rundll32.exe

tyrus · December 29, 2010

OK, when I try

bootsect /nt60 C:\ I get a msg that the bootsect is activated.

When I enter either:

bootsect /nt60 SYS

bootsect /nt60 ALL

They run and say they have been updated. When I reboot the problem remains. In the recovery environment when I select the dos option it goes to the x: drive. I assume this is the "boot drive" as it is not he c: drive.

I have searched how to change "Since Bootsect is located inside the boot folder, you need to change the directory to boot" but have not found much to guide me.

Can you confirm?

Any ideas? Here is the latest scan since the above was done. Thanks, and Thanks again T.

ComboFix 10-12-28.02 - Audet 28/12/2010 22:58:06.7.2 - x86

Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.1913.1246 [GMT -7:00]

Running from: c:\users\Audet\Desktop\COMBOFIXXX.exe

AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}

SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-29 )))))))))))))))))))))))))))))))

.

2010-12-29 06:03 . 2010-12-29 06:03 -------- d-----w- c:\users\Public\AppData\Local\temp

2010-12-29 06:03 . 2010-12-29 06:03 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-12-28 17:04 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{38CEC201-EFCA-4F8E-AAD4-582F9926ED87}\mpengine.dll

2010-12-26 15:50 . 2010-12-26 15:58 -------- d-----w- C:\COMBOFIXXX

2010-12-24 19:42 . 2010-12-24 19:51 -------- d-----w- C:\Combo-Fix

2010-12-09 04:18 . 2010-12-24 19:33 -------- d-----w- C:\ComboFix

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-21 01:09 . 2010-11-21 15:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 01:08 . 2010-11-21 15:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-28 21:45 . 2010-11-28 21:45 388096 ----a-r- c:\users\Audet\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-11-13 01:53 . 2010-06-12 18:55 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-10-19 17:41 . 2010-03-29 21:48 222080 ------w- c:\windows\system32\MpSigStub.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-10 7612960]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]

"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]

"TpShocks"="TpShocks.exe" [2009-07-09 337184]

"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-12-10 865640]

"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2009-08-05 244208]

"AcWin7Hlpr"="c:\program files\Lenovo\Access Connections\AcTBenabler.exe" [2009-10-14 36864]

"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-23 827904]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-23 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 136176]

R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2009-08-05 362992]

R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2009-08-05 309744]

R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2009-08-05 166384]

R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-12-10 75112]

R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2009-08-05 313840]

R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-08-05 1124848]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-07 1343400]

R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]

S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]

S1 aswSP;aswSP; [x]

S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]

S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-07-03 45424]

S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]

S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-07-15 62320]

S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2009-06-18 125568]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-09 122880]

S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-05-18 119256]

S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 12:27]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 12:27]

2010-12-13 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2009-10-08 21:43]

2010-12-27 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2009-10-08 21:43]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://lenovo.msn.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\users\Audet\AppData\Roaming\Mozilla\Firefox\Profiles\mr8mjq6m.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2912)

c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL

c:\progra~1\ThinkPad\UTILIT~1\US\PWMRT32V.DLL

c:\progra~1\ThinkPad\UTILIT~1\PWMIF32V.DLL

.

Completion time: 2010-12-28 23:05:20

ComboFix-quarantined-files.txt 2010-12-29 06:05

ComboFix2.txt 2010-12-26 22:32

ComboFix3.txt 2010-12-26 15:58

ComboFix4.txt 2010-12-24 19:51

ComboFix5.txt 2010-12-29 05:56

Pre-Run: 143,672,918,016 bytes free

Post-Run: 143,635,865,600 bytes free

- - End Of File - - 194AAB8993C8EE48CA51D49B554E7A0F

Maniac · December 29, 2010

Why you ran ComboFix without my instructions? I need a new fresh copy GMER log file.

tyrus · December 29, 2010

My mistake. Here is the latest GMER log. Thanks.

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2010-12-29 09:01:26

Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.14.0

Running: 8due8ge9.exe; Driver: C:\Users\Audet\AppData\Local\Temp\kgrdqpob.sys

---- System - GMER 1.0.15 ----

INT 0x61 ? 9283C058

INT 0x71 ? 9283C2D8

INT 0x82 ? 9283CCD8

INT 0xA2 ? 9283C7D8

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8D938BAE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8D9389D2]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8D938B0C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E93599 1 Byte [06]

.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EB7F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

PAGE ntkrnlpa.exe!ZwLoadDriver 82FF1291 7 Bytes JMP 8D938B10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ObMakeTemporaryObject 83058FBF 5 Bytes JMP 8D9345D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ObInsertObject + 27 83072CF3 5 Bytes JMP 8D936012 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!NtCreateSection 83080D63 7 Bytes JMP 8D9389D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 8312AEAC 7 Bytes JMP 8D938BB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

? C:\Users\Audet\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !

? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1308] kernel32.dll!SetUnhandledExceptionFilter 756D3162 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

.text C:\Program Files\Mozilla Firefox\firefox.exe[5228] ntdll.dll!LdrLoadDll 7728F625 5 Bytes JMP 00D313F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\iaStor \Device\Ide\iaStor0 dvd43llh.sys (dvd43llh.sys/RIF)

Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 dvd43llh.sys (dvd43llh.sys/RIF)

Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 dvd43llh.sys (dvd43llh.sys/RIF)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{66B83FF8-A374-485D-B703-3B337F65D337}\Connection@Name Local Area Connection* 11

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Bind \Device\{1F8631FE-800F-4030-83F9-647A20204939}?\Device\{66B83FF8-A374-485D-B703-3B337F65D337}?\Device\{FE24CCFD-8B58-4116-AFAC-F5F19506270B}?\Device\{632E3BA5-1818-4F7F-8521-6604650691E2}?

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Route "{1F8631FE-800F-4030-83F9-647A20204939}"?"{66B83FF8-A374-485D-B703-3B337F65D337}"?"{FE24CCFD-8B58-4116-AFAC-F5F19506270B}"?"{632E3BA5-1818-4F7F-8521-6604650691E2}"?

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Export \Device\TCPIP6TUNNEL_{1F8631FE-800F-4030-83F9-647A20204939}?\Device\TCPIP6TUNNEL_{66B83FF8-A374-485D-B703-3B337F65D337}?\Device\TCPIP6TUNNEL_{FE24CCFD-8B58-4116-AFAC-F5F19506270B}?\Device\TCPIP6TUNNEL_{632E3BA5-1818-4F7F-8521-6604650691E2}?

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001f3ad3f68b

Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{66B83FF8-A374-485D-B703-3B337F65D337}@InterfaceName isatap.{ABDD02A1-2DC6-4D0E-92FA-F291C9AB6618}

Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{66B83FF8-A374-485D-B703-3B337F65D337}@ReusableType 0

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001f3ad3f68b (not active ControlSet)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR

---- EOF - GMER 1.0.15 ----

Maniac · December 29, 2010

What are the options when right-clicking on this line:

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR

tyrus · December 29, 2010

When I right click on this line in GMER I get a menu. Many items are greyed out except Copy, Options, About. Options ha a sub directory that contains IRP Hooks, NTAPI Registry Scan, File Version Info, Only Non MS Files

Maniac · December 29, 2010

Let's see if Dr.Web is able to detect and remove this rootkit.

Please download to your Desktop: Dr.Web CureIt

After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
Once the short scan has finished, Click on the Complete scan radio button.
Then click on the Settings menu on top, the select Change Settings or press the F9 key. You can also change the Language
Choose the Scanning tab and I recomend leaving the Heuristic analysis enabled (this can lead to False Positives though)
On the File types tab ensure you select All files
Click on the Actions tab and set the following:
- Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
- Infected packages Archive = Move, E-mails = Report, Containers = Move
- Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
- Do not change the Rename extension - default is: #??
- Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
- Leave prompt on Action checked
[*]On the Log file tab leave the Log to file checked.
[*]Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
[*]Log mode = Append
[*]Encoding = ANSI
[*]Details Leave Names of file packers and Statistics checked.
[*]Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
[*]On the General tab leave the Scan Priority on High
[*]Click the Apply button at the bottom, and then the OK button.
[*]On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
[*]In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
[*]The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
[*]When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
[*]Click 'Yes to all' if it asks if you want to cure/move the files.
[*]This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
[*]After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
[*]Save the report to your Desktop. The report will be called DrWeb.csv
[*]Close Dr.Web Cureit.
[*]Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
[*]After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply.

tyrus · December 30, 2010

I followed directions exactly and ran an express scan and then a long scan. Nothing was found. No change in problem. The log file is 95MB large. Do you want me to post it? I searched it for %Device\Harddisk0\DR0% and did not find it in log.

Maniac · December 30, 2010

Please attach it.

tyrus · December 30, 2010

Cure-it log won't attach. Error from forum.

"Select a file

Attachment space used 6.31K of 10MB

You did not select a file to upload"

Of course I did select a file and it tried to upload for 5-10minutes two times now.

??? Thanks again.

Maniac · January 2, 2011

Can you please try to upload somewhere? For example here: http://www.mediafire.com/

tyrus · January 4, 2011

File should be here. http://www.mediafire.com/file/nkkucyrwd6bbywb/CureIt.log

Thanks again for your help.

Maniac · January 5, 2011

Any change?

tyrus · January 5, 2011

No change in the problems that have been existing since the start. Rundll32 still loading on startup and interfering with streaming media and interfering with the battery monitor. Can still shut off in task manager. Checked to see if Rundll32.exe is in startup in msconfig but not listed there.

???

Thanks

Maniac · January 5, 2011

Hope this helps:

http://www.sevenforums.com/general-discuss...and-prompt.html

tyrus · January 8, 2011

Hope this helps:
http://www.sevenforums.com/general-discuss...and-prompt.html

Went through thread and I still get:

'fixmbr' is not a recognized as an internal or external command, operable program or batch file.

As before I have tried many combination of /FixMbr etc. etc.

When I go into System Recovery Options > Command Prompt I get

X:\\sources\recovery>

Is the correct area I should be entering in?

When I enter BootRec.exe it seems to start OK and tells me the following commands are supported: /FixMbr, /FixBoot, /ScanOs, /RebuidBcd .

Entering these does not seem to work. When entering the command line still says X:\\sources\recovery>

Any ideas?

Should I consider reinstalling windows?

Thanks again.

Maniac · January 12, 2011

Should be:

bootrec.exe /fixmbr

http://windows7themes.net/how-to-fix-mbr-in-windows-7.html

tyrus · January 14, 2011

Thanks for the continued help.

Entered bootrec.exe /fixmbr

and report is "The operation was completed successfully"

What next?

Maniac · January 14, 2011

I need a new fresh GMER log.

tyrus · January 15, 2011

Here you go. Thanks.

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2011-01-14 21:57:59

Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.14.0

Running: 3ws5np4n.exe; Driver: C:\Users\Audet\AppData\Local\Temp\kgrdqpob.sys

---- System - GMER 1.0.15 ----

INT 0x61 ? 90C6BCD8

INT 0x90 ? 90C6BA58

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8E70DBAE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8E70D9D2]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8E70DB0C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E8D599 1 Byte [06]

.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EB1F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

PAGE spsys.sys!?SPRevision@@3PADA + 4F90 AC49F000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]

PAGE spsys.sys!?SPRevision@@3PADA + 50B3 AC49F123 629 Bytes [A5, 49, AC, FE, 05, 34, A5, ...]

PAGE spsys.sys!?SPRevision@@3PADA + 5329 AC49F399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]

PAGE spsys.sys!?SPRevision@@3PADA + 538F AC49F3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]

PAGE spsys.sys!?SPRevision@@3PADA + 543B AC49F4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]

PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1404] kernel32.dll!SetUnhandledExceptionFilter 75CF3162 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

.text C:\Program Files\Mozilla Firefox\firefox.exe[6108] ntdll.dll!LdrLoadDll 7779F625 5 Bytes JMP 008A13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000054 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)