Rootkit: hidden boot sector


Rootkit: hidden boot sector

Post by AdkWoody on 11th May 2011, 3:59 am

Hello all. I have a friend's computer that I'm working on trying to remove this pesky thing. File name is MBR:\\.\PHYSICALDRIVE0 and the Rootkit name is Rootkit: hidden boot sector. Avast has picked it up every time and says it has deleted it every time. I have even done a boot scan, it caught it, said it got rid of it, did another scan after start up and it said nothing found. Not a half hour later, avast says it found the rootkit again. There is no restore point to go from since my friend never created one and earlier today was the most recent. Malwarebytes comes up clean, and housecall.trendmicro.com comes up clean. There is no boot disk or windows disk to load to wipe it clean. I do have the application dvd and the drivers and utilities dvd. Is there anything I can do to fix this with what I have?


Life is extremely short.... One VERY long day at a time. Can't Believe It

AdkWoody
Intermediate

Posts : 69
Joined : 2010-08-17
Gender : Male
OS : Windows 7 Home Premium 64-Bit
Protection : Avast
Points : 23757
# Likes : 0

Re: Rootkit: hidden boot sector

Post by AdkWoody on 11th May 2011, 4:02 am

The computer is a Dell Inspiron laptop running Windows 7 64bit


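The symptom in the opening posts (the AV reports the MBR of \\.\PHYSICALDRIVE0 cleaned, then flags it again within the hour) is easiest to reason about if you record what sector 0 actually contains before and after each "successful" cleanup. The following Python script is an added example, not something from this thread or from Avast/ComboFix: it parses a 512-byte MBR, runs a few sanity checks (boot signature, partition status bytes, overlapping entries) and compares the sector's SHA-256 against a baseline you saved earlier, so a sector that silently changes between runs shows up as a finding. The device path `\\.\PhysicalDrive0` and the need to run elevated are assumptions about a Windows host; the sample MBR built by `build_sample_mbr()` is constructed for the demonstration and does not come from the affected laptop.

```python
"""Parse and sanity-check a 512-byte MBR and compare it with a stored baseline.

Added example (not from the forum thread). Run elevated on Windows to read the
live sector; the sample MBR below is constructed, not captured from a real disk.
"""
import hashlib
import struct
import sys

MBR_SIZE = 512
PT_OFFSET = 446                 # partition table: 4 x 16-byte entries at 446..509
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511 of a valid MBR


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four primary partition entries into dicts."""
    entries = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PT_OFFSET + 16 * i)
        entries.append({"index": i, "status": status, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, baseline_sha256: str = None) -> list:
    """Return human-readable findings; an empty list means nothing looked odd."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected length {len(mbr)}, expected {MBR_SIZE}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing at offset 510")
    entries = parse_partition_table(mbr)
    if sum(1 for e in entries if e["bootable"]) > 1:
        findings.append("more than one partition flagged bootable")
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"partition {e['index']}: invalid status byte 0x{e['status']:02x}")
        if e["type"] != 0 and e["sectors"] == 0:
            findings.append(f"partition {e['index']}: type set but zero length")
    used = sorted((e for e in entries if e["type"] and e["sectors"]), key=lambda e: e["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    if baseline_sha256 is not None and sha256_hex(mbr) != baseline_sha256:
        findings.append("sector 0 differs from the recorded baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample: zeroed boot code, one bootable NTFS (0x07) partition."""
    boot_code = bytes(440)
    disk_sig = b"\x11\x22\x33\x44" + b"\x00\x00"       # disk signature + reserved
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    return boot_code + disk_sig + entry0 + bytes(48) + BOOT_SIGNATURE


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw device (assumed Windows path; needs administrator rights)."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


if __name__ == "__main__":
    # Usage (elevated): python mbr_check.py [baseline_sha256_from_previous_run]
    mbr = read_live_mbr()
    baseline = sys.argv[1] if len(sys.argv) > 1 else None
    print("sha256:", sha256_hex(mbr))
    for e in parse_partition_table(mbr):
        if e["type"]:
            print(f"  part {e['index']}: type 0x{e['type']:02x} start {e['lba_start']} "
                  f"sectors {e['sectors']} bootable={e['bootable']}")
    print("findings:", check_mbr(mbr, baseline) or "none")
```

Run it once to record the hash, run it again after the AV reports a cleanup, and then again after the next alert: if the hash flips between two values the sector really is being rewritten, which points at something that survives the cleanup (a driver that re-infects from disk or memory) rather than at a false positive.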

Re: Rootkit: hidden boot sector

Post by Crush on 11th May 2011, 5:29 am

Hi,


Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Crush
Master

Posts : 3889
Joined : 2010-01-27
Gender : Male
Points : 42128
# Likes : 0

Re: Rootkit: hidden boot sector

Post by AdkWoody on 11th May 2011, 4:05 pm

ComboFix 11-05-10.02 - Christine 05/11/2011 11:49:59.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2008.926 [GMT -4:00]
Running from: c:\users\Christine\Downloads\commy.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
.
----- BITS: Possible infected sites -----
.
[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
.
.
2011-05-11 15:57 . 2011-05-11 15:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-11 15:19 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\B5B8.tmp
2011-05-11 15:18 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\2C9B.tmp
2011-05-11 14:11 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\82D6.tmp
2011-05-11 14:10 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\11AC.tmp
2011-05-11 14:10 . 2011-05-11 14:10 -------- d-----w- c:\program files (x86)\Sophos
2011-05-11 05:03 . 2010-09-06 09:26 189520 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2011-05-11 01:22 . 2010-12-20 22:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-11 01:22 . 2011-05-11 01:22 -------- d-----w- c:\programdata\Malwarebytes
2011-05-11 01:21 . 2011-05-11 01:22 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-05-11 01:21 . 2010-12-20 22:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-11 00:41 . 2011-05-11 00:41 -------- d-----w- c:\programdata\CyberLink
2011-05-11 00:40 . 2001-09-05 08:18 225280 ----a-w- c:\program files (x86)\Common Files\InstallShield\IScript\iscript.dll
2011-05-11 00:40 . 2001-09-05 08:18 77824 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2011-05-11 00:40 . 2001-09-05 08:14 176128 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2011-05-11 00:40 . 2001-09-05 08:13 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2011-05-11 00:15 . 2011-05-11 00:15 -------- d-----w- c:\program files (x86)\Google
2011-05-11 00:15 . 2011-04-18 17:18 287064 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-11 00:15 . 2011-04-18 17:13 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-11 00:15 . 2011-04-18 17:13 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-11 00:15 . 2011-04-18 17:17 600920 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-11 00:15 . 2011-04-18 17:16 53592 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-11 00:15 . 2011-04-18 17:25 253888 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-11 00:15 . 2011-04-18 17:13 64344 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-05-11 00:14 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
2011-05-11 00:14 . 2011-04-18 17:25 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-05-11 00:14 . 2011-05-11 00:14 -------- d-----w- c:\programdata\AVAST Software
2011-05-11 00:14 . 2011-05-11 00:14 -------- d-----w- c:\program files\AVAST Software
2011-05-11 00:12 . 2011-04-18 13:15 8802128 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D1E45A3C-A590-48A6-8D46-591CD26E4604}\mpengine.dll
2011-05-11 00:12 . 2011-02-02 22:11 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-05-10 21:30 . 2011-05-10 23:37 -------- d-----w- c:\users\Christine
2011-05-10 21:17 . 2011-05-11 01:40 -------- d-----w- C:\Emergency
2011-05-10 20:54 . 2011-05-10 21:17 -------- d-----w- c:\windows\SMINST
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2010-02-09 1807680]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-04-18 3460784]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe" [2011-01-13 165184]
.
c:\users\Christine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 136176]
R3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-18 169312]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 136176]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\B5B8.tmp [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe [2009-03-02 89600]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-01-13 705856]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 00:15]
.
2011-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 00:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-04-06 384296]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-02-25 487424]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-21 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-21 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-21 365592]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
"QuickSet"="c:\program files\Dell\QuickSet\QuickSet.exe" [2009-07-02 3180624]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
Toolbar-Locked - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\B5B8.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-11 12:02:00
ComboFix-quarantined-files.txt 2011-05-11 16:01
.
Pre-Run: 186,958,000,128 bytes free
Post-Run: 186,942,464,000 bytes free
.
- - End Of File - - 0C8677023DC144E98CA2B4177EE84D5A



Re: Rootkit: hidden boot sector

Post by AdkWoody on 11th May 2011, 4:09 pm

Thank you for the help. Please let me know if what you need is here. If not, I will restart the computer and do it again. One of the programs I tried to use to get rid of it before I posted here may still have it in their "grasp"? It found like 6 or so infected files but said it can't remove them without destroying the computer. The program is called Sophos Anti-Rootkit. Not sure if this helps you any. Thanks again.



Re: Rootkit: hidden boot sector

Post by Crush on 11th May 2011, 6:32 pm

Just these to deal with now:

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\B5B8.tmp
    c:\windows\system32\2C9B.tmp
    c:\windows\system32\82D6.tmp
    c:\windows\system32\11AC.tmp

    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

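Crush's CFScript above was written by reading the first ComboFix log by hand: the four freshly created `.tmp` files in `system32` and the `MEMSWEEP2` service whose image path points at one of them. The following Python is an added example (not part of the thread and not a ComboFix feature) that does that reading mechanically: it parses the "Files Created" lines and the `R*/S*` service lines in the format the log above uses, treats a service whose image is a `.tmp` file as the strong signal, lists services with no recorded image path as a weak signal for a human to look at (in the log above that is how avast's own `aswSnx`/`aswSP` drivers appear, so it is not a verdict on its own), and prints a candidate CFScript in the `File::` / `Registry::` layout shown in the post for a helper to review before it is ever dropped onto ComboFix. `SAMPLE_LOG` is an excerpt of lines copied from the first log in this thread; the line formats and the `[x]` annotation are assumed to be as they appear there.

```python
"""Pull service and file-creation lines out of a ComboFix log and draft a CFScript.

Added example, not ComboFix's own code. The heuristics are mine; the output is
meant to be reviewed by a person, exactly as the helper in the thread did by hand.
"""
import re

# "R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\B5B8.tmp [x]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*?)\s*(?:\[(?P<meta>[^\]]*)\])?$")
# "2011-05-11 15:19 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\B5B8.tmp"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$")

# Excerpt of lines from the first ComboFix log posted in the thread.
SAMPLE_LOG = r"""
2011-05-11 15:19 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\B5B8.tmp
2011-05-11 15:18 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\2C9B.tmp
2011-05-11 14:11 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\82D6.tmp
2011-05-11 14:10 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\11AC.tmp
2011-05-11 14:10 . 2011-05-11 14:10 -------- d-----w- c:\program files (x86)\Sophos
2011-05-11 01:21 . 2010-12-20 22:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 136176]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\B5B8.tmp [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 aswSnx;aswSnx; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
"""


def parse_services(log_text: str) -> list:
    """Return one dict per R*/S* service line (path stripped, meta may be None)."""
    services = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["path"] = d["path"].strip()
            services.append(d)
    return services


def parse_created_files(log_text: str) -> list:
    """Return file entries (directories, attrs starting with 'd', are skipped)."""
    files = []
    for line in log_text.splitlines():
        m = FILE_RE.match(line.strip())
        if m and not m.group("attrs").startswith("d"):
            files.append({"path": m.group("path"), "size": m.group("size")})
    return files


def flag_services(services: list) -> list:
    """Heuristics over parsed services; each hit carries the reasons it was flagged."""
    hits = []
    for s in services:
        p = s["path"].lower()
        reasons = []
        if not p:
            reasons.append("weak: no image path recorded")
        elif p.endswith(".tmp"):
            reasons.append("strong: service image is a .tmp file")
        if reasons:
            hits.append({"name": s["name"], "path": s["path"], "reasons": reasons})
    return hits


def candidate_cleanup(log_text: str):
    """Cross-reference .tmp files under system32 with services that load them."""
    files = parse_created_files(log_text)
    services = parse_services(log_text)
    tmp_files = [f["path"] for f in files
                 if f["path"].lower().endswith(".tmp") and "\\system32\\" in f["path"].lower()]
    tmp_services = [s["name"] for s in services if s["path"].lower().endswith(".tmp")]
    for s in services:                      # image not in the creation window? add it anyway
        if s["path"].lower().endswith(".tmp") and s["path"] not in tmp_files:
            tmp_files.append(s["path"])
    return tmp_files, tmp_services


def build_cfscript(file_paths: list, service_names: list) -> str:
    """Emit the File:: / Registry:: layout used in the thread, for human review."""
    lines = ["File::", *file_paths, "", "Registry::"]
    lines += ["[-HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\" + n + "]"
              for n in service_names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for hit in flag_services(parse_services(SAMPLE_LOG)):
        print(hit["name"], hit["path"] or "(no path)", hit["reasons"])
    print(build_cfscript(*candidate_cleanup(SAMPLE_LOG)))
```

On the excerpt this reproduces Crush's script line for line, which is the point: the decision rule (a driver service backed by a randomly named `.tmp` in `system32`) is explicit and can be checked against the log rather than trusted.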

Re: Rootkit: hidden boot sector

Post by AdkWoody on 11th May 2011, 9:37 pm

It won't let me. Every time I drop the file into Commy, it starts up and about 1 minute later I get a blue screen saying windows is under attack then the whole computer restarts.



Re: Rootkit: hidden boot sector

Post by Crush on 12th May 2011, 4:50 am

Try in Safe Mode


Re: Rootkit: hidden boot sector

Post by AdkWoody on 12th May 2011, 9:35 pm

Ok. I have done it in safe mode but now it wants to submit malware files for further analysis and is asking me to ensure I'm connected to the internet before clicking on the OK. In safe mode, I have no internet. What do I do here? I am going to assume that I can copy and paste the log in a note and then it will save for when I get back into normal boot?.... I do also have a desktop computer that I can hook the hard drive to if it's easier for you... as long as you walk me through accessing the hard drive from it. That computer has Vista 32 bit or Ubuntu 10.10 64 bit.



Re: Rootkit: hidden boot sector

Post by AdkWoody on 13th May 2011, 12:14 am

ComboFix 11-05-10.02 - Christine 05/12/2011 17:21:05.4.2 - x64 MINIMAL
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2008.1216 [GMT -4:00]
Running from: c:\users\Christine\Desktop\commy.exe
Command switches used :: c:\users\Christine\Desktop\CFScript - Shortcut.lnk
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-04-12 to 2011-05-12 )))))))))))))))))))))))))))))))
.
.
2011-05-12 21:26 . 2011-05-12 21:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-12 07:02 . 2011-05-12 07:02 -------- d-----w- c:\program files (x86)\Microsoft.NET
2011-05-11 15:19 . 2010-05-26 14:39 6144 ----a-w- c:\windows\system32\B5B8.tmp
2011-05-11 15:18 . 2010-05-26 14:39 6144 ----a-w- c:\windows\system32\2C9B.tmp
2011-05-11 14:11 . 2010-05-26 14:39 6144 ----a-w- c:\windows\system32\82D6.tmp
2011-05-11 14:10 . 2010-05-26 14:39 6144 ----a-w- c:\windows\system32\11AC.tmp
2011-05-11 14:10 . 2011-05-11 14:10 -------- d-----w- c:\program files (x86)\Sophos
2011-05-11 05:03 . 2010-09-06 09:26 189520 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2011-05-11 01:22 . 2010-12-20 22:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-11 01:22 . 2011-05-11 01:22 -------- d-----w- c:\programdata\Malwarebytes
2011-05-11 01:21 . 2011-05-11 01:22 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-05-11 01:21 . 2010-12-20 22:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-11 00:41 . 2011-05-11 00:41 -------- d-----w- c:\programdata\CyberLink
2011-05-11 00:40 . 2001-09-05 08:18 225280 ----a-w- c:\program files (x86)\Common Files\InstallShield\IScript\iscript.dll
2011-05-11 00:40 . 2001-09-05 08:18 77824 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2011-05-11 00:40 . 2001-09-05 08:14 176128 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2011-05-11 00:40 . 2001-09-05 08:13 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2011-05-11 00:15 . 2011-05-11 00:15 -------- d-----w- c:\program files (x86)\Google
2011-05-11 00:15 . 2011-04-18 17:18 287064 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-11 00:15 . 2011-04-18 17:13 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-11 00:15 . 2011-04-18 17:13 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-11 00:15 . 2011-04-18 17:17 600920 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-11 00:15 . 2011-04-18 17:16 53592 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-11 00:15 . 2011-04-18 17:25 253888 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-11 00:15 . 2011-04-18 17:13 64344 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-05-11 00:14 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
2011-05-11 00:14 . 2011-04-18 17:25 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-05-11 00:14 . 2011-05-11 00:14 -------- d-----w- c:\programdata\AVAST Software
2011-05-11 00:14 . 2011-05-11 00:14 -------- d-----w- c:\program files\AVAST Software
2011-05-11 00:12 . 2011-04-18 13:15 8802128 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D1E45A3C-A590-48A6-8D46-591CD26E4604}\mpengine.dll
2011-05-11 00:12 . 2011-02-02 22:11 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-05-10 21:30 . 2011-05-12 21:00 -------- d-----w- c:\users\Christine
2011-05-10 21:17 . 2011-05-11 01:40 -------- d-----w- C:\Emergency
2011-05-10 20:54 . 2011-05-10 21:17 -------- d-----w- c:\windows\SMINST
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2011-05-11 15:04 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-05-12 21:03 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-05-11 15:04 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-05-12 21:03 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-05-11 15:04 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-05-12 21:03 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-11 13:30 . 2011-05-12 20:55 98176 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2010-07-10 01:37 . 2011-05-12 07:24 32376 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-05-12 21:03 30944 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-05-12 21:59 . 2011-05-12 20:55 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
- 2011-05-10 21:26 . 2011-05-11 15:01 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-10 21:26 . 2011-05-12 21:13 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-10 21:26 . 2011-05-12 21:13 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-05-10 21:26 . 2011-05-11 15:01 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-05-11 15:01 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-05-12 21:13 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:46 . 2011-05-12 21:04 78512 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2011-05-10 22:13 . 2011-05-11 15:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-10 22:13 . 2011-05-12 21:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-10 22:13 . 2011-05-11 15:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-10 22:13 . 2011-05-12 21:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-10 23:51 . 2011-05-12 21:03 5152 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1338394851-2888564178-1302984018-1000_UserData.bin
+ 2011-05-11 18:15 . 2011-05-11 18:15 8192 c:\windows\system32\Microsoft\Protect\Recovery\Recovery.dat
+ 2011-05-12 21:13 . 2011-05-12 21:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-05-11 15:01 . 2011-05-11 15:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-05-11 15:01 . 2011-05-11 15:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-05-12 21:13 . 2011-05-12 21:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:36 . 2011-05-12 21:20 615122 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-05-12 21:20 103496 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:38 . 2011-05-12 21:59 262144 c:\windows\system32\config\systemprofile\ntuser.dat
- 2009-07-14 05:38 . 2010-07-10 02:59 262144 c:\windows\system32\config\systemprofile\ntuser.dat
- 2009-07-14 04:45 . 2011-05-11 00:52 3802522 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:45 . 2011-05-12 21:03 3802522 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 02:34 . 2011-05-11 15:15 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2011-05-11 23:57 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe" [2011-01-13 165184]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 aswSnx;aswSnx; [x]
R1 aswSP;aswSP; [x]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe [2009-03-02 89600]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 136176]
R2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-01-13 705856]
R3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-18 169312]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 136176]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 00:15]
.
2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 00:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-04-06 384296]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-02-25 487424]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-21 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-21 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-21 365592]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-RunOnce- - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-12 17:28:44
ComboFix-quarantined-files.txt 2011-05-12 21:28
ComboFix2.txt 2011-05-11 16:02
.
Pre-Run: 186,741,207,040 bytes free
Post-Run: 186,299,559,936 bytes free
.
- - End Of File - - 2B4134E82019319CAE62101FD6C36CF7



Re: Rootkit: hidden boot sector

Post by AdkWoody on 13th May 2011, 12:16 am

Here's the report without sending to the internet. It said it saved the file to send at a later time. I don't know how to find it or if it's even needed. Let me know.



Re: Rootkit: hidden boot sector

Post by Crush on 13th May 2011, 1:15 am

Hi,

You created a shortcut to the txt file so it didn't execute correctly. Please be sure you save it as cfscript.txt


Re: Rootkit: hidden boot sector

Post by AdkWoody on 13th May 2011, 2:26 am

I'm not sure how to save it to the desktop so I can drop it into ComboFix without creating a shortcut. I did save it as CFScript.txt in Notepad but only the main icon saying "Notepad" is visible on the desktop. How do I get it to the drag and drop as described above?



Re: Rootkit: hidden boot sector

Post by Crush on 13th May 2011, 5:18 am

How are you saving the file? File > Save As? That will allow you to specify the location for the txt file.


Re: Rootkit: hidden boot sector

Post by AdkWoody on 13th May 2011, 6:45 pm

ComboFix 11-05-10.02 - Christine 05/13/2011 14:15:42.5.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2008.1565 [GMT -4:00]
Running from: c:\users\Christine\Desktop\commy.exe
Command switches used :: c:\users\Christine\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\system32\11AC.tmp"
"c:\windows\system32\2C9B.tmp"
"c:\windows\system32\82D6.tmp"
"c:\windows\system32\B5B8.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\11AC.tmp
c:\windows\system32\2C9B.tmp
c:\windows\system32\82D6.tmp
c:\windows\system32\B5B8.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-04-13 to 2011-05-13 )))))))))))))))))))))))))))))))
.
.
2011-05-13 18:22 . 2011-05-13 18:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-13 07:07 . 2011-05-13 07:07 -------- d-----w- c:\windows\SysWow64\Wat
2011-05-13 07:07 . 2011-05-13 07:07 -------- d-----w- c:\windows\system32\Wat
2011-05-12 07:02 . 2011-05-12 07:02 -------- d-----w- c:\program files (x86)\Microsoft.NET
2011-05-11 14:10 . 2011-05-11 14:10 -------- d-----w- c:\program files (x86)\Sophos
2011-05-11 05:03 . 2010-09-06 09:26 189520 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2011-05-11 01:22 . 2010-12-20 22:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-11 01:22 . 2011-05-11 01:22 -------- d-----w- c:\programdata\Malwarebytes
2011-05-11 01:21 . 2011-05-11 01:22 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-05-11 01:21 . 2010-12-20 22:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-11 00:41 . 2011-05-11 00:41 -------- d-----w- c:\programdata\CyberLink
2011-05-11 00:40 . 2001-09-05 08:18 225280 ----a-w- c:\program files (x86)\Common Files\InstallShield\IScript\iscript.dll
2011-05-11 00:40 . 2001-09-05 08:18 77824 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2011-05-11 00:40 . 2001-09-05 08:14 176128 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2011-05-11 00:40 . 2001-09-05 08:13 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2011-05-11 00:15 . 2011-05-11 00:15 -------- d-----w- c:\program files (x86)\Google
2011-05-11 00:15 . 2011-04-18 17:18 287064 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-11 00:15 . 2011-04-18 17:13 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-11 00:15 . 2011-04-18 17:13 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-11 00:15 . 2011-04-18 17:17 600920 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-11 00:15 . 2011-04-18 17:16 53592 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-11 00:15 . 2011-04-18 17:25 253888 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-11 00:15 . 2011-04-18 17:13 64344 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-05-11 00:14 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
2011-05-11 00:14 . 2011-04-18 17:25 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-05-11 00:14 . 2011-05-11 00:14 -------- d-----w- c:\programdata\AVAST Software
2011-05-11 00:14 . 2011-05-11 00:14 -------- d-----w- c:\program files\AVAST Software
2011-05-11 00:12 . 2011-04-18 13:15 8802128 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D1E45A3C-A590-48A6-8D46-591CD26E4604}\mpengine.dll
2011-05-11 00:12 . 2011-02-02 22:11 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-05-10 21:30 . 2011-05-12 21:00 -------- d-----w- c:\users\Christine
2011-05-10 21:17 . 2011-05-11 01:40 -------- d-----w- C:\Emergency
2011-05-10 20:54 . 2011-05-10 21:17 -------- d-----w- c:\windows\SMINST
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-10 01:37 . 2011-05-13 00:12 32566 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-05-13 07:05 30984 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-05-12 21:59 . 2011-05-12 20:55 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
- 2011-05-10 21:26 . 2011-05-11 15:01 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-10 21:26 . 2011-05-13 18:03 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-10 21:26 . 2011-05-11 15:01 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-10 21:26 . 2011-05-13 18:03 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-05-11 15:01 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-05-13 18:03 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:46 . 2011-05-13 09:09 12368 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2011-05-10 22:13 . 2011-05-11 15:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-10 22:13 . 2011-05-13 09:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-10 22:13 . 2011-05-11 15:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-10 22:13 . 2011-05-13 09:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-10 23:51 . 2011-05-13 07:05 5442 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1338394851-2888564178-1302984018-1000_UserData.bin
+ 2011-05-11 18:15 . 2011-05-11 18:15 8192 c:\windows\system32\Microsoft\Protect\Recovery\Recovery.dat
- 2011-05-11 15:01 . 2011-05-11 15:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-05-13 18:23 . 2011-05-13 18:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-05-13 18:23 . 2011-05-13 18:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-05-11 15:01 . 2011-05-11 15:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-05-11 13:30 . 2011-05-13 18:01 118214 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2011-05-13 07:07 . 2011-05-13 07:07 152888 c:\windows\system32\Wat\WatWeb.dll
+ 2011-05-13 07:07 . 2011-05-13 07:07 249656 c:\windows\system32\Wat\WatUX.exe
+ 2011-05-13 07:07 . 2011-05-13 07:07 138664 c:\windows\system32\Wat\npWatWeb.dll
+ 2009-07-14 02:36 . 2011-05-13 18:08 615122 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-05-13 18:08 103496 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:38 . 2011-05-12 21:59 262144 c:\windows\system32\config\systemprofile\ntuser.dat
- 2009-07-14 05:38 . 2010-07-10 02:59 262144 c:\windows\system32\config\systemprofile\ntuser.dat
+ 2011-05-13 07:07 . 2011-05-13 07:07 1255736 c:\windows\system32\Wat\WatAdminSvc.exe
+ 2009-07-14 04:45 . 2011-05-13 09:08 3802522 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:45 . 2011-05-11 00:52 3802522 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 02:34 . 2011-05-11 15:15 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2011-05-13 08:01 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe" [2011-01-13 165184]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 aswSnx;aswSnx; [x]
R1 aswSP;aswSP; [x]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe [2009-03-02 89600]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 136176]
R2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-01-13 705856]
R3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-18 169312]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 136176]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 00:15]
.
2011-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 00:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-04-06 384296]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-02-25 487424]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-21 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-21 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-21 365592]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-RunOnce- - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-13 14:32:54 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-13 18:32
ComboFix2.txt 2011-05-12 21:28
ComboFix3.txt 2011-05-11 16:02
.
Pre-Run: 184,488,480,768 bytes free
Post-Run: 184,414,531,584 bytes free
.
- - End Of File - - 4C2D99F4A65D6A85A2349635F9ED8F17



Re: Rootkit: hidden boot sector

Post by AdkWoody on 13th May 2011, 6:48 pm

I hope I did it right this time! If not, let me know what to do. It did restart while in the middle of it, but ComboFix came right back up and said it was creating the boot log. Not sure if it was intentional of the program, or the rootkit trying to protect itself again.



Re: Rootkit: hidden boot sector

Post by Crush on 13th May 2011, 6:53 pm

Yes. Looks good. How are things running?


Re: Rootkit: hidden boot sector

Post by AdkWoody on 13th May 2011, 7:17 pm

About 5 min after I booted back up into normal mode, the rootkit came up again in the grasp of avast.... even though avast was shut off permanently through this process and I hadn't turned it back on yet. Same thing. I just shut the computer down to await further instructions.



Re: Rootkit: hidden boot sector

Post by Crush on 13th May 2011, 7:50 pm


  • Download [You must be registered and logged in to see this link.] and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.
Note: It will also create a log in the C:\ directory.


Re: Rootkit: hidden boot sector

Post by AdkWoody on 15th May 2011, 3:47 pm

2011/05/15 11:44:56.0118 1900 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/15 11:44:56.0149 1900 ================================================================================
2011/05/15 11:44:56.0149 1900 SystemInfo:
2011/05/15 11:44:56.0149 1900
2011/05/15 11:44:56.0149 1900 OS Version: 6.1.7600 ServicePack: 0.0
2011/05/15 11:44:56.0149 1900 Product type: Workstation
2011/05/15 11:44:56.0149 1900 ComputerName: CHRISTINE-PC
2011/05/15 11:44:56.0149 1900 UserName: Christine
2011/05/15 11:44:56.0149 1900 Windows directory: C:\Windows
2011/05/15 11:44:56.0149 1900 System windows directory: C:\Windows
2011/05/15 11:44:56.0149 1900 Running under WOW64
2011/05/15 11:44:56.0149 1900 Processor architecture: Intel x64
2011/05/15 11:44:56.0149 1900 Number of processors: 2
2011/05/15 11:44:56.0149 1900 Page size: 0x1000
2011/05/15 11:44:56.0149 1900 Boot type: Normal boot
2011/05/15 11:44:56.0149 1900 ================================================================================
2011/05/15 11:44:56.0445 1900 Initialize success



Re: Rootkit: hidden boot sector

Post by AdkWoody on 15th May 2011, 3:52 pm

Sorry it took so long. The computer says it had 68 windows updates that it was configuring on reboot. It was stuck on update 1 for EVER! I turned off the updates for now. Please let me know if there is anything else I should do. I will run a full scan with Avast again to see what it pulls up and let you know. Thanks for all your help Crush. GeekPolice is a life saver for me!



Re: Rootkit: hidden boot sector

Post by Crush on 15th May 2011, 7:44 pm



Re: Rootkit: hidden boot sector

Post by AdkWoody on 16th May 2011, 12:23 am

Avast picked up a TON more than before when I had it set for high sensitivity and checked all packers. I simply hit repair then apply since I couldn't copy and paste that log report and couldn't go to any other window without closing that one first. Once the computer reset, I seemed to have more control over the computer and it seems as though it's back to normal. I then changed all the settings for the full system scan back to normal and that came back clean. I just finished the full round of Windows updates... 73 including the optional security ones. Now I am running another full system scan with the settings back to the high and all packers to see what happens. I will let you know if that came back clean, or if it found anything.



Re: Rootkit: hidden boot sector

Post by AdkWoody on 16th May 2011, 2:05 am

This is what came up on the Avast full system scan with high sensitivity and all packers checked.

File Names Status

C:\...|>_TUProj.dat Error: Archive is password protected
C:\...|>DataSave_Green.ico Error: Archive is password protected
C:\...|>IRIMG1.BMP Error: Archive is password protected
C:\...|>IRIMG1.JPG Error: Archive is password protected
C:\...|>DataSafe_Green.ico Error: Archive is password protected
C:\...|>diff_000001.dif Error: Archive is password protected
C:\...|>diff_000002.dif Error: Archive is password protected
C:\...|>diff_000003.dif Error: Archive is password protected
C:\...|>diff_000004.dif Error: Archive is password protected
C:\...|>diff_000005.dif Error: Archive is password protected
C:\...|>diff_000006.dif Error: Archive is password protected
C:\...|>diff_000007.dif Error: Archive is password protected

I couldn't copy and paste so I had to enter this manually. Under the Status of each one it says "Error: Archive is password protect.." Because I couldn't see it I just filled in the blanks. Before I clicked on the report it said the scan couldn't check all files.



Re: Rootkit: hidden boot sector

Post by Crush on 16th May 2011, 5:14 pm

Those are nothing to worry about. The high sensitivity will produce false positives. The important thing is, is it still picking up the rootkit in the MBR?



Re: Rootkit: hidden boot sector

Post by AdkWoody on 17th May 2011, 1:01 pm

Awesome! I think it's gone then! What's the MBR? I know that Avast and TDSSKiller both came back clean. Thanks again Crush!



Re: Rootkit: hidden boot sector

Post by Crush on 17th May 2011, 6:22 pm

The Master Boot Record. This infection will produce a detection from Avast similar to what you're stating. Is the detection from the first post gone?
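Crush's reply above explains that the Avast detection named MBR:\\.\PHYSICALDRIVE0 refers to the Master Boot Record, the first 512-byte sector of the first physical disk. The script below is an added example, not code from this thread or from Avast, TDSSKiller or ComboFix: it parses a sector-0 image, hashes the boot code and the partition table separately, and compares two snapshots, because an MBR bootkit typically overwrites the boot code while leaving the partition table intact. The two sample MBRs are constructed inline; the device path \\.\PhysicalDrive0 in read_mbr_from_device() is an assumption about where you would point it on a Windows machine (opening it needs administrator rights), and the "boot code changed, partition table unchanged" heuristic is ours, not a rule taken from any of the tools named in the thread.

```python
"""Parse and fingerprint a Master Boot Record (sector 0 of a disk).

Layout of a classic MBR: bytes 0-439 boot code, 440-443 disk signature,
446-509 four 16-byte partition entries, 510-511 the 0x55AA marker.
Hashing the boot code and the partition table separately shows which
region changed between two snapshots of the same disk.
"""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_MARKER = b"\x55\xaa"


def parse_mbr(sector: bytes) -> Dict:
    """Split one raw sector into boot-code hash, table hash, signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[510:512] != BOOT_MARKER:
        raise ValueError("missing 0x55AA boot marker; not a valid MBR")

    partitions: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:  # empty slot
            continue
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})

    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "table_sha256": hashlib.sha256(sector[PART_TABLE_OFF:510]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": partitions,
    }


def sanity_warnings(info: Dict) -> List[str]:
    """Structural checks a clean single-OS MBR normally passes."""
    warnings = []
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        warnings.append("expected exactly one active partition, found %d" % len(active))
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (_s1, e1), (s2, _e2) in zip(spans, spans[1:]):
        if s2 < e1:
            warnings.append("overlapping partitions at LBA %d" % s2)
    return warnings


def diff_mbr(baseline: Dict, current: Dict) -> Dict:
    """Boot code changed while the partition table stayed put is the bootkit pattern (our heuristic)."""
    boot_changed = baseline["boot_code_sha256"] != current["boot_code_sha256"]
    table_changed = baseline["table_sha256"] != current["table_sha256"]
    return {"boot_code_changed": boot_changed,
            "partition_table_changed": table_changed,
            "bootkit_pattern": boot_changed and not table_changed}


def read_mbr_from_device(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the real sector 0; path is an assumption for Windows and needs admin rights."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one active NTFS partition starting at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = struct.pack("<I", 0x1234ABCD)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + PART_ENTRY_LEN] = struct.pack(
        "<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    sector[510:512] = BOOT_MARKER
    return bytes(sector)


# Constructed inputs, not data from the thread: a "clean" MBR and one whose
# boot code was overwritten while the partition table was left untouched.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8")  # typical MBR prologue
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 438)  # jmp $ followed by NOPs


def demo() -> Dict:
    """Compare the two constructed snapshots."""
    return diff_mbr(parse_mbr(CLEAN_MBR), parse_mbr(TAMPERED_MBR))


if __name__ == "__main__":
    print(demo())
```

A caveat the thread itself illustrates: a live bootkit can hook disk reads and hand back a clean sector 0, so a snapshot taken from inside the running system may look fine while a boot-time scan still flags it. Take the baseline from a trusted boot medium or with a tool built to read below the normal disk stack, such as TDSSKiller, and keep the clean hashes to compare against after the next reboot.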

Post by AdkWoody on 18th May 2011, 5:20 pm

Yes. All is gone nothing is being detected. Thank you so much for your help Crush! My friend thanks you too!

Post by Crush on 18th May 2011, 5:55 pm

To uninstall ComboFix

  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall
    (Note: Make sure there's a space between the word ComboFix and the forward-slash.)
  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.

====

Download Security Check from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

I have a similar issue

Post by Lapps on 1st February 2013, 2:18 pm

Hey guys,
I made an account specifically for noticing this thread. My problem is that my World of Warcraft account continuously gets hacked, and I have FOUR of those things popping up in my Avast security when I try doing a quick scan. The DataSafe_Green pops up, along with the following:
|>diff_000001.dif
|>IRIMG1.BMP
|>IRIMG1.JPG

Now I notice you guys have figured these notices are not of issue, however what is it exactly that keeps on gaining access to my WoW account and locking it? Is it a keylogger? And what can I do to get rid of this? It's been happening for several years, even when I was not playing on the account.

Any help will be greatly appreciated!!
Lapps

Lapps
Beginner

Posts : 1
Joined : 2013-02-01
OS : Windows 7
Points : 14085
# Likes : 0