000 \SystemRoot\System32\drivers\rdyboost.sys

0x89008000 \SystemRoot\System32\DRIVERS\Apsx86.sys

0x88F80000 \SystemRoot\System32\Drivers\mup.sys

0x89028000 \SystemRoot\System32\drivers\hwpolicy.sys

0x88F90000 \SystemRoot\System32\DRIVERS\fvevol.sys

0x88FC2000 \SystemRoot\system32\DRIVERS\disk.sys

0x88FD3000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS

0x8DCF2000 \SystemRoot\system32\DRIVERS\cdrom.sys

0x8DD11000 \SystemRoot\System32\Drivers\Null.SYS

0x8DD18000 \SystemRoot\System32\Drivers\Beep.SYS

0x8DD1F000 \SystemRoot\System32\drivers\vga.sys

0x8DD2B000 \SystemRoot\System32\drivers\VIDEOPRT.SYS

0x8DD4C000 \SystemRoot\System32\drivers\watchdog.sys

0x8DD59000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0x8DD61000 \SystemRoot\system32\drivers\rdpencdd.sys

0x8DD69000 \SystemRoot\system32\drivers\rdprefmp.sys

0x8DD71000 \SystemRoot\System32\Drivers\Msfs.SYS

0x8DD7C000 \SystemRoot\System32\Drivers\Npfs.SYS

0x8DD8A000 \SystemRoot\system32\DRIVERS\tdx.sys

0x8DDA1000 \SystemRoot\system32\DRIVERS\TDI.SYS

0x8DDAC000 \SystemRoot\System32\Drivers\aswTdi.SYS

0x88B77000 \SystemRoot\system32\drivers\afd.sys

0x8DDB6000 \SystemRoot\System32\Drivers\aswRdr.SYS

0x8DDBB000 \SystemRoot\System32\DRIVERS\netbt.sys

0x8DDED000 \SystemRoot\system32\DRIVERS\wfplwf.sys

0x88E0D000 \SystemRoot\system32\DRIVERS\pacer.sys

0x88C17000 \SystemRoot\system32\DRIVERS\vwififlt.sys

0x88BD1000 \SystemRoot\system32\DRIVERS\netbios.sys

0x88BDF000 \SystemRoot\system32\DRIVERS\wanarp.sys

0x8DDF4000 \SystemRoot\System32\drivers\Tppwr32v.sys

0x8896B000 \SystemRoot\system32\DRIVERS\termdd.sys

0x8897B000 \SystemRoot\system32\DRIVERS\rdbss.sys

0x88E2C000 \SystemRoot\system32\drivers\nsiproxy.sys

0x88C28000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0x8DDFB000 \SystemRoot\system32\DRIVERS\smiif32.sys

0x88BF2000 \SystemRoot\System32\drivers\discache.sys

0x8CC26000 \SystemRoot\system32\drivers\csc.sys

0x8CC8A000 \SystemRoot\System32\Drivers\dfsc.sys

0x8CCA2000 \SystemRoot\system32\DRIVERS\blbdrive.sys

0x8CCB0000 \SystemRoot\System32\Drivers\aswSP.SYS

0x8CCD7000 \SystemRoot\system32\DRIVERS\tunnel.sys

0x8FE01000 \SystemRoot\system32\DRIVERS\igdkmd32.sys

0x90428000 \SystemRoot\System32\drivers\dxgkrnl.sys

0x904DF000 \SystemRoot\System32\drivers\dxgmms1.sys

0x90518000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0x90523000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0x9056E000 \SystemRoot\system32\DRIVERS\usbehci.sys

0x9057D000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0x9059C000 \SystemRoot\system32\DRIVERS\jmcr.sys

0x905BB000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS

0x91E02000 \SystemRoot\system32\DRIVERS\NETw5s32.sys

0x923E1000 \SystemRoot\system32\DRIVERS\vwifibus.sys

0x8CCF8000 \SystemRoot\system32\DRIVERS\Rt86win7.sys

0x905E1000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0x923EB000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0x8CD24000 \SystemRoot\system32\DRIVERS\SynTP.sys

0x923F8000 \SystemRoot\system32\DRIVERS\USBD.SYS

0x8CD5B000 \SystemRoot\system32\DRIVERS\mouclass.sys

0x923FA000 \SystemRoot\system32\DRIVERS\ibmpmdrv.sys

0x905F9000 \SystemRoot\System32\DRIVERS\dvd43llh.sys

0x8CD68000 \SystemRoot\system32\DRIVERS\intelppm.sys

0x8CD7A000 \SystemRoot\system32\DRIVERS\CmBatt.sys

0x8CD7E000 \SystemRoot\system32\DRIVERS\wmiacpi.sys

0x8CD87000 \SystemRoot\system32\DRIVERS\CompositeBus.sys

0x8CD94000 \SystemRoot\system32\DRIVERS\AgileVpn.sys

0x8CDA6000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0x8CDBE000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0x8CDC9000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0x8CC00000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0x889BC000 \SystemRoot\system32\DRIVERS\raspptp.sys

0x889D3000 \SystemRoot\system32\DRIVERS\rassstp.sys

0x8CC18000 \SystemRoot\system32\DRIVERS\rdpbus.sys

0x8CDEB000 \SystemRoot\system32\DRIVERS\psadd.sys

0x91E00000 \SystemRoot\system32\DRIVERS\swenum.sys

0x88800000 \SystemRoot\system32\DRIVERS\ks.sys

0x8CDF2000 \SystemRoot\system32\DRIVERS\umbus.sys

0x9301F000 \SystemRoot\system32\DRIVERS\usbhub.sys

0x93063000 \SystemRoot\System32\Drivers\NDProxy.SYS

0x9441D000 \SystemRoot\system32\drivers\RTKVHDA.sys

0x946A5000 \SystemRoot\system32\drivers\portcls.sys

0x946D4000 \SystemRoot\system32\drivers\drmk.sys

0x946ED000 \SystemRoot\system32\drivers\IntcHdmi.sys

0x81E60000 \SystemRoot\System32\win32k.sys

0x94710000 \SystemRoot\System32\drivers\Dxapi.sys

0x9471A000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0x94731000 \SystemRoot\system32\DRIVERS\5U877.sys

0x94750000 \SystemRoot\system32\DRIVERS\STREAM.SYS

0x9475E000 \SystemRoot\system32\DRIVERS\monitor.sys

0x820C0000 \SystemRoot\System32\TSDDD.dll

0x94769000 \SystemRoot\system32\DRIVERS\udfs.sys

0x820F0000 \SystemRoot\System32\cdd.dll

0x947A9000 \SystemRoot\System32\Drivers\crashdmp.sys

0x93074000 \SystemRoot\System32\Drivers\dump_iaStor.sys

0x947B6000 \SystemRoot\System32\Drivers\dump_dumpfve.sys

0x947C7000 \SystemRoot\system32\drivers\luafv.sys

0x9314E000 \??\C:\Windows\system32\drivers\aswMonFlt.sys

0x947E2000 \SystemRoot\System32\Drivers\aswFsBlk.SYS

0x947E5000 \SystemRoot\system32\drivers\WudfPf.sys

0x94400000 \SystemRoot\system32\DRIVERS\lltdio.sys

0x93185000 \SystemRoot\system32\DRIVERS\nwifi.sys

0x931CB000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0x931DB000 \SystemRoot\system32\DRIVERS\rspndr.sys

0x8DC00000 \SystemRoot\system32\drivers\HTTP.sys

0x93000000 \SystemRoot\system32\DRIVERS\bowser.sys

0x931EE000 \SystemRoot\System32\drivers\mpsdrv.sys

0x8DC85000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0x8DCA8000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys

0xABA07000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys

0xABA3A000 \SystemRoot\system32\DRIVERS\vwifimp.sys

0xABA43000 \SystemRoot\system32\drivers\peauth.sys

0xABADA000 \SystemRoot\system32\drivers\regi.sys

0xABADC000 \SystemRoot\System32\Drivers\secdrv.SYS

0xABAE6000 \SystemRoot\System32\DRIVERS\srvnet.sys

0xABB07000 \SystemRoot\System32\drivers\tcpipreg.sys

0xABB14000 \SystemRoot\System32\DRIVERS\srv2.sys

0xABB63000 \SystemRoot\System32\DRIVERS\srv.sys

0xB766F000 \??\C:\Users\Audet\AppData\Local\Temp\catchme.sys

0xB7677000 \??\C:\Windows\system32\Drivers\PROCEXP113.SYS

0x77740000 \Windows\System32\ntdll.dll

0x47FE0000 \Windows\System32\smss.exe

0x77980000 \Windows\System32\apisetschema.dll

0x00EE0000 \Windows\System32\autochk.exe

0x778A0000 \Windows\System32\msctf.dll

0x776E0000 \Windows\System32\difxapi.dll

0x776B0000 \Windows\System32\imagehlp.dll

0x775B0000 \Windows\System32\wininet.dll

0x77890000 \Windows\System32\psapi.dll

0x77520000 \Windows\System32\clbcatq.dll

0x774C0000 \Windows\System32\shlwapi.dll

0x772C0000 \Windows\System32\iertutil.dll

0x77880000 \Windows\System32\normaliz.dll

0x772A0000 \Windows\System32\sechost.dll

0x77140000 \Windows\System32\ole32.dll

0x770C0000 \Windows\System32\comdlg32.dll

0x770B0000 \Windows\System32\lpk.dll

0x76F70000 \Windows\System32\urlmon.dll

0x76ED0000 \Windows\System32\advapi32.dll

0x76E80000 \Windows\System32\Wldap32.dll

0x76DB0000 \Windows\System32\user32.dll

0x76D20000 \Windows\System32\oleaut32.dll

0x76CD0000 \Windows\System32\gdi32.dll

0x76C20000 \Windows\System32\rpcrt4.dll

0x76A80000 \Windows\System32\setupapi.dll

0x769A0000 \Windows\System32\kernel32.dll

0x768F0000 \Windows\System32\msvcrt.dll

0x75CA0000 \Windows\System32\shell32.dll

0x75C80000 \Windows\System32\imm32.dll

0x75C40000 \Windows\System32\ws2_32.dll

0x75BA0000 \Windows\System32\usp10.dll

0x75B90000 \Windows\System32\nsi.dll

0x75B40000 \Windows\System32\KernelBase.dll

0x75A20000 \Windows\System32\crypt32.dll

0x75A00000 \Windows\System32\devobj.dll

0x759D0000 \Windows\System32\cfgmgr32.dll

0x75940000 \Windows\System32\comctl32.dll

0x75910000 \Windows\System32\wintrust.dll

0x75900000 \Windows\System32\msasn1.dll

Processes (total 68):

0 System Idle Process

4 System

340 C:\Windows\System32\smss.exe

484 csrss.exe

540 C:\Windows\System32\wininit.exe

556 csrss.exe

592 C:\Windows\System32\services.exe

616 C:\Windows\System32\lsass.exe

624 C:\Windows\System32\lsm.exe

724 C:\Windows\System32\svchost.exe

784 C:\Windows\System32\winlogon.exe

848 C:\Windows\System32\ibmpmsvc.exe

904 C:\Windows\System32\svchost.exe

948 C:\Windows\System32\svchost.exe

1004 C:\Windows\System32\svchost.exe

1032 C:\Windows\System32\svchost.exe

1192 C:\Windows\System32\svchost.exe

1320 C:\Windows\System32\svchost.exe

1400 C:\Windows\System32\wlanext.exe

1408 C:\Windows\System32\conhost.exe

1424 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

1812 C:\Windows\System32\spoolsv.exe

1840 C:\Windows\System32\svchost.exe

1932 C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe

1964 C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe

1976 C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe

2032 C:\Program Files\Intel\WiFi\bin\EvtEng.exe

496 C:\Windows\System32\svchost.exe

372 C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

2004 C:\Windows\System32\svchost.exe

1340 C:\Program Files\Lenovo\HOTKEY\micmute.exe

2072 C:\Windows\System32\svchost.exe

2128 C:\Windows\System32\svchost.exe

2172 C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

2208 C:\Windows\System32\svchost.exe

2316 C:\Program Files\Lenovo\Access Connections\AcSvc.exe

2396 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

2616 unsecapp.exe

2652 C:\Windows\System32\svchost.exe

2848 WmiPrvSE.exe

3312 C:\Windows\System32\taskhost.exe

3648 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

3740 C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe

3872 C:\Program Files\Alwil Software\Avast5\AvastUI.exe

3920 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

3660 C:\Windows\System32\SearchIndexer.exe

3828 C:\Program Files\Windows Media Player\wmpnetwk.exe

4220 C:\Windows\System32\svchost.exe

4584 C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe

5736 C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

5980 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

4772 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

4872 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

2560 C:\Program Files\Lenovo\System Update\SUService.exe

4532 C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

5156 C:\Windows\System32\svchost.exe

5384 C:\Windows\explorer.exe

5956 C:\Windows\notepad.exe

1200 C:\Program Files\Mozilla Firefox\firefox.exe

3076 C:\Program Files\EndItAll\enditall.exe

4916 C:\Windows\System32\dwm.exe

3212 C:\Windows\System32\SearchProtocolHost.exe

3916 C:\Windows\System32\SearchFilterHost.exe

4728 C:\Windows\System32\audiodg.exe

6092 dllhost.exe

6140 dllhost.exe

5376 C:\Users\Audet\Downloads\MBRCheck.exe

1912 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`4b100000 (NTFS)

\\.\Q: --> \\.\PhysicalDrive0 at offset 0x00000037`c7a00000 (NTFS)

PhysicalDrive0 Model Number: WDCWD2500BEVS-08VAT2, Rev: 14.01A14

Size Device Name MBR Status

--------------------------------------------

232 GB \\.\PhysicalDrive0 Unknown MBR code

SHA1: E970FC01CBF7A56C8A472E7C02D5F3CB965793C2

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Options:

[1] Dump the MBR of a physical disk to file.

[2] Restore the MBR of a physical disk with a standard boot code.

[3] Exit.

Enter your choice:

Done!


  1. Run MBRCheck.exe
  2. Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  3. Please push the 'Y' key and then press Enter
  4. When the program asks you Enter your choice: enter 2 and press the Enter key
  5. Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  6. Enter 0 and press the Enter key.
  7. The program will show Available MBR codes:, followed by a list of operating systems. Please enter the number for Windows 7, and then press Enter.
  8. The program will prompt for confirmation. Type 'YES' and hit Enter.
  9. Left click on the title bar (where program name and path is written).
  10. From the menu choose Edit => Select All
  11. Hit the Enter key on your keyboard to copy selected text.
  12. Paste that text into Notepad, save it to your desktop as "MBRCheck results.txt"
  13. Restart your PC.
  14. Post the text in "MBRCheck results.txt" here, please.


Here you go!

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows 7 Professional

Windows Information: (build 7600), 32-bit

Base Board Manufacturer: LENOVO

BIOS Manufacturer: LENOVO

System Manufacturer: LENOVO

System Product Name: 2842F7U

Logical Drives Mask: 0x0001000c

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`4b100000 (NTFS)

\\.\Q: --> \\.\PhysicalDrive0 at offset 0x00000037`c7a00000 (NTFS)

Size Device Name MBR Status

--------------------------------------------

232 GB \\.\PhysicalDrive0 Unknown MBR code

SHA1: E970FC01CBF7A56C8A472E7C02D5F3CB965793C2

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit: y

Options:

[1] Dump the MBR of a physical disk to file.

[2] Restore the MBR of a physical disk with a standard boot code.

[3] Exit.

Enter your choice: 2

Enter the physical disk number to fix (0-99, -1 to cancel): 0

Available MBR codes:

[ 0] Default (Windows 7)

[ 1] Windows XP

[ 2] Windows Server 2003

[ 3] Windows Vista

[ 4] Windows 2008

[ 5] Windows 7

[-1] Cancel

Please select the MBR code to write to this drive: 5

Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: y

Done!

Press ENTER to exit...


Sorry it took a long time; there were many crashes during scans. Here is the report...

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2010-12-24 18:53:24

Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.14.0

Running: finhojvr.exe; Driver: C:\Users\Audet\AppData\Local\Temp\kgrdqpob.sys

---- System - GMER 1.0.15 ----

INT 0x61 ? 92B0DCD8

INT 0x71 ? 92A92058

INT 0x82 ? 92A92A58

INT 0x90 ? 92A92CD8

INT 0xA2 ? 92A92558

INT 0xB0 ? 92B0DA58

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8E4DABAE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8E4DA9D2]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8E4DAB0C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E52599 1 Byte [06]

.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E76F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

PAGE ntkrnlpa.exe!ZwLoadDriver 82FB0291 7 Bytes JMP 8E4DAB10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ObMakeTemporaryObject 83017FBF 5 Bytes JMP 8E4D65D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ObInsertObject + 27 83031CF3 5 Bytes JMP 8E4D8012 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!NtCreateSection 8303FD63 7 Bytes JMP 8E4DA9D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 830E9EAC 7 Bytes JMP 8E4DABB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE spsys.sys!?SPRevision@@3PADA + 4F90 AB47B000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]

PAGE spsys.sys!?SPRevision@@3PADA + 50B3 AB47B123 629 Bytes [65, 47, AB, FE, 05, 34, 65, ...]

PAGE spsys.sys!?SPRevision@@3PADA + 5329 AB47B399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]

PAGE spsys.sys!?SPRevision@@3PADA + 538F AB47B3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]

PAGE spsys.sys!?SPRevision@@3PADA + 543B AB47B4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]

PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1428] kernel32.dll!SetUnhandledExceptionFilter 76193162 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

.text C:\Program Files\Mozilla Firefox\firefox.exe[4984] ntdll.dll!LdrLoadDll 7722F625 5 Bytes JMP 010B13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001f3ad3f68b

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001f3ad3f68b (not active ControlSet)

Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{E300B591-2005-11DF-BCE0-806E6F6E6963} 2052730976

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR

---- EOF - GMER 1.0.15 ----

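The three things the tools above report on this disk are all checks on raw sector data: MBRCheck hashes the boot code and calls the result "Unknown MBR code", its option [2] overwrites that code with a standard one, and GMER notes a second copy of the MBR parked at sector 08. The script below is an added example that reproduces those checks on a constructed 16-sector image; it is not MBRCheck's, GMER's or the poster's code. The "standard" and "unknown" boot code bytes, the allowlist built from them, the disk signature and the partition sizes are all assumptions made for the demo; only the start LBAs of C: and Q: come from the page (the byte offsets MBRCheck printed, divided by 512). Hashing exactly the first 440 bytes is also an assumption, since the thread does not say what MBRCheck feeds its SHA1.

```python
"""Raw MBR inspection, added as an example for this thread (not MBRCheck's,
GMER's or the poster's code). It hashes the boot code with SHA1, checks the
0x55AA signature, parses the partition table, scans later sectors for a
parked copy of the MBR, and restores standard boot code the way MBRCheck
option [2] does. Every byte of disk content below is constructed; the
"standard" and "unknown" boot code are stand-ins, not real Windows 7 or
bootkit code."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 boot code, 440..443 disk signature
PART_TABLE_OFF = 446         # four 16-byte partition entries, 446..509
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511

# Constructed stand-ins; the allowlist hash is computed from the first one.
STANDARD_BOOT_CODE = (b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"STANDARD-BOOTCODE").ljust(BOOT_CODE_LEN, b"\x00")
UNKNOWN_BOOT_CODE = (b"\xE9\x00\x01" + b"UNKNOWN-BOOTCODE").ljust(BOOT_CODE_LEN, b"\x00")


def make_partition_entry(status, ptype, lba_start, sectors):
    """status 0x80 = active; CHS fields are filled with 0xFF (LBA-only style)."""
    return struct.pack("<B3sB3sII", status, b"\xFF\xFF\xFF", ptype, b"\xFF\xFF\xFF", lba_start, sectors)


# Start LBAs of C: and Q: are the byte offsets MBRCheck printed divided by 512;
# the first partition and all sizes are made up for the example. 0x07 = NTFS.
DEMO_PARTITIONS = [
    make_partition_entry(0x80, 0x07, 2048, 2457600),
    make_partition_entry(0x00, 0x07, 2459648, 465455104),
    make_partition_entry(0x00, 0x07, 467914752, 20482416),
    bytes(16),
]


def make_mbr(boot_code, partitions, disk_sig=b"\x12\x34\x56\x78"):
    """Assemble one 512-byte MBR: boot code, disk signature, 2 pad bytes, table, 0x55AA."""
    sector = boot_code + disk_sig + b"\x00\x00" + b"".join(partitions) + MBR_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def build_demo_disk(total_sectors=16, copy_sector=8):
    """Sector 0 holds unknown boot code and the original MBR sits at copy_sector,
    mirroring GMER's "sector 08: copy of MBR" finding (constructed image)."""
    image = bytearray(total_sectors * SECTOR_SIZE)
    image[0:SECTOR_SIZE] = make_mbr(UNKNOWN_BOOT_CODE, DEMO_PARTITIONS)
    off = copy_sector * SECTOR_SIZE
    image[off:off + SECTOR_SIZE] = make_mbr(STANDARD_BOOT_CODE, DEMO_PARTITIONS)
    return bytes(image)


def boot_code_sha1(sector):
    """SHA1 over the boot-code bytes only (assumed; MBRCheck's exact input is not on the page)."""
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


KNOWN_BOOT_CODE = {boot_code_sha1(STANDARD_BOOT_CODE): "constructed stand-in for Windows 7"}


def parse_mbr(sector):
    """Signature validity, boot-code hash and the four partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", sector, PART_TABLE_OFF + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {"valid_signature": sector[510:512] == MBR_SIGNATURE,
            "boot_code_sha1": boot_code_sha1(sector), "partitions": parts}


def classify_mbr(sector):
    """'invalid' (no 0x55AA), 'known' (hash in allowlist) or 'unknown' (what MBRCheck flagged)."""
    info = parse_mbr(sector)
    if not info["valid_signature"]:
        return "invalid"
    return "known" if info["boot_code_sha1"] in KNOWN_BOOT_CODE else "unknown"


def find_mbr_copies(image):
    """Sectors after 0 that carry 0x55AA and sector 0's partition table: a bootkit
    that replaced sector 0 typically parks the original MBR somewhere like this."""
    table0 = image[PART_TABLE_OFF:510]
    hits = []
    for n in range(1, len(image) // SECTOR_SIZE):
        s = image[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]
        if s[510:512] == MBR_SIGNATURE and s[PART_TABLE_OFF:510] == table0:
            hits.append(n)
    return hits


def restore_boot_code(image, boot_code=STANDARD_BOOT_CODE):
    """What MBRCheck option [2] does conceptually: rewrite only the 440 boot-code
    bytes of sector 0 and leave disk signature and partition table untouched."""
    fixed = bytearray(image)
    fixed[0:BOOT_CODE_LEN] = boot_code
    return bytes(fixed)


if __name__ == "__main__":
    disk = build_demo_disk()
    print("sector 00:", classify_mbr(disk[:SECTOR_SIZE]), boot_code_sha1(disk[:SECTOR_SIZE]))
    for n in find_mbr_copies(disk):
        print(f"sector {n:02d}: copy of MBR")
    print("after restore:", classify_mbr(restore_boot_code(disk)[:SECTOR_SIZE]))
```

On a live Windows machine the input to `parse_mbr` is the first 512 bytes of `\\.\PhysicalDrive0`, and opening that device requires an elevated process; `CreateFile()` returning error 5 is ERROR_ACCESS_DENIED, which is what a non-elevated open (or a driver that blocks raw disk access) produces. The restore step deliberately preserves bytes 440 onward: writing a whole "clean" sector would also replace the partition table and leave C: and Q: unreachable.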

OK, system recovery is installed on my hard drive. Pressing F8 during boot brings it up. After entering the console I chose the DOS prompt. In the DOS window I enter bootrec.exe and I am told the following:

Repairs Critical Disk Structures. The following commands are supported:

/FixMbr

/FixBoot

/ScanOS

/RebuildBcd

but when I enter /fixmbr I get the following error:

'fixmbr' is not recognized as an internal or external command, operable program or batch file.

I have tried /fixmbr /FixMbr fixmbr and FixMbr all with the same results. Same story with FixBoot.

From the recovery tool console I choose Startup Repair and the system tries to detect a problem. After the search a report comes back saying "startup repair could not detect a problem."

I looked at system restore to see if there is a point before the problem but unfortunately there is not.

Problem is still present. Any suggestions? Borislav, again a big thanks for your continued support and happy holidays!


I entered bootsect.exe in the DOS window during system recovery and was told that

"updated NTFS filesystem boot code"

So I believe it worked. I restarted. Problem remains. Here is the GMER log after bootsect.exe was complete. Crashed a few times before a successful scan.

Thanks!

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2010-12-25 16:55:25

Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.14.0

Running: 0elui2nu.exe; Driver: C:\Users\Audet\AppData\Local\Temp\kgrdqpob.sys

---- System - GMER 1.0.15 ----

INT 0x61 ? 936A4058

INT 0x71 ? 936A42D8

INT 0x82 ? 936A4CD8

INT 0xA2 ? 936A47D8

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8DCC2BAE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8DCC29D2]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8DCC2B0C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E8D599 1 Byte [06]

.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EB1F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1504] kernel32.dll!SetUnhandledExceptionFilter 774D3162 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

.text C:\Program Files\Mozilla Firefox\firefox.exe[4800] ntdll.dll!LdrLoadDll 77B0F625 5 Bytes JMP 00BD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001f3ad3f68b

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001f3ad3f68b (not active ControlSet)

Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers@AliveServerCount 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR

---- EOF - GMER 1.0.15 ----


No, it was not successful. Let's try this way:

  1. Download Bootkit remover to your Desktop.
  2. Extract Remover to your desktop
  3. Double-click Remover to run it (Vista users right-click and select Run as Administrator)
  4. It will show a Black screen with some data on it
  5. Right click on the screen and click Select All
  6. Press Ctrl+C (on keyboard) to copy the data
  7. Open Notepad and press Ctrl+V to paste the data


Downloaded Bootkit Remover and extracted it to the desktop. When I run it I get the following:

Bootkit Remover

© 2009 eSage Lab

www.esagelab.com

Program version: 1.2.0.0

OS Version: Microsoft Windows 7 (build 7600), 32-bit

System volume is \\.\C:

main(): CreateFile() ERROR 5

ERROR: Can't open volume device \\.\C:

Done;

Press any key to quit...

I have tried shutting down antivirus and using Enditall to avoid conflicts. No change.

???


bootfix still not working. Downloaded new ComboFix and ran a scan. Here it is...

ComboFix 10-12-25.03 - Audet 26/12/2010 8:51.5.2 - x86

Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.1913.1060 [GMT -7:00]

Running from: c:\users\Audet\Downloads\COMBOFIXXX.exe

AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}

SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2010-11-26 to 2010-12-26 )))))))))))))))))))))))))))))))

.

2010-12-26 15:56 . 2010-12-26 15:56 -------- d-----w- c:\users\Public\AppData\Local\temp

2010-12-26 15:56 . 2010-12-26 15:56 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-12-24 23:50 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6DA953B9-9ED0-4F2F-9306-9FFD78CDB547}\mpengine.dll

2010-12-24 19:42 . 2010-12-24 19:51 -------- d-----w- C:\Combo-Fix

2010-12-09 04:18 . 2010-12-24 19:33 -------- d-----w- C:\ComboFix

2010-11-28 22:22 . 2010-11-29 00:22 -------- d-----w- c:\program files\EndItAll

2010-11-28 21:45 . 2010-11-28 21:45 388096 ----a-r- c:\users\Audet\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-11-28 21:45 . 2010-11-28 21:45 -------- d-----w- c:\program files\Trend Micro

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-21 01:09 . 2010-11-21 15:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 01:08 . 2010-11-21 15:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-13 01:53 . 2010-06-12 18:55 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-10-19 17:41 . 2010-03-29 21:48 222080 ----a-w- c:\windows\system32\MpSigStub.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-10 7612960]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]

"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]

"TpShocks"="TpShocks.exe" [2009-07-09 337184]

"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-12-10 865640]

"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2009-08-05 244208]

"AcWin7Hlpr"="c:\program files\Lenovo\Access Connections\AcTBenabler.exe" [2009-10-14 36864]

"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-23 827904]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-23 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 136176]

R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2009-08-05 362992]

R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2009-08-05 309744]

R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2009-08-05 166384]

R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-12-10 75112]

R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2009-08-05 313840]

R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-08-05 1124848]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-07 1343400]

R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]

S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]

S1 aswSP;aswSP; [x]

S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]

S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-07-03 45424]

S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]

S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-07-15 62320]

S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2009-06-18 125568]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-09 122880]

S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-05-18 119256]

S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 12:27]

2010-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 12:27]

2010-12-13 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2009-10-08 21:43]

2010-12-26 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2009-10-08 21:43]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://lenovo.msn.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\users\Audet\AppData\Roaming\Mozilla\Firefox\Profiles\mr8mjq6m.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2010-12-26 08:58:32

ComboFix-quarantined-files.txt 2010-12-26 15:58

ComboFix2.txt 2010-12-24 19:51

ComboFix3.txt 2010-12-09 04:35

ComboFix4.txt 2010-12-09 03:59

ComboFix5.txt 2010-12-26 15:50

Pre-Run: 137,188,483,072 bytes free

Post-Run: 137,012,568,064 bytes free

- - End Of File - - 6B0E93D621B90328AF09EEEFCD6DB66E


Open Notepad and copy and paste the text in the code box below into it:

KillAll::
MBR::

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


here it is...

ComboFix 10-12-26.01 - Audet 26/12/2010 13:28:57.6.2 - x86

Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.1913.1111 [GMT -7:00]

Running from: c:\users\Audet\Desktop\COMBOFIXXX.exe

Command switches used :: c:\users\Audet\Desktop\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}

SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((( Files Created from 2010-11-26 to 2010-12-26 )))))))))))))))))))))))))))))))

.

2010-12-26 20:33 . 2010-12-26 20:33 -------- d-----w- c:\users\Public\AppData\Local\temp

2010-12-26 20:33 . 2010-12-26 20:33 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-12-26 15:50 . 2010-12-26 15:58 -------- d-----w- C:\COMBOFIXXX

2010-12-24 23:50 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6DA953B9-9ED0-4F2F-9306-9FFD78CDB547}\mpengine.dll

2010-12-24 19:42 . 2010-12-24 19:51 -------- d-----w- C:\Combo-Fix

2010-12-09 04:18 . 2010-12-24 19:33 -------- d-----w- C:\ComboFix

2010-11-28 22:22 . 2010-11-29 00:22 -------- d-----w- c:\program files\EndItAll

2010-11-28 21:45 . 2010-11-28 21:45 388096 ----a-r- c:\users\Audet\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-11-28 21:45 . 2010-11-28 21:45 -------- d-----w- c:\program files\Trend Micro

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-21 01:09 . 2010-11-21 15:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 01:08 . 2010-11-21 15:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-13 01:53 . 2010-06-12 18:55 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-10-19 17:41 . 2010-03-29 21:48 222080 ----a-w- c:\windows\system32\MpSigStub.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-10 7612960]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]

"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]

"TpShocks"="TpShocks.exe" [2009-07-09 337184]

"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-12-10 865640]

"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2009-08-05 244208]

"AcWin7Hlpr"="c:\program files\Lenovo\Access Connections\AcTBenabler.exe" [2009-10-14 36864]

"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-23 827904]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-23 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 136176]

R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2009-08-05 362992]

R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2009-08-05 309744]

R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2009-08-05 166384]

R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-12-10 75112]

R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2009-08-05 313840]

R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-08-05 1124848]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-07 1343400]

R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]

S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]

S1 aswSP;aswSP; [x]

S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]

S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-07-03 45424]

S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]

S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-07-15 62320]

S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2009-06-18 125568]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-09 122880]

S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-05-18 119256]

S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 12:27]

2010-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 12:27]

2010-12-13 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2009-10-08 21:43]

2010-12-26 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2009-10-08 21:43]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://lenovo.msn.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\users\Audet\AppData\Roaming\Mozilla\Firefox\Profiles\mr8mjq6m.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\windows\system32\WLANExt.exe

c:\windows\system32\conhost.exe

c:\progra~1\Lenovo\HOTKEY\tpnumlk.exe

c:\program files\Lenovo\Access Connections\AcPrfMgrSvc.exe

c:\program files\Intel\WiFi\bin\EvtEng.exe

c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe

c:\program files\Lenovo\Access Connections\AcSvc.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\program files\Lenovo\System Update\SUService.exe

c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\system32\taskhost.exe

c:\progra~1\Lenovo\HOTKEY\tpnumlkd.exe

c:\windows\system32\conhost.exe

.

**************************************************************************

.

Completion time: 2010-12-26 15:32:13 - machine was rebooted

ComboFix-quarantined-files.txt 2010-12-26 22:32

ComboFix2.txt 2010-12-26 15:58

ComboFix3.txt 2010-12-24 19:51

ComboFix4.txt 2010-12-09 04:35

ComboFix5.txt 2010-12-26 20:28

Pre-Run: 136,763,670,528 bytes free

Post-Run: 136,768,016,384 bytes free

- - End Of File - - DD25FAE8D029C43603CD708658B1A31F
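Reading the 'Reg Loading Points' section of a ComboFix log by eye, as the helper does in this thread, is tedious and easy to get wrong. The script below is an added example, not code from ComboFix or from anyone in the thread: it parses the Run-key values and the R/S service lines in the shape shown above and lists the entries a reviewer would check first: entries where ComboFix printed `[x]` instead of a path, Run values that give only a bare file name (so the file is resolved through the search path), and images outside the usual program directories. The sample log is constructed from lines in the shape of the log above; its last line (`demosvc`) is invented for the demo, and the list of trusted directory roots is an assumption you would adjust for your own machines.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of the 'Reg Loading Points' section of a
# ComboFix log. The last line (demosvc) is invented for the demo only.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-10 7612960]
"TpShocks"="TpShocks.exe" [2009-07-09 337184]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 136176]
S1 aswSP;aswSP; [x]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S3 demosvc;Constructed Demo Service;c:\users\public\appdata\local\temp\demosvc.exe [2010-12-20 4096]
"""

# "Name"="image" [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# R2 name;display name;image [date size]   or   S1 name;display name; [x]
SVC_RE = re.compile(
    r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?) ?\[(?P<meta>[^\]]*)\]$'
)

# Assumed set of directory roots where legitimately installed images normally live.
TRUSTED_ROOTS = (r"c:\program files", r"c:\progra~1", r"c:\windows")


@dataclass
class Entry:
    kind: str    # "run" or "service"
    name: str
    image: str   # path as printed; empty when ComboFix printed [x]
    meta: str    # "date size", or "x"


@dataclass
class Finding:
    name: str
    image: str
    reason: str


def parse_entries(log_text: str) -> List[Entry]:
    """Extract Run-key values and service/driver lines; other lines are ignored."""
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry("run", m["name"], m["image"], m["meta"]))
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append(Entry("service", m["name"], m["image"], m["meta"]))
    return entries


def triage(log_text: str) -> List[Finding]:
    """Return the entries worth a closer look, in log order."""
    findings: List[Finding] = []
    for e in parse_entries(log_text):
        image = e.image.strip().lower()
        if e.meta == "x" or not image:
            findings.append(Finding(e.name, e.image,
                                    "no image path recorded ([x]); confirm the service or driver file exists"))
        elif "\\" not in image:
            findings.append(Finding(e.name, e.image,
                                    "bare file name resolved through the search path; confirm which file loads"))
        elif not image.startswith(TRUSTED_ROOTS):
            findings.append(Finding(e.name, e.image,
                                    "image outside the usual program directories"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name:<10} {f.image or '-':<55} {f.reason}")
```

Run as-is it reports `TpShocks` (bare name), `aswSP` (no path recorded) and the constructed `demosvc` entry; everything else in the sample resolves to a full path under a trusted root and is left alone. Flagged entries are starting points for a look at the file on disk (publisher signature, creation date), not verdicts: the first two flagged here are, in the thread's own log, the Lenovo and avast! components.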


Like before, when I enter Bootrec.exe I see the following options available:

Repairs Critical Disk Structures. The following commands are supported:

/FixMbr

/FixBoot

/ScanOS

/RebuildBcd

but when I enter /fixmbr I get the following error:

'fixmbr' is not a recognized as an internal or external command, operable program or batch file.

I have now tried this from both the system recovery tool on the hard drive and a recovery disk that I have made from http://neosmart.net/blog/2009/windows-7-system-repair-discs/ with the same result.

I also tried bootsect.exe again and entered all three options and I am told it was successful:

bootsect /nt60 C:

bootsect /nt60 SYS

bootsect /nt60 ALL

No change with problem though...

In the directions you linked to it mentions this:

Note If rebuilding the BCD does not resolve the startup issue, you can export and delete the BCD, and then run this option again. By doing this, you make sure that the BCD is completely rebuilt. To do this, type the following commands at the Windows RE command prompt:

* bcdedit /export C:\BCD_Backup

* c:

* cd boot

* attrib bcd -s -h -r

* ren c:\boot\bcd bcd.old

* bootrec /RebuildBcd

Did you want me to try this?

Problem still exists on start up.

Thanks again for the continued support!


Rundll32.exe is not a problem. It's not dangerous, there is nothing suspicious. Don't worry about rundll32.exe. You have a modified MBR, and that is a very serious problem: not rundll32.exe, but the MBR.

but when I enter /fixmbr I get the following error:

Why don't you try:

/FixMbr
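The helper's diagnosis rests on the MBR having been modified, and the repair options in the thread (`bootrec /FixMbr`, the `MBR::` ComboFix directive) all rewrite the 440-byte boot code at the start of sector 0. The script below is an added example, not ComboFix's or Microsoft's code and not something posted in the thread: it parses a 512-byte MBR image into its boot code, disk signature, four partition-table entries and `0x55AA` signature, hashes the boot code, and compares it with a known-good baseline, so a change like the one suspected here shows up as a hash mismatch rather than a hunch. The MBR image is constructed in memory for the demo (a single active NTFS partition starting at LBA 2048); the baseline hash, `tamper()` helper and the sanity rules in `check_mbr()` are the example's own assumptions.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 440     # bytes 0..439 hold the boot code that /FixMbr rewrites
DISK_SIG_OFFSET = 440   # 4-byte disk signature, then 2 reserved bytes
PT_OFFSET = 446         # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"  # bytes 510..511
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed, minimal MBR image for the demo; not taken from any real disk."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (BOOT_CODE_LEN - 8)
    disk_sig = struct.pack("<I", 0x12345678)
    reserved = b"\x00\x00"
    # One active (0x80) NTFS (0x07) partition: CHS zeroed, 2048 sectors in, 1,000,000 long.
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * (16 * 3)
    mbr = boot_code + disk_sig + reserved + table + SIGNATURE
    assert len(mbr) == SECTOR
    return mbr


def parse_mbr(data: bytes) -> Dict:
    """Split a 512-byte sector into the fields a reviewer cares about."""
    if len(data) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack(ENTRY_FMT, data[off:off + 16])
        partitions.append({"index": i, "status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": data[510:512] == SIGNATURE,
        "disk_signature": struct.unpack("<I", data[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0],
        "partitions": partitions,
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
    }


def check_mbr(data: bytes, known_good_boot_code_sha256: str) -> List[str]:
    """Return a list of problems; an empty list means the sector looks as expected."""
    issues: List[str] = []
    info = parse_mbr(data)
    if not info["signature_ok"]:
        issues.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_boot_code_sha256:
        issues.append("boot code differs from the known-good baseline")
    if sum(1 for p in info["partitions"] if p["status"] == 0x80) > 1:
        issues.append("more than one partition flagged active")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            issues.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            issues.append(f"partition {p['index']}: non-empty type but zero length")
    return issues


def tamper(data: bytes) -> bytes:
    """Flip the first boot-code byte of an in-memory image to simulate a modified MBR (demo only)."""
    b = bytearray(data)
    b[0] ^= 0xFF
    return bytes(b)


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]   # assumed known-good value
    print("clean:   ", check_mbr(clean, baseline))
    print("modified:", check_mbr(tamper(clean), baseline))
```

The baseline hash has to come from a machine of the same Windows version that you trust; a freshly repaired MBR written by `bootrec /FixMbr` is a reasonable source. On a live Windows system the first 512 bytes of `\\.\PhysicalDrive0`, opened by an administrator, give the same image that `build_sample_mbr()` constructs here, and the partition table parsed by `parse_mbr()` doubles as a check that a repair has not disturbed the partition layout.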


OK,

I have tried many combinations, including:

"but when I enter /fixmbr I get the following error:

'fixmbr' is not a recognized as an internal or external command, operable program or batch file.

I have tried /fixmbr /FixMbr fixmbr and FixMbr all with the same results. Same story with FixBoot."

Not sure what I am doing wrong?
